Jump to content

Recommended Posts

Hi,

 

I am using a PHP sendmail form on a clients website.

 

Recently they have been receiving a few SPAM emails sent through the form.

 

Here is the script:-

 

<?

 

  $name = $_REQUEST['name'] ;

  $surname = $_REQUEST['surname'] ;

  $email = $_REQUEST['email'] ;

  $message = $_REQUEST['message'] ;

  $subject1 = $_POST['subject1'] ;

  $mailing = $_POST['mailing'] ;

  $telephone = $_REQUEST['telephone'] ; 

 

 

$to = "info@mydomain.com";

$subject = "Message from mydomain Website";

$MsgHeader = "From: mydomain Website <info@mydomain.com>\n";

$MsgHeader .= "Bcc: <webmaster@mydomain.co.uk> r\n";

$MsgHeader .= "MIME-Version: 1.0\n";

$MsgHeader .= "Content-type: text/html; charset=iso-8859-1\n";

$MsgBody = "

<html>

<head>

<title>mydomain</title>

</head>

<body>

 

<table style='padding-left:20px'>

<tr><td> </td></tr>

<tr><td><font style='font-size: 13px' style='font-family: Tahoma, Arial'>Name : $name</font></td></tr>

<tr><td><font style='font-size: 13px' style='font-family: Tahoma, Arial'>Surname : $surname</font></td></tr>

<tr><td><font style='font-size: 13px' style='font-family: Tahoma, Arial'>&nbsp</font></td></tr>

<tr><td><font style='font-size: 13px' style='font-family: Tahoma, Arial'>Message subject : $subject1</font></font></td></tr>

<tr><td><font style='font-size: 13px' style='font-family: Tahoma, Arial'>&nbsp</font></td></tr>

<tr><td><font style='font-size: 13px' style='font-family: Tahoma, Arial'>Email : $email</font></td></tr>

<tr><td><font style='font-size: 13px' style='font-family: Tahoma, Arial'>&nbsp</font></td></tr>

<tr><td><font style='font-size: 13px' style='font-family: Tahoma, Arial'>Message : $message</font></font></td></tr>

<tr><td><font style='font-size: 13px' style='font-family: Tahoma, Arial'>&nbsp</font></td></tr>

<tr><td><font style='font-size: 13px' style='font-family: Tahoma, Arial'>mydomain Mailing List : $mailing</font></font></td></tr>

 

 

<tr><td> </td></tr>

</table>

 

</body>

</html>";

 

if (!isset($_REQUEST['email'])) {

    header( "Location: http://www.mydomain.com/contact.html" );

  }

  elseif (empty($email) || empty($message) || empty($name)) {

 

    header( "Expires: Mon, 20 Dec 1998 01:00:00 GMT" );

    header( "Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT" );

    header( "Cache-Control: no-cache, must-revalidate" );

    header( "Pragma: no-cache" );

 

  ?>

 

    <html>

    <head><title>Error</title></head>

    <body>

    <h1>Error</h1>

    <p>

    Oops, it appears you haven't filled in the form correctly. Please ensure ALL fields have been filled in correctly. Please use the BACK

    button in your browser and try again.

    </p>

    </body>

    </html>

 

    <?php

 

  }

 

else {

    mail($to, $subject, $MsgBody, $MsgHeader);

    header("Location: http://www.mydomain.com/thanks.html");

  }

?>

 

Here is an example of the email they receive:-

 

Name : eaocjx

Surname : eaocjx

 

Message subject : This message is regarding a reservation.

 

Email : efjdxg@eetzdk.com

 

Message : eW0j94 vblnpniwgyjg, wjltmmwufhuu, [link=http://jeybfmhnxxcf.com/]jeybfmhnxxcf[/link], http://zbqhcclscykz.com/

 

mydomain Mailing List : Sign me up

 

 

I validate all fields clientside using javascript.

 

Any comments or help on how to solve this would be much appreciated. I hope I have given you enough info.

 

Thanks.

 

Matt

Link to comment
https://forums.phpfreaks.com/topic/155535-sendmail-form-hijacked/
Share on other sites

here's a script I wrote for my wife's website:

 

the contact page:

if ($page == "contact"){
              function security_question(){
$question_array[] = "What color is an orange?";
$question_array[] = "Red plus Blue = ";
$question_array[] = "One plus 1 = ";
$question_array[] = "I have 3 pens. I give you none. How many do I have?";
$question_array[] = "Who was the first U.S. President?";
$question_array[] = "What color is a Lemon?";
$total_questions = count($question_array) - 1;
$random_number = rand(0,$total_questions);
$random_question = $question_array[$random_number];
$_SESSION['sec_question'] = $random_number;
return $random_question;
}
$question = security_question();
?>

<form method="POST" action="p_contact.php">
				<h1>Contact Us</h1>
					<p>
				<table border="0">
					<tr>
						<td>Your Name:</td>
						<td><input type="text" name="name" size="56"></td>
					</tr>
					<tr>
						<td>E-Mail Address:</td>
						<td><input type="text" name="email" size="56"></td>
					</tr>
					<tr>
						<td>Contact Reason:</td>
						<td><select name="reason">
						    <option value="1" selected="selected">Just Saying "hi"</option>
						    <option value="2">I found a problem</option>
						    <option value="3">I want help with web design</option>
						    <option value="4">Other</option>
						    </select>
						    </td>
					</tr>
					<tr>
						<td>Subject:</td>
						<td><input type="text" name="subject" size="56"></td>
					</tr>
					<tr>
						<td>Message:</td>
						<td><textarea name="body" cols="42" rows="10"></textarea></td>
					</tr>
					<tr>
					<tr>
						<td>(<strong>Security Question</strong>)<br /><?php print $question; ?></td>
						<td><input type="text" name="sec_q"></td>
					</tr>
						<td> </td>
						<td><input type="submit" value="Submit"></td>
					</tr>
				</table>
</form></p>
<?php
}

 

the contact processor file

<?php
session_start();
if (isset($_SESSION["sec_question"]) && isset($_POST['sec_q']) && $_POST['sec_q'] != ""){
$answer = strtolower($_POST['sec_q']);
if ($answer == "2"){
	$answer = "two";
}
if ($answer == "washington"){
	$answer = "george washington";
}
if ($answer == "george"){
	$answer = "george washington";
}
if ($answer == "3"){
	$answer = "three";
}
$question = strtolower($_POST['sec_q']);
$questions[] = "orange";
$questions[] = "purlple";
$questions[] = "two";
$questions[] = "three";
$questions[] = "george washington";
$questions[] = "yellow";
if ($questions[$_SESSION['sec_question']] == $answer){
	$reason_array = array("Just Saying \"hi\"", "I found a problem", "I want help with web design", "Other");
	$reason = $_POST['reason'];
	$reason_count = count($reason_array);
	if (!is_numeric($reason) || ($reason > $reason_count || $reason < 0)){
		header("location:http://google.com");
		exit();
	}
	$contact_reason = $reason_array[$reason -1];
	$subject = $_POST['subject'];
	$body = $_POST['body'];
	$email = $_POST['email'];
	$name = $_POST['name'];
	$to = "*************@gmail.com";
	$subject = $_POST['subject'];
	$message = "<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Transitional//EN'
        'http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd'>
        <html>
        <head>
        <title>".$subject."</title>
        </head><center>Contact Reason: $contact_reason</center><br />\n
        <strong>IP: {$_SERVER['REMOTE_ADDR']}</strong><br />\n
        <strong>Name:</strong>$name<br />\n";
	$message_clean1 = str_replace("\'", "'", $_POST['body']);
	$message_clean2 = str_replace('"', "'", $message_clean1);
	$message_clean3 = str_replace("\v", "", $message_clean2);
	$message_clean4 = str_replace("\'", "'", $message_clean3);
	$message .= $message_clean4;
	$message .= "<br /><br /><br />";
	$message .= "\n</body></html>";
	include("MIME.class.php");
	$mime = new MIME_mail($email, $to, $subject);
	$mime->attach($message, "", HTML, BASE64);
	$mime->send_mail();
	header("location:index.php");
	exit();
}
else{
	header("location:http://google.com");
	exit();
}
}
else{
header("location:http://google.com");
exit();
}

?>

since she started using this script, she's received 0 spams.  I'd recommend something like this for you.  It's a human checker.  The security question thing is the part you'll be interested in.

Is CAPTCHA really that unsecure? Google, hotmail, yahoo, etc are all still using CAPTCHA.  Surely if it was easily breakable, they would be the first to move away from this system?

 

Do you think Human checker is the only viable option to solve my problem.

 

Thanks for all your help.

Think about your example sites you listed though. Google, yahoo, hotmail, etc.. think of them as companies as a whole.  Sure, they have captcha to weed out all the weaksauce bots because they are just so damn common, but think about what those companies mainly do: they are search engines, or have search engines/web indexers as a facet of their company.  Don't you think it's in their best interest to know everything that's going on out there, what all is living out there on the web?  Spend some time meditating on and visualizing the web, my friend.

Crayon, I am not sure in what way to take your last response? However, i respect your views and trust it didn't mean to come across as sarcastic.

 

Mikesta707, thank you very much for your suggestions, I probably didn't explain it clearly enough to begin with but thankyou for your help. I am always grateful for positive responses.

 

Thanks all for your help.  I shall look into replacing the CAPTCHA system.

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.