healy787 Posted April 24, 2009
https://forums.phpfreaks.com/topic/155535-sendmail-form-hijacked/

Hi, I am using a PHP sendmail form on a client's website. Recently they have been receiving a few SPAM emails sent through the form. Here is the script:

```php
<?php
// All fields are taken straight from the request; nothing is validated on the server.
$name = $_REQUEST['name'];
$surname = $_REQUEST['surname'];
$email = $_REQUEST['email'];
$message = $_REQUEST['message'];
$subject1 = $_POST['subject1'];
$mailing = $_POST['mailing'];
$telephone = $_REQUEST['telephone'];

$to = "info@mydomain.com";
$subject = "Message from mydomain Website";
// Headers use a fixed From: address; the visitor's address only appears in the body.
// Note the mixed "\n" and "\r\n" line endings in this header block.
$MsgHeader = "From: mydomain Website <info@mydomain.com>\n";
$MsgHeader .= "Bcc: <webmaster@mydomain.co.uk>\r\n";
$MsgHeader .= "MIME-Version: 1.0\n";
$MsgHeader .= "Content-type: text/html; charset=iso-8859-1\n";

// Field values are interpolated into the HTML body unescaped.
$MsgBody = "
<html>
<head>
<title>mydomain</title>
</head>
<body>
<table style='padding-left:20px'>
<tr><td> </td></tr>
<tr><td><font style='font-size: 13px; font-family: Tahoma, Arial'>Name : $name</font></td></tr>
<tr><td><font style='font-size: 13px; font-family: Tahoma, Arial'>Surname : $surname</font></td></tr>
<tr><td><font style='font-size: 13px; font-family: Tahoma, Arial'> </font></td></tr>
<tr><td><font style='font-size: 13px; font-family: Tahoma, Arial'>Message subject : $subject1</font></td></tr>
<tr><td><font style='font-size: 13px; font-family: Tahoma, Arial'> </font></td></tr>
<tr><td><font style='font-size: 13px; font-family: Tahoma, Arial'>Email : $email</font></td></tr>
<tr><td><font style='font-size: 13px; font-family: Tahoma, Arial'> </font></td></tr>
<tr><td><font style='font-size: 13px; font-family: Tahoma, Arial'>Message : $message</font></td></tr>
<tr><td><font style='font-size: 13px; font-family: Tahoma, Arial'> </font></td></tr>
<tr><td><font style='font-size: 13px; font-family: Tahoma, Arial'>mydomain Mailing List : $mailing</font></td></tr>
<tr><td> </td></tr>
</table>
</body>
</html>";

if (!isset($_REQUEST['email'])) {
    // Direct request without the form: send the visitor back to the contact page.
    header("Location: http://www.mydomain.com/contact.html");
} elseif (empty($email) || empty($message) || empty($name)) {
    // Only emptiness is checked; any non-empty value passes.
    header("Expires: Mon, 20 Dec 1998 01:00:00 GMT");
    header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
    header("Cache-Control: no-cache, must-revalidate");
    header("Pragma: no-cache");
?>
<html>
<head><title>Error</title></head>
<body>
<h1>Error</h1>
<p>
Oops, it appears you haven't filled in the form correctly. Please ensure ALL fields have been filled in correctly. Please use the BACK button in your browser and try again.
</p>
</body>
</html>
<?php
} else {
    mail($to, $subject, $MsgBody, $MsgHeader);
    header("Location: http://www.mydomain.com/thanks.html");
}
?>
```

Here is an example of the email they receive:

    Name : eaocjx
    Surname : eaocjx
    Message subject : This message is regarding a reservation.
    Email : efjdxg@eetzdk.com
    Message : eW0j94 vblnpniwgyjg, wjltmmwufhuu, [link=http://jeybfmhnxxcf.com/]jeybfmhnxxcf[/link], http://zbqhcclscykz.com/
    mydomain Mailing List : Sign me up

I validate all fields client-side using JavaScript. Any comments or help on how to solve this would be much appreciated. I hope I have given you enough info. Thanks. Matt
mikesta707 Posted April 24, 2009

Password protect the page?
jonsjava Posted April 24, 2009

Here's a script I wrote for my wife's website. The contact page:

```php
<?php
// Fragment of the contact page; session_start() is assumed to have run earlier in the page.
if ($page == "contact") {
    function security_question() {
        $question_array[] = "What color is an orange?";
        $question_array[] = "Red plus Blue = ";
        $question_array[] = "One plus 1 = ";
        $question_array[] = "I have 3 pens. I give you none. How many do I have?";
        $question_array[] = "Who was the first U.S. President?";
        $question_array[] = "What color is a Lemon?";
        $total_questions = count($question_array) - 1;
        $random_number = rand(0, $total_questions);
        $random_question = $question_array[$random_number];
        // Only the question's index is stored server-side; the answer never reaches the browser.
        $_SESSION['sec_question'] = $random_number;
        return $random_question;
    }
    $question = security_question();
?>
<form method="POST" action="p_contact.php">
<h1>Contact Us</h1>
<table border="0">
<tr>
  <td>Your Name:</td>
  <td><input type="text" name="name" size="56"></td>
</tr>
<tr>
  <td>E-Mail Address:</td>
  <td><input type="text" name="email" size="56"></td>
</tr>
<tr>
  <td>Contact Reason:</td>
  <td><select name="reason">
    <option value="1" selected="selected">Just Saying "hi"</option>
    <option value="2">I found a problem</option>
    <option value="3">I want help with web design</option>
    <option value="4">Other</option>
  </select></td>
</tr>
<tr>
  <td>Subject:</td>
  <td><input type="text" name="subject" size="56"></td>
</tr>
<tr>
  <td>Message:</td>
  <td><textarea name="body" cols="42" rows="10"></textarea></td>
</tr>
<tr>
  <td>(<strong>Security Question</strong>)<br /><?php print $question; ?></td>
  <td><input type="text" name="sec_q"></td>
</tr>
<tr>
  <td> </td>
  <td><input type="submit" value="Submit"></td>
</tr>
</table>
</form>
<?php
}
```

The contact processor file:

```php
<?php
session_start();
if (isset($_SESSION["sec_question"]) && isset($_POST['sec_q']) && $_POST['sec_q'] != "") {
    $answer = strtolower($_POST['sec_q']);
    // Accept a few equivalent spellings of the expected answers.
    if ($answer == "2") { $answer = "two"; }
    if ($answer == "washington") { $answer = "george washington"; }
    if ($answer == "george") { $answer = "george washington"; }
    if ($answer == "3") { $answer = "three"; }
    // Expected answers, in the same order as the questions on the contact page.
    $questions[] = "orange";
    $questions[] = "purple";   // was misspelled "purlple", so that question could never be answered
    $questions[] = "two";
    $questions[] = "three";
    $questions[] = "george washington";
    $questions[] = "yellow";
    if ($questions[$_SESSION['sec_question']] == $answer) {
        $reason_array = array("Just Saying \"hi\"", "I found a problem", "I want help with web design", "Other");
        $reason = $_POST['reason'];
        $reason_count = count($reason_array);
        // The form sends 1..4; the original accepted 0, which indexed $reason_array[-1].
        if (!is_numeric($reason) || ($reason > $reason_count || $reason < 1)) {
            header("location:http://google.com");
            exit();
        }
        $contact_reason = $reason_array[$reason - 1];
        $subject = $_POST['subject'];
        $body = $_POST['body'];
        $email = $_POST['email'];
        $name = $_POST['name'];
        $to = "*************@gmail.com";
        $message = "<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Transitional//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd'>
<html>
<head>
<title>" . $subject . "</title>
</head>
<body>
<center>Contact Reason: $contact_reason</center><br />\n
<strong>IP: {$_SERVER['REMOTE_ADDR']}</strong><br />\n
<strong>Name:</strong>$name<br />\n";
        // Undo magic-quotes escaping and strip vertical tabs from the body.
        $message_clean1 = str_replace("\'", "'", $_POST['body']);
        $message_clean2 = str_replace('"', "'", $message_clean1);
        $message_clean3 = str_replace("\v", "", $message_clean2);
        $message_clean4 = str_replace("\'", "'", $message_clean3);
        $message .= $message_clean4;
        $message .= "<br /><br /><br />";
        $message .= "\n</body></html>";
        include("MIME.class.php");
        $mime = new MIME_mail($email, $to, $subject);
        $mime->attach($message, "", HTML, BASE64);
        $mime->send_mail();
        header("location:index.php");
        exit();
    } else {
        header("location:http://google.com");
        exit();
    }
} else {
    header("location:http://google.com");
    exit();
}
?>
```

Since she started using this script, she's received 0 spam messages. I'd recommend something like this for you. It's a human checker. The security question part is the part you'll be interested in.
healy787 (Author) Posted April 24, 2009

Hi, thanks for your reply. Unfortunately I am already using CAPTCHA and JavaScript validation client-side, and yet the SPAM still comes through.
jonsjava Posted April 24, 2009

CAPTCHA has been broken for a while now. A human checker requires a human mind, or a search algorithm, to solve. All 12 of my websites had the problem you are now seeing, until I added the human checker.
.josh Posted April 24, 2009

Not to mention the fact that doing JavaScript validation is useless. Humans can just disable it. Bots just ignore it.
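The three points made so far (the first post's script checks nothing on the server, jonsjava's session-bound question, and .josh's note that client-side JavaScript proves nothing) can be combined into one server-side handler. The following is an added example, not code from this thread or from any of its posters: it validates the fields on the server, rejects values carrying mail-header separators, checks a hidden honeypot field, and compares the visitor's answer against the question whose index was stored in the session. The field names `website` and `sec_q`, the question list, and the `example.invalid` addresses are assumptions made for the example.

```php
<?php
// Added example (not from the thread): server-side contact-form checks.
// Assumed field names: name, email, message, website (hidden honeypot),
// sec_q (challenge answer). Addresses and questions are constructed samples.
declare(strict_types=1);

const QUESTIONS = [
    // question text => accepted answers (lower-case, trimmed)
    'What color is an orange?' => ['orange'],
    'Red plus Blue = ?'        => ['purple'],
    'One plus 1 = ?'           => ['2', 'two'],
    'What color is a lemon?'   => ['yellow'],
];

// Pick a question and store only its index in the session ($_SESSION in a
// real request); the accepted answers never leave the server.
function issue_question(array &$session): string
{
    $keys = array_keys(QUESTIONS);
    $idx = random_int(0, count($keys) - 1);
    $session['sec_question'] = $idx;
    return $keys[$idx];
}

// A CR, LF or NUL inside a value that reaches a mail header would let the
// sender append headers of their own, so such values are rejected outright.
function has_header_injection(string $value): bool
{
    return preg_match('/[\r\n\0]/', $value) === 1;
}

// Returns the list of reasons to reject the submission; empty means accept.
function check_submission(array $post, array $session): array
{
    $errors = [];
    // Honeypot: browsers leave the hidden field empty, form-filling bots do not.
    if (($post['website'] ?? '') !== '') {
        $errors[] = 'honeypot filled';
    }
    // Presence checks done here, on the server, regardless of any JavaScript.
    foreach (['name', 'email', 'message'] as $f) {
        if (trim($post[$f] ?? '') === '') {
            $errors[] = "missing $f";
        }
    }
    // The address must parse and must not carry header separators.
    $email = trim($post['email'] ?? '');
    if ($email !== '' && (has_header_injection($email)
            || filter_var($email, FILTER_VALIDATE_EMAIL) === false)) {
        $errors[] = 'invalid email';
    }
    if (has_header_injection($post['name'] ?? '')) {
        $errors[] = 'newline in name';
    }
    // Challenge answer, compared against the question bound to this session.
    if (!isset($session['sec_question'])) {
        $errors[] = 'no question issued';
    } else {
        $accepted = array_values(QUESTIONS)[$session['sec_question']];
        $given = strtolower(trim($post['sec_q'] ?? ''));
        $ok = false;
        foreach ($accepted as $a) {
            if (hash_equals($a, $given)) {
                $ok = true;
            }
        }
        if (!$ok) {
            $errors[] = 'wrong answer';
        }
    }
    return $errors;
}

// Assemble the arguments for mail(): a fixed From:, the visitor's validated
// address only in Reply-To:, and every field HTML-escaped in the body.
function build_mail(array $post, string $to): array
{
    $body = "<html><body><table>\n";
    foreach (['name', 'email', 'message'] as $f) {
        $body .= '<tr><td>' . ucfirst($f) . '</td><td>'
               . htmlspecialchars(trim($post[$f]), ENT_QUOTES, 'UTF-8') . "</td></tr>\n";
    }
    $body .= "</table></body></html>\n";
    $headers = "From: Website <info@example.invalid>\r\n"
             . 'Reply-To: ' . trim($post['email']) . "\r\n"
             . "MIME-Version: 1.0\r\n"
             . "Content-Type: text/html; charset=UTF-8\r\n";
    return ['to' => $to, 'subject' => 'Message from website', 'body' => $body, 'headers' => $headers];
}

// Offline self-check with constructed submissions: php contact.php
if (PHP_SAPI === 'cli') {
    $session = [];
    $question = issue_question($session);
    $answer = array_values(QUESTIONS)[$session['sec_question']][0];
    $human = ['name' => 'Ann', 'email' => 'ann@example.invalid', 'message' => 'Hello',
              'website' => '', 'sec_q' => $answer];
    $bot = ['name' => 'eaocjx', 'email' => "x@y.invalid\r\nBcc: a@b.invalid",
            'message' => 'http://spam.invalid', 'website' => 'http://spam.invalid', 'sec_q' => ''];
    echo "Question: $question\n";
    echo 'human: ' . (check_submission($human, $session) ? 'rejected' : 'accepted') . "\n";
    echo 'bot:   ' . implode(', ', check_submission($bot, $session)) . "\n";
    // In a real request: $m = build_mail($_POST, 'info@example.invalid');
    // mail($m['to'], $m['subject'], $m['body'], $m['headers']);
}
```

Run from the command line the script prints the chosen question, reports the human submission as accepted, and lists every reason the bot submission fails (honeypot filled, invalid email, wrong answer). In a web request the same two functions sit between `session_start()` and `mail()`: `issue_question($_SESSION)` on the page that renders the form, `check_submission($_POST, $_SESSION)` in the processor, and `build_mail()` only when the error list is empty.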
healy787 (Author) Posted April 24, 2009

Is CAPTCHA really that insecure? Google, Hotmail, Yahoo, etc. are all still using CAPTCHA. Surely if it was easily breakable, they would be the first to move away from this system? Do you think a human checker is the only viable option to solve my problem? Thanks for all your help.
mikesta707 Posted April 24, 2009

Why not just password protect the page, so that you know exactly who can access it?
healy787 (Author) Posted April 24, 2009

How would this work? It is a contact form page. Everyone and anyone would possibly need access to it.
.josh Posted April 24, 2009

Think about the example sites you listed, though. Google, Yahoo, Hotmail, etc. Think of them as companies as a whole. Sure, they have CAPTCHA to weed out all the weaksauce bots because they are just so damn common, but think about what those companies mainly do: they are search engines, or have search engines/web indexers as a facet of their company. Don't you think it's in their best interest to know everything that's going on out there, what all is living out there on the web? Spend some time meditating on and visualizing the web, my friend.
mikesta707 Posted April 24, 2009

> How would this work? It is a contact form page. Everyone and anyone would possibly need access to it.

Oh, OK, I wasn't sure; you just said it was on a client's email. Sorry about that.
healy787 (Author) Posted April 24, 2009

Crayon, I am not sure in what way to take your last response. However, I respect your views and trust it wasn't meant to come across as sarcastic. Mikesta707, thank you very much for your suggestions; I probably didn't explain it clearly enough to begin with, but thank you for your help. I am always grateful for positive responses. Thanks all for your help. I shall look into replacing the CAPTCHA system.
.josh Posted April 24, 2009

Meant no offense by it. I was saying, if you want to get a clear picture of how things work, spend some time meditating on, visualizing and observing it.
healy787 (Author) Posted April 25, 2009

Thanks Crayon.