
Periodic Jargon Sent Thru Simple Form?


justravis


I periodically receive these weird emails from our web form.

 


 

from: ntcmbhn <crzqhz@idotvx.com>

subject: ADA Web: IuPyKAxHvWGq

Body:

ylMS24  <a href="http://bvzyhqvdnrkq.com/">bvzyhqvdnrkq</a>, aecoaxaxwnpr, [link=http://yanczwljvulo.com/]yanczwljvulo[/link], http://wughqztmyzta.com/

 


 

I don't BELIEVE this is disrupting any legitimate submissions.

 

Besides having random text inside an image for them to retype, how can I avoid this?

 

Or do you see anything wrong with my code?

 

 

Thanks for your time!

 


 

<?php


// Only handle the request when the form's submit button was posted.
if(!empty($_POST['send']))
{
$arrErrs=chkusual();	// helper not shown in this post

if(!$arrErrs)
{
	if(empty($_POST['recipient']))
	{
		$to='Able-Disabled Advocacy ';
		#$to.='<test@powerontechnologies.com>';
		$to.='<ada@able2work.org>';
	}
	else
	{
		// Recipient comes straight from the POST data.
		$to=$_POST['recipient'] . '@able2work.org';
	}

	$subj="ADA Web: {$_POST['subj']}";

	$msg=$_POST['msg'];

	// Name and email go into the From: header exactly as submitted.
	$sent=mail($to, $subj, $msg, "From: {$_POST['name']} <{$_POST['email']}>");

	// Auto-reply to the address the visitor entered.
	$autoto=$_POST['email'];
	$autosubj='Thank you for contacting Able-Disabled Advocacy!';
	$automsg='We appreciate you taking the time to visit our website.  A staff member will reply to your email shortly.';

	$autosent=mail($autoto, $autosubj, $automsg,"From: $to");
}
}

?>
<html>
<body>
<?php

if($sent && $autosent)
{
echo "$autosubj<br />\n";
}
else
{
?>
If you would like to send us an email, please submit the form below.<br />
<form action='<?php echo $PHP_SELF ?>' method='post'>
<input type=hidden name=reqTypeNotArr id=reqTypeNotArr value="recipient,Please choose a recipient;name,Please enter your name;email,Please enter your email address;msg,Please enter a message">
<input type=hidden name=reqEmail id=reqEmail value="email">
<table>
<tr>
	<td width=10px valign=top>
		Recipient:
	</td>
	<td>
		<select name='recipient' id='recipient'>
			<option value=''>Select A Recipient</option>
			<option value=elaine>Cooluris, Elaine - Executive Director</option>
			<option value=bob>Eagleman, Bob - Director of Operations</option>
			<option value=jacki>Farrington, Jacki - YouthBuild Program Manager</option>
			<option value=luis>Gallegos, Luis - Director of Information Technology</option>
			<option value=cindy>Lennon, Cindy - PWI Program Director</option>
			<option value=travis>Perreira, Travis - Special Projects Coordinator & Webmaster</option>
			<option value=denise>Yoggerst, Denise - Special Projects Manager</option>
		</select>
		<?php outerrs('recipient', $class='err', $startbr=1) ?>
	</td>
</tr>
<tr>
	<td>
		Your Name:
	</td>
	<td>
		<input type='text' name='name' id='name' value="<?php echo $_POST['name'] ?? '' ?>"/>
		<?php outerrs('name', $class='err', $startbr=0) ?>
	</td>
</tr>
<tr>
	<td valign=top>
		Your Email:
	</td>
	<td>
		<input type='text' name='email' id='email' value="<?php echo $_POST['email'] ?? '' ?>"/>
		<?php outerrs('email', $class='err', $startbr=0, $endbr=1) ?>
	</td>
</tr>
<tr>
	<td>
		Subject:
	</td>
	<td>
		<input type='text' name='subj' id='subj' value="<?php echo $_POST['subj'] ?? '' ?>"/>
	</td>
</tr>
<tr>
	<td colspan=2>
		Message:<br />
		<?php outerrs('msg', $class='err', $startbr=0) ?>
		<textarea cols=40 rows=5 name='msg' id='msg'><?php echo $_POST['msg'] ?? '' ?></textarea><br />
	</td>
</tr>
<tr>
	<td colspan=2 align=center>
		<input type='submit' name='send' id='send' value='send'>
	</td>
</tr>
</table>
</form>
</body>
</html>

 

Link to comment
Share on other sites

I'll assume by that you mean spam. Then no. You'll have to run checks yourself to make sure that one is entering a legitimate submission, although this isn't the easiest thing.

 

If you're getting that from a spambot, disallow bots and add a simple 'What is 4+2?' question. I did that on mine since CAPTCHA was becoming annoying to use.

Link to comment
Share on other sites

Yeah, that is a bot. I was getting those types of emails when I ran a ptc site a few years back; through logs I found it was a server doing the "post".

 

So yeah, a simple math problem should solve 99.999% of bot-spam, though not the human kind.

 

Those kinds of emails seem more like an attempt to find a way to exploit the server than anything. There are some quite complex worms that will auto-hack servers, so that's likely what it was. That or a bored 3 year old  :shrug:

Link to comment
Share on other sites

Possibly. I'm no expert at coding security, but there are certain techniques to poison (inject code) forms to gain control and use it to send emails.

 

I do have to point out one obvious error though. You jump right into using the variables received from POST without filtering them.

 

http://www.webreference.com/programming/php/DataFiltering/

 

SQL isn't at risk here, but the formatting (including destination address) are data you don't want to be edited.

 

You'll have to find ways to get interested in security to learn a lot about it. I'm majoring in it, and always looking up things on the light and dark sides.

 

I found this interesting: http://www.google.com/search?q=ylMS24&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a

 

Tell me the first result! There were only 4, just crazy. Based on that, the person who sent the email could have tracked you here. Scary stuff eh?

Link to comment
Share on other sites
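The filtering that the reply above asks for, applied to this form's fields, as an added example (not the original poster's code and not taken from the linked article). It assumes PHP 7.4+; `validate_contact()` and `has_header_break()` are hypothetical names, the recipient keys are copied from the form's `<select>`, and the sample submissions are constructed.

```php
<?php
// Added example (not the poster's code). Assumes PHP 7.4+.
// Recipient keys copied from the form's <select>; nothing else may choose the To: address.
const RECIPIENTS = ['elaine', 'bob', 'jacki', 'luis', 'cindy', 'travis', 'denise'];

// CR, LF or NUL inside a header value would let the sender start a new header line.
function has_header_break(string $value): bool
{
    return preg_match('/[\r\n\0]/', $value) === 1;
}
// Takes the raw $_POST array; returns [clean fields, errors keyed by field name].
function validate_contact(array $post): array
{
    $get = fn(string $k): string => is_string($post[$k] ?? null) ? trim($post[$k]) : '';
    $clean = ['recipient' => $get('recipient'), 'name' => $get('name'),
              'email' => $get('email'), 'subj' => $get('subj'), 'msg' => $get('msg')];
    $errors = [];
    if (!in_array($clean['recipient'], RECIPIENTS, true)) {
        $errors['recipient'] = 'Please choose a recipient';
    }
    // name and subj both end up in mail headers, so line breaks are refused outright.
    if ($clean['name'] === '' || has_header_break($clean['name'])) {
        $errors['name'] = 'Please enter your name';
    }
    if (has_header_break($clean['subj'])) {
        $errors['subj'] = 'Subject must be a single line';
    }
    if (filter_var($clean['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'Please enter your email address';
    }
    if ($clean['msg'] === '') {
        $errors['msg'] = 'Please enter a message';
    }
    // Characters that would break out of the "Name <address>" form are dropped.
    $clean['name'] = str_replace(['<', '>', '"'], '', $clean['name']);
    return [$clean, $errors];
}

// Constructed sample submissions: one ordinary, one with an unlisted recipient
// and a line break inside the email field.
$samples = [
    ['recipient' => 'travis', 'name' => 'Pat', 'email' => 'pat@example.org',
     'subj' => 'Hours', 'msg' => 'When are you open?'],
    ['recipient' => 'x@elsewhere.example', 'name' => 'a', 'subj' => '',
     'email' => "a@example.org\r\nX-Test: 1", 'msg' => 'hi'],
];
foreach ($samples as $post) {
    [, $errors] = validate_contact($post);
    echo $errors ? 'rejected: ' . implode(', ', array_keys($errors)) : 'accepted', "\n";
}
```

Only values from `$clean` should be passed on to `mail()`, and only when `$errors` is empty.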

  • 3 weeks later...

I've seen that before, but the dumb admin decided to make it longer words.

If I ever go to any of your sites, and I see a question like "What's 'ENCYCLOPEDIA' spelled backward?" for your CAPTCHA, I will never talk to you again. :l

 

P.S. For the record, it's 'AIDEPOLCYCNE'.

Link to comment
Share on other sites
