
The script tied to my contact form worked flawlessly for several years. Suddenly, I am receiving spam. Although I created a new email address for this purpose, it started getting spam within 24 hours. Can I protect the script somehow?

<?php
if (isset($_POST['submit'])) {
    $post = true;
    $fail = '';
    $sender  = $_POST['SenderName'];
    $email   = $_POST['SenderEmail'];
    $subject = stripslashes(trim($_POST['Subject']));
    $text    = stripslashes(trim($_POST['MessageText']));
    // Only checks that the address contains an '@' and a '.'
    if (!strpos($email, '@') || !strpos($email, '.')) {
        $fail = "Reason: Please enter your valid return email address";
    } elseif (strlen(trim($text)) == 0) {
        $fail = "Reason: You did not type in a message";
    } else {
        $text    = nl2br(htmlentities(trim($text), ENT_QUOTES, "", false));
        $sender  = "\"$sender\" <$email>";
        $subject = "inquiry";
        $m_email = 'meow@meow.com';
        $head = "<html><head><title>inquiry</title></head><body>";
        $tail = "</body></html>";
        $text = $head . $text . $tail;
        // Mail headers are assembled from the submitted name and address as-is
        $headers  = '';
        $headers .= "From: $sender\r\n";
        $headers .= "Reply-to: $email\r\n";
        $headers .= "Return-path: $email\r\n";
        $headers .= 'Envelope-from: auto@meow.com' . "\r\n";
        $headers .= 'MIME-Version:1.0' . "\r\n";
        $headers .= 'Content-type: text/html; charset=iso-8859-1' . "\r\n";
        $mail_sent = mail($m_email, $subject, $text, $headers, "-f auto@meow.com");
        if ($mail_sent == false) $fail = 'Server Error: Email could not be sent at this time.';
    }
    if ($fail) {
        echo "<div id=\"mail_send_msg\"><h2>Sorry, your message could not be sent.<br />$fail</h2></div>\n";
    } else {
        echo "<div id=\"mail_send_msg\"><h2>Your email message has been sent!</h2></div>\n";
    }
} else {
    echo "POST not recognized.";
}
?>

https://forums.phpfreaks.com/topic/314916-sudden-influx-of-spam/

firstly, these emails are NOT being sent from the email address that is entered in the form. they are being sent from the mail server at your web hosting and the From: and Return-path: email addresses must correspond to your web hosting. you can use the submitted email address as the Reply-to: address, after validating that it is exactly and only a validly formatted email address (checking that it contains an @ and a . is not sufficient.)

your code is open to mail header injection, so, a bot script can basically build an email with anything and send it to any email address. the spam emails you are receiving are just the copy being sent to your To: email address. you MUST validate all inputs before using them. for the entered email address, after you have trimmed and validated that it is not an empty string, use php's filter_var with the FILTER_VALIDATE_EMAIL flag (do NOT use the FILTER_SANITIZE_EMAIL flag as it alters the value.) if the entered email address passes all the validation, use it in the Reply-to: mail header.

Edited by mac_gyver
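The validated handler mac_gyver describes, written out as an added example that is not code from the thread: the field names match the original form, while MAIL_FROM is an assumed mailbox at the hosting account and the length limits are arbitrary choices.

```php
<?php
// Added example, not the thread's own code; MAIL_FROM is an assumed mailbox at the host.
const MAIL_FROM = 'auto@meow.com';
/**
 * Validate the POSTed fields. Returns ['errors' => [...], 'fields' => [...]].
 * Header fields are rejected if they contain CR or LF: a line break is what
 * lets a bot append its own headers (Bcc:, an extra To:) to the message.
 */
function validate_contact(array $post): array
{
    $errors = [];
    $fields = [];
    $limits = ['SenderName' => 100, 'SenderEmail' => 254,
               'Subject' => 150, 'MessageText' => 5000];
    foreach ($limits as $name => $max) {
        $value = trim((string) ($post[$name] ?? ''));
        if ($value === '') {
            $errors[] = "$name is required.";
        } elseif (strlen($value) > $max) {
            $errors[] = "$name is too long.";
        } elseif ($name !== 'MessageText' && preg_match('/[\r\n]/', $value)) {
            $errors[] = "$name must not contain line breaks.";
        }
        $fields[$name] = $value;
    }
    // filter_var instead of "contains @ and ."; FILTER_SANITIZE_EMAIL would
    // silently rewrite the value instead of rejecting it.
    if ($fields['SenderEmail'] !== ''
        && filter_var($fields['SenderEmail'], FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'Please enter a valid return email address.';
    }
    return ['errors' => $errors, 'fields' => $fields];
}
/** From: stays at the host; the validated visitor address goes only into Reply-To. */
function build_headers(string $replyTo): string
{
    return 'From: ' . MAIL_FROM . "\r\n"
         . "Reply-To: $replyTo\r\n"
         . "MIME-Version: 1.0\r\n"
         . "Content-Type: text/plain; charset=UTF-8\r\n";
}
// Constructed sample submissions: an honest one and one with a CRLF in the name.
$good = ['SenderName' => 'Alice', 'SenderEmail' => 'alice@example.com',
         'Subject' => 'Hello', 'MessageText' => "Hi,\nplease call me back."];
$bad = $good; $bad['SenderName'] = "Alice\r\nBcc: someone@example.com";
foreach (['good' => $good, 'bad' => $bad] as $label => $post) {
    $r = validate_contact($post);
    echo $label, ': ', $r['errors'] ? implode(' ', $r['errors']) : 'accepted', "\n";
}
```

Only when the errors array is empty should the script call mail() with build_headers($fields['SenderEmail']) and the message body sent as plain text; the CR/LF check is what closes the header-injection hole, and filter_var replaces the '@' and '.' test.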

It seems that the previous response is pointing out two items:

1) Your page is subject to bot attacks.

One solution to that is to create a method that would require human intervention to assure that the fields are being populated by a real person.

You can create a text input that requires a phrase ("yes I'm human") or a random number and validate it before the form will be allowed to submit.

2) Your entire method of validating the return email is whether a dot and @ exist in the email address.

There are loads of viewpoints online. Do a search for "PHP email validation".

Then, test what you code by trying to spam yourself.


You don't have to literally SPAM yourself.

But you DEFINITELY should TEST to make certain that the code you create works as expected.

Add one new piece at a time. Then, try to send yourself a message that would be INVALID. If it gets through, try harder. If it is successful, then move to another feature and test again.

PS: I find it effective to create a message to myself for definite confirmation.

if ($mail_sent) {
    echo "This worked great";
} else {
    echo "no luck this time";
}

After enjoying success, you can comment them out or remove them.


As an example of a simple but fairly effective solution, my contact form just has an input labeled "Secret Code" and instructs the user to type "nospam" in that field.

<div>
  <label for="secretCode">Secret Code:</label>
  <input type="text" name="secretCode" id="secretCode" placeholder="Type nospam here">
  <br>Type "nospam" above.
</div>

In your script, just check that the user typed the correct value in the field and show an error if not.

$errors = [];
//Other validation stuff.
if (($_POST['secretCode'] ?? '') !== 'nospam') {
    $errors[] = 'You did not enter the correct secret code.';
}

if ($errors){
    echo "Your message could not be sent because some errors were discovered in the information you provided.  ";
    echo "\r\n";
    foreach ($errors as $e){
        echo "\r\n* {$e}";
    }
    echo "\r\nPlease click back in your browser, correct the errors and try again.";
    exit;
}

I would also suggest you look into an emailing library rather than use the mail function directly. The libraries will help with the other security issues mentioned by properly constructing the headers and other data related to the email with the inputs you provide. I'm a fan of Swift Mailer (now Symfony Mailer), but there are others you could try as well.


3 hours ago, Sherio said:

Thank you, phppup. I have no clue how to spam myself, nor would I ask you to put it out there for the whole world to see. 🙂

It would be a good time to talk about what writing a PHP script consists mostly of, especially when new to it. Writing the code is actually the smallest portion of it all. You should be spending the majority of your time trying to break it and trying to exploit it. By breaking, as an example, you would try to input unexpected values in your form, leaving things empty, skipping processes, etc. You need to write code that recovers from things like this not just for the user's experience but for your protection. Exploitation is what's being discussed here. Header injections, SQL exploits, things like that can often be protected against just by using good code, good classes (like PHPMailer as an example, for mail capabilities) and utilizing built-in features like var sanitation through PHP.

It's cool if you don't understand what all this means yet but instead of writing an email form that can be exploited, you should be focusing on learning. Everyone being hammered by spam through your exploitable email form would thank you for it.
