  1. #1
    New Coder
    Join Date
    Jan 2005
    Posts
    85
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Contact forms abuse?

    Hi all,

    We have several contact forms on our site - simple .php scripts that take the contents of a form and e-mail us the comments.

    Lately we have been experiencing some shenanigans with the forms! We get several dozen submissions a day from the forms - but not all from legitimate site users. The bulk of the submissions are from e-mail addresses that contain our domains - like

    thee9173@ourdomain.com
    o4228@ourdomain.com

    The message bodies are empty and the subject line is as such:

    Subject: rely upon tto s power of observation his

    Anyone know what this is all about and how we can stop it?

    The form we currently use, I found over at HotScripts, is the wmdformmailer.php. Maybe someone could suggest a better form.

    Thanks!
    Dodge

  • #2
    $object->toCD-R(LP); vinyl-junkie's Avatar
    Join Date
    Jun 2003
    Posts
    3,092
    Thanks
    2
    Thanked 23 Times in 23 Posts
    If the message body is empty or less than a certain number of characters, do something like this:

    Code:
    if (strlen($message) <= 10) {
    	header("location: http://www.mydomain.com");
    	exit();
    }
    To combat the bogus email address problem that you mentioned, you might consider incorporating the PEAR Validate class into your code.

    One of the things I had noticed was that some of these auto spammers were using my domain name in their email address. For example, mydomain.com would use an email address of something like jfkdjf@mydomain.com. To circumvent that sort of thing, I put this code in place:

    Code:
    $fromtest = strpos($from, 'mydomain.com');
    
    if($from == "" || $fromtest == true) {
     header("location: http://www.mydomain.com");
     exit();
    }
    Doing things like this seems to have stopped the contact form spam, for the time being at least.

    Hope this helps.
    Music Around The World - Collecting tips, trade
    and want lists, album reviews, & more
    SNAP to it!

  • #3
    New Coder
    Join Date
    Jan 2005
    Posts
    85
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Thank you very much!

    Could I further bother you to explain "where" those code snippets go? I'm afraid that I have no working knowledge of .php (if that is what that is?).

    I'm including the script - the one I'm currently using - could you take a look and see if it could be modified with the ideas you had above?

    Or does that info, you mentioned, actually go in the form?

    Thanks
    Dodge

    Code:
    <?php
    $toMail = ''; // your email address
    $CCMail = ''; // CC (Carbon copy) also send the email to this address (leave empty if you don't use it)
    $thanksPage = ''; // the URL of the thank you page.
    $mailSub = ''; // the subject of the email
    // If you are asking for a email address in your form, you can name the input fields "EMail".
    // It's necessary that you should have an "EMail" input field in your HTML form. You just need to call this script in your form like: <FORM action="wmdformmailer.php" method="post" name="ContactForm" id="ContactForm">
    // If you do this, the message will appear to come from that email address and you can simply click the reply button to answer it.
    // You can use this script to submit your forms or to receive orders by email.
    
    //================= DON'T EDIT BELOW THIS CODE ==============================
    if(isset($_POST['EMail'])){
    	$mailBody = '<font face="arial" size="2" color="#000000">';
    	foreach ($_POST as $field => $input) {
    		// skip the submit/reset buttons (both conditions must hold, so && rather than ||)
    		if(strtolower($field) != 'submit' && strtolower($field) != 'reset'){
    			$mailBody .= '<b>'.ucfirst ($field) .' : </b>'. trim(strip_tags($input)) . '<br>';
    		}
    	}
    	//===============================================================
    	$mailBody .= '</font>';
    	//===============================================================
    	$usrMail = $_POST['EMail'];
    	$headers = "From:$usrMail\r\n";
    	$headers .= "cc:$CCMail\r\n";
    	$headers .= "Content-type: text/html\r\n";
    	$sendRem = mail($toMail, $mailSub, $mailBody, $headers);
    	if($sendRem){
    		header('location:'.$thanksPage);
    		exit;
    	}else{
    		print '<h2>Failed to send your query.</h2>';
    		print '<h3>Please Try Later.</h3>';
    	}
    }
    
    ?>

  • #4
    $object->toCD-R(LP); vinyl-junkie's Avatar
    Join Date
    Jun 2003
    Posts
    3,092
    Thanks
    2
    Thanked 23 Times in 23 Posts
    I didn't incorporate the Validate class in this (I don't use it myself), but here is some altered (and untested) code for you. Bolded items are the new stuff. Note: Be sure to change mydomain.com to whatever your domain name is.
    Code:
    <?php
    $toMail = ''; // your email address
    $CCMail = ''; // CC (Carbon copy) also send the email to this address (leave empty if you don't use it)
    $thanksPage = ''; // the URL of the thank you page.
    $mailSub = ''; // the subject of the email
    $myDomain = 'mydomain.com'; // change this to your own domain name
    // If you are asking for a email address in your form, you can name the input fields "EMail".
    // It's necessary that you should have an "EMail" input field in your HTML form. You just need to call this script in your form like: <FORM action="wmdformmailer.php" method="post" name="ContactForm" id="ContactForm">
    // If you do this, the message will appear to come from that email address and you can simply click the reply button to answer it.
    // You can use this script to submit your forms or to receive orders by email.
    
    //================= DON'T EDIT BELOW THIS CODE ==============================
    if(isset($_POST['EMail'])){
    	// strip line breaks so the address cannot smuggle extra mail headers
    	$usrMail = str_replace(array("\r", "\n"), '', trim($_POST['EMail']));
    	// reject an empty "from" address, or one that claims to be on our own domain;
    	// strpos() returns the match position or false, so compare against false with !==
    	$fromtest = strpos($usrMail, $myDomain);
    	if($usrMail == "" || $fromtest !== false) {
    		header("location: http://www.mydomain.com");
    		exit();
    	}
    	$mailBody = '<font face="arial" size="2" color="#000000">';
    	$msgLen = 0; // length of the visitor's own text, not counting the HTML wrapper
    	foreach ($_POST as $field => $input) {
    		if(strtolower($field) != 'submit' && strtolower($field) != 'reset'){
    			$text = trim(strip_tags($input));
    			$mailBody .= '<b>'.ucfirst ($field) .' : </b>'. $text . '<br>';
    			if(strtolower($field) != 'email'){
    				$msgLen += strlen($text);
    			}
    		}
    	}
    	// reject submissions with an empty (or nearly empty) message body
    	if ($msgLen <= 10) {
    		header("location: http://www.mydomain.com");
    		exit();
    	}
    	//===============================================================
    	$mailBody .= '</font>';
    	//===============================================================
    	$headers = "From:$usrMail\r\n";
    	$headers .= "cc:$CCMail\r\n";
    	$headers .= "Content-type: text/html\r\n";
    	$sendRem = mail($toMail, $mailSub, $mailBody, $headers);
    	if($sendRem){
    		header('location:'.$thanksPage);
    		exit;
    	}else{
    		print '<h2>Failed to send your query.</h2>';
    		print '<h3>Please Try Later.</h3>';
    	}
    }
    
    ?>
    Music Around The World - Collecting tips, trade
    and want lists, album reviews, & more
    SNAP to it!

  • #5
    New Coder
    Join Date
    Jan 2005
    Posts
    85
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Thank you, I will give this a try.

    Is there a way to test this or do I just wait and see if I get any more of those bogus e-mails?

    I tried using the form and inputing an e-mail address on that domain and it went through with no trouble ... I don't know what that means. :\ Should it have rejected that submission?

    Thanks
    Dodge

  • #6
    $object->toCD-R(LP); vinyl-junkie's Avatar
    Join Date
    Jun 2003
    Posts
    3,092
    Thanks
    2
    Thanked 23 Times in 23 Posts
    You need to change that code from mydomain.com to whatever your website domain is. Then test it with some bogus email address from your domain as the "from" email address. Your contact form should reject mail from there if it is working properly. Also, test it with an empty message body, which should also get rejected.
    Music Around The World - Collecting tips, trade
    and want lists, album reviews, & more
    SNAP to it!

  • #7
    Regular Coder ralph l mayo's Avatar
    Join Date
    Nov 2005
    Posts
    951
    Thanks
    1
    Thanked 31 Times in 29 Posts
    Small caveat:

    Quote Originally Posted by vinyl-junkie
    Code:
    $fromtest = strpos($from, 'mydomain.com');
    
    if($from == "" || $fromtest == true) {
     header("location: http://www.mydomain.com");
     exit();
    }
    strpos(haystack, needle) never returns true, only false or an integer indicating the starting position of needle in haystack. This snippet only works by fluke since PHP treats nonzero integers as true. More correct usage:

    PHP Code:
    $fromtest = strpos($from, 'mydomain.com');

    // !== means not identical to, != means not equal to.  the former is more correct in boolean logic
    if($from == "" || $fromtest !== false) {
    	header("location: http://www.mydomain.com");
    	exit();
    }

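    The checks discussed in this thread (empty message, "from" address on our own domain, and the correct strpos() comparison from the caveat above) collected into one reusable function, as an added example that is not code from the thread or from wmdformmailer.php. It assumes the form posts its text in a field named "Message" and also rejects malformed addresses and addresses containing line breaks, which a form mailer would otherwise copy into mail headers.

```php
<?php
// Added example (not from the thread): one spam check for a PHP form mailer.
// Returns a list of reasons to reject the submission; an empty list means accept.
function contact_form_problems(array $post, $ownDomain) {
    $problems = array();
    $from = isset($post['EMail']) ? trim($post['EMail']) : '';
    // "Message" is an assumed field name; the thread never shows the HTML form.
    $message = isset($post['Message']) ? trim(strip_tags($post['Message'])) : '';

    if ($from === '') {
        $problems[] = 'empty from address';
    } elseif (preg_match('/[\r\n]/', $from)) {
        // a line break here would end the From: header and start a new one
        $problems[] = 'line break in from address';
    } elseif (filter_var($from, FILTER_VALIDATE_EMAIL) === false) {
        $problems[] = 'malformed from address';
    } elseif (stripos($from, '@' . $ownDomain) !== false) {
        // strpos()/stripos() return the match offset (possibly 0) or false,
        // so the only safe comparison is against false with !==, never == true
        $problems[] = 'from address claims to be on our own domain';
    }
    if (strlen($message) <= 10) {
        $problems[] = 'message body empty or too short';
    }
    return $problems;
}

// Constructed sample submissions for a quick self-test (not real traffic).
$samples = array(
    'spam'   => array('EMail' => 'thee9173@ourdomain.com', 'Message' => ''),
    'inject' => array('EMail' => "x@example.net\r\nBcc: someone@example.org",
                      'Message' => 'Hello there, this is long enough'),
    'ok'     => array('EMail' => 'alice@example.net',
                      'Message' => 'Hi, I have a question about an order.'),
);
foreach ($samples as $label => $post) {
    $problems = contact_form_problems($post, 'ourdomain.com');
    echo $label, ': ', $problems ? implode('; ', $problems) : 'accepted', "\n";
}
```

    Wire it into the mailer by calling it right after the isset($_POST['EMail']) check and redirecting away when the returned list is not empty.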

  • #8
    New Coder
    Join Date
    Jan 2005
    Posts
    85
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Okay - vinyl-junkie - I did replace mydomain with our domain ... this morning my inbox was full of the offending e-mails, so something went wrong in there somewhere; could have been something I did. :|

    Ralph | Mayo - when I used your code it broke the process completely. No mail was delivered and I wasn't directed to the "thanks" page. I don't know what the deal is there - I replaced Vinyl-junkie's code with yours.

    Thanks!
    Dodge

  • #9
    $object->toCD-R(LP); vinyl-junkie's Avatar
    Join Date
    Jun 2003
    Posts
    3,092
    Thanks
    2
    Thanked 23 Times in 23 Posts
    If you'd like, PM me with the full script including the contact form. I'll have a look at the code, plus try it out on my server. I'll change the appropriate code to point to my domain instead of yours before testing it out. (I promise I won't use the script to spam you.)
    Music Around The World - Collecting tips, trade
    and want lists, album reviews, & more
    SNAP to it!

  • #10
    New Coder
    Join Date
    Jan 2005
    Posts
    85
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Thank you for that nice offer. After talking to my webhost and showing them the script they were sufficiently concerned enough to design me a secure backend script for our forms... it's to everyone's benefit to stop the spam when possible so they are not even charging me for the dev time.

    Thanks so much for the time and help with this.

    Dodge

