  1. #1
    Regular Coder
    Join Date
    Jan 2006
    Posts
    377
    Thanks
    8
    Thanked 1 Time in 1 Post

    Form injection: Is it THAT bad?

    One of my clients' accounts was suspended two days ago because of huge email traffic. Reports say that nearly 28000 emails were sent through that domain. My client is unable to send that many emails, so it must have been some sort of spam effort. The first thing I thought of was the forms on the website. There is a contactus form and a login form for member entry. On the contactus form, I thought I had taken some precaution using:

    PHP Code:
    <?php
    if (isset($_POST['postquote'])) {
        $name   = $_POST['name'];
        $gender = $_POST['gender'];
        $email  = $_POST['email'];
        $email  = urldecode($email);

        // Only the email field is checked for a carriage return or line feed
        if (eregi("\r", $email) || eregi("\n", $email)) {
            $admin_to      = "admin@mydomain.com";
            $admin_subject = "Spammer Injection";
            $admin_message = "Sir, spammer injection has been a failure, script died as you ordered!\n\nEmail Phrase is: $email";
            $admin_from    = "Spam Warrior Of My Domain";
            mail($admin_to, $admin_subject, $admin_message, "From: $admin_from\n");
            die("Why ?? :(");
        }

        // The remaining fields (and $name, $gender above) are taken as-is, without the check
        $phone = $_POST['phone'];
        $fax   = $_POST['fax'];
        $quote = $_POST['quote'];

        // code to send email

    }

    // contactus form

    ?>
    Obviously that was not enough. I protected the email field, but it seems the spammers may be using the other fields to send email. So I have to protect the other fields as well. How can I do this? Is there no escape from these spammers?
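
    As an added example (not code from the original post), this reproduces the From header that the handler above builds, "From: $name <$email>\n", with the injection arriving through $name instead of $email, and extends the same CR/LF test to every field that ends up in a header. The $post array is constructed for the demonstration; the field names are the ones from the form.

    ```php
    <?php
    // Added example, not the original poster's code. It reproduces the header
    // the handler in the post builds ("From: $name <$email>\n") and generalises
    // the CR/LF test from $email to every field that reaches a header.
    // The $post array below is constructed for the demonstration.

    /** The From header exactly as the original handler assembles it (unsafe). */
    function original_from_header(string $name, string $email): string
    {
        return "From: $name <$email>\n";
    }

    /**
     * Return the names of all fields that contain a carriage return or a line
     * feed. Test the exact string that will be placed in the header, after any
     * decoding you apply to it (the original applies urldecode() to $email).
     * PHP has already percent-decoded $_POST, so an encoded %0d%0a arrives as
     * a real CR LF; a literal "%0d%0a" that stays undecoded does not break a
     * header line.
     */
    function fields_with_line_breaks(array $fields): array
    {
        $bad = [];
        foreach ($fields as $key => $value) {
            if (preg_match('/[\r\n]/', (string) $value) === 1) {
                $bad[] = $key;
            }
        }
        return $bad;
    }

    // Constructed sample: the bot leaves $email clean and puts the payload in
    // $name, which the original check never looks at.
    $post = [
        'name'   => "John\r\nBcc: victim1@example.com, victim2@example.com\r\n\r\nBuy now",
        'email'  => 'john@example.com',
        'gender' => 'male',
        'phone'  => '',
        'fax'    => '',
        'quote'  => 'hello',
    ];

    // The original test, which looks at $email only, finds nothing.
    var_dump(fields_with_line_breaks(['email' => $post['email']]));

    // What mail() would receive as its additional headers: an extra Bcc line,
    // a blank line and body text, all injected through $name.
    echo original_from_header($post['name'], $post['email']);

    // Checking every header-bound field instead names the culprit.
    var_dump(fields_with_line_breaks($post));
    ```

    Run as a script, the first var_dump shows an empty array, the echoed header block carries the Bcc line the bot supplied, and the second var_dump lists "name". Whatever the bot sends in the other fields, the decision in the handler should be the same one the original already takes for $email: refuse the request if any field that will be placed in a header contains CR or LF.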

  • #2
    Senior Coder
    Join Date
    Aug 2003
    Location
    One step ahead of you.
    Posts
    2,815
    Thanks
    0
    Thanked 3 Times in 3 Posts
    What's the "code to send email"?

  • #3
    Master Coder
    Join Date
    Jun 2003
    Location
    Cottage Grove, Minnesota
    Posts
    9,538
    Thanks
    8
    Thanked 1,093 Times in 1,084 Posts
    Also, try this:

    First of all, give your email script a random name, such
    as e442ma23il.php ... (not "formmail.php", or "email.php")

    Then, create two other email forms, one with the script
    name "formmail.php", another with "email.php". Put these into
    your website before your REAL form, but comment them out.
    The spamming robots will look through your HTML source and
    see the form(s), but visitors to your site will not see them, as
    they are commented-out.

    Once a spamming robot sees a form and recognizes "formmail.php",
    it will process that form and exit your site. In my experience, the robot
    will not look any further.

    A friend of mine had the same problem until I put in the commented-out
    forms ... see this example: http://www.emilykimball.com/contact.php

    View the HTML source and you'll see the fake forms served-up for the robots.

  • #4
    Senior Coder
    Join Date
    Feb 2003
    Posts
    1,665
    Thanks
    0
    Thanked 27 Times in 25 Posts
    I've found that checking for valid UA and referer info was enough to stop form spam abuse on my own site's form a while back.

    e.g.
    Code:
    // Pages the form may legitimately be submitted from
    $referpages[] = 'http://mydomain.com/contact.php';
    $referpages[] = 'http://www.mydomain.com/contact.php';

    $valid_ua = !empty($_SERVER['HTTP_USER_AGENT']);
    $valid_referer = !empty($_SERVER['HTTP_REFERER']) && in_array($_SERVER['HTTP_REFERER'], $referpages);

    // check_email_address() is the poster's own validation function (not shown here)
    $username_ok = !empty($_POST['user_name']);
    $useremail_ok = !empty($_POST['user_email']) && check_email_address($_POST['user_email']);
    $usermssg_ok = !empty($_POST['user_mssg']);


    /* FINAL CHECKS */

    if ($valid_ua && $valid_referer && $username_ok && $useremail_ok && $usermssg_ok) {
        // send the form and return thanks;
    } else {
        // return to form and highlight errors;
    }
    I've never needed to insert spoof form handlers and I've never had to use cryptic file names*. The checks for UA and valid referers have always kept the form secure.


    (* I tend to build the form handler script into the head of the actual form page. I submit the form back to the form page. Saves having to add extra files to a site.)
    Last edited by Bill Posters; 11-06-2006 at 03:09 PM.

  • #5
    Regular Coder
    Join Date
    Jan 2006
    Posts
    377
    Thanks
    8
    Thanked 1 Time in 1 Post
    Thanks for the answers, will evaluate them one by one.

    @marek

    Here is the code to send email:

    Code:
    	$to = "info@mydomain.com";
    	$subject = "[Mydomain] Feedback";
    	$fullname = "$name <$email>, ($gender)";   // built here but not used below
    	$message = "";
    	$message .= "Following message has been sent to you from mydomain website:\n\n";
    	$message .= "Sender: $name\n";
    	$message .= "Email: $email\n";
    	$message .= "Gender: $gender\n";
    	$message .= "Tel: $phone\n";
    	$message .= "Fax: $fax\n\n";
    	$message .= "Message content:\n$quote\n";

    	include("header.php");

    	// $name and $email go straight into the additional headers passed to mail()
    	if (mail($to,$subject,$message,"From: $name <$email>\n")){
    		echo "<p>Dear $name, your message has been sent to our staff successfully...</p>";
    	} else {
    		echo "<p>There has been an error while sending your message to our staff.</p>";
    	}
    	include("footer.php");
    	exit();

  • #6
    vinyl-junkie
    Join Date
    Jun 2003
    Posts
    3,100
    Thanks
    2
    Thanked 23 Times in 23 Posts
    You might want to also read this page. It explains a lot of the ways that your contact form can be used as a spam relay, and more importantly, how to stop it. The more you know about this sort of thing, the more measures you can take to prevent it from happening with your own form.

  • #7
    Regular Coder
    Join Date
    Jan 2006
    Posts
    377
    Thanks
    8
    Thanked 1 Time in 1 Post
    @mlseim

    Hi, how come the robots are not smart enough to understand that your form info is commented out? And why don't they parse the whole page and take your actual third form into account?

  • #8
    Master Coder
    Join Date
    Jun 2003
    Location
    Cottage Grove, Minnesota
    Posts
    9,538
    Thanks
    8
    Thanked 1,093 Times in 1,084 Posts
    Quote Originally Posted by guvenck
    Hi, how come the robots are not smart enough to understand that your form info is commented out? And why don't they parse the whole page and take your actual third form into account?
    I'm not sure, but the spamming stopped. I think that the programs they are
    using only take the time to hit the first form, then they move on to the next
    site? I'm not a spamming robot expert, but it could be the same way
    burglars hit parking lots. Quickly check each car and spend as little time as
    possible with each one. If you find something, grab it and move on.

  • #9
    Senior Coder CFMaBiSmAd
    Join Date
    Oct 2006
    Location
    Denver, Colorado USA
    Posts
    3,147
    Thanks
    2
    Thanked 333 Times in 325 Posts
    One more obvious problem is that you put the un-tested $name variable from the form into the header field - "From: $name <$email>\n"

    In addition to the other checks mentioned, I recommend putting any name/email into the message body (which you already have) and making the From: address be your email address. The email looks like an email to yourself from yourself and there is no way that the header parameter can be misused.
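
    As an added example (not code from the post above or from the original poster), this is the sending side of the contactus form rebuilt the way the post suggests: the From address is fixed to the site's own address, every form value goes into the body, and the only header derived from user input, an optional Reply-To, is added only when the address passes validation. SITE_FROM and the field names are placeholders taken from the thread; the $hostile array is constructed.

    ```php
    <?php
    // Added example, not the original poster's code. Nothing typed by the user
    // is placed in a header except an optional Reply-To, and that only after
    // filter_var() has accepted the address. SITE_FROM and the field names are
    // placeholders from the thread; $hostile is constructed input.

    const SITE_FROM = 'info@mydomain.com';

    /** Pull the expected fields out of the request; missing ones become ''. */
    function collect_fields(array $request): array
    {
        $fields = [];
        foreach (['name', 'email', 'gender', 'phone', 'fax', 'quote'] as $key) {
            $fields[$key] = (string) ($request[$key] ?? '');
        }
        return $fields;
    }

    /** The body is free text: a line break here can never reach the header block. */
    function build_body(array $f): string
    {
        return "Following message has been sent to you from mydomain website:\n\n"
             . "Sender: {$f['name']}\n"
             . "Email: {$f['email']}\n"
             . "Gender: {$f['gender']}\n"
             . "Tel: {$f['phone']}\n"
             . "Fax: {$f['fax']}\n\n"
             . "Message content:\n{$f['quote']}\n";
    }

    /**
     * Headers carry nothing from the form except an optional Reply-To, added
     * only when FILTER_VALIDATE_EMAIL accepts the value; that filter rejects
     * any string containing whitespace or control characters, so a CR or LF
     * in the submitted address simply drops the Reply-To line.
     */
    function build_headers(string $reply_to): array
    {
        $headers = ['From' => SITE_FROM];
        if (filter_var($reply_to, FILTER_VALIDATE_EMAIL) !== false) {
            $headers['Reply-To'] = $reply_to;
        }
        return $headers;
    }

    /** Mail to yourself, from yourself, as the post suggests. */
    function send_feedback(array $request): bool
    {
        $fields = collect_fields($request);
        // mail() accepts an associative array of headers since PHP 7.2.
        return mail(SITE_FROM, '[Mydomain] Feedback', build_body($fields), build_headers($fields['email']));
    }

    // Constructed hostile input: injection attempts in both name and email.
    $hostile = [
        'name'  => "John\r\nBcc: victim@example.com",
        'email' => "john@example.com\r\nBcc: victim@example.com",
        'quote' => 'hello',
    ];
    $fields = collect_fields($hostile);

    // Only the fixed From header survives; the injected text is visible in the
    // body, where it is harmless.
    print_r(build_headers($fields['email']));
    echo build_body($fields);
    ```

    Run as a script, print_r shows a headers array containing only From, and the Bcc text appears inside the body where the staff reading the message can see the attempt. A clean address such as john@example.com would add a Reply-To line and nothing else, so replying to a genuine visitor still works.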

