Re: Newbie php problem



Beauregard T. Shagnasty wrote:

> Tim Greer wrote:
>
>> Beauregard T. Shagnasty wrote:
>>> Tim Greer wrote:
>>>> You probably want to evolve that script, but for the immediate
>>>> problem, why not have a form field that's a hidden HTML tag, which
>>>> is a specific value, and the script only executes the mail function
>>>> if (for example) the field name "mailed" is "wassubmitted" or any
>>>> combination you wish to use, and only then is it submitted.

>>> What would prevent the bot people from copying your contact form
>>> (View Source, of course), complete with "hidden" field, and
>>> submitting it to your action script from their own server?

>> Nothing would and that wasn't the intent of the reply. I said that
>> it would stop a lot of bots and (probably) the search engine spiders.

> Search engine spiders don't "submit" the form, so there is no worry
> there.

No kidding. The OP said that their script would send email without any
submission (being blank emails they received), which happens when a
search engine spider "hits" the page (i.e., no submission). If you
look at their code, you'll see why that happens. Requiring fields to
be submitted probably would mean they don't need to have a different
hidden field to prevent blank emails, but spambots pass common variable
names (which they use) to mail scripts by common names that are in
common paths, so that additional field could help prevent some spam
bots (form mail spam bots, to be clear).

>> All of the bots out there use specific preset fields to exploit
>> common mail forms,

> Spam bots?

Yes. There are spam bots that hit form mail scripts with common names,
in common paths, which attempt to automatically exploit them by passing
common field names to result in a successful submission. Not all of
them work that way or do the same thing, but those are the ones I was
mentioning in my initial response to the OP.

> Not in my experience.

Okay... ?

> There is a persistent spammer who
> keeps trying to exploit one of my contact forms. I have non-standard
> field names, and he will submit to my action script using compromised
> Windows zombies from around the planet.

There's no way to prevent a spammer that is manually trying to submit to
your form mail script, but you can easily prevent an automated spam
submission. Indeed, the field names (or the uniqueness of them)
wouldn't be relevant to that aspect. You'd want to use unique sessions
per request, per IP (being dynamic and unguessable), which will expire
in a short time. In addition, once the submission for that request has
been made, the session is removed and a new one for a new request must
be created. In addition to that, you would implement a means to have a
captcha in an image code that must match the requestor's IP and
session. Additional features would ensure that only one IP (unique
requester) could submit x number of times per hour or day, and any
attempts beyond 'x' would result in a block and no further emails or
processing (because saving processing is a good thing). That is, for
example, just some of the methods that are easily implemented, which
are pretty foolproof for any automated or zombied type of spam bots.

> He will try a few times a
> month. So then I will change the name of the file, change the name of
> a field or two, and a week later he is back testing/trying again.
> Since the link changed, he has to be coming back manually to find my
> 'new' contact page.

Changing the name of the file, field names, etc. is never a good method.
Security by obscurity is a bad idea. Implement something like I have
outlined in the previous paragraph and you won't have to worry.

>> so that would stop most (probably all), but if they copied the
>> field and value, then it would allow them to exploit it, of course.
>> Unlikely if your site isn't too popular and you use a unique field,
>> though. Of course, this is why I said that they'd want to use a more
>> advanced script, since there are better ways (and you can stop
>> automated bots completely, if you do it right). My suggestion was
>> simply to solve their immediate problem (and also to suggest a more
>> advanced script, which I also had done).

> My spammer isn't automated .. but if he found that he could exploit my
> form, you betcha he would automate it soon enough.

Right, and the OP's script was utterly vulnerable to an automated attack
(even if it would just be them that got the email). You are correct
that you can't stop a manual submission in most cases, but you can
limit it where they can't spam you (at least not to where they can
possibly automate it). You are welcome to view our contact form and
try and abuse it (I'm not kidding and I'm not being sarcastic), if you
want to see how the script I have coded for our contact form works.
Granted, the generated number for the code could be parsed since I
don't have it distort the font/text or cycle the colors or add
background noise, but we didn't feel that was needed. I had created a
similar script previously that was alphanumeric, it would randomly have
different numbers of characters (say 6 to 10, depending), cycling
through different font types, colors, font sizes, distortions (bending
at different angles/waves of the text) and background noise, but
always readable, which made it impossible for a program to turn the
image's characters into text to automate an attack or spam bot.
However, again, we didn't feel that was necessary in this case.

>>> IMO, a hidden field is next to useless for the purpose you
>>> described.

>> Not really. They wanted their script to be protected from search
>> engines and misguided posts, and if you require a specific field to
>> be posted, along with non-empty fields you should require, it'll suit
>> the purpose perfectly fine. If they want to make it so spam bots can't
>> take the source (or read the source) and use the fields to protect
>> from blank or spamful posts (they've only complained about blank
>> posts), then they'd certainly need to do more/different things, which
>> I suggested.

> Yes, the OP was only complaining about blank fields, and I guess I
> took it further than that.

Don't get me wrong, I can appreciate you taking it further -- the OP
will only benefit from it. I also mentioned they should evolve their
script and use a more advanced one, but I wanted to reply with a quick
solution for what they have now, without getting into gory details. No
doubt, it's not a perfect solution, but I didn't want to outline
examples, like I explained above, when I'd have felt I should offer
code examples and explain the logic to them (since they said they were
new to PHP).

>>> The simple answer is to test all fields
>>> prior to calling the mail() function. The OP's code fragment shows no
>>> testing at all. (Yes, I know it's only a fragment.)

>> Yes, I can't agree more. Simply requiring those fields would help
>> prevent search engine spiders from activating the mail() function, I
>> just suggested also adding a unique field that would need to be passed
>> to prevent a lot of the more basic of the automated spam bots. Agreed,
>> any spammer that actually looked at the source could then use that to
>> automate it, but that's why I suggested a more advanced solution (but I
>> didn't want to leave them hanging in the meantime with their current
>> complaint).

> But an additional hidden field won't help there.

Again, that was simply to add a very, very basic method to ensure they
weren't hit by spam bots that used the common field names, which (for
example) might be randomly hitting that page, resulting in his
blank emails. I don't imagine it would take much for more advanced
spam bots to have "learning" ability, to check the source for any
hidden fields or scrape some JavaScript if that was a different
solution, parse that and add it to the automated spam bot, so I don't
disagree it might not make any difference. As you can see above, I
have suggested a more complex and actually workable solution, which is
foolproof regarding bots (except the ones that can parse text from an
image, but if that was a concern, we'd quickly resolve that with the
solutions I mentioned above with random char numbers, font faces, text
sizes, distortions, colors and background noise). I clearly wasn't
suggesting that the extra hidden field (or requiring fields the OP
wants) to be some solution they should feel safe about, it was only to
provide a solution to the problem they reported (I did suggest a better
script to be used).
--
Tim Greer, CEO/Founder/CTO, BurlyHost.com, Inc.
Shared Hosting, Reseller Hosting, Dedicated & Semi-Dedicated servers
and Custom Hosting. 24/7 support, 30 day guarantee, secure servers.
Industry's most experienced staff! -- Web Hosting With Muscle!
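The two mechanisms the thread circles around, checking every required field before mail() ever runs (so a spider's GET or a bot's blank POST sends nothing), and a per-request, short-lived, single-use token that a copied form cannot replay, fit in a few dozen lines of PHP. The script below is an added example written for this page; it is not Tim Greer's contact script nor the OP's code, and it omits the image captcha he describes. The field names, the recipient address, the token lifetime, the hourly limit and the JSON rate-limit file are all assumptions chosen for illustration. It also rejects newlines in the name and email fields, a check the thread does not mention but which any mail() form needs to stop header injection.

```php
<?php
// contact.php: added example for this thread, not the script discussed in it.
// (1) mail() only runs on a POST whose required fields are all non-empty,
// (2) a per-request, single-use, expiring token lives in the server-side
//     session, so markup copied via View Source cannot be replayed from
//     another host, and
// (3) a simple per-IP submission limit is enforced.
// The captcha from the thread would be a further step and is left out here.
declare(strict_types=1);

session_start();

const TOKEN_TTL    = 600;  // seconds a form token stays valid (assumption)
const MAX_PER_HOUR = 5;    // submissions allowed per IP per hour (assumption)
const RATE_FILE    = __DIR__ . '/contact_rate.json';  // hypothetical storage
const RECIPIENT    = 'webmaster@example.com';         // placeholder address

/** Issue a fresh, unguessable token bound to this session and the client IP. */
function issue_token(): string
{
    $token = bin2hex(random_bytes(16));
    $_SESSION['contact_token'] = [
        'value'   => $token,
        'ip'      => $_SERVER['REMOTE_ADDR'] ?? '',
        'expires' => time() + TOKEN_TTL,
    ];
    return $token;
}

/** Validate the submitted token and consume it, so it cannot be used twice. */
function consume_token(string $submitted): bool
{
    $stored = $_SESSION['contact_token'] ?? null;
    unset($_SESSION['contact_token']);   // single use, whether or not it matches
    if ($stored === null) {
        return false;
    }
    return hash_equals($stored['value'], $submitted)
        && $stored['ip'] === ($_SERVER['REMOTE_ADDR'] ?? '')
        && $stored['expires'] >= time();
}

/** Track submissions per IP in a small JSON file; true while under the limit. */
function under_rate_limit(string $ip): bool
{
    $now  = time();
    $data = is_file(RATE_FILE)
        ? (json_decode((string) file_get_contents(RATE_FILE), true) ?: [])
        : [];
    $recent = array_values(array_filter($data[$ip] ?? [], fn($t) => $t > $now - 3600));
    if (count($recent) >= MAX_PER_HOUR) {
        return false;
    }
    $recent[]  = $now;
    $data[$ip] = $recent;
    file_put_contents(RATE_FILE, json_encode($data), LOCK_EX);
    return true;
}

/** Return the trimmed required fields, or null if any is missing or empty. */
function required_fields(array $post, array $names): ?array
{
    $out = [];
    foreach ($names as $name) {
        $value = trim((string) ($post[$name] ?? ''));
        if ($value === '') {
            return null;
        }
        $out[$name] = $value;
    }
    return $out;
}

$ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Cheap checks first; mail() is the last thing that can happen.
    $fields = required_fields($_POST, ['name', 'email', 'message']);
    if ($fields === null) {
        $error = 'All fields are required.';
    } elseif (!consume_token((string) ($_POST['token'] ?? ''))) {
        $error = 'The form has expired; please reload it and try again.';
    } elseif (!filter_var($fields['email'], FILTER_VALIDATE_EMAIL)
           || preg_match('/[\r\n]/', $fields['name'] . $fields['email'])) {
        $error = 'Invalid sender.';   // newlines here would inject mail headers
    } elseif (!under_rate_limit($ip)) {
        $error = 'Too many submissions; please try again later.';
    } else {
        $body = "From: {$fields['name']} <{$fields['email']}>\nIP: {$ip}\n\n{$fields['message']}";
        mail(RECIPIENT, 'Contact form', $body, 'From: ' . RECIPIENT);
        $notice = 'Thanks, your message was sent.';
    }
}

// A GET (a spider fetching the page) or a failed POST renders the form with a new token.
$token = issue_token();
?>
<form method="post" action="">
  <input type="hidden" name="token" value="<?= htmlspecialchars($token, ENT_QUOTES) ?>">
  <input name="name" placeholder="Name">
  <input name="email" placeholder="Email">
  <textarea name="message"></textarea>
  <button type="submit">Send</button>
</form>
```

Note the order of the checks: a request that is not a POST, or a POST missing any required field, never reaches the token or rate-limit logic, which is exactly the spider case the OP was seeing. The token is tied to the session cookie, so a bot posting copied markup from its own host has no session to match and is refused; a person driving a real browser can still submit once per token, which is the "you can't stop a manual submission" limit Tim Greer describes, and the per-IP counter is what keeps that from turning into a flood.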