Re: Contact Form Spam
- From: Shelly <sheldonlg@xxxxxxxxxxxxxxx>
- Date: Wed, 23 Jan 2008 21:03:11 -0800 (PST)
On Jan 23, 11:57 pm, Manuel Lemos <mle...@xxxxxxx> wrote:
> Hello,
>
> on 01/24/2008 02:49 AM Shelly said the following:
> > I use the class htmlMimeMail from http://www.phpguru.org/ by Richard
> > Heyes. The security code is just a randomly generated string of 6
> > characters. I am not using a CAPTCHA. I guess I will have to.
>
> I have not studied that class. I don't know if it properly encodes
> message headers.
>
> That may explain it. Even some CAPTCHAs can be bypassed with good OCR
> scripts. But even a basic CAPTCHA can raise the bar hard enough to make
> your abuser give up.
>
> > The email is only sent to the site owner, so the spammer has no way of
> > knowing what the email should look like. That tells me that they have
> > to be going through the form. Yet the proper email has an echo of
> > generated security code. The spam email has that field empty. So,
> > that says he can't be going through the form.
> > It seems to me that they must:
> > 1 - Somehow be diverting a legitimate email so that a copy is sent to
> > them.
> > 2 - Be using that email copy to create a template and modify the output
> > so that junk is sent.
> > I really don't know how they are doing it.
>
> If you are not using a good CAPTCHA, I am not sure what you mean by
> security codes.
>
> Anyway, I suspect that your code has a common vulnerability of contact
> forms, which is to not properly encode information that goes to message
> headers. This means that if the abuser inserts a well thought out character
> sequence, he may make your script compose a message that uses your mail
> server to send spam to anybody in the world.
>
> It is hard to advise without seeing your script. Anyway, I recommend
> using a component that knows how to properly encode or escape malicious
> character sequences to avoid abuses like the one you are suffering.
>
> I use this MIME message composing and sending class that is well aware
> of all the e-mail standards that are necessary to compose messages
> properly. You may want to use it to avoid the abuses.
>
> http://www.phpclasses.org/mimemessage

But with or without a CAPTCHA, they still need to get the text that is
checked by me before sending the email. I put that text (both what I
asked for and what they put in) into the email that is sent. The
email that we received from them had those fields empty. Wouldn't
they have been filled with their correct determination of the code?

> It is hard to even understand the context of all that you are saying
> without seeing your code.
>
> If you put the text in the form page, it is very easy to retrieve the
> page, get the code and emulate the form submission with the code in it.
> With CAPTCHA that would be harder.

Exactly. If they put the code in it (assuming they got it), and since
I put it in the email that is sent (both what they put in and what I
asked for), why would the email they send not have anything in either
field in the email?

> If you say you verify the presence of the correct code, maybe you are
> not doing it correctly.

It is done correctly. I tested this about twenty times. It only
succeeds if the code that is typed in is the same as the one asked
for. BTW, every time the page is presented there is a different set
of 6 characters.
Shelly
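As an added illustration of the two points Manuel raises above (encoding of header-bound fields, and where the security code is kept), here is a minimal contact-form handler. It is constructed for this thread, not code from either poster, from htmlMimeMail or from the phpclasses package; it assumes PHP 7.2+, that the page which rendered the form stored the expected code in $_SESSION['contact_code'], and that OWNER_ADDRESS is a placeholder for the site owner's mailbox.

```php
<?php
// Constructed example (not from the thread, htmlMimeMail or phpclasses).
// Assumed: PHP 7.2+, the form page stored the expected code in
// $_SESSION['contact_code'], and OWNER_ADDRESS is a placeholder.
const OWNER_ADDRESS = 'owner@example.com'; // placeholder

// A header field (From, Reply-To, Subject) must not contain CR or LF: a line
// break is what ends one header and starts the next, so a value containing one
// would let the submitter add headers of their own. Refuse such values outright
// rather than trying to clean them. Returns the trimmed value or null.
function header_safe(string $value, int $maxLen = 200): ?string
{
    $value = trim($value);
    if ($value === '' || strlen($value) > $maxLen) {
        return null;
    }
    if (preg_match('/[\r\n\0]/', $value)) {
        return null;
    }
    return $value;
}

// The challenge code is compared against the copy kept server-side in the
// session, never against a copy carried in the form itself (which anyone who
// fetches the page can read back), and it is consumed so it cannot be replayed.
function code_matches(?string $submitted): bool
{
    $expected = $_SESSION['contact_code'] ?? null;
    unset($_SESSION['contact_code']);
    if ($expected === null || $submitted === null) {
        return false;
    }
    return hash_equals($expected, trim($submitted));
}

session_start();
if (!code_matches($_POST['code'] ?? null)) {
    http_response_code(400);
    exit('Security code missing or wrong.');
}
$from    = filter_var($_POST['email'] ?? '', FILTER_VALIDATE_EMAIL);
$subject = header_safe($_POST['subject'] ?? '');
if ($from === false || $subject === null) {
    http_response_code(400);
    exit('Invalid sender address or subject.');
}
// The body is free text; the CR/LF rule only matters for header-bound fields.
$body = "Message from $from:\n\n" . str_replace("\0", '', $_POST['message'] ?? '');
mail(OWNER_ADDRESS, $subject, $body, ['Reply-To' => $from]);
```

Rejecting (rather than stripping) a line break in a header field also gives you a clean signal to log: a legitimate visitor never submits one, so each rejection marks an automated submission.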