nonsense being sent on contact form that isn't even spam

i get about one or two messages a day with complete nonsense coming through the contact form on my site. it doesn't make any sense as it's all just random characters, so i don't understand the point of it and just want to make sure there's no chance it's a legit email that is incorrectly being converted into something i can't read.

example of something i just received...

From: oordxlm
Company: PpOnkcAqMieizhcT
Number: aZKOJiRfBPxtJytjtXZ
Email: [email protected]
Address: haOUuCAVvb

is it just odd pointless spam?
 
I would imagine it's automated bots looking to/attempting to exploit the contact form.

Perhaps implement a captcha. :)
 
not so keen on captcha if possible. it's about 1 a day atm so no problem to just delete it

would be nice if we could see the code from your form.

can't remember why there are so many things going on here but it appears to give me what i want...

$cName = stripslashes(htmlspecialchars($_POST['cName'], ENT_QUOTES));

just a few checks to $cName and then it's added to the email and sent to me.
 
I get very similar to the above through a contact form, seems to happen a few times a week.

So nothing to worry about ?

Dutch

--------------------------------------
 
Well you can pretty simply implement a regex for the phone number and email address to make them conform to a standard. The name, company and address are more tricky in that regard, but you can still check for a set of illegal characters that you can define (not that the above would be rejected by this, anyway). You can also use a regex system to check for header injection ("cc: ", "bcc: " etc as well as new lines in the name, for example).

Another thing you could do would be to move the php for receiving the data from the contact form to another file, if it's not already, and send it a key two ways to validate that the data the script receives comes from the contact form being filled in. A simple thing to do would be to generate a unique code (foo) and put it in a hidden field in the form. Separately, md5 the same code and put it in the php session (bar). On the page to send the email, if md5(foo) <> bar, then the data it's received hasn't come from the contact form.
 
I also read you can put a fake field on the form which is hidden, if the field is filled in then you know a bot has completed the form and you can stop it being sent.
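
The checks suggested in the last two posts (format regexes, header-injection detection, the hidden-field/session key, and the honeypot field), combined in one handler as an added example that is not code from the thread. Every field name except cName, the `website` honeypot and the function names are assumptions, and `$session` stands in for `$_SESSION` so the sample runs from the CLI.

```php
<?php
declare(strict_types=1);

// When rendering the form: foo goes in a hidden field, md5(foo) in the session.
function issue_token(array &$session): string
{
    $foo = bin2hex(random_bytes(16));   // unpredictability comes from random_bytes
    $session['bar'] = md5($foo);        // md5 as the post describes
    return $foo;
}
// True if a value bound for a mail header carries line breaks or header names.
function has_header_injection(string $v): bool
{
    return preg_match('/[\r\n]|%0[ad]|\b(?:to|cc|bcc|content-type)\s*:/i', $v) === 1;
}
// Returns a list of reasons to reject; an empty list means the mail may be sent.
function check_submission(array $post, array $session): array
{
    $why = [];
    if (($post['website'] ?? '') !== '') {   // honeypot, hidden from people with CSS
        $why[] = 'honeypot field filled in';
    }
    if (!isset($session['bar']) || !hash_equals($session['bar'], md5((string)($post['token'] ?? '')))) {
        $why[] = 'token does not match session';
    }
    foreach (['cName', 'cEmail'] as $f) {
        if (has_header_injection((string)($post[$f] ?? ''))) {
            $why[] = "$f: header injection pattern";
        }
    }
    if (filter_var($post['cEmail'] ?? '', FILTER_VALIDATE_EMAIL) === false) {
        $why[] = 'cEmail: not a valid address';
    }
    if (preg_match('/^\+?[0-9 ()-]{7,20}$/D', (string)($post['cNumber'] ?? '')) !== 1) {
        $why[] = 'cNumber: not a phone number';
    }
    return $why;
}

// Constructed sample input: one bot-style post and one ordinary post.
$session = [];
$foo = issue_token($session);
$bot = ['cName' => "oordxlm\r\nBcc: x@example.com", 'cEmail' => 'a@example.com',
        'cNumber' => 'aZKOJiRfBPxtJytjtXZ', 'website' => 'http://example.com', 'token' => ''];
$ok  = ['cName' => 'Jane Doe', 'cEmail' => 'jane@example.com',
        'cNumber' => '+44 20 7946 0000', 'website' => '', 'token' => $foo];
print_r(check_submission($bot, $session));
print_r(check_submission($ok, $session));
```

The random-character phone number from the first post fails the `cNumber` check on its own, so submissions like it can be dropped without a captcha.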
 