Website form being spammed...

Simmy · 24 Nov 2005 at 09:35

Sorry Mr_L, didn't see your suggestion. Will give that a go now

Sic · 24 Nov 2005 at 10:02

the problem is that filling out a checkbox is just like filling out any other section of a form, but it's boolean so it makes it even easier to fill out. whilst it's a nice idea, it'd only take a slight alteration to a script to check it, or if a human is entering the details, there's nothing you can do about it really.

can you post one of the emails you're getting? when i was getting spammed (again, even though i already have a CAPTCHA!!

) i noticed that because i was using htmlentities it was kicking out ampersands when they were trying to use php in my form fields, so i (Beansprout found me the code for ampersands) blocked ampersands from passing through the form, and also blocked the buy's email address for good measure.

i would also advise running your $_POST variables through htmlentities as well as stripslashes. you could also save yourself some space by doing it all at once.

ie:

Code:

$message = stripslashes(htmlentites($_POST['message']));

i think that's right...not done any PHP in a couple of months

Simmy · 24 Nov 2005 at 10:55

code now looks like this

<?php
$my_email = "Query'at'smg-computers.com";
$email = $_POST['Email'];
$subjectcmp = $_POST['Subject'];
$comments = $_POST['Comments'];

// This line prevents values being entered in a URL

if ($_SERVER['REQUEST_METHOD'] != "POST"){exit;}

$message = "";

// This line prevents a blank form being sent

while(list($key,$value) = each($_POST)){if(!(empty($value))){$set=1;}$message = $message . "$key: $value\n\n";} if($set!==1){header("location: $_SERVER[HTTP_REFERER]");exit;}

$message = $message;
$message = stripslashes($message);

$subject = "SMG Query - " . stripslashes($_POST['Subject']);
$headers = "From: " . (stripslashes(htmlentities($_POST['Email']))) . "\n" . "Return-Path: " . (stripslashes(htmlentities($_POST['Email']))) . "\n" . "Reply-To: " . (stripslashes(htmlentities($_POST['Email']))) . "\n";

if ($email && $subjectcmp && $message && $comments != NULL )
{
if (strstr($email, "'at'smg-computers.com"))
{
echo "Invalid Email Address" ?> <a href="javascript:history.go(-1)" onMouseOver="self.status=document.referrer;return true"> Back </a> <?php ;
exit;
}
else
{
mail($my_email,$subject,$message,$headers);
}
}
else
{
echo "Make sure all fields are filled in." ?> <a href="javascript:history.go(-1)" onMouseOver= "self.status=document.referrer;return true"> Back </a> <?php ;
exit;
}

?>

It now compares the email address isn't my own and check the fields aren't blank. I've removed the checkbox check as I'm hoping I don't need to include it anymore.

reset: as2677'at'smg-computers.com

Name: as2677'at'smg-computers.com

Confirm: as2677'at'smg-computers.com

Comments: as2677'at'smg-computers.com

Email: as2677'at'smg-computers.com

Subject: and
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Subject: could not afford for the
bcc: [email protected]

8b13864ee0469736d57002df9366cb42

That's what the spam looks like aswell.

All of the emails are BCC'd to the same email address aswell.

Sic · 24 Nov 2005 at 11:04

is it always to that same email address everyday?

if it is, i'd block that. or

Code:

if stristr($email, smg-computers.com) die ("not today Zurg!");

again, i think that's right

Simmy · 24 Nov 2005 at 11:22

it's always to the domain 'at'smg-computers.com, but the first parts are different. Usually a random word followed by random numbers. Hopefully blocking my domain will work as only I use my domain, and i'm not gonna email myself

Cheers for the help Sic. I'm wondering if there's any kind of script to mess with the persons computer, or maybe obtain more information about the person spamming me? Ie, if the person tries to send an email using 'at'smg-computers, it's no doubt the spammer, so could I use php or javascript to load some kind of webpage (

) or run some kind of process on their machine?

Sic · 24 Nov 2005 at 11:39

lol...you could redirect them to another page, but it would really do anything because chances are it's unmonitored.

if you insert that piece of code i gave you in #24, that'll search for the phrase "smg-computers.com" in the email string, and if that's found, it'll display that lovely message

Simmy · 24 Nov 2005 at 11:59

I'm sure there's a site (probably loads of them), that repeatedly opens internet browsers. Maybe it would take his computer down? Maybe those websites display nasty images and rude sounds aswell

Sic · 24 Nov 2005 at 12:05

there's a site that knocks out Phishing sites by repeatedly refreshing them IIRC. besides, if you retaliate, you're just as bad as him. assuming it's a he

Simmy · 24 Nov 2005 at 12:22

Well if it took his PC down, it would stop him spamming other people (again, assuming its a he

). It would teach him a lesson for spamming me in the first place (maybe)! I hate spammers :mad:

And spamming a spammer doesn't make me a spammer

Al Vallario · 24 Nov 2005 at 13:45

If the bots are too smart for the checkbox technique, you could always move on to the "What colour is an orange?" method, whereby a user is required to answer a simple question with a single-word answer before submitting the form. Alternatively, you could generate a random letter and ask the user to copy that letter into a form field.

You should include a short paragraph that explains the purpose of these measures, so users don't think it's a bit of a joke and ignore them

robmiller · 24 Nov 2005 at 13:54

I don't see why, if a user can find your site and tell a bot to spam the form, they can't just tell it to add "answer=orange" along with the spam. It's not exactly rocket science.

What's the spam you're getting like? If it's trying to sell you crap and whatnot, then you can just write a blacklist of words that an email may not contain.

Sic · 24 Nov 2005 at 14:04

Al Vallario said:
If the bots are too smart for the checkbox technique, you could always move on to the "What colour is an orange?" method, whereby a user is required to answer a simple question with a single-word answer before submitting the form. Alternatively, you could generate a random letter and ask the user to copy that letter into a form field.

You should include a short paragraph that explains the purpose of these measures, so users don't think it's a bit of a joke and ignore them

the problem with doing things like that is it looks vile. imagine if you went to an e-store and they had something like that on their contact page. you'd think "what a bunch of morons!"

try and keep your fixes for stuff like that on the sever-side...imho

Al Vallario · 24 Nov 2005 at 15:28

robmiller said:
I don't see why, if a user can find your site and tell a bot to spam the form, they can't just tell it to add "answer=orange" along with the spam. It's not exactly rocket science.

Could pick one of a number of questions at random. Also, I'm no expert on the matter, but I doubt bots are individually programmed for each website they hit

Mr_L · 24 Nov 2005 at 16:15

Al Vallario said:
Could pick one of a number of questions at random. Also, I'm no expert on the matter, but I doubt bots are individually programmed for each website they hit

If someone is targeting a specific website they will be.

robmiller · 24 Nov 2005 at 16:25

Al Vallario said:
Could pick one of a number of questions at random. Also, I'm no expert on the matter, but I doubt bots are individually programmed for each website they hit

If you pick the question and put it on the site, it's possible to extract it and thus find the correct answer to the question.

It's pretty much impossible to block this way; your best bet is to go with a blacklist approach or a filter implementing Bayesian probability, but the latter is probably far beyond the scope of something like this.

I'd recommend examining the code of Spam Karma, a Wordpress comment spam filter, to see if you can implement something similar. It might be overkill, but you'll learn something and will probably be able to reuse your code in future.

akakjs · 24 Nov 2005 at 16:34

Try change the name of your form fields. and don't use stuff like 'email' as the id.

Chances are the bot is just parsing the form and finding the email address, then filling in the blanks from the form fields so use server side emailing if you can.

akakjs

Simmy · 24 Nov 2005 at 23:06

Ok, well I've added an email validation method and a check to make sure it's not using my email address. We'll see if this has worked tomorrow :\ *fingers crossed*

Thanks for all the suggestions so far. If this doesn't work, I'll try your other ideas

D4VE · 25 Nov 2005 at 10:31

Hope it works, then you can help me hehe

Simmy · 26 Nov 2005 at 13:10

Well, for the past 2 days I've been spam free, so the changes made must have had some effect. Lets hope it stays that way!

for D4VE and others who want to use it. These are the changes I made.

function check_email_address($email) {
// First, we check that there's one @ symbol, and that the lengths are right
if (!ereg("[^@]{1,64}@[^@]{1,255}", $email)) {
// Email invalid because wrong number of characters in one section, or wrong number of @ symbols.
return false;
}
// Split it into sections to make life easier
$email_array = explode("@", $email);
$local_array = explode(".", $email_array[0]);
for ($i = 0; $i < sizeof($local_array); $i++) {
if (!ereg("^(([A-Za-z0-9!#$%&'*+/=?^_`{|}~-][A-Za-z0-9!#$%&'*+/=?^_`{|}~\.-]{0,63})|(\"[^(\\|\")]{0,62}\"))$", $local_array[$i])) {
return false;
}
}
if (!ereg("^\[?[0-9\.]+\]?$", $email_array[1])) { // Check if domain is IP. If not, it should be valid domain name
$domain_array = explode(".", $email_array[1]);
if (sizeof($domain_array) < 2) {
return false; // Not enough parts to domain
}
for ($i = 0; $i < sizeof($domain_array); $i++) {
if (!ereg("^(([A-Za-z0-9][A-Za-z0-9-]{0,61}[A-Za-z0-9])|([A-Za-z0-9]+))$", $domain_array[$i])) {
return false;
}
}
}
return true;
}

When this function is called, it checks the email address is valid, so the spammer can't just put random junk as the email; it has to be a properly formatted email address. Now the code where I actually perform all the checks

if ($email && $message && $comments != NULL )
{
if (strstr($email, "@smg-computers.com"))
{
echo "Invalid Email Address" ?> <a href="javascript:history.go(-1)" onMouseOver="self.status=document.referrer;return true"> Back </a> <?php ;
exit;
}
else if (check_email_address($email))
{
mail($my_email,$subject,$message,$headers);
}
else
{
echo $email . ' is not a valid email address.'; ?> <a href="javascript:history.go(-1)" onMouseOver= "self.status=document.referrer;return true"> Back </a> <?php ;
exit;
}
}
else
{
echo "Make sure all fields are filled in." ?> <a href="javascript:history.go(-1)" onMouseOver= "self.status=document.referrer;return true"> Back </a> <?php ;
exit;
}

The first If statement checks that all fields in the form are filled in. If they're filled in, check the email address doesn't end with my domain name. If it doesn't, it then calls the check_email_address function to check the email address is valid. If it returns true (the email addy is valid), the email is sent.

Hope that helps some of you

I know it could probably be written much better than that, but it does the job.

Absomalutely · 26 Nov 2005 at 14:24

You say these are all coming 'from your domain name'. Why didnt you just set up a rule in outlook express / email of your choice to delete everything from your domain instead of your email address? Would have been a lot quicker and easier surely