Website form being spammed...

Sic

Soldato
Joined
9 Nov 2004
Posts
15,365
Location
SO16
the problem is that filling out a checkbox is just like filling out any other section of a form, but it's boolean so it makes it even easier to fill out. whilst it's a nice idea, it'd only take a slight alteration to a script to check it, or if a human is entering the details, there's nothing you can do about it really.

can you post one of the emails you're getting? when i was getting spammed (again, even though i already have a CAPTCHA!! :() i noticed that because i was using htmlentities it was kicking out ampersands when they were trying to use php in my form fields, so i (Beansprout found me the code for ampersands) blocked ampersands from passing through the form, and also blocked the guy's email address for good measure.

i would also advise running your $_POST variables through htmlentities as well as stripslashes. you could also save yourself some space by doing it all at once.

ie:

Code:
$message = stripslashes(htmlentities($_POST['message']));

i think that's right...not done any PHP in a couple of months :o
 
Associate
OP
Joined
26 Dec 2003
Posts
2,260
Location
UK
code now looks like this

<?php
$my_email = "Query'at'smg-computers.com";
$email = $_POST['Email'];
$subjectcmp = $_POST['Subject'];
$comments = $_POST['Comments'];

// This line prevents values being entered in a URL

if ($_SERVER['REQUEST_METHOD'] != "POST"){exit;}

$message = "";

// This line prevents a blank form being sent

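// foreach replaces each(), which was removed in PHP 8; $set is initialised before use
$set = 0;
foreach ($_POST as $key => $value) {
if (!(empty($value))) { $set = 1; }
$message = $message . "$key: $value\n\n";
}
if ($set !== 1) { header("location: $_SERVER[HTTP_REFERER]"); exit; }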

$message = $message;
$message = stripslashes($message);

$subject = "SMG Query - " . stripslashes($_POST['Subject']);
$headers = "From: " . (stripslashes(htmlentities($_POST['Email']))) . "\n" . "Return-Path: " . (stripslashes(htmlentities($_POST['Email']))) . "\n" . "Reply-To: " . (stripslashes(htmlentities($_POST['Email']))) . "\n";

if ($email && $subjectcmp && $message && $comments != NULL )
{
if (strstr($email, "'at'smg-computers.com"))
{
echo "Invalid Email Address" ?> <a href="javascript:history.go(-1)" onMouseOver="self.status=document.referrer;return true"> <br>Back </a> <?php ;
exit;
}
else
{
mail($my_email,$subject,$message,$headers);
}
}
else
{
echo "Make sure all fields are filled in." ?> <a href="javascript:history.go(-1)" onMouseOver= "self.status=document.referrer;return true"> <br>Back </a> <?php ;
exit;
}

?>

It now checks that the email address isn't my own and checks the fields aren't blank. I've removed the checkbox check as I'm hoping I don't need to include it anymore.


reset: as2677'at'smg-computers.com

Name: as2677'at'smg-computers.com

Confirm: as2677'at'smg-computers.com

Comments: as2677'at'smg-computers.com

Email: as2677'at'smg-computers.com

Subject: and
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Subject: could not afford for the
bcc: [email protected]

8b13864ee0469736d57002df9366cb42

That's what the spam looks like as well.

All of the emails are BCC'd to the same email address as well.
 

Sic

Soldato
Joined
9 Nov 2004
Posts
15,365
Location
SO16
is it always to that same email address everyday?

if it is, i'd block that. or

Code:
if (stristr($email, "smg-computers.com")) die("not today Zurg!");
again, i think that's right
 
Associate
OP
Joined
26 Dec 2003
Posts
2,260
Location
UK
it's always to the domain 'at'smg-computers.com, but the first parts are different. Usually a random word followed by random numbers. Hopefully blocking my domain will work as only I use my domain, and i'm not gonna email myself :p

Cheers for the help Sic. I'm wondering if there's any kind of script to mess with the person's computer, or maybe obtain more information about the person spamming me? Ie, if the person tries to send an email using 'at'smg-computers, it's no doubt the spammer, so could I use php or javascript to load some kind of webpage (;)) or run some kind of process on their machine?
 

Sic

Soldato
Joined
9 Nov 2004
Posts
15,365
Location
SO16
lol...you could redirect them to another page, but it would really do anything because chances are it's unmonitored.

if you insert that piece of code i gave you in #24, that'll search for the phrase "smg-computers.com" in the email string, and if that's found, it'll display that lovely message
 
Associate
OP
Joined
26 Dec 2003
Posts
2,260
Location
UK
I'm sure there's a site (probably loads of them), that repeatedly opens internet browsers. Maybe it would take his computer down? Maybe those websites display nasty images and rude sounds as well :D
 

Sic

Soldato
Joined
9 Nov 2004
Posts
15,365
Location
SO16
there's a site that knocks out Phishing sites by repeatedly refreshing them IIRC. besides, if you retaliate, you're just as bad as him. assuming it's a he
 
Associate
OP
Joined
26 Dec 2003
Posts
2,260
Location
UK
Well if it took his PC down, it would stop him spamming other people (again, assuming it's a he :p). It would teach him a lesson for spamming me in the first place (maybe)! I hate spammers :mad: And spamming a spammer doesn't make me a spammer :D
 
Soldato
Joined
3 Aug 2005
Posts
4,534
Location
UK
If the bots are too smart for the checkbox technique, you could always move on to the "What colour is an orange?" method, whereby a user is required to answer a simple question with a single-word answer before submitting the form. Alternatively, you could generate a random letter and ask the user to copy that letter into a form field.

You should include a short paragraph that explains the purpose of these measures, so users don't think it's a bit of a joke and ignore them :)
 
Soldato
Joined
26 Dec 2003
Posts
16,522
Location
London
I don't see why, if a user can find your site and tell a bot to spam the form, they can't just tell it to add "answer=orange" along with the spam. It's not exactly rocket science.

What's the spam you're getting like? If it's trying to sell you crap and whatnot, then you can just write a blacklist of words that an email may not contain.
 

Sic

Soldato
Joined
9 Nov 2004
Posts
15,365
Location
SO16
Al Vallario said:
If the bots are too smart for the checkbox technique, you could always move on to the "What colour is an orange?" method, whereby a user is required to answer a simple question with a single-word answer before submitting the form. Alternatively, you could generate a random letter and ask the user to copy that letter into a form field.

You should include a short paragraph that explains the purpose of these measures, so users don't think it's a bit of a joke and ignore them :)

the problem with doing things like that is it looks vile. imagine if you went to an e-store and they had something like that on their contact page. you'd think "what a bunch of morons!"

try and keep your fixes for stuff like that on the server-side...imho
 
Soldato
Joined
3 Aug 2005
Posts
4,534
Location
UK
robmiller said:
I don't see why, if a user can find your site and tell a bot to spam the form, they can't just tell it to add "answer=orange" along with the spam. It's not exactly rocket science.
Could pick one of a number of questions at random. Also, I'm no expert on the matter, but I doubt bots are individually programmed for each website they hit ;)
 
Soldato
Joined
28 Jan 2005
Posts
3,732
Location
Worcester
Al Vallario said:
Could pick one of a number of questions at random. Also, I'm no expert on the matter, but I doubt bots are individually programmed for each website they hit ;)
If someone is targeting a specific website they will be.
 
Soldato
Joined
26 Dec 2003
Posts
16,522
Location
London
Al Vallario said:
Could pick one of a number of questions at random. Also, I'm no expert on the matter, but I doubt bots are individually programmed for each website they hit ;)

If you pick the question and put it on the site, it's possible to extract it and thus find the correct answer to the question.

It's pretty much impossible to block this way; your best bet is to go with a blacklist approach or a filter implementing Bayesian probability, but the latter is probably far beyond the scope of something like this.

I'd recommend examining the code of Spam Karma, a Wordpress comment spam filter, to see if you can implement something similar. It might be overkill, but you'll learn something and will probably be able to reuse your code in future.
 
Associate
Joined
18 Oct 2002
Posts
1,044
Try changing the names of your form fields, and don't use stuff like 'email' as the id.

Chances are the bot is just parsing the form and finding the email address, then filling in the blanks from the form fields so use server side emailing if you can. :)

akakjs
 
Associate
OP
Joined
26 Dec 2003
Posts
2,260
Location
UK
Ok, well I've added an email validation method and a check to make sure it's not using my email address. We'll see if this has worked tomorrow :\ *fingers crossed*

Thanks for all the suggestions so far. If this doesn't work, I'll try your other ideas :)
 
Associate
OP
Joined
26 Dec 2003
Posts
2,260
Location
UK
Well, for the past 2 days I've been spam free, so the changes made must have had some effect. Let's hope it stays that way!

For D4VE and others who want to use it, these are the changes I made.

function check_email_address($email) {
// preg_match replaces ereg, which was removed in PHP 7. The D modifier
// stops $ from matching before a trailing newline, as ereg's $ did not.
// First, we check that there's one @ symbol, and that the lengths are right
if (!preg_match("/^[^@]{1,64}@[^@]{1,255}$/D", $email)) {
// Email invalid because wrong number of characters in one section, or wrong number of @ symbols.
return false;
}
// Split it into sections to make life easier
$email_array = explode("@", $email);
$local_array = explode(".", $email_array[0]);
for ($i = 0; $i < sizeof($local_array); $i++) {
if (!preg_match("/^(([A-Za-z0-9!#$%&'*+\/=?^_`{|}~-][A-Za-z0-9!#$%&'*+\/=?^_`{|}~\.-]{0,63})|(\"[^(\\\\|\")]{0,62}\"))$/D", $local_array[$i])) {
return false;
}
}
if (!preg_match("/^\[?[0-9\.]+\]?$/D", $email_array[1])) { // Check if domain is IP. If not, it should be valid domain name
$domain_array = explode(".", $email_array[1]);
if (sizeof($domain_array) < 2) {
return false; // Not enough parts to domain
}
for ($i = 0; $i < sizeof($domain_array); $i++) {
if (!preg_match("/^(([A-Za-z0-9][A-Za-z0-9-]{0,61}[A-Za-z0-9])|([A-Za-z0-9]+))$/D", $domain_array[$i])) {
return false;
}
}
}
return true;
}

When this function is called, it checks the email address is valid, so the spammer can't just put random junk as the email; it has to be a properly formatted email address. Now the code where I actually perform all the checks:

if ($email && $message && $comments != NULL )
{
if (strstr($email, "@smg-computers.com"))
{
echo "Invalid Email Address" ?> <a href="javascript:history.go(-1)" onMouseOver="self.status=document.referrer;return true"> <br>Back </a> <?php ;
exit;
}
else if (check_email_address($email))
{
mail($my_email,$subject,$message,$headers);
}
else
{
echo $email . ' is not a valid email address.'; ?> <a href="javascript:history.go(-1)" onMouseOver= "self.status=document.referrer;return true"> <br>Back </a> <?php ;
exit;
}
}
else
{
echo "Make sure all fields are filled in." ?> <a href="javascript:history.go(-1)" onMouseOver= "self.status=document.referrer;return true"> <br>Back </a> <?php ;
exit;
}

The first If statement checks that all fields in the form are filled in. If they're filled in, check the email address doesn't end with my domain name. If it doesn't, it then calls the check_email_address function to check the email address is valid. If it returns true (the email addy is valid), the email is sent.

Hope that helps some of you :) I know it could probably be written much better than that, but it does the job.
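
The spam quoted earlier in this thread carries extra header lines (Content-Type, bcc) inside a form field, so the check that matters for any value placed in a mail header is rejecting line breaks. The following is an added example, not code from any poster: the field names are taken from the form above, while the function names and sample addresses are made up for illustration.

```php
<?php
// Added example. Field names (Email, Subject, Comments) follow the form in
// this thread; function names and addresses are hypothetical placeholders.

// True if the value contains CR, LF or NUL, i.e. anything that could
// start a new header line once the value is placed in a mail header.
function has_header_break(string $value): bool
{
    return preg_match('/[\r\n\0]/', $value) === 1;
}

// Returns a list of problems; an empty list means the submission may be mailed.
function check_submission(array $post): array
{
    $errors = [];
    foreach (['Email', 'Subject', 'Comments'] as $field) {
        if (!isset($post[$field]) || !is_string($post[$field]) || trim($post[$field]) === '') {
            $errors[] = "$field is missing";
        }
    }
    if ($errors) {
        return $errors;
    }
    // Email and Subject end up in headers, so line breaks are rejected outright
    // rather than stripped: a legitimate visitor never sends them.
    foreach (['Email', 'Subject'] as $field) {
        if (has_header_break($post[$field])) {
            $errors[] = "$field contains a line break";
        }
    }
    if (filter_var($post['Email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'Email is not a valid address';
    }
    return $errors;
}

// Constructed samples: the first is modelled on the spam quoted in the thread.
$spam = [
    'Email'    => 'abc123@example.com',
    'Subject'  => "and\nContent-Type: text/plain; charset=\"us-ascii\"\nbcc: someone@example.net",
    'Comments' => 'abc123@example.com',
];
$legit = ['Email' => 'customer@example.org', 'Subject' => 'Opening hours', 'Comments' => 'Are you open on Sunday?'];

foreach (['spam' => $spam, 'legit' => $legit] as $label => $post) {
    $errors = check_submission($post);
    echo $label, ': ', $errors ? implode('; ', $errors) : 'ok to mail', "\n";
}
```

Only the header-bound fields are tested for line breaks; the Comments field goes into the message body, where newlines are expected.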
 
Associate
Joined
22 Aug 2004
Posts
462
Location
East Sussex
You say these are all coming 'from your domain name'. Why didn't you just set up a rule in Outlook Express / email of your choice to delete everything from your domain instead of your email address? Would have been a lot quicker and easier surely :p
 