|
Posted by Manuel Lemos on 01/24/08 01:47
Hello,
on 01/23/2008 11:31 PM Shelly said the following:
> I have a contact form. On this form there is a randomly generated
> string of characters that must be copied. If it is not typed
> properly, the form is not processed. If filled out correctly, an
> email is sent to the sender and a copy to the owner. All of the
> sending is done in php and no email addresses appear on the form (nor
> in the view source). Everything is done in php.
>
> What is happening is that junk filled forms are being sent and they
> are bypassing the security code requirement. To see what was
> happening, I included both the generated and typed codes in the email
> that is sent. When I fill it out, the email contains matching codes.
> The spam email has empty fields.
>
> Finally, I changed the form yesterday to include those security code
> echos. Today's spam has the changed form.
>
> Questions:
> 1 - How are they accessing the the code to generate these emails?
They may not necessarily be accessing your code. You just assumed that.
> 2 - How are they bypassing the check of the security code?
If you are using a image based CAPTCHA, there is code to brute force
guess the text in the CAPTCHA images using OCR (Optical Character
Recognition) solutions. Here is a simple OCR written in pure PHP.
http://www.phpclasses.org/phpocr
> 3 - Most importantly, what can I do to stop them?
Use a better CAPTCHA. Here are several CAPTCHA solutions that use more
advanced techniques. Some use more ofuscated images, others ask
subjective questions to the user, others use animated images, etc..
http://www.phpclasses.org/searchtag/CAPTCHA/by/package/tag/CAPTCHA/
--
Regards,
Manuel Lemos
PHP professionals looking for PHP jobs
http://www.phpclasses.org/professionals/
PHP Classes - Free ready to use OOP components written in PHP
http://www.phpclasses.org/
[Back to original message]
|