Posted by Manuel Lemos on 01/24/08 04:44

Hello,

on 01/24/2008 02:40 AM Shelly said the following:
>>> The email is only sent to the site owner, so the spammer has no way of
>>> knowing what the email should look like. That tells me that they have
>>> to be going through the form. Yet the proper email has an echo of
>>> generated security code. The spam email has that field empty. So,
>>> that says he can't be going through the form.
>>> It seems to me that they must:
>>> 1 - Somehow diverting a legitimate email so that a copy is sent to
>>> them.
>>> 2 - Using that email copy to create a template and modify the output
>>> so that junk is sent.
>>> I really don't know how they are doing it.
>> If you are not using a good CAPTCHA, I am not sure what you mean by
>> security codes.
>>
>> Anyway, I suspect that your code has a common vulnerability of contact
>> forms which is to not properly encode information that goes to message
>> headers. This means that if the abuser inserts well thought out character
>> sequences, he may make your script compose a message that uses your mail
>> server to send spam to anybody in the world.
>>
>> It is hard to advise without seeing your script. Anyway, I recommend
>> using a component that knows how to properly encode or escape malicious
>> character sequences to avoid abuses like you are suffering.
>>
>> I use this MIME message composing and sending class that is well aware
>> of all the e-mail standards that are necessary to compose messages
>> properly. You may want to use it to avoid the abuses.
>>
>> http://www.phpclasses.org/mimemessage
>>
>
> I use the class htmlMimeMail from http://www.phpguru.org/ by Richard

I have not studied that class. I don't know if it properly encodes
message headers.


> Heyes. The security code is just a randomly generated string of 6
> characters. I am not using a CAPTCHA. I guess I will have to.

That may explain it. Even some CAPTCHAs can be bypassed with good OCR
scripts. But even a basic CAPTCHA can raise the bar hard enough to make
your abuser give up.

--

Regards,
Manuel Lemos

PHP professionals looking for PHP jobs
http://www.phpclasses.org/professionals/

PHP Classes - Free ready to use OOP components written in PHP
http://www.phpclasses.org/
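The header-encoding weakness Manuel describes above, shown as an added example that is not part of this thread and not code from the mimemessage or htmlMimeMail classes. It is written in Python rather than PHP so it runs stand-alone; the owner address and both form submissions are constructed. The naive builder pastes form values straight into header lines, so a field containing CR/LF ends the header it was meant for and starts a new one; the hardened builder rejects any CR/LF in header-bound fields before handing the values to the standard library, which then encodes them properly.

```python
"""Contact-form header handling: the vulnerable pattern beside a hardened one."""
import re
from email.message import EmailMessage
from email.policy import SMTP

OWNER = "owner@example.test"        # constructed site-owner address (assumption)
CRLF = re.compile(r"[\r\n]")        # any bare CR or LF ends a header line
ADDRESS = re.compile(r"^[^\s@]+@[^\s@]+\.[^\s@]+$")

# Constructed form submissions for the demonstration, not taken from the thread.
CLEAN = {"name": "Visitor", "email": "visitor@example.test",
         "subject": "Question about your site", "body": "Hello!"}
# A subject that breaks out of its header line and adds an extra recipient header.
INJECTED = {"name": "Visitor", "email": "visitor@example.test",
            "subject": "Hi\r\nBcc: someone-else@example.test", "body": "Hello!"}


def naive_headers(form):
    """The vulnerable pattern: form values concatenated into raw header lines."""
    return (f"To: {OWNER}\r\nReply-To: {form['email']}\r\n"
            f"Subject: {form['subject']}\r\n\r\n{form['body']}")


def header_names(raw):
    """Field names found in the header section of a raw message.

    Useful as a check: a contact script should only ever emit the headers it
    intends to, so any name outside that fixed set signals an injection.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    return [line.split(":", 1)[0] for line in head.split("\r\n") if ":" in line]


def validate(form):
    """Reject any header-bound field that could start a new header line."""
    for field in ("name", "email", "subject"):
        if CRLF.search(form[field]):
            raise ValueError(f"CR/LF in '{field}': header injection rejected")
    if not ADDRESS.match(form["email"]):
        raise ValueError("malformed e-mail address")


def build_message(form):
    """Hardened builder: validate, then let the email library encode headers.

    The message is sent from the site's own address; the visitor's address
    only ever appears in Reply-To, and the body, not a header, carries the name.
    """
    validate(form)
    msg = EmailMessage(policy=SMTP)
    msg["To"] = OWNER
    msg["From"] = OWNER
    msg["Reply-To"] = form["email"]
    msg["Subject"] = form["subject"]
    msg.set_content(f"From: {form['name']}\n\n{form['body']}")
    return msg


def safe_to_send(form):
    """True if the hardened builder accepts the submission, False if it rejects it."""
    try:
        build_message(form)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print("naive, clean input:   ", header_names(naive_headers(CLEAN)))
    print("naive, injected input:", header_names(naive_headers(INJECTED)))
    print("hardened, clean input accepted:   ", safe_to_send(CLEAN))
    print("hardened, injected input accepted:", safe_to_send(INJECTED))
```

The point of `header_names` is that the defender does not need to guess which character sequences an abuser will try: the script knows the exact set of headers it should produce, so comparing the emitted header names against that set catches any break-out regardless of how it was encoded.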
