Reply to Re: Contact Form Spam

Your name:

Reply:


Posted by Shelly on 01/24/08 04:49

On Jan 23, 11:44 pm, Manuel Lemos <mle...@acm.org> wrote:
> Hello,
>
> on 01/24/2008 02:40 AM Shelly said the following:
>
>
>
> >>> The email is only sent to the site owner, so the spammer has no way of
> >>> knowing what the email should look like. That tells me that they have
> >>> to be going through the form. Yet the proper email has an echo of
> >>> generated security code. The spam email has that field empty. So,
> >>> that says he can't be going through the form.
> >>> It seems to me that they must:
> >>> 1 - Somehow diverting a legitimate email so that copy is sent to
> >>> them.
> >>> 2 - Using that email copy to create a template and modify the output
> >>> so that junk is sent.
> >>> I really don't know how they are doing it.
> >> If you are not using a good CAPTCHA, I am not sure what you mean by
> >> security codes.
>
> >> Anyway, I suspect that your code has a common vulnerability of contact
> >> forms which is to not properly encode information that goes to message
> >> headers. This means that if the abuser inserts a well throught character
> >> sequences, he may make your script compose a message that uses your mail
> >> server to send spam to anybody in the world.
>
> >> It is hard to advise without seeing your script. Anyway, I recommend
> >> using a component that knows how to properly encode or escape malicious
> >> character sequences to avoid abuses like your suffering.
>
> >> I use this MIME message composing and sending class that is well aware
> >> of all the e-mail standards that are necessary to compose messages
> >> properly. You may want to use it to avoid the abuses.
>
> >>http://www.phpclasses.org/mimemessage
>
> > I use the class htmlMimeMail fromhttp://www.phpguru.org/by Richard
>
> I have not studied that class. I don't know if it properly encodes
> message headers.
>
> > Heyes. The security code is just a randomly generated string of 6
> > characters. I am not using a CAPTCHA. I guess I will have to.
>
> That may explain it. Even some CAPTCHAs can be bypassed with good OCR
> scripts. But even a basic CAPTCHA can raise the bar hard enough to make
> your abuser give up.

But with or without a CAPTCHA, they still need to get the text that is
checked by me before sending the email. I put that text (both what I
asked for and what they put in) into the email that is sent. The
email that we received from them had those fields empty. Wouldn't
they have been filled with their correct determination of the code?

[Back to original message]
Удаленная работа для программистов  •  Как заработать на Google AdSense  •  England, UK  •  статьи на английском  •  PHP MySQL CMS Apache Oscommerce  •  Online Business Knowledge Base  •  DVD MP3 AVI MP4 players codecs conversion help
Home  •  Search  •  Site Map  •  Set as Homepage  •  Add to Favourites

Copyright © 2005-2006 Powered by Custom PHP Programming

Сайт изготовлен в Студии Валентина Петручека
изготовление и поддержка веб-сайтов, разработка программного обеспечения, поисковая оптимизация