Because I had a small amount of spam via a DHTML menu that sent mail via mailto:, I changed it to a PHP script that was supposed to be anti-spam etc.
Now I get loads of spam! For now I have removed the link to the contact form from the sitemap.php file. (I assume the spam scripts won't find it other than that, as my site uses a DHTML menu.)
I am guessing in your first paragraph you mean you received spam? If so, this was simply because the email address appeared within the content of the web page. The scripts that collect email addresses simply look for something@somewhere and add any they find to their list.
For your second paragraph, you would need to post the code to get specific help with it. In this case it is possible that only you are receiving spam, but it is also possible that email header injection is occurring and you are getting just one of many copies of each spam message that is being sent.
The coding for any menu you have is probably not the key to finding your form. Just looking at each page for the word "contact" and seeing if there is a form will let someone pick out the action= URL that they can attempt to abuse.
__________________
Error checking, error reporting, and error recovery. If your code does not have these to get it to tell you why it is not working, what makes you think someone in a programming forum will be able to tell you why it is not working???
This is the code. I use it on 2 of my sites and now it seems I get more spam than ever since using a contact form, compared to when I used a basic mailto: button.
PHP Code:
<?php
if (isset($_POST["op"]) && ($_POST["op"] == "send")) {
    /******** START OF CONFIG SECTION *******/
    $sendto = "john@###.co.uk";
    $subject = "Re: ###### WebSite!";
    // Select if you want to check form for standard spam text
    $SpamCheck = "Y"; // Y or N
    $SpamReplaceText = "*content removed*";
    // Error message printed if spam form attack found
    $SpamErrorMessage = "<p align=\"center\"><font color=\"red\">Malicious code content detected.
    </font><br><b>Your IP Number of ".getenv("REMOTE_ADDR")." has been logged.</b></p>";
    /******** END OF CONFIG SECTION *******/
    // $HTTP_POST_VARS was removed in PHP 5.4; $_POST holds the same data
    $name = $_POST['name'];
    $email = $_POST['email'];
    $message = $_POST['message'];
    // The raw, still unfiltered $email is placed into the From: header here
    $headers = "From: $email\n";
    // Was "$headers . ..." (a no-op expression); ".=" actually appends the MIME headers
    $headers .= "MIME-Version: 1.0\n"
        . "Content-Transfer-Encoding: 7bit\n"
        . "Content-type: text/html; charset=\"iso-8859-1\"\n";
    if ($SpamCheck == "Y") {
        // Check for website URLs in the form input boxes: if we block website URLs from the form,
        // then this will stop the spammers wasting time sending emails
        if (preg_match("/http/i", "$name")) {echo "$SpamErrorMessage"; exit();}
        if (preg_match("/http/i", "$email")) {echo "$SpamErrorMessage"; exit();}
        if (preg_match("/http/i", "$message")) {echo "$SpamErrorMessage"; exit();}
        // Pattern match intended to strip out invalid characters to prevent the mail injection spammer.
        // Note: $pattern is built but never applied to any field anywhere in the script.
        $pattern = '/(;|\||`|>|<|&|^|"|'."\n|\r|'".'|{|}|[|]|\)|\()/i'; // build the pattern match string
        // Check for the injected headers from the spammer attempt
        // This will replace the injection attempt text with the string you have set in the above config section
        $find = array("/bcc\:/i","/Content\-Type\:/i","/cc\:/i","/to\:/i");
        $email = preg_replace($find, "$SpamReplaceText", $email);   // too late for $headers, already built above
        $name = preg_replace($find, "$SpamReplaceText", $name);
        $message = preg_replace($find, "$SpamReplaceText", $message);
        // Check to see if the fields contain any content we want to ban
        if(stristr($name, $SpamReplaceText) !== FALSE) {echo "$SpamErrorMessage"; exit();}
        if(stristr($message, $SpamReplaceText) !== FALSE) {echo "$SpamErrorMessage"; exit();}
        // Do a check on the send email and subject text
        if(stristr($sendto, $SpamReplaceText) !== FALSE) {echo "$SpamErrorMessage"; exit();}
        if(stristr($subject, $SpamReplaceText) !== FALSE) {echo "$SpamErrorMessage"; exit();}
    }
    // Build the email body text
    $emailcontent = "
-----------------------------
T####### Contact Form
-----------------------------
Name: $name
Email: $email
Message: $message
_________________________
";
    // Check the email address entered matches the standard email address format.
    // eregi() was removed in PHP 7; preg_match with the /i modifier applies the same pattern
    // (note the pattern still permits a literal % in the address).
    if (!preg_match("/^[A-Z0-9._%-]+@[A-Z0-9._%-]+\.[A-Z]{2,6}$/i", $email)) {
        echo "<p>It appears you entered an invalid email address</p><p><a href='javascript: history.go(-1)'>Click here to go back</a>.</p>";
    }
    elseif (!trim($name)) {
        echo "<p>Please go back and enter a Name</p><p><a href='javascript: history.go(-1)'>Click here to go back</a>.</p>";
    }
    elseif (!trim($message)) {
        echo "<p>Please go back and type a Message</p><p><a href='javascript: history.go(-1)'>Click here to go back</a>.</p>";
    }
    elseif (!trim($email)) {
        echo "<p>Please go back and enter an Email</p><p><a href='javascript: history.go(-1)'>Click here to go back</a>.</p>";
    }
    // Sends out the email or will output the error message
    elseif (mail($sendto, $subject, $emailcontent, $headers)) {
        echo "<br><br><p><b>Thank You $name</b></p><p>Thanks for the e-mail - I will read A.S.A.P</p>";
        echo "<META HTTP-EQUIV=\"refresh\" content=\"3;URL=http://www.t#######.co.uk\">";
    }
    else {
        // The posted script had no branch for mail() returning false
        echo "<p>Sorry, the message could not be sent. Please try again later.</p>";
    }
} // closes the if (op == "send") block, which the posted script never closed
I am guessing you found this script on some script depository and it claimed to prevent spam?
This code perhaps confirms something I have suspected, that spammers create code with specific filenames/content signatures that allows them to more easily find and send spam through, and post their code in the various script depositories. The other "simple" scripts that are posted in script depositories, that don't have any error checking, are that way because the author does not know any better.
Anyway, the following line places the $email field into the $headers variable near the start of the code and most of the checking that is done does not stop the script from reaching the mail(...) function call.
PHP Code:
$headers = "From: $email\n";
Just some comments about what the code is or is not doing -
It does stop execution if "http" is found in the fields. So what, just create spam that does not have this spelled out. This is the only test where it actually stops. All other tests allow it to reach the mail(...) function call.
It does replace some dangerous characters and phrases, but in the case of the $email variable, this does not protect anything since the raw $email variable has already been placed into the $headers variable.
Edit: Upon further review of the code - removed comments about the email address format check as they might have been incorrect.
Finally, one of my standard recommendations for "contact us" forms. Place the entered email address into the message body (which it already is in this case) and make the From: address in the mail header be the same as your To: address. Make this look like an email to yourself from yourself. This avoids problems of having a form field being placed into the header field.
I played with this code some and noticed one additional possible problem - I don't know if doing the following in the mail(...) header is an actual exploit.
The checking for valid format of the email allows a % sign. I don't know if this is allowed by the standards (I personally don't allow it in an email address), but allowing a % would allow any URL-encoded character in the email variable. The code does allow things like BCC%3Asome%40place.com, where the %3A is a ":" and %40 is an "@", and this becomes BCC:some@place.com. \n's could be entered as %0A... As I said, the code allows this to occur, but I don't specifically know or test whether the mail(...) function takes this and decodes the %xx values.
Edit: Using image verification will stop automated scripts and securing the code will prevent automatic/manual sending to email addresses other than the one in the TO field.
Last edited by mab; 11-28-06 at 03:01 AM.
Reason: added info
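The two points made above, that the submitted address must never reach a mail header unfiltered and that the From: header should simply be your own address with the visitor's address kept in the body, and the open question about %-encoded input, can be shown in one handler. This is an added example written for this page, not the poster's script or anything from the thread: the owner address, subject and the four sample submissions are constructed, and the address pattern is deliberately tighter than the one in the posted script (no %, no whitespace, no control characters).

```php
<?php
// Added example, not the original poster's script. SENDTO, SUBJECT and the
// $samples below are constructed for illustration.
declare(strict_types=1);

const SENDTO  = 'john@example.co.uk';   // assumed site owner address
const SUBJECT = 'Re: Example WebSite!';

/**
 * Accept only a conservative local@domain.tld shape. CR, LF and NUL are refused
 * outright, and '%' is not in the character class, so both a raw "\nBcc:" and a
 * URL-encoded "%0ABcc%3A" are rejected before anything is handed to mail().
 * The D modifier stops '$' from matching before a trailing newline.
 */
function valid_email(string $email): bool
{
    if (strlen($email) > 254 || preg_match('/[\r\n\x00]/', $email)) {
        return false;
    }
    return (bool) preg_match('/^[A-Za-z0-9._+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$/D', $email);
}

/**
 * Build the message without sending it so the result can be inspected.
 * Returns null when any field is unacceptable. From: is our own address
 * (mail to ourselves from ourselves, as recommended above); the only header
 * derived from user input is Reply-To:, and only after valid_email() passed.
 */
function build_contact_mail(array $post): ?array
{
    $name    = trim((string) ($post['name'] ?? ''));
    $email   = trim((string) ($post['email'] ?? ''));
    $message = trim((string) ($post['message'] ?? ''));

    if ($name === '' || $message === '' || !valid_email($email)) {
        return null;
    }
    // The name only ever goes into the body; still drop control characters.
    $name = preg_replace('/[\x00-\x1F\x7F]/', '', $name);

    $headers = [
        'From: ' . SENDTO,
        'Reply-To: ' . $email,
        'MIME-Version: 1.0',
        'Content-Type: text/plain; charset=UTF-8',
        'Content-Transfer-Encoding: 8bit',
    ];
    $body = "Contact form submission\n"
          . "Name: {$name}\n"
          . "Email: {$email}\n\n"
          . $message . "\n";
    return ['to' => SENDTO, 'subject' => SUBJECT, 'body' => $body, 'headers' => $headers];
}

// Constructed sample submissions: one honest, three injection attempts.
$samples = [
    'honest'   => ['name' => 'Alice', 'email' => 'alice@example.com', 'message' => 'Hello'],
    'crlf'     => ['name' => 'Bob',   'email' => "bob@example.com\r\nBcc: victim@example.net", 'message' => 'Hi'],
    'bcc-word' => ['name' => 'Carol', 'email' => "carol@example.com\nbcc:victim@example.net", 'message' => 'Hi'],
    'urlenc'   => ['name' => 'Dave',  'email' => 'dave%0ABcc%3Avictim%40example.net@example.com', 'message' => 'Hi'],
];

if (PHP_SAPI === 'cli') {
    // Demonstration run: only 'honest' is accepted, the other three are rejected.
    foreach ($samples as $label => $post) {
        $mail = build_contact_mail($post);
        printf("%-8s -> %s\n", $label, $mail === null ? 'rejected' : 'accepted');
    }
} elseif (($_POST['op'] ?? '') === 'send') {
    // Real web request from the form (hidden field op=send).
    $mail = build_contact_mail($_POST);
    if ($mail === null) {
        http_response_code(400);
        echo '<p>Please check the name, email and message fields and try again.</p>';
    } elseif (mail($mail['to'], $mail['subject'], $mail['body'], implode("\r\n", $mail['headers']))) {
        echo '<p>Thank you, your message has been sent.</p>';
    } else {
        echo '<p>Sorry, the message could not be sent.</p>';
    }
}
```

Run it with `php contact.php` to see the four verdicts, then point the form's action at it. On the %-encoding question: PHP's mail() passes the header string to the MTA as given and does not URL-decode it, so "%0ABcc%3A" only becomes a real header if some other layer decodes it first; the validator above refuses it regardless, which is the safer position to take.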