Hi, I have a website with contact forms on them, pretty basic forms. I use Javascript validation for e-mail and phone and no blank name etc. Recently someone has been messing with my forms, meaning I get like 20+ submissions at the same time, so it must be some kinda bot or something. They look like this:

    sswyk@domainame.com
    Content-Type: multipart/mixed; boundary=\"===============0643992131==\"
    MIME-Version: 1.0
    Subject: 8ab51b10
    To: sswyk@domainame.com
    bcc: mhkoch321@aol.com
    From: sswyk@domainame.com
    This is a multi-part message in MIME format.
    --===============0643992131==
    Content-Type: text/plain; charset=\"us-ascii\"
    MIME-Version: 1.0
    Content-Transfer-Encoding: 7bit
    lxgs
    --===============0643992131==--
    other_than_domain sswyk@domainame.com
    Submit sswyk@domainame.com
    how sswyk@domainame.com
    lname sswyk@domainame.com
    phone sswyk@domainame.com
    qualify sswyk@domainame.com
    details sswyk@domainame.com
    fname sswyk@domainame.com
    Content-Type: multipart/mixed; boundary=\"===============0643992131==\"
    MIME-Version: 1.0
    Subject: 8ab51b10
    To: sswyk@domainame.com
    bcc: mhkoch321@aol.com
    From: sswyk@domainame.com
    This is a multi-part message in MIME format.
    --===============0643992131==
    Content-Type: text/plain; charset=\"us-ascii\"
    MIME-Version: 1.0
    Content-Transfer-Encoding: 7bit
    lxgs
    --===============0643992131==--
    email sswyk@domainame.com

But this is not what they are supposed to look like. Fields like qualify are from a select box, so there is no way the field should be an e-mail address. Has anyone ever had someone mess with their contact forms? Thanks Red.
If your form is a get then they could just submit a custom url quite easily and not even touch your form. It should be a post! Make sure your real email address isn't a hidden field on the form, it should be tucked away safely in your php script. Sarah
I am using POST in the form and the email address is added in the form process file. I have however found out that I am not the only one with this problem. I Yahoo'd and Googled this email which came in the form submission, "mhkoch321@aol.com", and came up with a few threads about it and a lot of guestbooks affected by this. Anyway, how are they doing this, and what does it mean? They could be using the registered globals vulnerability? Or just spammers. Thanks for your help. EDIT: just found this ... http://securephp.damonkohler.com/index.php/Email_Injection
I have also seen this kind of probing. My site does not allow users to specify the from or to email address, so hopefully these emails didn't get out. Here's what I received: (note the bcc: and IP of posting: 216.72.177.4)

    Url:
    Link_Url:
    Next:
    Content-Type: multipart/mixed; boundary=\"===============0626292099==\"
    MIME-Version: 1.0
    Subject: dba04fdb
    To:
    bcc:
    From:
    This is a multi-part message in MIME format.
    --===============0626292099==
    Content-Type: text/plain; charset=\"us-ascii\"
    MIME-Version: 1.0
    Content-Transfer-Encoding: 7bit
    ulgntwtle
    --===============0626292099==--
    B1:
    email:
    Subject:
    IP: 216.72.177.4
Here is how to fix it... looks like this will work. http://www.phpfreaks.com/forums/index.php?showtopic=66987&st=0&p=272101&#entry272101
You wouldn't believe how long I've been looking for the code on how to fix this, I think Google was thinking of banning me from its search page because of repetition of searches! Thanks a million. Ian
There's a mass probing script kiddie tool in the wild, I've heard a lot of similar "attacks" have been reported... Edited: Have a look at http://www.google.com/search?q=mhkoch321@aol.com
I have added some code to my website's contact form process scripts to attempt to strip out the headers. I hope these changes will make the spam e-mails harmless. I am still not totally convinced however that I have solved this problem. Red.
Ok .. how about this... I am still getting many contact form submissions from this spammer or whatever/whoever they are. What if before I send the emails I can check to see if the IP address of the person sending the form resolves with a reverse DNS lookup. I still do not have the IP of whatever is sending these forms, but I would think that it is spoofed anyways. SO.. if the IP does not have reverse DNS lookup, then either it is from a misconfigured server, or it is spoofed? As you can see I am getting desperate. Thanks for the help Red.
Red, The rob is being sent from infected machines, and also could be using a proxy so no good banning IP addresses. I've just finished putting my code together with a lot of help from about 5 other forums it's not tested 100% if you want you can see it is here: Note my last reply in removing the else from the else if statement which is where the error occurs. http://forums.digitalpoint.com/showthread.php?t=26583 Ian
Ah , yes thanks ... good point. I guess that there is no way to stop it from submitting 20 or so forms a day... :-( , besides taking down the forms.
Yes, if you implement the code on the page I linked to, it stops all / \ % : ; ' in whichever field you want, thus preventing the injection. It can also stop the code from running if it finds Content-Type or any other set of characters. Ian
Thanks, so just make the code die if it finds those characters in any of the fields. I am using phpMailer for a lot of my forms http://phpmailer.sourceforge.net/ ... I don't know if that has this kind of protection built into it, if not it would be a great addition to the project ...
http://www.anders.com/cms/75/Crack.Attempt/Spam.Relay That's a big thread on this too...recently I have a bot hitting one of my forms as well. I wonder about this...I prefer not to say what I really suspect is happening but I suggest if you are getting this type of probing to look well at your server for other activity. Please look in your tmp directories where PHP uses for temp uploading. Also consider adding image validation for your forms...this of course would kill any bot activity immediately.
Hi, Thanks for your post, that is some really useful information on this situation, looks like there are many others with this same problem. I have all my form fields checked for /r /n, and Content-Type bcc: cc: and all that; if it finds anything like that then the script dies. It seems to be working so far, as I have not received the 30+ emails I was getting when this whole thing started. Question for you ... What am I looking for in my tmp directories? Most of my forms do not have input type="file" but there are a couple that do. If you prefer not to say publicly in the forum perhaps you could PM me? Thanks Red.
Hi, loads of reports and info on this topic here too: http://www.anders.com/cms/75 I have a working form that seems to have culled it now using stripslashes in PHP. Drop me a line if you want the code for a basic contact form. Mike
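The check discussed in the posts above (refuse the submission when a header-bound field contains a line break, and refuse a select-box value that is not one of its options), as an added example that is not code from any poster or from the linked threads. The `qualify` option list, the recipient address and the sample values are assumptions constructed for illustration.

```php
<?php
// Added example, not code from the thread. Field names follow the quoted
// submission; the select options and recipient address are assumptions.
const QUALIFY_OPTIONS = ['yes', 'no', 'unsure'];  // assumed <select> values
const RECIPIENT = 'owner@example.com';            // fixed server-side, never a form field

// True when a value could start a new header line (or is not a plain string).
function has_line_break($value): bool
{
    return !is_string($value) || preg_match('/[\r\n]/', $value) === 1;
}

// Returns a list of problems; an empty list means the submission may be mailed.
function validate_contact(array $post): array
{
    $errors = [];
    foreach (['fname', 'lname', 'email', 'phone', 'qualify'] as $field) {
        if (has_line_break($post[$field] ?? '')) {
            $errors[] = "$field: line break not allowed";
        }
    }
    if (filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email: not a valid address';
    }
    if (!in_array($post['qualify'] ?? '', QUALIFY_OPTIONS, true)) {
        $errors[] = 'qualify: not one of the select options';
    }
    return $errors;
}

// Constructed sample modeled on the probe quoted in the thread.
$probe = [
    'fname'   => "sswyk@example.com\nContent-Type: multipart/mixed\nbcc: third-party@example.com",
    'lname'   => 'sswyk@example.com',
    'email'   => 'sswyk@example.com',
    'phone'   => 'sswyk@example.com',
    'qualify' => 'sswyk@example.com',
    'details' => 'lxgs',
];

$errors = validate_contact($probe);
if ($errors) {
    echo implode("\n", $errors), "\n";   // rejected: mail() is never reached
} else {
    // Visitor input appears only in Reply-To (validated above) and in the body.
    $headers = 'From: ' . RECIPIENT . "\r\nReply-To: " . $probe['email'];
    $body = "Name: {$probe['fname']} {$probe['lname']}\n\n{$probe['details']}";
    mail(RECIPIENT, 'Contact form', $body, $headers);
}
```

The free-text `details` field is deliberately not checked for line breaks, because it is only ever placed in the message body and never in a header.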
Yup, I've had the same problem on a couple of different forms. The tips here have worked so far. I'm also curious about the possible tmp directory problems with file upload forms. I haven't had any problems with those forms yet (at least that I know about) and hopefully won't. Chris
It's not too difficult. Look into different PHP captcha implementations, for instance: http://www.captchas.net/sample/php/ Captchas can be defeated, but probably not by the run of the mill script kiddie. Incidentally, is there a way just in general to reject a form submission like this that doesn't come from an actual form submission on your site? I.e. someone codes a bot to submit to a form, and it rejects it, while it accepts the form input if it comes from the actual page on your site?