Form abuse on website

Discussion in 'PHP' started by rederick, Aug 28, 2005.

  1. #1
    Hi, I have a website with contact forms on them, pretty basic forms. I use Javascript validation for e-mail and phone and no blank name etc. Recently someone has been messing with my forms.. meaning I get like 20+ submissions at the same time, so it must be some kinda bot or something. They look like this:

    sswyk@domainame.com
    Content-Type: multipart/mixed; boundary=\"===============0643992131==\"
    MIME-Version: 1.0
    Subject: 8ab51b10
    To: sswyk@domainame.com
    bcc: mhkoch321@aol.com
    From: sswyk@domainame.com
    
    This is a multi-part message in MIME format.
    
    --===============0643992131==
    Content-Type: text/plain; charset=\"us-ascii\"
    MIME-Version: 1.0
    Content-Transfer-Encoding: 7bit
    
    lxgs
    --===============0643992131==--
    other_than_domain
    sswyk@domainame.com
    
    Submit
    sswyk@domainame.com
    
    how
    sswyk@domainame.com
    
    lname
    sswyk@domainame.com
    
    phone
    sswyk@domainame.com
    
    qualify
    sswyk@domainame.com
    
    details
    sswyk@domainame.com
    
    fname
    sswyk@domainame.com
    Content-Type: multipart/mixed; boundary=\"===============0643992131==\"
    MIME-Version: 1.0
    Subject: 8ab51b10
    To: sswyk@domainame.com
    bcc: mhkoch321@aol.com
    From: sswyk@domainame.com
    
    This is a multi-part message in MIME format.
    
    --===============0643992131==
    Content-Type: text/plain; charset=\"us-ascii\"
    MIME-Version: 1.0
    Content-Transfer-Encoding: 7bit
    
    lxgs
    --===============0643992131==--
    
    
    email
    sswyk@domainame.com
    
    Code (markup):
    But this is not what they are supposed to look like .. fields like qualify are from a select box .. so there is no way the field should be an e-mail address. Has anyone ever had someone mess with their contact forms?

    Thanks
    Red.
     
    rederick, Aug 28, 2005 IP
  2. sarahk

    sarahk iTamer Staff

    #2
    If your form is a get then they could just submit a custom url quite easily and not even touch your form. It should be a post!

    Make sure your real email address isn't a hidden field on the form, it should be tucked away safely in your php script.

    Sarah
     
    sarahk, Aug 28, 2005 IP
  3. rederick

    rederick Peon

    #3
    I am using POST in the form and the email address is added in the form process file.

    I have however found out that I am not the only one with this problem. I yahoo'd and googled this email which came in the form submission, "mhkoch321@aol.com", and came up with a few threads about it and a lot of guestbooks affected by this. Anyways, how are they doing this, and what does it mean? They could be using the registered globals vulnerability? Or just spammers. Thanks for your help :)

    EDIT: just found this ... http://securephp.damonkohler.com/index.php/Email_Injection
     
    rederick, Aug 28, 2005 IP
  4. dsr771

    dsr771 Peon

    #4
    I have also seen this kind of probing. My site does not allow users to specify the from or to email address, so hopefully these emails didn't get out.

    Here's what I received (note the bcc: and IP of posting: 216.72.177.4):

    Url:
    Link_Url:
    Next:
    Content-Type: multipart/mixed; boundary=\"===============0626292099==\"
    MIME-Version: 1.0
    Subject: dba04fdb
    To:
    bcc:
    From:

    This is a multi-part message in MIME format.

    --===============0626292099==
    Content-Type: text/plain; charset=\"us-ascii\"
    MIME-Version: 1.0
    Content-Transfer-Encoding: 7bit

    ulgntwtle
    --===============0626292099==--

    B1:
    email:
    Subject:

    IP: 216.72.177.4
     
    dsr771, Aug 28, 2005 IP
  5. rederick

    rederick Peon

    #5
    Here is how to fix it... looks like this will work.

    http://www.phpfreaks.com/forums/index.php?showtopic=66987&st=0&p=272101&#entry272101
     
    rederick, Aug 28, 2005 IP
  6. ian_ok

    ian_ok Peon

    #6
    ian_ok, Aug 29, 2005 IP
  7. Gmorkster

    Gmorkster Peon

    #7
    Gmorkster, Aug 29, 2005 IP
  8. rederick

    rederick Peon

    #8
    I have added some code to my website's contact form process scripts to attempt to strip out the headers. I hope these changes will make the spam e-mails harmless. I am still not totally convinced however that I have solved this problem.

    Red.
     
    rederick, Aug 29, 2005 IP
  9. rederick

    rederick Peon

    #9
    Ok .. how about this... I am still getting many contact form submissions from this spammer or whatever/whoever they are. What if before I send the emails I can check to see if the IP address of the person sending the form resolves with a reverse DNS lookup? I still do not have the IP of whatever is sending these forms, but I would think that it is spoofed anyways. SO.. if the IP does not have reverse DNS lookup, then either it is from a misconfigured server, or it is spoofed?
    As you can see I am getting desperate. ;)

    Thanks for the help :)

    Red.
     
    rederick, Aug 30, 2005 IP
  10. ian_ok

    ian_ok Peon

    #10
    Red, The rob is being sent from infected machines, and also could be using a proxy so no good banning IP addresses.

    I've just finished putting my code together with a lot of help from about 5 other forums. It's not tested 100%; if you want, you can see it here. Note my last reply in removing the else from the else if statement, which is where the error occurs.

    http://forums.digitalpoint.com/showthread.php?t=26583

    Ian
     
    ian_ok, Aug 30, 2005 IP
  11. rederick

    rederick Peon

    #11
    Ah , yes thanks ... good point. I guess that there is no way to stop it from submitting 20 or so forms a day... :-( , besides taking down the forms.
     
    rederick, Aug 31, 2005 IP
  12. ian_ok

    ian_ok Peon

    #12
    Yes, if you implement the code on the page I linked to, it stops all / \ % : ; ' in whichever field you want, thus preventing the injection. It can also stop the code from running if it finds Content-Type or any other set of characters.

    Ian
     
    ian_ok, Sep 1, 2005 IP
  13. rederick

    rederick Peon

    #13
    Thanks, so just make the code die if it finds those characters in any of the fields. I am using phpMailer for a lot of my forms http://phpmailer.sourceforge.net/ ... I don't know if that has this kind of protection built into it, if not it would be a great addition to the project ...
     
    rederick, Sep 1, 2005 IP
  14. RectangleMan

    RectangleMan Notable Member

    #14
    http://www.anders.com/cms/75/Crack.Attempt/Spam.Relay

    That's a big thread on this too...recently I have a bot hitting one of my forms as well. I wonder about this...I prefer not to say what I really suspect is happening but I suggest if you are getting this type of probing to look well at your server for other activity. Please look in your tmp directories which PHP uses for temp uploading.

    Also consider adding image validation for your forms...this of course would kill any bot activity immediately.
     
    RectangleMan, Sep 7, 2005 IP
  15. rederick

    rederick Peon

    #15
    Hi, thanks for your post, that is some really useful information on this situation. Looks like there are many others with this same problem. I have all my form fields checked for /r /n, and Content-Type, bcc:, cc: and all that; if it finds anything like that then the script dies. It seems to be working so far, as I have not received the 30+ emails I was getting when this whole thing started.
    Question for you ... What am I looking for in my tmp directories? Most of my forms do not have input type="file" but there are a couple that do. If you prefer not to say publicly in the forum perhaps you could PM me?
    Thanks
    Red.
     
    rederick, Sep 8, 2005 IP
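
The checks described in posts #12 and #15, written out as an added example (not code from the thread or from the pages it links to). Field names follow the submission quoted in post #1; the recipient address and the allowed `qualify` values are assumptions.

```php
<?php
// Added example, not code from the thread. RECIPIENT and QUALIFY_OPTIONS are assumptions.
const RECIPIENT = 'owner@example.com';           // fixed server-side, never taken from the form
const QUALIFY_OPTIONS = ['yes', 'no', 'unsure']; // hypothetical <select> values

// True if a value bound for a mail header carries a line break, raw or still URL-encoded.
function has_header_injection(string $value): bool
{
    return preg_match('/[\r\n]|%0[ad]/i', $value) === 1;
}

// Returns rejection reasons; an empty array means the submission may be mailed.
function validate_submission(array $post): array
{
    $errors = [];
    // Single-line fields: none of these may contain a line break.
    foreach (['fname', 'lname', 'email', 'phone'] as $field) {
        $value = $post[$field] ?? '';
        if (!is_string($value) || has_header_injection($value)) {
            $errors[] = "$field: line break or non-string value";
        }
    }
    if (filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email: not a valid address';
    }
    // A select box can only legitimately send one of its own options.
    if (!in_array($post['qualify'] ?? '', QUALIFY_OPTIONS, true)) {
        $errors[] = 'qualify: not one of the select options';
    }
    return $errors;
}

// Constructed sample shaped like the submission in post #1 (bcc address is a placeholder).
$probe = [
    'fname'   => 'x',
    'lname'   => 'y',
    'phone'   => '555-0100',
    'qualify' => 'sswyk@domainame.com',
    'email'   => "sswyk@domainame.com\r\nContent-Type: multipart/mixed\r\nbcc: someone@example.com",
    'details' => 'lxgs', // message body: never placed in a header, so not checked here
];

$errors = validate_submission($probe);
if ($errors === []) {
    // Visitor's address goes only into Reply-To; To and From stay fixed.
    $headers = 'From: ' . RECIPIENT . "\r\nReply-To: " . $probe['email'];
    mail(RECIPIENT, 'Contact form', $probe['details'], $headers);
} else {
    error_log('contact form rejected: ' . implode('; ', $errors));
}
```

Rejecting the whole submission, rather than stripping the offending characters and mailing the rest, also stops the 20-at-a-time probe mails from reaching the inbox.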
  16. mikenco

    mikenco Guest

    #16
    Hi

    Loads of reports and info on this topic here too:
    http://www.anders.com/cms/75
    I have a working form that seems to have culled it now using stripslashes in PHP. Drop me a line if you want the code for a basic contact form.

    Mike:cool:
     
    mikenco, Sep 12, 2005 IP
  17. sharpweb

    sharpweb Guest

    #17
    Yup, I've had the same problem on a couple of different forms. The tips here have worked so far. I'm also curious about the possible tmp directory problems with file upload forms. I haven't had any problems with those forms yet (at least that I know about) and hopefully won't.

    Chris
     
    sharpweb, Sep 13, 2005 IP
  18. rederick

    rederick Peon

    #18
    I like this Idea ... I wonder how hard something like that would be to implement?
     
    rederick, Sep 13, 2005 IP
  19. trevize

    trevize Active Member

    #19
    It's not too difficult. Look into different php captcha implementations, for instance: http://www.captchas.net/sample/php/

    Captchas can be defeated, but probably not by the run of the mill script kiddie.

    Incidentally, is there a way just in general to reject a form submission like this that doesn't come from an actual form submission on your site? I.e. someone codes a bot to submit to a form, and it rejects it, while it accepts the form input if it comes from the actual page on your site?
     
    trevize, Sep 14, 2005 IP
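
One common answer to the question in post #19 is a per-session, single-use form token, shown here as an added example that is not part of the thread. The function names, the `form_token` field name and the 30-minute lifetime are assumptions.

```php
<?php
// Added example, not code from the thread. Names and the lifetime are assumptions.
if (session_status() === PHP_SESSION_NONE) {
    session_start();
}

const TOKEN_TTL = 1800; // seconds a rendered form stays valid

// Call while rendering the form; emit the result in a hidden field named "form_token".
function issue_form_token(): string
{
    $token = bin2hex(random_bytes(32));
    $_SESSION['form_token'] = ['value' => $token, 'issued' => time()];
    return $token;
}

// Call at the top of the processing script, before any mail is built.
function consume_form_token(array $post): bool
{
    $stored = $_SESSION['form_token'] ?? null;
    unset($_SESSION['form_token']); // single use: a replayed POST fails
    $sent = $post['form_token'] ?? '';
    if (!is_array($stored) || !is_string($sent)) {
        return false;               // form was never rendered for this session
    }
    if (time() - $stored['issued'] > TOKEN_TTL) {
        return false;               // form was rendered too long ago
    }
    return hash_equals($stored['value'], $sent); // constant-time comparison
}

// Demonstration with constructed POST arrays: genuine submit, replay, blind POST.
$token = issue_form_token();
var_dump(consume_form_token(['form_token' => $token]));
var_dump(consume_form_token(['form_token' => $token]));
var_dump(consume_form_token([]));
```

This only rejects POSTs sent without first loading the form in the same session; a bot that fetches the page and keeps its cookie still passes, so the header checks on each field remain necessary.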
  20. r4c

    r4c Peon

    #20
    Hi, I got email but I've also got his AOL userid. Is this going to be them and is it worth reporting?
     
    r4c, Sep 14, 2005 IP