
Thread: Sending Spam with Contact Form

  1. #1

    Sending Spam with Contact Form

    If I get a note from my website saying that my feedback form did all this (below), what should I do? How do I secure my feedback form? Seems like people like to hack websites and screw you over. I've seen people make the user add two numbers to prevent getting spammed. But isn't that kind of lame - forcing your users to do menial tasks.

    it has come to our notice that a script you placed on your 1&1 web space
    (contract id: 9047769) is being abused for the delivery of spam
    The following script has therefore been disabled to prevent further abuse
    of our infrastructure:
    Please also allow us to refer you to our T&C: section 7.14
    Thank you for your understanding. Please secure your scripts against
    unauthorized usage from third parties.
    1&1 Internet Inc.
    Abuse Department

  2. #2

  3. #3
    PHP Code:
    // main code for register.php
    function secCode()
    {
        // import constant variables
        $to = "";
        $name = $_POST['name'];
        $email = $_POST['email'];
        $subject = $_POST['subject'];
        $comment = $_POST['comment'];
        // ask for text: the form markup is echoed as one double-quoted string
        // (the bgcolor values did not survive in the archived post; the posted
        // values are echoed back into the form without escaping)
        echo "<form name=\"form1\" method=\"post\" action=\"index.php?sec=contact\">
              <table width=\"450\" border=\"0\" align=\"center\" cellpadding=\"5\" cellspacing=\"1\" class=\"tableA\">
                <tr bgcolor=\"
                  <td width=\"156\" valign=\"top\">Name</td>
                  <td width=\"279\"><input name=\"name\" type=\"text\" value=\"$name\" size=\"40\" maxlength=\"40\"></td>
                <tr bgcolor=\"
                  <td valign=\"top\">E-mail</td>
                  <td><input name=\"email\" type=\"text\" value=\"$email\" size=\"40\" maxlength=\"40\"></td>
                <tr bgcolor=\"
                  <td valign=\"top\">Subject</td>
                  <td><select name=\"subject\">
                    <option selected>Select...</option>
                    <option>Website Feedback</option>
                    <option>Business Inquiry</option>
                  </select>      </td>
                <tr bgcolor=\"
                  <td valign=\"top\">Message</td>
                  <td><textarea name=\"comment\" cols=\"38\" rows=\"10\" value=\"
                <tr bgcolor=\"
                  <td valign=\"top\">&nbsp;</td>
                  <td><input type=\"submit\" name=\"Submit\" value=\"Submit\">
                  <input type=\"reset\" name=\"Submit2\" value=\"Reset\"></td>";
        // send the message (the call that actually hands $message to mail() is not shown in the post)
        $message = "Name: " . $name . ". " . "Email: " . $email . ". " . "Comment: " . $comment;
        echo("<center>Message received.</center>");
    }

  4. #4

  5. #5
    I can't install the patch because I don't own the server. So I should detect "bcc:" and "cc:" in the subject and reject those?

  6. #6
    Wait, my code doesn't even allow the spammer to write their own subject. I have a drop down menu for choices. So how are they using my form to spam?

  7. #7

  8. #8
    God damn it. What am I supposed to do? Make them solve a randomized calculus problem before sending?

  9. #9
    just validate the data by making sure:
    - the submitted subject is in the list of potential subjects
    - the from email is an actual email address (use PEAR::Validate)

  10. #10
    How about I preg_match all variables with "@"? Then reject the sending if I find it.
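    A hardened version of the handler, added here as an example that is not code from the thread or from any poster: the function names (`hasHeaderBreak`, `validateContact`, `buildMail`), the constant `ALLOWED_SUBJECTS`, the sample addresses and the PHP 7 syntax are assumptions, and PHP's built-in `filter_var` stands in for the PEAR::Validate suggested in #9. It applies #9's two checks (subject must be one of the offered options, e-mail must be a real address) and, instead of the blanket "@" scan proposed in #10, which would reject every legitimate reply address, it rejects the one thing that lets a Bcc:/Cc: line in: a carriage return or line feed inside a field that mail() writes into a header.

```php
<?php
// Added example, not the thread's code. Names and addresses are assumptions.

// Subjects the <select> actually offers; anything else is rejected (#9).
const ALLOWED_SUBJECTS = ['Website Feedback', 'Business Inquiry'];

// mail() writes From:/Subject: headers verbatim, so a CR or LF inside a
// header-bound field ends that header and starts a new one. Rejecting the
// line break is the check that matters; "@" alone (#10) is not the problem.
function hasHeaderBreak(string $value): bool
{
    return preg_match('/[\r\n]/', $value) === 1;
}

// Returns a list of error strings; an empty list means the submission is
// safe to hand to mail().
function validateContact(array $post): array
{
    $errors  = [];
    $name    = trim($post['name'] ?? '');
    $email   = trim($post['email'] ?? '');
    $subject = $post['subject'] ?? '';
    $comment = $post['comment'] ?? '';

    if ($name === '' || $comment === '') {
        $errors[] = 'name and message are required';
    }
    // Fields that end up in headers must stay on one line.
    foreach (['name' => $name, 'email' => $email] as $field => $value) {
        if (hasHeaderBreak($value)) {
            $errors[] = "$field contains a line break (possible header injection)";
        }
    }
    // The subject must be one of the <option> values, never free text.
    if (!in_array($subject, ALLOWED_SUBJECTS, true)) {
        $errors[] = 'subject is not one of the offered choices';
    }
    // Built-in validator, used here in place of PEAR::Validate (#9).
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email is not a valid address';
    }
    return $errors;
}

// Builds the four mail() arguments only after validation passed. From: is a
// fixed address on our own domain; the visitor's address goes in Reply-To,
// so the message is never sent "as" the visitor.
function buildMail(array $post, string $to, string $fromAddress): array
{
    $errors = validateContact($post);
    if ($errors !== []) {
        throw new InvalidArgumentException(implode('; ', $errors));
    }
    $body = "Name: " . $post['name'] . "\nEmail: " . $post['email']
          . "\nComment: " . $post['comment'];
    $headers = "From: " . $fromAddress . "\r\nReply-To: " . $post['email'];
    return [$to, $post['subject'], $body, $headers];
}

// Constructed sample submissions: one legitimate, one carrying a Bcc: line
// smuggled in through the e-mail field (the abuse described in #5).
$good = ['name' => 'Jane', 'email' => 'jane@example.com',
         'subject' => 'Website Feedback', 'comment' => 'Nice site.'];
$bad  = ['name' => 'Jane', 'email' => "jane@example.com\r\nBcc: someone@example.net",
         'subject' => 'Website Feedback', 'comment' => 'Nice site.'];

print_r(validateContact($good));   // empty array: accepted
print_r(validateContact($bad));    // line-break and invalid-address errors: rejected

// In the real handler: [$to, $subj, $body, $hdrs] = buildMail($_POST, 'me@example.com', 'form@example.com');
// followed by mail($to, $subj, $body, $hdrs);
```

    Because validation runs before anything is built for mail(), a rejected submission never reaches the mail transport at all, which is the behaviour the host's abuse department was asking for; logging the rejected fields (without forwarding them) also gives you a record of how often the form is being probed.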

  11. #11

  12. #12

    You can use captcha

    Best Regards,

  13. #13
    Hmmm, that's really interesting Brian. I never knew how that worked.

    I've been trying to exploit my own site with that (using cURL), and I couldn't get it to like my data:

    curl -d "from_name=Jeff Wheeler& World&body=bcc:\nHello, body." -L
    (That fails, with HTTP 412.)

    Edit: I came really close with encoding the chars as HTML entities, and then sending them off in the subject, but Django cut everything after the newline.
    Last edited by Jeff Wheeler; January 13th, 2007 at 05:24 PM.

    K-Emmys-06: Best Footer; and K-Emmys-06: Most Active Member

Copyright 1999 - 2012