We help IT Professionals succeed at work.

Protect ASP Contact form from being hi-jacked by spammers

webdude
webdude asked
on
Medium Priority
264 Views
Last Modified: 2008-03-17
Well,

I posted this question a little while back here:
http://www.experts-exchange.com/Web/Web_Languages/ASP/Q_21779509.html

It seemed like it worked and I awarded the points but unfortunately it happened again.  Last night the same problem happened.

Is there ANY way to stop this from happening????

Thanks again,

-webdude
Comment
Watch Question

Commented:
Do you know for sure that it was successful, or was it just attempted?  Keep in mind that an attempt will still send an email to the script's default mail recipient with the attempted hijack displayed in the message subject and body.  Realistically, if the user input is filtered on the server side before the information is passed to the script, then it's not really possible for a spammer to hijack it.  If you're unsure about the implementation, post your whole script.

Author

Commented:
So how can I tell if its an attempt or a success?  I received 4 emails (which I think my host limits it to that), just like I receieved 4 last time too.  How can I tell if 4,000 emails were sent out or how many ever the scriot sends?

Commented:
If you see "BCC" and/or other email addresses in the message body, then the attempt was unsuccessful.  If the formatting looks correct in the email, then there's still something wrong.  

Author

Commented:
actually I deleted the emails and deleted them from the deleted items folder too in case anything contained a virus ;(

well, if it happens again I guess I will keep watch on that..

if interested, I just posted a different questions here:
http://www.experts-exchange.com/Web/Web_Languages/ASP/Q_21798543.html

Should be some fast easy points for you! ;)

Author

Commented:
Got 2 more spams this morning.  Here is a copy / paste of one esw.  (myserver.com was used in place of my real domain)

************************************************

Contact Name: manoover2972@myserver.com

Title: he
Content-Type: multipart/alternative;
boundary=a8b3310f5b0505eda2bff6c0f84734edMIME-Version:1.0
Subject: watch them they are true moralists. t isbcc:magnetic54@SexMagnet.com
 
This is a multi-part message in MIME format.--a8b3310f5b0505eda2bff6c0f84734edContent-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0Content-Transfer-Encoding:7bit
 
s etters were the subject of conversation, and now the conversation took the same direction. t was often renewed. tto was a very frequent guest--a8b3310f5b0505eda2bff6c0f84734ed--.Company: manoover2972@myserver.com

E-Mail: manoover2972@myserver.com

Phone: manoover2972@myserver.com

Contact By: manoover2972@myserver.com

Comments: manoover2972@myserver.com


************************************************

My form only asks for the 5 fields:

Contact Name:

E-Mail:

Phone:

Contact By:

Comments:


so the stuff in the middle is beyond me.  So since there is no BCC field, does that mean it is being sent out to multiple places using my domain?

Author

Commented:
Actually missed this line that has bcc in it.

Subject: watch them they are true moralists. t isbcc:magnetic54@SexMagnet.com

but its isbcc: not bcc:

that matter?
Commented:
Hi Webdude-

You're seeing the "BCC" in the subject line because their attempt to insert a line break there failed.  This was a test to see if they could send the form to themselves at the "magnetic54@SexMagnet.com" address, forcing the BCC into the header.  Typically you'll see someone test it a couple of times and then move on when it doesn't work.  As long as you're filtering your input to the mail script with that regex, nothing is going to get through.  

Not the solution you were looking for? Getting a personalized solution is easy.

Ask the Experts

Author

Commented:
ok, then you get more points from me ;)

thanks again for the confirmation.

Now all you havr to do is help me on this one:
http://www.experts-exchange.com/Web/Web_Languages/ASP/Q_21798543.html


;)
Access more of Experts Exchange with a free account
Thanks for using Experts Exchange.

Create a free account to continue.

Limited access with a free account allows you to:

  • View three pieces of content (articles, solutions, posts, and videos)
  • Ask the experts questions (counted toward content limit)
  • Customize your dashboard and profile

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

OR

Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.