• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 252

Stopping SPAM that comes through forms on a web page??

I installed a simple 'contact us' form on a client's site, using the host's auto-install of formmail.pl.  A visitor could fill out a few fields and hit submit and it would email the data to the client.  However, the client started getting SPAM via this form, so I disabled it, uninstalling formmail.pl to make sure.  Recently I needed to use a different form, however, so I reinstalled formmail.pl (again through the host's auto-install feature) and immediately the client started getting spam submissions again.  It looks like it's from a spider that searches for pages with forms, then fills them out with self-promotion and other garbage.

The strange thing is that these spam messages seem to still be coming from the previous Contact Us page, although I have tried to delete every page that might still have the form data on it.

My question is - is there any way to tell which page on a site is generating an email, just from the email itself, or from the site logs...?  If not, is there any way to search an entire directory for the culprit page?  Or does anyone else have any other advice on stopping the spam-through-forms problem??
Asked by: masterree
3 Solutions
Adam314 Commented:
To stop it on a new form:
One way would be to look for invalid type things in the form.  For example, if you have a phone number field, look for only digits, dashes, or parens.  If there are other types of characters, display a page saying that the form contains invalid data.
Another way would be to have an image with some text in it, and have the user type the text they see in the image.  If what they type is not correct, do not allow the form to be processed.

To find out where current spam is coming from:
You could look through the access logs.  Look for entries that access pages that could send mail.  Look for entries around the time that the e-mail was sent.  You might also want to change the e-mail that is sent so it says the page that the form is on.
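The two checks Adam314 describes, worked through as an added example that is not part of the original thread: a field validator that accepts only digits, dashes and parens (plus spaces), and a log scan that finds POSTs to the mail script around the time a spam mail arrived and reports the Referer, which is the page whose form was submitted. The log lines, the script path /cgi-bin/formmail.pl and the timestamps are constructed for the example.

```python
# Added example (not from the original thread). Assumes Apache combined log
# format and a constructed script path; the sample lines are made up.
import re
from datetime import datetime, timedelta

# Phone field: digits, dashes, parentheses and spaces only.
PHONE_RE = re.compile(r'^[0-9()\-\s]+$')

def phone_is_valid(value):
    """Return True if the field contains only characters a phone number needs."""
    return bool(PHONE_RE.match(value.strip()))

# Combined log format: client, ident, user, [date], "request", status, bytes,
# "referer", "user-agent"
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"$')
STAMP_FMT = '%d/%b/%Y:%H:%M:%S %z'

def submissions_near(log_lines, script_path, email_stamp, window_minutes=5):
    """Return (client, timestamp, referer, user_agent) for every POST to
    script_path within +/- window_minutes of email_stamp (log-format string).
    A referer of "-" means the POST did not come from a page on the site."""
    centre = datetime.strptime(email_stamp, STAMP_FMT)
    window = timedelta(minutes=window_minutes)
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # not a combined-format line
        client, stamp, method, path, _status, referer, agent = m.groups()
        if method != 'POST' or not path.startswith(script_path):
            continue
        if abs(datetime.strptime(stamp, STAMP_FMT) - centre) <= window:
            hits.append((client, stamp, referer, agent))
    return hits

# Constructed sample access log (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Mar/2008:10:01:07 -0500] "GET /contact.html HTTP/1.1" 200 1432 "-" "Mozilla/4.0"',
    '203.0.113.5 - - [12/Mar/2008:10:01:35 -0500] "POST /cgi-bin/formmail.pl HTTP/1.1" 200 512 "http://www.example.com/contact.html" "Mozilla/4.0"',
    '198.51.100.9 - - [12/Mar/2008:10:02:10 -0500] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 512 "-" "Mozilla/4.0"',
    '198.51.100.9 - - [12/Mar/2008:14:30:00 -0500] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 512 "-" "Mozilla/4.0"',
]

if __name__ == '__main__':
    for hit in submissions_near(SAMPLE_LOG, '/cgi-bin/formmail.pl', '12/Mar/2008:10:02:00 -0500'):
        print(hit)
```

A submission whose referer is "-" or an off-site URL was posted directly to the script rather than from one of the site's own pages, which is the case the thread goes on to discuss.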
mjcoyne Commented:
For the mail to get to your client, it has to be sent via your machine.  So, you need to institute standard spam handling procedures that will analyze the email before your machine forwards it to your client -- things like spamassassin, reverse DNS lookups, greylisting, etc.  The full litany of spam measures needs to be applied before you decide to send the mail out -- otherwise you're just an open relay.

Also, you could institute a requirement that the user input a series of random characters displayed as a graphic on the page, for example -- something to make sure that there's a real human at the other end.

As to the lost web page -- how do you know it's even on your machine?  If you put up a web page that has forms to be filled in and then a submit button to be clicked, I don't even have to visit your page to use it -- I can DL a copy to my machine and use it from there.  Heck, I don't even need the web page -- all I need to know is what variable names are needed and what order they're expected in and the address used to submit the data, and I can send an email that appears to have come from your page...
masterree (Author) Commented:
"how do you know it's even on your machine?  If you put up a web page that has forms to be filled in and then a submit button to be clicked, I don't even have to visit your page to use it -- I can DL a copy to my machine and use it from there.  Heck, I don't even need the web page -- all I need to know is what variable names are needed and what order they're expected in and the address used to submit the data, and I can send an email that appears to have come from your page..."

mjcoyne - are you sure about this?? I'm pretty sure there are safeguards in place on the servers where the site is hosted that won't allow this to happen.  But if so, how could I institute the random character graphic that you mention, to thwart the spam, since as you say I might not even have control of the form any more.  I don't have the expertise to modify the perl script, nor do I want to.
masterree (Author) Commented:
I stand corrected.  I just tested it from my local machine and sure enough it sent the info and worked fine.  If that's the case, then, that someone/something hijacked the form and sends it remotely... how about if I hide the perl script in a sub directory?  That way whatever form they hijacked would now be useless?   Then I would be starting fresh with a new form and I could institute a graphic random number checker or something to thwart the spam-bots...  Yes?  No?  Maybe?

I also need to figure out how to do a graphic validation for the form - can anyone point me in the right direction to learn how to do that?
mjcoyne Commented:
It's called a CAPTCHA system (Completely Automated Public Turing test to tell Computers and Humans Apart), developed by Carnegie Mellon University.  See http://www.captcha.net/ and http://en.wikipedia.org/wiki/Captcha for more info.

For Perl implementations, see:

http://captchas.net/sample/perl/
http://search.cpan.org/~unrtst/Authen-Captcha-1.023/Captcha.pm
http://search.cpan.org/~geoff/WebService-CaptchasDotNet-0.06/CaptchasDotNet.pm
http://search.cpan.org/dist/Captcha-reCAPTCHA/lib/Captcha/reCAPTCHA.pm
http://bumblebeeware.com/captcha/

amongst others (Google "Perl CAPTCHA").