Solved

Web Form Spam - WHAT TO DO?

Posted on 2014-04-19
8
333 Views
Last Modified: 2014-05-08
Hi all - I have several web clients that are getting Spam/Junk sent to them via the Web Form on their Website, several times a day. (See below for example).  They all are using the Email Reply script from MSA (Matts Script Archive). Does anyone  have a solution for this? I am thinking:
1. Use an Updated or more secure & recent web reply script?
2. Rename the html & the Script, just to slow them down a little?
2. Use CAPTCHA
3. ???
Any help is appreciated !
Thanks
- B
-------------------------------------
Name: rikky

Address_1: ldEtxTfhemVqY

Address_2: hLGsgvrBIEviBBCsc

City: New York

State: NY

Zipcode: 98143

Country: USA

Email: goodsam@gmail.com

Phone: 734

Fax: 630

Item_1: GZWlhmlzDn

Item_2: NzCnRKqamYViiyFb

Item_3: hwEoZpsTB

Net_price: 96

CA_sals_tax: siNzOqIuCdM

Total_invoice: 6

S1: Punk not dead <a href="
http://www.pinballvalencia.com/evento-futuro-6o-torneo-de...
a/ ">generic provera</a> body fluid contaminated with blood (saliva in
dental procedures), and, in emergency situations, <a href="
http://cursosinglesdublin.com/academia-ingles-dublin/ ">cefixime price</a>
Eligibility Clarification Code The Eligibility Clarification Code is used
to indicate:
<a href=" http://www.qzland.com/a/shichangfenxi/ ">where to buy
levothyroxine</a> spent participating in service learning activities.
<a href="
http://www.englishcoursesengland.net/courses-to-learn-eng...
">stromectol online</a> Check your software to make sure

Check: ON

Credit_Card_Type: Visa

Name_on_Card:

Expires: VoLIRVCNnYpLRg

B1: Submit
0
Comment
Question by:bleggee
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
  • 2
  • +1
8 Comments
 
LVL 83

Expert Comment

by:Dave Baldwin
ID: 40010907
I almost always delete 'formmail.pl' or any of it's relatives when I take on a new account.  It is one of the most frequently spammed and hacked scripts on the web.  There is an updated version called "nms FormMail" which is available from Matt's Script Archive http://www.scriptarchive.com/nms.html and http://nms-cgi.sourceforge.net/scripts.shtml.  I don't know of a version that can use a Captcha.

When I am writing the code, I create the original form in HTML and the response page in PHP where I can check and filter the submissions.  It is possible to do that with Perl but you would have to be a decent Perl programmer to do that or to modify 'formmail.pl' to do that.
0
 
LVL 1

Author Comment

by:bleggee
ID: 40010942
Hi Dave - Thx - I went straight to update the script with NMS ... and you know what? I thought you had nailed it for me ... but it turns out I AM using NMS Formmail. Just never knew.
Any other suggestions?
0
 
LVL 53

Expert Comment

by:Scott Fell, EE MVE
ID: 40010989
I would at least use the captcha.  I don't know perl very well, but you may need to start a new question to modify the script to accept a captcha or use php.  In either case, you can make sure to accept data only from the form, use the captcha.  Another thing I do is to capture the IP and use a webservice to get the location of the IP and send that to the site owner as that can help weed out spam in their inbox.   I have been using smart ip http://smart-ip.net/geoip-xml/xx.xxx.xxx.xxx but I notice the service has been down and need to find a new one.
0
Turn Insights Into Action

You’ve already invested in ITSM tools, chat applications, automation utilities, and more. Fortify these solutions with intelligent communications so you can drive business processes forward.

With xMatters, you'll never miss a beat.

 
LVL 83

Expert Comment

by:Dave Baldwin
ID: 40010999
Like I said, I never use Formmail, I write my own code.  Formmail accepts virtually any variables you send to it.  There is a line in the code that you can change to limit the referrers that post to it and that might help some.
0
 
LVL 27

Expert Comment

by:skullnobrains
ID: 40011055
instead of captcha, simple questions such as "root square of 9" in human language are quite efficient as well and much less annoying for the user.

also make sure the referral is on the original site, and corresponds actually to a page where there is a link to the mail stuff

one method is to use cookies : most automated tools don't handle them yet properly

same applies (more efficiently) to javascript. check that it is present and enabled.

one nice and easy way is to store the timestamp when the page was loaded. robots will submit the page instantaneously, humans will require at least 5 seconds to send an email.

more seriously, then there is a wide range of much more efficient methods

one of them is to generate a token in the link that points to the page (?token=12345) and check that one of the allowed tokens was used. you need quite a long validity duration for the token.

note that if you don't want to store and check the token, smartass methods based on the current timestamp work pretty well :

example generate a token that is the md5 encryption of "salt" concatenated with the timestamp corresponding to the current minute (timestamp - timestamp % 60)

on the remote side, you brute-force check that the token is allowed, if not, remove 60 to the current timestamp and try again. iterate let's say 30 times for a 30 minutes duration token

in would-be php code, try something like this

# salt
$salt="yadaa";

Open in new window


# generation
$tok=time();$tok=$tok-$tok%60;
$tok=md5($salt.$tok);

Open in new window


# check
$i=0;
$trashthemail=true;
$tok=time();$tok=$tok-$tok%60;
while($i<30)
  if($RECEIVED_TOKEN===md5($salt.$tok)){$trashthemail=false;break;}
  else {$tok=$tok-60;$i++;}

Open in new window

0
 
LVL 1

Author Comment

by:bleggee
ID: 40013866
Dave - do you happen to have one of your PHP scripts that I can use, even as a starting point?  I can modify an existing PHP script, but writing one from scratch for me would take me most of 2014 ...
0
 
LVL 53

Expert Comment

by:Scott Fell, EE MVE
ID: 40013890
0
 
LVL 83

Accepted Solution

by:
Dave Baldwin earned 500 total points
ID: 40014145
This is the stock PHP email demo that I have posted here many times.  Save it as 'Email.php' because it posts to itself.  Put your email in after '$toText' so it will email to you for testing.
<?php
error_reporting(E_ALL);
ini_set('display_errors','1');

# some settings of POST vars
if (!isset($_POST['submit']))  $submit = ''; else $submit = $_POST['submit'];
if (!isset($_POST['subjectText'])) $subjectText = ''; else $subjectText = $_POST['subjectText'];
if (!isset($_POST['msgText'])) $msgText = ''; else $msgText = $_POST['msgText'];
if (!isset($_POST['ccText'])) $ccText = ''; else $ccText = $_POST['ccText'];
if (!isset($_POST['bccText'])) $bccText = ''; else $bccText = $_POST['bccText'];
if (!isset($_POST['nameText'])) $nameText = ''; else $nameText = $_POST['nameText'];
if (!isset($_POST['fromText'])) $fromText = ''; else $fromText = $_POST['fromText'];

if ($submit == "") {
    $title="Test Email Page";
    $announce="---";
}
else {
	if($fromText === "") die("No name!");
  $toText="youremail@yourdomain.com";
	$title="Test Email Page";
  $announce="Your Message has been Sent!";
	$header = "From: ".$fromText."\r\n";
//	$header .= "Cc: ".$ccText."\n";
	$header .= "Reply-To : ".$fromText."\r\n";
	$header .= "Return-Path : ".$fromText."\r\n";
	$header .= "X-Mailer: PHP\r\n";
	$header .= "MIME-Version: 1.0\r\n";
	$header .= "Content-Type: text/plain; charset=iso-8859-1\r\n";
//	ini_set(sendmail_from,$fromText);  
	mail($toText, $subjectText, $msgText, $header, '-f'.$fromText);
//	ini_restore(sendmail_from);
}
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
 "http://www.w3.org/TR/html4/loose.dtd">

<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title><?php echo($title)?></title>
<style type="text/css">
<!-- 
A:link { color: #999999; }
A:visited { color: #999999; }
A:hover {color: #0099ff;}
-->
</style>
<script type="text/javascript">
<!--
function check()
{
var at=document.getElementById("fromText").value.indexOf("@");
var eml=document.getElementById("fromText").value;
var nam=document.getElementById("nameText").value;
var alerttxt="";
var submitOK="true";

if (eml.length < 5 || at == -1)
    {
    alerttxt=alerttxt+"Please enter a valid e-mail address!\r\n";
    submitOK="false"
    //return false;
    }
if (nam.length < 3)
    {
    alerttxt=alerttxt+"Please enter your name.\r\n";
    submitOK="false"
    //return false;
    }
if (submitOK=="false")
    {
    alert(alerttxt);
    return false;
    }

}
// -->
</script>
</head>

<body bgcolor="#ddeedd">
<div align="center">
<table border="0" cellpadding="0" cellspacing="0" summary="" width="580">
<tr><td align="center">

<?php
if ($submit != "") {
   	echo ("To: ".$toText."<br>\r\nSubject: ".$subjectText."<br>\r\n".$msgText."<br>\r\n".$header);
		}
?>

<p><b><font color="#000000" size="5">Test Email</font></b></p>
<font size="4" color="#000000">

<form method="POST" action="Email.php" onsubmit="return check();">
    <p><font size="3"><b>Name: <input type="text" name="nameText" id="nameText" size="46"></b></font></p>
    <p><font size="3"><b>Email: <input type="text" name="fromText" id="fromText" size="46"></b></font></p>
    <input type="hidden" name="subjectText" value="Web Mail">
    <p><font face="Arial" size="3"><b>Message Text:</b></font></p>
    <p><font face="Arial" size="3"><b><textarea rows="6" name="msgText" cols="60"></textarea></b></font></p>
    <p><font size="3"><b><input type="submit" value="submit" name="submit" style="font-family: Arial; font-size: 12pt; font-weight: bold"></b></font></p>
    <input type="hidden" name="state" value="1">
  </form>
  <b><font face="Arial" size="4" color="#e00000"><?php echo($announce)?></font></b><br><br>

</font>
</td></tr>
</table> 
</div>

</body>
</html>

Open in new window

0

Featured Post

Secure Your WordPress Site: 5 Essential Approaches

WordPress is the web's most popular CMS, but its dominance also makes it a target for attackers. Our eBook will show you how to:

Prevent costly exploits of core and plugin vulnerabilities
Repel automated attacks
Lock down your dashboard, secure your code, and protect your users

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article demonstrates how to create a simple responsive confirmation dialog with Ok and Cancel buttons using HTML, CSS, jQuery and Promises
Today, the web development industry is booming, and many people consider it to be their vocation. The question you may be asking yourself is – how do I become a web developer?
The viewer will receive an overview of the basics of CSS showing inline styles. In the head tags set up your style tags: (CODE) Reference the nav tag and set your properties.: (CODE) Set the reference for the UL element and styles for it to ensu…
Wufoo.com provides powerful tools for surveying targeted groups, and utilizing data from completed surveys to find trends, discover areas of demand or customer expectation, and make business decisions on products or services.

691 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question