Getting bombed here...

zoobie

Hard to believe anyone would make a page and post it to my php mailer on a non-profit site...yet that's what's happening. I'm getting 30 empty emails a day since they can also send bcc's.

Anyone have a snip laying around that prevents this?

It's been a year plus and all I can remember is some sort of referrer or something mispelled [HTTP_REFERER]...

I also recall it was unreliable and hope that by now, newer versions of php have more stability.

Maybe something newer?

Thanks for any help.

drew010

the referer can be spoofed easily, or omitted thats why its unreliable.
try to secure the form so they can't send email to anyone they choose if thats the problem.

zoobie

I just made a basic form and mimicked how they're spamming me by posting it to my mailer script.

Looks like the current method may be the enter the numbers/letters thing from an image but I really don't want that.

Is there another way?

Thanks

drew010

is the form a contact form to send you messages from your site or is it all purpose where they enter the recipient?

zoobie

They send me messages from my site. I wrote it myself a few years ago. I'm now thinking of:
Setting a session on my form's contact.php page.
Not changing the form's action=inc/mailer.php but rather changing it's script to register the session for 10 seconds and send to confirm.php.
confirm.php checks to make sure there's a session going, mails me the message, and returns the sender to a thank you page.
If a session is not going, the message isn't sent but the thank you page is still shown convincing the lame spammer his email was indeed sent.

This way, the spammer will spend untold of hours thinking he's sending me spam when I won't get anything not legit.

It's not perfect but it's getting there. But what happens when he posts to inc/mailer.php? I hope the session isn't set. I've forgotten a lot in a year or two.

Anyone with any more ideas?

Thanks

drew010

well, the spammer most likely wont keep track of the session cookie so that wont do any good. if they are sending you messages, you should hardcode their email in, then why would they want to spam you with it? unless its a person that you know and is just trying to spite you.

zoobie

oic.

Well, your guess is as good as mine as to why someone would spam a non-profit site that promotes artistic performances. It costs me $10 a month just to keep it up.

They are posting their own form to my mailer.php script. I could validate it but I see where they have filled in all fields so that won't work, either.

drew010

id recommend creating a database table with one field to store their ip, and the other to hold the timestamp of when the last ip sent a message. on each send, query the db for that ip and then compare timestamps, see if they sent the form less than like 60 or 90 seconds ago, and if so just give an error and then exit, so no more code is executed.

zoobie

I don't know much about db's...

Maybe a simpler method would be to slip in a hidden form field when little spammy has passed out from drinking his case of beer...and always show the thank you page.

Something tells me east coast so 2:30a.m. mountain should work...

Scarey to think you have to outcode and outsmart them.

Still, with all you can do with php, you'd think there was a better way.

Thanks

zoobie

An end note...

Woke up this morning...got an email...thought "oh no..."...turned out to be legit. I can't recall belly laughing this early in the morning. Sweet...

Sad to think some people's internet life consists of sending spam all day...As least this method will keep the poor fool at bay until I think of something else.

AbusiveWombat

zoobie wrote:
I don't know much about db's...

Maybe a simpler method would be to slip in a hidden form field when little spammy has passed out from drinking his case of beer...and always show the thank you page.

Something tells me east coast so 2:30a.m. mountain should work...

Scarey to think you have to outcode and outsmart them.

Still, with all you can do with php, you'd think there was a better way.

Thanks

I think the hidden form field is too easy for the spammer to fix on his page. He may not fix it on the first day but he may figure it out within a month or two. He may also be aliasing the html on your form page to his page. In that case, he won't miss a beat.

I like the idea of setting a session variable on your form page, and checking for it in your email script.

zoobie

Yes...I'm glad you brought that up.

Could someone clarify why the session method won't work? I've used them before and can't think why it wouldn't.

Thanks

PS - He's always getting the thank you page so there's no reason to check the form. I also read where spammers usually last 6 months or so until even they get tired of their lameness.

zoobie

Turns out this is spreading like a bad rash across internet forums. People are going ga ga writing huge scripts. This is going to be HUGE seeing as most forms are not secure. We didn't know there was gaping hole using the email's header injection method. Here, our sites can be shut down because the spamming is coming from our site. When the copycats get a hold of this, it will be a worldwide emergency.

I just read 20 pages of this at webmasterworld
&
http://www.anders.com/cms/75

Isn't the internet fun? Ugh...

AbusiveWombat

zoobie wrote:
Turns out this is spreading like a bad rash across internet forums. People are going ga ga writing huge scripts. This is going to be HUGE seeing as most forms are not secure. We didn't know there was gaping hole using the email's header injection method. Here, our sites can be shut down because the spamming is coming from our site. When the copycats get a hold of this, it will be a worldwide emergency.

I just read 20 pages of this at webmasterworld
&
http://www.anders.com/cms/75

Isn't the internet fun? Ugh...

Thanks for the heads up.