Problems with spamming through PHP contact forms and POST data

brianbehrens

I get a lot of spam emails through PHP contact forms that I post on sites.

It seems like all my accounts with 1and1 particuallarly get a lot of spam through contact forms.

Does anyone know any way to stop it. Is there something in like a php.ini file I can set or some type of validation that can be added to the form?

It's driving me nuts. And it happens a lot on clients sites as well, but all ones that are hosted by 1and1.

1and1 tells me there's no real solution. I think that's bullshit.

This is virtually the php that I use to do so:

<?php
if(($POST[name]) || ($POST[email]) || ($POST[inquiryText])){
$name = $POST[name];
$email = $POST[email];
$subject = "Website Contact Form";
$comments= $POST[inquiryText];

                    $message ="$name has contacted you.\r\nEmail: $email\r\n\n$comments";

                    $name=trim($name);
                    $email=trim($email);

                    $toaddress='blah@blah.net';

                    mail($toaddress,$subject,$message,"From: $email");

                    echo "<span class='descriptionDetails'>$name, your contact has been sent.</span>";
        }else{
                    echo '<span class="descriptionDetails">Please complete and submit the form below.</span>';
        }

?>
<form name="contact" id="contact" method="post" action="contact.php" onSubmit="return confirmSubmit();" onReset="return confirmReset();">
<p> Name:<br />
<input name="name" type="text" id="name" size="25" maxlength="75" />
<br />
<br />
E-mail:<br />
<input name="email" type="text" id="email" size="25" maxlength="75" />
</p>
<p>Enter Your Comments / Questions:<br />
<textarea name="inquiryText" cols="30" rows="8" id="inquiryTextNEW13579"></textarea>
</p>
<p>
<input type="submit" name="Submit" value="Send Contact" />  <input type="reset" name="reset" value="Reset Contact" />
</p>
</form>

I was thinking there may be a way to see if the post data is coming from my domain?

bretticus

yeah, it's very easy to inject headers into those forms. I've had issues with this for all my company client's legacy contact forms. Here's how I stop it

function safeHeaderFilter($string)
	{
                $badStrings = array("Content-Type:",
	         "MIME-Version:",
	         "Content-Transfer-Encoding:",
	         "bcc:",
	         "cc:");
		foreach (badStrings as $badstring) {
			if ( strpos($string, $badstring) !== false ) {
				notifyAdmin("Header injection attempt!", "Header injection attempt: found <<$badstring>> in <<$string>>.");
				exit("Header injection attempt!");
			}
		}
		return $string;
	}

of course notifyAdmin() is just a wrapper for mail() that doesn't allow outside header injection and notifies me so I can take necessary action.

In your example just do:

mail($toaddress,$subject,$message,"From: " . safeHeaderFilter($email));

MarkR

Simply make absolutely sure there is no way for the (ab)user to specify "From", "to", "Subject" or any other header.

As a double check, also check that none of those contains newlines or any other control character.

I always use a common mail wrapper function which performs these checks and does some other useful things (e.g. in development mode sends mails to a fixed address regardless of who they were originally destined for)

Mark

bretticus

MarkR wrote:
I always use a common mail wrapper function which performs these checks and does some other useful things.
Mark

As do I, it's a mail class that emulates basic features of phpmailer (It did not appear to have header-injection protection at the time) The main purpose for me though was to catch header injection attempts. In fact, I run "to", "subject", "body"...everything through the filter function/method. However, it's that forth optional parameter that is for "additional headers." Have you caught people injecting headers through one of the first three parameters? It dawned on me I've never tested it that way.

NogDog

If the problem is not email form hijacking (sending emails elsewhere via your form) but rather "spamming" in the sense of getting multiple unwanted emails from robots, then you probably need to add a "captcha" feature to your form (such as the "anit-spam" part of my Contact Me form). Searching on "captcha" should lead to many posts here, as well as articles on the web in general.

bretticus

NogDog wrote:
If the problem is not email form hijacking (sending emails elsewhere via your form) but rather "spamming" in the sense of getting multiple unwanted emails from robots, then you probably need to add a "captcha" feature to your form (such as the "anit-spam" part of my Contact Me form). Searching on "captcha" should lead to many posts here, as well as articles on the web in general.

good point, upon re-read, it appears he's just having his contact forms spammed. Since the CAPTCHA image method can be a little tricky to implement sometimes, I noticed in Drupal that you can just require a simple random math question like, "What is 5+2." So far, it's kept all the spam away.

NogDog

bretticus wrote:
... I noticed in Drupal that you can just require a simple random math question like, "What is 5+2." So far, it's kept all the spam away.

But that's not as fun as playing around with PHP's image functions. 🙂 However, it's probably more accessible since it will work on non-graphical browsers -- though of course the math-impaired might have a problem. 😉

bretticus

though of course the math-impaired might have a problem.

Right, it's a well known fact that most spammers are stoopid 😃

dotty

I don't really understand your code bretticus. :bemused: Can you explain what it is actually doing? Does it replace the former code for sending the form info or is it added to the code like this:


//anti-spam code 		

		function safeHeaderFilter($string) 
{ 
            $badStrings = array("Content-Type:", 
         "MIME-Version:", 
         "Content-Transfer-Encoding:", 
         "bcc:", 
         "cc:"); 
    foreach (badStrings as $badstring) { 
        if ( strpos($string, $badstring) !== false ) { 
            mail($toaddress,$subject,$body,"From: " . safeHeaderFilter($email)); 
            exit("Header injection attempt!"); 
        } 
    } 
    return $string; 
} 

//end anti-spam code
           //my original code

$header="MIME-Version: 1.0\r\n";
    		$header.="Content-type: text/html; charset=iso-8859-1\r\n";
			$header.="From: $email\nX-Mailer: PHP/" . phpversion()."\r\n";

if(mail("$toaddress,$subject,$body,$header))
			$message="Thank you ".$name." -  your enquiry has been sent.";
			header("Location: enquirysent.php?msg=".$message); 
	}

   //end my original code

Thank you,

cahva

Just run your $POST variables through that function:

$name = safeHeaderFilter($_POST[name]);
$email = safeHeaderFilter($_POST[email]);
$subject = "Website Contact Form";
$comments= safeHeaderFilter($_POST[inquiryText]);

bretticus

dotty wrote:
I don't really understand your code bretticus. :bemused: Can you explain what it is actually doing? Does it replace the former code for sending the form info...

Sure, I realize this function is a little confusing since if it finds foul play, it doesn't return anything. It could just as easily return a boolean and be called from an if statement. However, I either wanted to write less code or I may have had plans to just strip the bad stuff out in case I had a false positive. The explanations are intertwined with the code below:

<?php
function safeHeaderFilter($string)
{
    /*** Create an array of strings that pretty much always entail spamming attempts
     * when coming via remote user ***/
	$badStrings = array("Content-Type:",
         "MIME-Version:",
         "Content-Transfer-Encoding:",
         "bcc:",
         "cc:");
    /*** Loop though each "bad string", looking for it in the string parameter ***/
    foreach ($badStrings as $badstring) {
    	/*** This next statement does the looking ***/
        if ( strpos($string, $badstring) !== false ) {
        	/*** The suspect string or "bad string" was found, let's do somehting about it. 
        	 * First, we notify the admin so they can know somebody is trying to abuse 
        	 * our form for sending spam. ***/
            notifyAdmin("Header injection attempt!", "Header injection attempt: found <<$badstring>> in <<$string>>.");
            /*** Just exit from the script. No need to waste more resources on the spammer. ***/
            exit("Header injection attempt!");
        }
    }
    /*** Since we didn't exit, string must be okay, just send it back ***/
    return $string;
} 
?>