Web Form Request has been spammed

swatisonee

This is the 1st time this has happened. A whole of junk has been spewed onto my webform and i have got some 10-20 such mails. The junk and the php scripts that form my web form are given below. Would anyone guide me as all the email addresses submitted have my own domain ie 23@abc.com, hug@abc.com etc .
My problem is i have to send back to the form submitted a copy of their form request so i assume the spambot got the id from there. How do i resolve this please ?

Thanks ! Swati

Date: 17 December 2006
A. Contact Data

Company Name: be6700@abc.com

Name of Person: not set is\r\nContent-Transfer-Encoding: quoted-printable\r\nContent-Type: text/html\r\nSubject: using a much higher temperature where the\r\nbcc: caluyeda@yellowijds.com\r\n\r\nto the main categories, some processing choices\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n4289728e2aa302b142899f5a0f8e9804\r\n.\r\n be6700@abc.com

Company Address:
be6700@abc.com
not set
not set
be6700@abc.com

be6700@abc.com

Area Code: be6700@abc.com
Business Phone: be6700@abc.com

Fax: be6700@abc.com

E-mail Address: be6700@abc.com

B. Service Required

Remark: be6700@abc.com

File attached:

File a.php

<? include("variables.php"); ?>

<style>
.details {border:1 solid black; background-color:f3e9d0; display:none; padding:6 2 2 6; margin: 0 0 0 0;}
</style>
<LINK REL="stylesheet" HREF="/uim/common/us.css" TYPE="text/css">


<SCRIPT LANGUAGE="JavaScript">
 <!-- Begin 

function togglea()
{
if (aa.style.display=="block")
{
aa.style.display="none";
return;
}
if (aa.style.display=="none") aa.style.display="block";
}

function toggleb()
{
if (bb.style.display=="block")
{
bb.style.display="none";
return;
}
if (bb.style.display=="none") bb.style.display="block";
}

function togglec()
{
if (cc.style.display=="block")
{
cc.style.display="none";
return;
}
if (cc.style.display=="none") cc.style.display="block";
}

function toggled()
{
if (dd.style.display=="block")
{
dd.style.display="none";
return;
}
if (dd.style.display=="none") dd.style.display="block";
}

function togglee()
{
if (ee.style.display=="block")
{
ee.style.display="none";
return;
}
if (ee.style.display=="none") ee.style.display="block";
}


</script> 

<div align="left">   

<table border="0" cellpadding="5" cellspacing="5" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1">   

  <tr>       <td width="15%" bgcolor="#6666FF">&nbsp;</td>     

  <td width="85%" align="left" valign="top">

<p><P>

<table width=575><tr><td width=365>
<b>Please fill in the following details</td><td><font face=verdana size=-1><a href="servcont.pdf" target="_blank"><b>View our Service Contracts</b></a></font></b></td></tr></table> <p><p>
 <form enctype="multipart/form-data" method="post" action="service_process.php">

<table border="0"> 
<tr>
<tr>
<tr>

<tr><b><font color=blue>Contact Data</font></tr>

<tr><td>Name of Company:</td><td><input type="text" name="company_name" size="20"><font color="orange"> Mandatory field</font></td> 

<tr><td>Last Name:</td><td><input type="text" name="last_name" size="20"><font color="orange"> Mandatory field</font></td>

<tr><td>First Name:</td><td><input type="text" name="first_name" size="20"><font color="orange"> Mandatory field</font></td> 

<tr><td>Business City:</td><td>
<select name="biz_city">
<option value="">[Select One]
 <?php

mysql_connect("localhost", $dbname, $dbpasswd )
    	or die ("Unable to connect to server.");

mysql_select_db($database)
    	or die ("Unable to select database.");

$result = mysql_query("SELECT * FROM `Towns`");

if ($myrow2 = mysql_fetch_array($result)) {

  do {

printf("<option>
  %s", $myrow2["City/Town"]);

  } while ($myrow2 = mysql_fetch_array($result));

} 
?>
</select>



</td> 


<tr><td>Business Street:</td><td><input type="text" name="biz_street" size="20"></td>

<tr><td>Business Postal Code:</td><td><input type="text" name="biz_post_code" size="20"></td> 

<tr><td>Business Country:</td><td><input type="text" name="biz_country" size="20"></td>

<tr><td>Area Code:</td><td><input type="text" name="area_code" size="20"><font size=-1> Without Zero </font><font color="orange"> Mandatory field</font></td> 

<tr><td>Business Phone:</td><td><input type="text" name="biz_phone" size="20"><font color="orange"> Mandatory field</font></td> 

<tr><td>Email Address:</td><td><input type="text" name="email" size="20"><font color="orange"> Mandatory field</font></td>

<tr>
<tr>
<tr>
<tr>
<tr>

<tr><td><b><font color=blue>Service Required</font></td><td></td></tr>
<tr>
<tr>
<tr>
<tr><td></td><td><input type=checkbox name=a onClick="javascript:togglea()"> For contracted commissioning and startup, please check here

<div class=details id=aa style="DISPLAY:none">
<table>
<tr><td>Model:</td><td><input type=text name=a1 size=20><font color="orange"> Mandatory field</font></td></tr>
<tr><td>Machine Serial No.:</td><td><input type=text name=a2 size=20></td></tr>
<tr><td>Order Confirmation #:</td><td><input type=text name=a3 size=20></td></tr>
<tr><td valign=top>Detailed Information:</td><td><textarea name=a4 rows=4 cols=50></textarea></td></tr>



</table>
</div></td></tr>
<tr><td></td><td><input type=checkbox name=b onClick="javascript:toggleb()"> To request a warranty service, please check here

<div class=details id=bb style="DISPLAY:none">
<table>
<tr><td>Model:</td><td><input type=text name=b1 size=20><font color="orange"> Mandatory field</font></td></tr>
<tr><td>Machine Serial No.:</td><td><input type=text name=b2 size=20></td></tr>
<tr><td>Order Confirmation #:</td><td><input type=text name=b3 size=20></td></tr>
<tr><td valign=top>Detailed Information:</td><td><textarea name=b4 rows=4 cols=50></textarea></td></tr>



</table>
</div></td></tr>

<tr><td></td><td><input type=checkbox name=c onClick="javascript:togglec()"> To request an out of warranty, service please check here

<div class=details id=cc style="DISPLAY:none">
<table>
<tr><td>Model:</td><td><input type=text name=c1 size=20><font color="orange"> Mandatory field</font></td></tr>
<tr><td>Machine Serial No.:</td><td><input type=text name=c2 size=20></td></tr>
<tr><td>Order Confirmation #:</td><td><input type=text name=c3 size=20></td></tr>
<tr><td valign=top>Detailed Information:</td><td><textarea name=c4 rows=4 cols=50></textarea></td></tr>



</table>
</div>

</td></tr>

<tr><td></td><td><input type=checkbox name=d onClick="javascript:toggled()"> To request a training visit, please check here

<div class=details id=dd style="DISPLAY:none">
<table>
<tr><td>Model:</td><td><input type=text name=d1 size=20><font color="orange"> Mandatory field</font></td></tr>
<tr><td>Machine Serial No.:</td><td><input type=text name=d2 size=20></td></tr>
<tr><td>Order Confirmation #:</td><td><input type=text name=d3 size=20></td></tr>
<tr><td valign=top>Detailed Information:</td><td><textarea name=d4 rows=4 cols=50></textarea></td></tr>



</table>
</div>

</td></tr>

<tr><td></td><td><input type=checkbox name=e onClick="javascript:togglee()"> To request a service contract quote, please check here

<div class=details id=ee style="DISPLAY:none">
<table>
<tr><td>Model:</td><td><input type=text name=e1 size=20><font color="orange"> Mandatory field</font></td></tr>
<tr><td>Machine Serial No.:</td><td><input type=text name=e2 size=20></td></tr>
<tr><td>Order Confirmation #:</td><td><input type=text name=e3 size=20></td></tr>
<tr><td valign=top>Detailed Information:</td><td><textarea name=e4 rows=4 cols=50></textarea></td></tr>



</table>
</div>

</td></tr>
<tr>

<tr>
<tr>
<tr>

<tr><td>Upload a file:</td><td><input name="userfile" type="file"><font size=-1> File size should not exceed 2MB</font></td></tr> 

<tr><td valign=top>Remarks:</td><td><textarea name="comment" cols=50 rows=5></textarea></td></tr>

</table> 
<input type=checkbox name="copy_comment"> Please check if you wish to receive a copy of this service intervention at the above mentioned email address

<p> <br><input type="submit" name="submit" value="Submit"> </p> </form> <p><p><a href="javascript: history.back()">Back</a>        </tr>     </table>   </div>

File b.php

Processes above and sends the email to us and the form submitter

Sangre

What you can do is use a php-generated image (with createimage() tags etc) to display a word. also write that random word into a database.

The user has to type in the word, and only if its the same as the word stored in your database, the form is send.

That way you should keep out 99% of the spambots. (only the real good who can recognize words on images are left over)

MarkR

I don't recommend using a CAPTCHA.

I'd just put something in a hidden field which makes it harder for the lamebots - like a timestamp and hash (which it refuses if it's more than a given age).

Another thing you could do is do rate-limiting.

Because your form isn't vulnerable to mail header injections (IS IT?), the lamebots won't try VERY hard to exploit it- as that's what they're trying to do.

Mostly lamebots go away after a while if they don't achieve what they're trying to (which is find a header-injection exploitable mail form).

Mark

swatisonee

My header is just this :

include ("protect.php") ;

this contains the db info. I didnt understand your suggestion of hidden fields or even about rate limiting. The latter is a term in physics isnt it ?

Thanks. Swati

Rodney_H_

Here is a good article that gives you an idea of some things SPAMMERS/BOTS are trying to do, which will give you insight into how to protect yourself: http://www.securephpwiki.com/index.php/Email_Injection

Hope that helps.

PS: Something I found helpful is to put a field in your form with a generic name value like "subject". Set it up like:

If the form is submitted with a value other than an empty string, it was sent by a BOT, not a human... and you can exit the script.

swatisonee

i think i have something similar in the php file that processes the above script - this line here i thought would help. Clearly it didnt.

$comment = (isset($_POST['comment'])) ? mysql_real_escape_string($_POST['comment']) : 'not set';
$copy_comment = (isset($_POST['copy_comment'])) ? mysql_real_escape_string($_POST['copy_comment']) : 'not set';

(if $copy_comment  == "not set" || $comment == "not set")  die ("Incorrect data cannot be accepted") ;

Rodney_H_

????

swatisonee, where did THAT snippet of code come from?

Are we talking emailing or are we talking a DB issue?

(If we are talking email, then why are you using the "mysql_real_escape_string()" function?? Or, are you doing both???? LOL)

swatisonee

Sorry ! i'm doing both !. thats what happens when one tries to post snippets of "relevant " code. The poster pre-decides what is supposedly relevant and the viewer wonders what its about !

What i do is this :

the form on the webpage is submitted by a user. The user and we get an email informing what stuff has been submitted. Simultaneouly, some part of the data goes into a "temporary" table in the db . if found ok it gets merged with a main table else it gets deleted.

Thanks !
Swati