Contact us form was attacked

blackhorse

"Contact us" form was attacked.

Usually the attacks on the form were email header injection attacks.

My form was already protected from email header injection attacks.

Now I found this form was attacked in a hard way.

The attack is not an email header injection attack, this attack is sending valid data (so it will pass my validation checking) one copy (one email as the sender), a time to my "contact us" form.

And my "contact us" form is not designed to reply to the sender. So this attack will not generate email sent out form my server.

All it did is pile up thousands emails on our info@mysite.com.

My question is what the purpose of this attack for? they have no financial benefits.

And how to prevent this kind stupid attack? every simple online form has to use visual confirmation now?

Many visual confirmations are already broken by hackers too. They just didn't bother to attack them yet due to there are so many easy forms without visual confirmations. Visual confirmation more like "I don't have to run faster than the bear, I just have to run faster than you."

Even we add visual confirmation to all the forms of all the sites we run on our server, still if one hacker decided that he would use these tools available now to broke our visual confirmation a few months later, than what should I do?

Are there any other ways to stop it?

Thanks!

Horizon88

Set a time limit in a session variable. Limit it to two minutes between messages, which should foil most bots, lengthen it as needed. A CAPTCHA is also another viable option, although probably not necessary for your form, yet, at least.

NogDog

It may just be a "script kiddie" trying to be annoying. However, it could also be a "bot" trying to relay spam through your mailer. When you say that your form is protected against injection attacks, do you just filter out suspect data then go ahead and process it anyway, or do you reject all the input and return an error? If you go ahead and process, then a spammer might think his stuff is getting through, whereas if you reject the entire transaction and return an error, he'll know right away it's not working. In fact, you might want to just return a 404 header in cases where you detect any attempt at header injection.

As far as dealing with script kiddie vandals or denial of service attacks, you might have to go the 'captcha' route or some other "trick" to make it difficult for automated submissions. You also might want some sort of header redirect on success so that the simplest of attacks -- the refresh button/key -- cannot be used to keep resubmitting the form.

blackhorse

I throw out an error and exit the page if the field was not valid. And it is not an email header injection attacks.

I checked out these emails, in a 3 days range, a few thousands email. Not too intense, the session approach may not stop them.

Every copy, the sender is a different valid email (of course a fake one).

In the comments fields, they put in some links. And every email they give different links, gambling, sex, canadian medicine, mortgage etc.

It looks like they were just sending me (info@mysite.com) a few thousands different spam emails with different spam content.

My guess is that the robot may search around the web and mistakely take my "contact us" form as a forum/blog response form. And think their post will be posted either in a forum or a blog.

If some stupid robots out there like this, we have to treat every form as a forum/blog response page and add visual confirmation etc. on?

So to fence this off, how can I tell that robot "hey, this is not a forum response page, stop sending me the post which will not be posted."?

Or I have to use Captcha? which free scripts you suggest? the one from http://www.captcha.net/ ?

Horizon88

you can use a captcha, or do something similar without a real captcha:
If you are a human, please enter the word "hello" in the box below.

And name the input field something like "email" or "last_name", something a bot might automatically fill in with default data, then if it's anything but hello, redirect them somewhere else.

blackhorse

Many sites have contact us form before. But do we really need it? It basically ask people to email us. Just display an email address (encrypted to prevent email harvesting) will do too.

email header injection attacks target on the "contact us" forms. I have the codes preventing that.

Now, a bot sends thousands posts to my "contact us" form and think it was some kind forum/blog etc. No validation checking can prevent stupid bot to do that.

For every simple "contact us" form, we need add captcha?

Do we really need these "contact us" forms?

Thanks!

blackhorse

ha, i know why they attack my contact us form now.

it was a "contact us" form really, but the page was named as guestbook.php. so it was an innocent victim because it has a wrong name.

there were bots there specially attacked these guestbook, usually they are informal and easy targets.

http://en.wikipedia.org/wiki/Guestbook

A guestbook is a logging system that allows visitors of a website to leave a public comment. Traditionally, the term applied to the actual ledgers held, for that same purpose, at B&Bs and museums.

It is possible in some guestbooks for visitors to express their thoughts about the site or its subject. Generally, they do not require the poster to create a user account, as it is an informal method of dropping off a quick message.

clank

Found it necessarry to avoid using words like forms, emails etc on the pages and names, can't make it that obvious for them!!

Blackhorse, any tips/improvements you can add to my script? Need the captcha and some validation. Problem is my forms keep changing hence have to change the validation also?
http://phpbuilder.com/board/showthread.php?t=10350264

benracer

You could use a random math question like 2 + 4

blackhorse

Clank, I have installed recaptcha first, it is too hard to read the image by human, because the bots keep on finding way to read the image, then they keep on making the image hard to read. I am afraid in the not so far future. bot's technology could grow to a level that even human cannot read the image, but bot will be able. Then what?

I think I will have to deal with the form spam issue our own ways. If you don't have to use a contact us form, don't. Such as a simple contact us form, could be replaced just by a mail hidden (prevent email harvest) email address.

Don't post the user input if we don't have to. If we have to, then only let sign up members post. Limit the comments length, add spam control database etc. on these comments.

Write your own captcha etc.