automated email spam via my website email forms

Maljonic

Can't get enough of FH
Joined
Dec 22, 2003
Messages
1,297
I keep getting emails on Maljonic's Dreams as if someone had filled in the form here: http://www.maljonicsdreams.com/contact.htm, but the From address is always something at maljonicsdreams.com, as if I sent it myself. I'm getting about 50 of these a day now and it's a bit annoying. Is there anything I can do to stop these? :)
 

Shovel

Can't get enough of FH
Joined
Dec 22, 2003
Messages
1,350
Yeah, add some validation into your form.

Take a look at the comments forms on MeyerWeb and note the idiot-proof question it asks you (‘What colour is an Orange’). You have to pick ‘Orange’ from the drop down for the form to be submitted. A human can do it, a robot cannot.
 

Maljonic

Can't get enough of FH
Joined
Dec 22, 2003
Messages
1,297
Thanks, I had thought of something like that after I posted this thread, like maybe having a compulsory radio button or check box, in fact I'll go and try it now. :)
 

Maljonic

Can't get enough of FH
Joined
Dec 22, 2003
Messages
1,297
Okay, I can't see the orange thing you're talking about; all I see is 'What is Eric's name?'

Anyway, can you tell me how to do this; I'm sure it's very easy but I can't figure it out? :)
 

SheepCow

Bringer of Code
Joined
Dec 22, 2003
Messages
1,365
Add the text box, then stick something like this in your PHP script:

PHP:
<?php

// Compare the visitor's answer with the expected word. The field is read with
// a default so a submission that omits it fails the check instead of raising
// an undefined-index notice.
if (strtolower(trim($_POST['stupidbot'] ?? '')) != 'orange')
    die('you do not know what colour an orange is, you do not deserve to have access to a computer.');

?>
 

SheepCow

Bringer of Code
Joined
Dec 22, 2003
Messages
1,365
strtolower and trim just make it all lowercase and remove any whitespace around the text, which covers you in case they type "Orange" or " oraNgE" etc.
 

Shovel

Can't get enough of FH
Joined
Dec 22, 2003
Messages
1,350
Mal - 'What is Eric's name?' appears to be the new question. It used to be 'What colour is an orange?' but he seems to be varying it. It's the same principle, though.
 

JingleBells

FH is my second home
Joined
Mar 25, 2004
Messages
2,224
I could have sworn I posted to this already.

I was going to suggest the use of a CAPTCHA; however, these are not good for accessibility, and some even cause problems for people with colour blindness. I did see a site once that had about 5 forms, of which only one was the real one; the other 4 were all hidden with CSS/JavaScript in the hope that robots would try and use one of the fake ones. Can't remember where, though; I read far too many sites a day :(
 
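The hidden-decoy idea JingleBells describes, in its simplest form: one real form with one extra input that a person never sees, and a server-side check that treats any value in that input as a bot. This is an added example, not code from the thread; the field name `website`, the CSS class, the page names and the function names are this example's own choices.

```php
<?php
// Honeypot field for a contact form (added example, not from the thread).
// A human never sees the extra input because CSS moves it off-screen; a bot
// that fills in every input it finds will put something in it.

const HONEYPOT_FIELD = 'website';   // a name a form-filler is likely to "help" with

// The form markup. The decoy is moved off-screen rather than display:none,
// and is labelled so screen-reader users know to leave it blank.
function render_contact_form(): string
{
    return <<<HTML
<style>.hp-wrap { position: absolute; left: -10000px; top: auto; width: 1px; height: 1px; overflow: hidden; }</style>
<form method="post" action="contact.php">
  <label>Your email <input type="text" name="email"></label>
  <label>Message <textarea name="message"></textarea></label>
  <div class="hp-wrap" aria-hidden="true">
    <label>Leave this field empty <input type="text" name="website" tabindex="-1" autocomplete="off"></label>
  </div>
  <input type="submit" value="Send">
</form>
HTML;
}

// True when the submission looks like it came from a form-filling bot.
function honeypot_triggered(array $post): bool
{
    return isset($post[HONEYPOT_FIELD]) && trim((string) $post[HONEYPOT_FIELD]) !== '';
}

// Decide what to do with a request. Returns the page to send the visitor to;
// nothing is mailed unless the honeypot is empty and both real fields are filled.
function handle_request(string $method, array $post): string
{
    if ($method !== 'POST') {
        return 'contact.htm';             // plain page view: nothing to check
    }
    if (honeypot_triggered($post)) {
        // Pretend it worked. A bot learns nothing from a success page, and
        // there is no error message for it to adapt to.
        return 'thankyou.htm';
    }
    $email   = trim($post['email'] ?? '');
    $message = trim($post['message'] ?? '');
    if ($email === '' || $message === '') {
        return 'oops.htm';
    }
    mail('feedback@maljonicsdreams.com', "Maljonic's Dreams Feedback", $message);
    return 'thankyou.htm';
}

header('Location: http://www.maljonicsdreams.com/' . handle_request($_SERVER['REQUEST_METHOD'] ?? 'GET', $_POST));
exit;
```

The decoy is kept out of the tab order and out of browser autofill so a real visitor cannot trip it by accident; a bot that bypasses the markup and posts only the real field names still has to get past whatever other checks the handler runs, so a honeypot is a cheap first filter rather than a complete answer.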

Maljonic

Can't get enough of FH
Joined
Dec 22, 2003
Messages
1,297
I think they all sound like good ideas, but I don't quite get how to implement any of them. I can't see the connection between the form field and the PHP script that SheepCow has posted; I don't see how adding that to my PHP script will make it work.

I'm just using this at the moment:

Code:
<?php
  // Read with defaults so a missing field is just empty rather than a notice.
  $email   = trim($_REQUEST['email'] ?? '');
  $message = trim($_REQUEST['message'] ?? '');

  if ($email === '' || $message === '') {
    header( "Location: http://www.maljonicsdreams.com/oops.htm" );
    exit;
  }

  // $email is written straight into the mail headers below, so it must be a
  // single plain address with no line breaks; FILTER_VALIDATE_EMAIL rejects
  // anything else, which stops a sender smuggling extra headers in.
  if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
    header( "Location: http://www.maljonicsdreams.com/oops.htm" );
    exit;
  }

  mail( "feedback@maljonicsdreams.com", "Maljonic's Dreams Feedback",
        $message, "From: $email" );

  header( "Location: http://www.maljonicsdreams.com/thankyou.htm" );
  exit;
?>
 

SheepCow

Bringer of Code
Joined
Dec 22, 2003
Messages
1,365
PHP:
<?php
  // Read with defaults so a missing field is just empty rather than a notice.
  $email   = trim($_REQUEST['email'] ?? '');
  $message = trim($_REQUEST['message'] ?? '');

  if ($email === '' || $message === '') {
    header( "Location: http://www.maljonicsdreams.com/oops.htm" );
    exit;
  }

  // The anti-bot question: compare case-insensitively, ignoring surrounding spaces.
  if (strtolower(trim($_POST['stupidbot'] ?? '')) != 'orange') {
    header( "Location: http://www.maljonicsdreams.com/oops.htm" );
    exit;
  }

  // $email goes into the mail headers, so it must be one plain address with no
  // line breaks; FILTER_VALIDATE_EMAIL rejects anything else.
  if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
    header( "Location: http://www.maljonicsdreams.com/oops.htm" );
    exit;
  }

  mail( "feedback@maljonicsdreams.com", "Maljonic's Dreams Feedback", $message, "From: $email" );

  header( "Location: http://www.maljonicsdreams.com/thankyou.htm" );
  exit;
?>

Then you have this on your form:

Code:
What colour is an Orange?
<input type="text" name="stupidbot" value="" />
 
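The same handler written the way a security reviewer would want it, as an added example rather than SheepCow's or Maljonic's code. Two things it does that the thread's version does not: the check only runs on a POST (a GET is a page view, not a submission), and the visitor's address never becomes the From header. A raw `"From: $email"` puts untrusted text into mail headers, and a value such as `x@example.com\nBcc: a@b,c@d` would add recipients of the sender's choosing; here From is fixed and the validated visitor address goes in Reply-To instead. The page names, field names and feedback address are from the thread; the constants and function names are this example's.

```php
<?php
// Hardened contact-form handler (added example, not code from the thread).

const FEEDBACK_TO     = 'feedback@maljonicsdreams.com';
const SITE_FROM       = 'feedback@maljonicsdreams.com'; // fixed sender, never user-supplied
const QUESTION_ANSWER = 'orange';

// The visitor's answer, normalised the same way SheepCow's snippet does.
function answer_is_correct(?string $answer): bool
{
    return strtolower(trim((string) $answer)) === QUESTION_ANSWER;
}

// A mail header must be a single line holding one address. Reject line breaks
// outright, then let PHP's address validator reject everything else odd.
function clean_email(string $email): ?string
{
    $email = trim($email);
    if ($email === '' || preg_match('/[\r\n]/', $email)) {
        return null;
    }
    return filter_var($email, FILTER_VALIDATE_EMAIL) === false ? null : $email;
}

// Returns the page to redirect to. Mail is sent only when every check passed.
function handle_submission(string $method, array $post): string
{
    if ($method !== 'POST') {
        return 'contact.htm';           // nothing was submitted, nothing to check
    }

    $email   = clean_email($post['email'] ?? '');
    $message = trim($post['message'] ?? '');
    $human   = answer_is_correct($post['stupidbot'] ?? null);

    if ($email === null || $message === '' || !$human) {
        return 'oops.htm';              // one outcome for every failure: no hints for a bot
    }

    // From is ours; the visitor's address is only ever a Reply-To.
    $headers = 'From: ' . SITE_FROM . "\r\n" . 'Reply-To: ' . $email;
    mail(FEEDBACK_TO, "Maljonic's Dreams Feedback", $message, $headers);
    return 'thankyou.htm';
}

header('Location: http://www.maljonicsdreams.com/' . handle_submission($_SERVER['REQUEST_METHOD'] ?? 'GET', $_POST));
exit;
```

Reading the fields from `$_POST` rather than `$_REQUEST` also means a crafted link cannot submit the form by GET. Because the answer is a fixed word, anyone who reads the form once can script it, so this stops indiscriminate form-fillers rather than a bot written for this site; rotating the question, as MeyerWeb apparently does, is the cheap way to keep that bar from falling to zero.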

Maljonic

Can't get enough of FH
Joined
Dec 22, 2003
Messages
1,297
Thanks a lot, I'll give that a go.

Edit: thanks, I did it. :)
 

Maljonic

Can't get enough of FH
Joined
Dec 22, 2003
Messages
1,297
SheepCow said:
add in the text box then stick something like this in your PHP script:

PHP:
<?php

// Compare the visitor's answer with the expected word; the default keeps a
// missing field from raising a notice.
if (strtolower(trim($_POST['stupidbot'] ?? '')) != 'orange')
    die('you do not know what colour an orange is, you do not deserve to have access to a computer.');

?>
I've just come back to this again and tried to integrate it into my dating site feedback form, but it doesn't quite work right and I can't see why. I'm obviously doing something slightly wrong.

This is the code with the above inserted:

PHP:
<?php
if ( !defined( 'SMARTY_DIR' ) ) {
    include_once( 'init.php' );
}

$cmd = $_POST['cmd'] ?? '';

// This check runs on every request, including the plain GET that is supposed
// to render the form, not only when the form has been posted.
if (strtolower(trim($_POST['stupidbot'] ?? '')) != 'orange'){

    die('you do not know what color an orange is, you do not deserve to have access to a computer.');

} elseif ( $cmd == 'posted' ){

    $txttitle    = trim($_POST['txttitle'] ?? '');
    $txtname     = trim($_POST['txtname'] ?? '');
    $txtemail    = trim($_POST['txtemail'] ?? '');
    $txtcountry  = trim($_POST['txtcountry'] ?? '');
    $txtcomments = trim($_POST['txtcomments'] ?? '');

    $From    = $config['admin_email'];
    $To      = $config['feedback_email'];
    $Subject = str_replace('SITENAME', $config['site_name'], get_lang('email_feedback_subject'));

    $message = get_lang('feedback_email_to_admin', MAIL_FORMAT);
    $message = str_replace('#txttitle#',    $txttitle,    $message);
    $message = str_replace('#txtname#',     $txtname,     $message);
    $message = str_replace('#txtemail#',    $txtemail,    $message);
    $message = str_replace('#txtcountry#',  $lang['countries'][$txtcountry] ?? '', $message);
    $message = str_replace('#txtcomments#', $txtcomments, $message);
    $message = str_replace('#SITENAME#',    $config['site_name'], $message);

    $success = mailSender($From, $To, $To, $Subject, $message);

    $t->assign( 'success', $success );
}

$t->assign('rendered_page', $t->fetch('feedback.tpl') );

$t->display( 'index.tpl' );
exit;
?>

It just displays a blank page with the message 'you do not know what colour an orange is, you do not deserve to have access to a computer.' before letting you see anything else. I mean it's not showing the form or anything, and it's just running as if the question was answered wrong.

You can see this page is supposed to have the contact form on it:

http://www.dream-dating.org/feedback.php

Can anyone see what is wrong with the code?
 

Shovel

Can't get enough of FH
Joined
Dec 22, 2003
Messages
1,350
It's because you're evaluating the orange field even if someone hasn't submitted the form, so it's happening on every page load. You need to change the code as follows, I think:

PHP:
$cmd = $_POST['cmd'] ?? '';
// Only judge the answer when the form has actually been posted.
if ($cmd == 'posted' && strtolower(trim($_POST['stupidbot'] ?? '')) != 'orange')
{
    die('you do not know what color an orange is, you do not deserve to have access to a computer.');
}
elseif ( $cmd == 'posted' )
{
  …
}

I'd also suggest you drop the rude error message and perhaps just have it fail silently. Remember, a spam bot can't read, so there's no point it being there and you just run the risk of offending a legitimate user who typos the word orange or accidentally misses it.
 

Maljonic

Can't get enough of FH
Joined
Dec 22, 2003
Messages
1,297
Thanks, that works great. Of course I wouldn't leave a message as rude as that in there. There is still a message though in case people miss the box or make a spelling mistake:

You do not know what color an orange is? Please go back and try again - the answer is orange by the way.

I'm trying to learn too much in one go, I think, and it's befuddling my brain. I bought a book on Saturday for learning PHP with MySQL so I can have a go at that scoreboard thing in the other thread, and be able to do other similar, simple stuff. I'm also learning ActionScript for Flash, which is pretty similar, but it's a bit much for me to do all at the same time. I've been putting one book down and picking another up on the two separate subjects, back and forth all day.

I should stick to one at a time. :)
 

SheepCow

Bringer of Code
Joined
Dec 22, 2003
Messages
1,365
Rude messages are hilarious, but yes, you must change them when you move to production environments; forgetting them can get you fired! :)
 
