Hi Pete,

> I am about to start on a long overdue project - proofing all the contact
> forms across various sites against unwanted messages... note that I am
> not using the dreaded S* word to avoid some people's s-blockers.
> 
> The first thing is to understand the problem - how do they insert their
> messages?
> 
> I would have thought that POSTing to the thank-you page would be the
> easiest method for them.  So I would have thought that they would visit
> the email-me page, find the variable names, and save them, then POST to
> the thank-you page, using the variable names.
> 
> Yet, I see so many CAPTCHA forms, which won't stop this method.
> 
> So am I misunderstanding what the problem is?

As far as I know the problem is a different one. These people will hardly 
bother sending an unwanted message to the owner of the form, as with a 
lot of work (relatively) they reach only *one* person.
What they want is to reach large numbers of persons with minimum effort.

So what they try is to have your script mail the submitted data to 
more than just the intended destination.

This can be done by inserting extra recipients in the subject line or 
body. Therefore you should verify this, and remove coding from it.

If your form can be sent to a choice of recipients (say: public 
relations / customer support / accounting) make sure you don't POST 
the address but rather a code (numeric or so). It would be tempting 
for them to construct a script that POSTS a different address and see 
if it arrives.

If you insist on wanting to POST the real address, then do not just 
send the mail to $_POST["recipient"] without checking if that 
recipient is on an allowed list of recipients, for instance using 
something like 

// fixed list of permitted destinations, never taken from the form
// (addresses here are placeholders)
$allowed_recipients = array("pr@example.com", "support@example.com");

// strict comparison: the posted value must match an entry exactly
if (in_array($_POST["recipient"], $allowed_recipients, true)) {
    mail($_POST["recipient"], $Subject, $Message, $Header);
}

Although of course usually a contact form script just mails the 
message to one fixed recipient and the recipient address is not 
submitted through the form.

To avoid having a message sent to unwanted extra recipients, before 
executing mail(), make sure that all parameters are cleaned and 
contain nothing but harmless information and that nothing gets 
inserted in the header that may make the mail arrive at another 
destination than the intended one.

That way the only way to abuse the form is for them to type their 
message into your form. They won't do that, as even spending 30 seconds 
of their time is too much for them, keeping in mind they have to 
address millions of people to sell a few hundred pills, a few 
financial malversations or some bullshit university diploma.

What they do try is to find badly protected forms which they 
can abuse to send their message to several thousands of other users 
in an automated way.

For an example, see http://www.safalra.com/programming/php/contact-feedback-form/, 
paying attention to the $crack variable that is set...

Marc

(PS: reposted this message as it didn't appear first time. Hope the 
first post doesn't show up now it has been reposted...)
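The two measures Marc describes above (a code instead of a posted address, and header fields that are checked before mail() runs) combined in one PHP contact-form handler. This is an added example, not code from the original post or from the safalra.com page; the recipient table, field names and addresses are placeholders chosen for illustration.

```php
<?php
// Added example, not from the original post. It (1) maps a submitted code
// to a fixed recipient instead of trusting a posted address and (2) refuses
// header fields containing CR/LF, so a submission cannot append Cc:/Bcc:
// or other header lines. All addresses are placeholders.
const RECIPIENTS = [
    '1' => 'pr@example.invalid',         // public relations
    '2' => 'support@example.invalid',    // customer support
    '3' => 'accounting@example.invalid', // accounting
];
// A header value must stay on one line: CR, LF or NUL would let the sender
// end the header and start another one.
function isHeaderSafe(string $value): bool
{
    return preg_match('/[\r\n\0]/', $value) === 0;
}
// Turn raw POST data into mail() arguments, or null if the submission
// must be refused. No side effects, so it can be unit-tested.
function buildContactMail(array $post): ?array
{
    $code = (string) ($post['recipient'] ?? '');
    if (!array_key_exists($code, RECIPIENTS)) {
        return null; // unknown code: never mail to a posted address
    }
    $from    = (string) ($post['email'] ?? '');
    $subject = (string) ($post['subject'] ?? '');
    $message = (string) ($post['message'] ?? '');
    // From: and Subject: land in the header, so both must be single-line,
    // and From: must be exactly one well-formed address.
    if (!isHeaderSafe($subject) || !isHeaderSafe($from)
        || filter_var($from, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    // Line breaks in the body are harmless: mail() sends it as body text.
    return [
        'to'      => RECIPIENTS[$code],
        'subject' => $subject,
        'message' => $message,
        'headers' => "From: $from\r\nReply-To: $from\r\n",
    ];
}
// Constructed input: a normal submission is accepted; the same one with a
// line break in the email field (a header-injection attempt) yields null.
$post = ['recipient' => '2', 'email' => 'alice@example.invalid',
         'subject' => 'Question', 'message' => "Hello\nBye"];
$mail = buildContactMail($post);
if ($mail !== null) {
    mail($mail['to'], $mail['subject'], $mail['message'], $mail['headers']);
}
```

Because buildContactMail() returns the arguments instead of calling mail() itself, it can be exercised with crafted field values in a test before the form goes live.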
