Hi Pete,

> I am about to start on a long overdue project - proofing all the contact
> forms across various sites against unwanted messages... note that I am
> not using the dreaded S* word to avoid some people's s-blockers.
>
> The first thing is to understand the problem - how do they insert their
> messages?
>
> I would have thought that POSTing to the thank-you page would be the
> easiest method for them. So I would have thought that they would visit
> the email-me page, find the variable names, and save them, then POST to
> the thank-you page, using the variable names.
>
> Yet, I see so many CAPTCHA forms, which won't stop this method.
>
> So am I misunderstanding what the problem is?
As far as I know the problem is a different one. These people will hardly bother sending an unwanted message to the owner of the form, as with a lot of work (relatively) they reach only *one* person. What they want is to reach large numbers of persons with minimum effort. So what they try is to have your script mail the submitted data to more than just the intended destination. This can be done by inserting extra recipients in the subject line or body. Therefore you should verify this, and remove coding from it.

If your form can be sent to a choice of recipients (say: public relations / customer support / accounting) make sure you don't POST the address but rather a code (numeric or so). It would be tempting for them to construct a script that POSTs a different address and see if it arrives. If you insist on wanting to POST the real address, then do not just send the mail to $_POST["recipient"] without checking if that recipient is on an allowed list of recipients, for instance using something like

    if (in_array($_POST["recipient"], $allowed_recipients)) {
        mail($_POST["recipient"], $Subject, $Message, $Header);
    }

Although of course usually a contact form script just mails the message to one fixed recipient and the recipient address is not submitted through the form.

To avoid having a message sent to unwanted extra recipients, before executing mail(), make sure that all parameters are cleaned and contain nothing but harmless information and that nothing gets inserted in the header that may make the mail arrive at another destination than the intended one. That way the only way to abuse the form is them typing in their message in your form. They won't do that, as even spending 30 seconds of their time is too much for them, keeping in mind they have to address millions of people to sell a few hundred pills, a few financial malversations or some bullshit university diploma.
What they do try is to find badly protected forms which they can abuse to send their message to several thousands of other users in an automated way. For an example, see http://www.safalra.com/programming/php/contact-feedback-form/, paying attention to the $crack variable that is set...

Marc

(PS: reposted this message as it didn't appear the first time. Hope the first post doesn't show up now it has been reposted...)
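One way to put both of Marc's points into a contact-form mailer, the numeric recipient code checked against an allowlist and the refusal of header-breaking input before mail() runs, as an added PHP example that is not code from the thread or from the linked site; the $allowed_recipients map, the example.invalid addresses and the form field names are assumptions.

```php
<?php
// Added example, not from the thread. Assumed: field names recipient/email/
// subject/message, the $allowed_recipients map and the example.invalid addresses.
// Recipient code -> fixed address. The form POSTs the code, never the address.
$allowed_recipients = [
    1 => 'pr@example.invalid',         // public relations
    2 => 'support@example.invalid',    // customer support
    3 => 'accounting@example.invalid', // accounting
];

// Header injection relies on CR/LF (and NUL) inside a header value: one extra
// line is enough to add Cc:/Bcc: recipients. Reject instead of trying to repair.
function is_single_line(string $value): bool
{
    return preg_match('/[\r\n\0]/', $value) === 0;
}

// Map a submitted code to its address; null if the code is not on the list,
// which also covers a script POSTing an address or an unexpected code.
function resolve_recipient(array $allowed, string $code): ?string
{
    return ctype_digit($code) ? ($allowed[(int)$code] ?? null) : null;
}

// Validate the submission and return [$to, $subject, $body, $headers],
// or null if anything could alter where the mail goes.
function build_mail(array $allowed, array $post): ?array
{
    $to      = resolve_recipient($allowed, (string)($post['recipient'] ?? ''));
    $from    = trim((string)($post['email'] ?? ''));
    $subject = trim((string)($post['subject'] ?? ''));
    $body    = (string)($post['message'] ?? '');   // body lines cannot become headers

    if ($to === null || $subject === '' || !is_single_line($subject)
        || filter_var($from, FILTER_VALIDATE_EMAIL) === false) {  // also rejects CR/LF
        return null;
    }
    // From: stays a fixed site address; the submitter only gets Reply-To.
    $headers = "From: webform@example.invalid\r\nReply-To: {$from}\r\n";
    return [$to, $subject, $body, $headers];
}
$mail = build_mail($allowed_recipients, $_POST);
if ($mail === null) {
    http_response_code(400);
    exit('Invalid submission');
}
[$to, $subject, $body, $headers] = $mail;
mail($to, $subject, $body, $headers);
```

Logging the rejected submissions (without mailing them) gives a simple signal of which forms are being probed.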