In message <[EMAIL PROTECTED]>, Marc Boncz <[EMAIL PROTECTED]> writes
>As far as I know the problem is another. These people will hardly
>bother sending an unwanted message to the owner of the form as with a
>lot of work (relatively) they reach only *one* person.
>What they want is with minimum effort reach large numbers of persons.

Actually, I am aware of that issue, and have it covered. I am actually talking about the problem of having spam emails sent to the site owner, which I assume is done "automatically", as I can't see anyone sitting down and typing them in.

>This can be done by inserting extra recipients in the subject line or
>body. Therefore you should verify this, and remove coding from it.

Or in the "your email address" line...

>For an example, see http://www.safalra.com/programming/php/contact-feedback-form/,
>paying attention to the $crack variable that is set...

This example is assuming that the sender sits down and types the message in - I am really not sure that this is what is happening.

You know that you can POST to a remote site, as long as you know what the variable names are. This is the method that some genuine organisations use - I am thinking of e-commerce payment gateways, for example. And I am wondering if this is what is done. To hack the contact form, you just need to scrape the page, find the field names and "thank you" page, and POST direct.

I am about to start an experiment on one of my pages, where the field names will be changed automatically, and see if it cuts the amount of incoming garbage. But I am not sure if I am going in the correct direction here.

>
>Marc
>
>(PS: reposted this message as it didn't appear first time. Hope the
>first post doesn't show up now it has been reposted...)

No, it didn't... <G>

-- 
Pete Clark

Sunny Andalucia
http://www.hotcosta.com/comm_1.htm
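
As an added example (not part of this thread or of the linked form): a server-side check, in PHP, that rejects line breaks in the fields that end up in mail headers, which is what inserting extra recipients through the subject or "your email address" line depends on. Because it runs on the server it applies equally to a submission typed into the form and to a direct POST; the function names, field names and sample submissions are assumptions constructed for illustration.

```php
<?php
// Added example: helper names and field names are hypothetical.

// A value that will be placed in a mail header must stay on one line.
// A CR or LF (raw or URL-encoded) would let the submitter start a new
// header line such as Bcc: or Cc: and add recipients.
function header_field_is_safe(string $value): bool
{
    return !preg_match('/[\r\n]|%0a|%0d/i', $value);
}

// Check one submission; returns a list of problems (empty means accept).
// The message body is not checked here: it is passed as the mail body,
// where line breaks are legitimate.
function check_contact_post(array $post): array
{
    $problems = [];
    foreach (['name', 'email', 'subject'] as $field) {
        $value = $post[$field] ?? '';
        if (!is_string($value) || !header_field_is_safe($value)) {
            $problems[] = "$field is not a single-line string";
        }
    }
    $email = $post['email'] ?? '';
    if (!is_string($email) || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $problems[] = 'email is not a single valid address';
    }
    return $problems;
}

// Constructed sample submissions (example.com / example.net addresses).
$samples = [
    'ordinary' => ['name' => 'A Visitor', 'email' => 'visitor@example.com',
                   'subject' => 'Opening hours', 'message' => "Hello,\nwhen are you open?"],
    'injected' => ['name' => 'x', 'subject' => 'hi', 'message' => 'text',
                   'email' => "visitor@example.com\r\nBcc: a@example.net, b@example.net"],
];

foreach ($samples as $label => $post) {
    $problems = check_contact_post($post);
    echo $label, ': ',
         $problems ? 'rejected (' . implode('; ', $problems) . ')' : 'accepted', "\n";
}
```

Only a submission with an empty problem list should be handed to the mail routine; rejected ones can be logged with the source address to see how much of the incoming traffic is automated.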
