Old 19-09-2005, 05:27   #1 (permalink)
d*d
Moderator
 
 
Join Date: Oct 2004
Location: Bristol
Posts: 3,393
Am I under attack?

I have a contact page on my site which has a form with the usual fields for name, email address, phone number and a text box to add comments. Over the weekend I have had seven emails sent from my site which look as though code is being entered into the comments box. The code to me is completely illegible:

Content-Type: multipart/mixed; boundary="===============0493523298=="
MIME-Version: 1.0
Subject: d99191ca

This is a multi-part message in MIME format.

--===============0493523298==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

iadjih
--===============0493523298==--

does this mean anything to anyone????
Old 19-09-2005, 05:31   #2 (permalink)
Brown
volkswagen yellow & gold
 
 
Join Date: Apr 2003
Location: london, england.
Posts: 6,147
yes, spammers are trying to use your contact form to send spam email. do you have any validation on your form?
Old 19-09-2005, 05:41   #3 (permalink)
aspiramedia
Unregistered user
 
 
Join Date: Aug 2005
Posts: 312
I have this too. 100 emails a day! GRRRR! Anyone know enough php to stop this happening?
Old 19-09-2005, 05:43   #4 (permalink)
pgo
Senior Member
 
Join Date: Jan 2005
Posts: 12,340
Quote:
Originally Posted by aspiramedia
I have this too. 100 emails a day! GRRRR! Anyone know enough php to stop this happening?

Good God man! Just edit your mailing script and use "if" statements on the different inputs. If there's no email address entered, send them back. If there's no name entered, send them back. If there's no subject entered, send them back. And so on.

If I don't know PHP and I was able to do it, anyone can.
Old 19-09-2005, 05:58   #5 (permalink)
gray
i still want paying
 
 
Join Date: Oct 2003
Location: newcastle, uk
Posts: 4,768
Old 19-09-2005, 06:14   #6 (permalink)
d*d
Moderator
 
 
Join Date: Oct 2004
Location: Bristol
Posts: 3,393
Quote:
Originally Posted by Brown
yes, spammers are trying to use your contact form to send spam email. do you have any validation on your form?

only basic stuff, to make sure the email address is an email address and the phone number is a number but the comments box is anything goes at the moment
Old 19-09-2005, 06:37   #7 (permalink)
Dusteh
Sir digby chicken caesar
 
 
Join Date: Sep 2004
Posts: 5,289
Am I correct in thinking this attack only works if any part of your form enters info into the sender/bc/cc/title areas of an email?

If you hardcode these or leave them blank and just allow info into the emails content then this will not be a problem?
Old 19-09-2005, 07:35   #8 (permalink)
Prole
Right turn, Clyde
 
 
Join Date: Mar 2003
Posts: 371
i had this too. they automatically fill in every contact form line with an email address, so i'm guessing if you make sure one of them is a phone number then it should prevent the spam.
__________________
everything was great til i got here
Old 19-09-2005, 09:45   #9 (permalink)
Rakan
Senior Member
 
Join Date: Mar 2005
Posts: 567
I personally don't know PHP but I use ASP, and the way I avoid code injection is by encoding all inputs... i.e. Server.HTMLEncode(INPUTTED_DATA_VARIABLE_GOES_HERE )

I'm pretty sure PHP has something like this...
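
A hardened version of the kind of PHP mail script discussed in this thread, as an added example that is not part of any post: recipient, sender and subject are hardcoded, the one form value that reaches a header (the visitor's email, as Reply-To) is rejected if it contains CR or LF, and the comments go into the body only. The addresses, form field names and function names are assumptions.

```php
<?php
// Added example, not code from the thread. Addresses and field names are assumptions.
const MAIL_TO      = 'owner@example.com';     // hardcoded recipient (placeholder)
const MAIL_FROM    = 'webform@example.com';   // hardcoded sender (placeholder)
const MAIL_SUBJECT = 'Contact form message';  // hardcoded, never taken from the form

// True if the value contains CR, LF or NUL, i.e. could start a new header line.
function has_header_break(string $value): bool
{
    return preg_match('/[\r\n\0]/', $value) === 1;
}

// Returns [headers, body] for mail(), or null when the submission is rejected.
function build_message(array $form): ?array
{
    $name    = trim((string)($form['name'] ?? ''));
    $email   = trim((string)($form['email'] ?? ''));
    $comment = (string)($form['comments'] ?? '');

    // Only $email reaches a header, but a line break inside any single-line
    // field is a sign of an injection probe, so both are checked.
    if ($name === '' || has_header_break($name) || has_header_break($email)) {
        return null;
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    $headers = 'From: ' . MAIL_FROM . "\r\n" . 'Reply-To: ' . $email;
    // Free text goes in the body only; MIME-looking lines there are inert text.
    $body = "Name: $name\nEmail: $email\n\n$comment";
    return [$headers, $body];
}

function send_contact(array $form): bool
{
    $msg = build_message($form);
    return $msg !== null && mail(MAIL_TO, MAIL_SUBJECT, $msg[1], $msg[0]);
}

// Constructed sample submissions; run from the CLI, nothing is sent.
if (PHP_SAPI === 'cli') {
    $probe = "x@example.com\r\nContent-Type: multipart/mixed; boundary=\"b\"\r\nSubject: d99191ca";
    $ok    = ['name' => 'Ann', 'email' => 'ann@example.com', 'comments' => "Hi\nthere"];
    $cases = ['normal' => $ok, 'probe in email' => ['email' => $probe] + $ok,
              'probe in comments' => ['comments' => $probe] + $ok];
    foreach ($cases as $label => $form) {
        echo $label, ': ', build_message($form) === null ? 'rejected' : 'accepted', "\n";
    }
}
```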