
email form - strange problem

Status
Not open for further replies.
Jul 28, 2005
Hi,

I have an email form on my site which does occasionally send me some spam messages. I have thought about putting some sort of security on it (captcha etc.) but not got round to it yet.

The strange thing is that I am also getting contact form spam from another page that doesn't even have a form on it. It obviously uses the php form mailer script I am using because of the way the mail is formatted, but the script tells me it is coming from a page without a form.

Here are the URLs

- the page with the form

- the page where the email is purporting to come from; see no contact form at all.

Can anyone shed any light on this?

Richard
 
not without seeing the code you use to generate each page
 
The pages themselves are just html, but the contact form links to this code to handle the email.

Code:
<?php
// ------------- CONFIGURABLE SECTION ------------------------

// $mailto - set to the email address you want the form
// sent to, eg
//$mailto      = "youremailaddress@example.com" ;

$mailto = 'info@ictechinformatique.com' ;

// $subject - set to the Subject line of the email, eg
//$subject     = "Feedback Form" ;

$subject = "ICi Technology Contact" ;

// the pages to be displayed, eg
//$formurl     = "http://www.example.com/feedback.html" ;
//$errorurl    = "http://www.example.com/error.html" ;
//$thankyouurl = "http://www.example.com/thankyou.html" ;

$formurl = "http://www.ictechinformatique.com/newsite/contact/contact.html" ;
$errorurl = "http://www.ictechinformatique.com/newsite/contact/error.html" ;
$thankyouurl = "http://www.ictechinformatique.com/newsite/contact/feedback.html" ;

// -------------------- END OF CONFIGURABLE SECTION ---------------

// form fields are taken exactly as submitted; nothing is checked beyond "not empty"
$name = $_POST['name'] ;
$email = $_POST['email'] ;
$comments = $_POST['comments'] ;
$http_referrer = getenv( "HTTP_REFERER" );

// no email field at all: send the visitor back to the form
if (!isset($_POST['email'])) {
    header( "Location: $formurl" );
    exit ;
}
// any field empty: show the error page
if (empty($name) || empty($email) || empty($comments)) {
    header( "Location: $errorurl" );
    exit ;
}
// undo magic_quotes escaping (PHP 4/5 era setting) so the comments read normally
if (get_magic_quotes_gpc()) {
    $comments = stripslashes( $comments );
}

$messageproper =
    "This message was sent from:\n" .
    "$http_referrer\n" .
    "------------------------- COMMENTS -------------------------\n\n" .
    $comments .
    "\n\n------------------------------------------------------------\n" ;

// $name and $email are placed straight into the From/Reply-To headers
mail($mailto, $subject, $messageproper, "From: \"$name\" <$email>\nReply-To: \"$name\" <$email>\nX-Mailer: chfeedback.php 2.02" );
header( "Location: $thankyouurl" );
exit ;

?>

Thanks,

Richard
 
Looks like your code is insecure as you are not testing the value of $_POST['email'] to ensure that it does not have any nefarious characters.

I'd guess your form is being spoofed.

Captcha may stop spam but you need to fix the code to stop it being used as a remailer.

 
Thanks for that.

I'll sort it out next when I get back from a business trip. More annoying than anything else.

Richard
 
Besides email validation suggested by jpadie, I would also suggest that you do referer validation to make sure fields are posted from your domain name or contact page. If that does not work, you might do image validation.
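A hardened version of the mailer, written here as an added example (not Richard's script or code from either reply), applying both suggestions above: it rejects CR/LF in the header fields, validates the address, and checks the Referer host. Addresses, URLs and the host name are placeholders.

```php
<?php
// Hardened version of the mailer above (added example, not the thread's code).
// Same $_POST fields and redirects; addresses and hosts are placeholders.
$mailto      = 'info@example.com';
$subject     = 'ICi Technology Contact';
$formurl     = 'http://www.example.com/contact/contact.html';
$errorurl    = 'http://www.example.com/contact/error.html';
$thankyouurl = 'http://www.example.com/contact/feedback.html';
$site_host   = 'www.example.com';   // host the form must be posted from

// CR, LF or NUL in a header value lets the sender append extra headers
// (Cc:, Bcc:, a second To:), which is how an unchecked mailer becomes a relay.
function header_safe(string $value): bool {
    return preg_match('/[\r\n\0]/', $value) === 0;
}

// Referer can be absent or forged, so this is a cheap filter, not proof.
function referer_is_local(string $referer, string $host): bool {
    $ref_host = parse_url($referer, PHP_URL_HOST);
    return is_string($ref_host) && strcasecmp($ref_host, $host) === 0;
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !isset($_POST['email'])) {
    header("Location: $formurl");
    exit;
}

$name     = trim((string)($_POST['name'] ?? ''));
$email    = trim((string)($_POST['email'] ?? ''));
$comments = (string)($_POST['comments'] ?? '');
$referer  = (string)($_SERVER['HTTP_REFERER'] ?? '');

// FILTER_VALIDATE_EMAIL already refuses line breaks; the name needs its own check.
if ($name === '' || $comments === '' || !header_safe($name)
    || filter_var($email, FILTER_VALIDATE_EMAIL) === false
    || !referer_is_local($referer, $site_host)) {
    header("Location: $errorurl");
    exit;
}

// Strip quoting characters from the display name, then build headers with CRLF.
$safe_name = str_replace(['"', '<', '>'], '', $name);
$headers   = "From: \"$safe_name\" <$email>\r\n"
           . "Reply-To: \"$safe_name\" <$email>\r\n"
           . "X-Mailer: chfeedback.php 2.02";
$body      = "This message was sent from:\n$referer\n"
           . "------------------------- COMMENTS -------------------------\n\n"
           . "$comments\n\n------------------------------------------------------------\n";
mail($mailto, $subject, $body, $headers);
header("Location: $thankyouurl");
exit;
```

Logging the rejected submissions (referer, remote address, reason) is the quickest way to confirm whether the stray mails were relay attempts or a copy of the form hosted elsewhere.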
 