Receiving blank emails from submit form 2

[3112005]

I keep receiving blank emails from my online submit form on my website. I thought it was people using it without javascript enabled, so I redirected them to a different page so they could not, but I am still receiving them.

Does anyone know why?

Thanks!
</>
[link to form] "

http://www.afsfilters.com/partsandservices.asp"

</>

 

[jmille34]

spiders

 

[3112005]

How do I stop them? Or can I?

Thanks again!

 

[1DMF]

I have started getting spam in my guestbook in similar mannor, I guess that's why those security images like when you sing up for hotmail are becoming more nad more of a neccesity.

You could track IP and see if it is always originating from the same and ban it.

http_referer may also be an option.

"In complete darkness we are all the same, only our knowledge and wisdom separates us, don't let your eyes deceive you.

 

[3112005]

I have a bunch of mailto links on the contacts page and those people don't get blank emails or spam... I wonder why the form is.

 

[1DMF]

mailto are uised to send you spam, forms especially for guestbooks are used to advertise other peoples sites and gain extra hits regarding search engines - 2 seperate problems altogether!

i just sent a test - was the email filled in ok ?

also are you locking it down to POST only, a program may be firing your code via GET.

It's becoming a real pain on the internet, i've even changed the name of my script as i started getting so many 'bots' spaming it!

"In complete darkness we are all the same, only our knowledge and wisdom separates us, don't let your eyes deceive you.

 

[3112005]

Yes the email was filled in ok.

Yes POST only....

<form action="/gnrlfeedback/send.asp" name = ContactUs
onsubmit="return validate_form(this)"
method="post">

<URL to Formhtm>

http://www.afsfilters.com/gnrlfeedback/form.htm

<CODE for Send.asp>
<%@ Language=VBScript %>
<%
Dim objMail
Dim crlf
Dim strBody

crlf = Chr(10) & Chr(13)
Set objMail = CreateObject("CDONTS.NewMail")
objMail.From = "ContactUs"
objMail.To= "email@sample.com"
objMail.Subject= Request.Form("AFS Contact Us Form")
strBody = "Name: " & Request.Form("Name") & crlf
strBody = strBody & "Company: " & Request.Form("Company") & crlf
strBody = strBody & "Title: " & Request.Form("Title") & crlf
strBody = strBody & "Street: " & Request.Form("Street") & crlf
strBody = strBody & "City: " & Request.Form("City") & crlf
strBody = strBody & "State: " & Request.Form("State") & crlf
strBody = strBody & "Zip: " & Request.Form("Zip") & crlf
strBody = strBody & "Phone: " & Request.Form("Phone") & crlf
strBody = strBody & "Fax: " & Request.Form("Fax") & crlf
strBody = strBody & "Email: " & Request.Form("Email") & crlf
strBody = strBody & "Helicopter(s)in Use: " & Request.Form("Helicopter") & crlf
strBody = strBody & "General Comments: " & Request.Form("Comments") & crlf


objMail.Body= strBody
objMail.Send
Set objMail = Nothing
Response.Write "Message sent. Redirecting to confirmation page."
Response.Redirect "

http://www.afsfilters.com/gnrlfeedback/confirmation_page.htm"

%>

 

[1DMF]

but what if i copied your form, removed the JS for validation and submitted it blank - do you do serverside verification of details before running your code?

might be the only way to be sure!

"In complete darkness we are all the same, only our knowledge and wisdom separates us, don't let your eyes deceive you.

 

[jmille34]

To stop blank submissions, you can set up your backend script to abort if it receives no form fields or if they're all blank. To stop spam, you're really quite stuck. The security images are the best way I know of, but you can never stop people from manually entering the spam into it.

Here's one idea. It's a little cheesy, but basically you give a fake action="" in your form tag to fake out the spider, and then you use javascript to set it to the real action page when the user clicks submit.

Note: I use ColdFusion, so I initially set the form to use action="donothing.cfm" (which I would create as an empty script to prevent 404's), and then the onclick event of the submit button changes it to "form.cfm". To add a layer of complexity (and a slight odor of cheese), I make an array of characters and then string them together to make the literal string "form.cfm". Of course if the spider is smart enough, it will figure this out, but that is the way of things.

<html>
<head><title>test</title></head>
<body>
<form action="donothing.cfm" method="post">
<input type="text" name="t1" value="t1"><br>
<input type="text" name="t2" value="t2"><br>
<input type="text" name="t3" value="t3"><br>
<input type="submit" onclick="dostuff(this.form);">
</form>
<script>
function dostuff(obj) {
	ar=new Array("f","o","r","m",".","c","f","m");
	str="";
	for(i in ar) {
		str=str + ar[i];
	}
	obj.action=str;
}
</script>
</body>
</html>

 

[1DMF]

very cheesy, but I guess it would work, unless then the bots can work out what you've done by checking onclick info for exactly that.

I have the feeling no matter what you do to stop these evil spammers, they are only a few lines of code behind you!

"In complete darkness we are all the same, only our knowledge and wisdom separates us, don't let your eyes deceive you.

 

[cLFlaVA]

3112005,

consider using captchas.

Also, the method I use, while not as high-tech, still is effective. I created a form element, just a plain text box, then hid it using CSS. Then, on the server side, I test to see if that form element has been filled in. If it has, I disregard the whole submission, because spiders like to fill in all the fields with garbage.

you can see what I did here:

http://coryarthus.com/comments/112

just do a view > source, and search for the string "strVerify".



*cLFlaVA
----------------------------
[tt]somebody set up us the bomb![/tt]

[URL unfurl="true"]http://www.coryarthus.com/[/url]

 

[3112005]

Does big companies like say Cingular have these same issues, or do they have a prevention method.

I am not familiar with security images, is that like what you see when you buy tickets from ticketmaster.com or when I login to my bank account and it asks you to type the letters/numbers that you see in a distorted image?

Thanks!

 

[1DMF]

yes - click the link cLFlaVa posted it's very interesting reading.

only thing is it looks like there is a bunch of people out there that have written code to beat captchas already so not sure there is much point in using them.

It all depends on what bot is hitting your form and the complexity levels of it, and if it's one of those assholes who actively go about manually spamming people sites then there is nothing a captcha system can do, you just have to keep on top of the junk manually.

The best solution is for there to be a prison sentence for prooved spammers, that might stop them , when someone goes to prison for a year for spamming, they might think twice about doing it themselves, but alas I think proper , enforcable regulation of the internet is just a pipe dream, like eradicating viruses and hackers.


"In complete darkness we are all the same, only our knowledge and wisdom separates us, don't let your eyes deceive you.