Bots spamming forms, but not through website? [closed] - php

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about programming within the scope defined in the help center.
Closed 9 years ago.
I've got a website in which there is a simple "Newsletter" signup form. The form is set up via a WordPress plugin called "Contact Form 7". When the form is submitted, I get an e-mail of the person's name and their e-mail address rather than sticking it in a database (as the client has requested). All of the form submission code is written in PHP.
There's an issue with spam (always 5 e-mails at a time and 4 days apart) in which random-character names are input with legitimate e-mail addresses.
However, the bit that's getting me is that these bots aren't submitting from the form on the actual website... they're somehow bypassing it and submitting elsewhere. When a form is submitted via the website, I am e-mailed debugging information regarding the submission. With these bot/spam submissions, there is no debug information e-mailed to me.
I cannot figure out how they are managing this. My first thought was that they were accessing the scripts/PHP files directly, so I blocked direct access to the entire contact form root... but I am still getting the spam.
Any suggestions?

We managed to find where the e-mail was coming from via the logs.
It was coming from an old instance of the website via our previous web hoster (where the site was before we moved it). We have simply deleted that instance.
All should be well!
Thanks for the help, guys.

Related

Basic protection of PHP scripts [closed]

Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 6 years ago.
I'm in the process of learning more PHP. I've not really done any PHP before, only enough for basic emailing on contact forms. In the past when I've made such forms I've occasionally had spam emails come through via that script. From the frequency of the emails and the content, it is very much apparent that it isn't someone coming on the website and spamming via the form; rather, they know the URL of the PHP file and are submitting data to it via that in some way. What is the best way to prevent this sort of thing happening?
If you're in your very early stages of PHP (or programming in general) I would recommend that you create an input in your form which you hide or move off screen using CSS.
This would mean that no real user would fill this in, but when a bot comes to your page and submits the form, it would fill it in with some garbage data.
In your PHP code handling the submission, simply check to see if this field has been submitted or not. If it has, then you know it was not a real person, so discard the submission and do not proceed further with sending the email.
Note: I'm only recommending the approach above for learning purposes and for tiny projects that are not really in production use. If you need a more robust solution, then look into some sort of captcha solution or some JavaScript that adds some CSRF type of checks to your form.

How to prevent form submission/mail spam? [closed]

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 9 years ago.
I have various Joomla and static websites, and messages from the contact forms on those sites are sent to my mail. Lately I received a flood of spam in my mail, so I added a captcha to those forms. Now my mail is free from spammers.
But my question is: how did they compromise my site? It's like 100 mails within a few minutes, so it cannot be done manually.
They must have added some kind of script. How do they do it? I searched Google but could not come up with a good result.
Your site is not compromised. The captcha simply prevents a bot from submitting the form over and over again. It's the same as if a human quickly filled out the form and clicked submit and did this over and over again. There's not any kind of a security breach. Captchas are pretty good at preventing bot spam.
One clever thing you could do is make a hidden input field and make it very appealing for bots to fill out: no validation or anything, and a label and name like "Last Name", something that is common but that you aren't already using. When the form is submitted, that value will be sent to the server. Since a person couldn't have seen the input, the only way it will be filled out is if a bot found it in the document and filled it out. So, if you find this value, don't send the mail. More on this here (click).

Getting strange emails through contact form [closed]

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about programming within the scope defined in the help center.
Closed 9 years ago.
Hello, I have a simple custom contact form where users can send emails; I get an email when this contact form is used.
But now I got like 400 mails in 1 hour from 3 contact forms on my website. And the mails contain strange data. I have attached an image showing the emails I got.
I also got mails with things like \\\\\\\' oR \\\\\\%\\\\\'=\\\\\\2 in them, or stuff like 2=7, etc.
What is this?
Whenever you expose a form over the web, it is going to be found by bots. The bots will dump rubbish into your form and see if they can post it. Sometimes it is just garbage and other times it will contain links or other spam.
Most basic bots can be defeated by having a form element that fails validation if anything is entered - as bots normally put garbage in all fields. In your case, you could discard forms that don't contain a valid email address and it would solve quite a lot of the problem.
You could add a Captcha / Recaptcha - but they are a real problem for humans using your form - so think carefully before you go down this route.
The most reliable and hassle free way to go is normally to ask people to create a basic account with your website. That way, if they start spamming you, you can hell-ban them (i.e. make them think they can still submit the form, but discard it from spam user accounts).
The spam problem won't simply go away if you defeat the bots - as search-engine-optimisation consultants are happy to hand-crank entries thinking you'll then hand them money for their dodgy services.
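
The decoy-field check described in the answers above, together with the e-mail validation suggested in this one, as an added example that is not part of any of the original posts. The field name `last_name`, the function name and the sample submissions are assumptions.

```php
<?php
// Added example: server-side honeypot and e-mail check for a contact form.
// HONEYPOT_FIELD and classify_submission() are hypothetical names.
//
// Matching form markup (decoy hidden with CSS and kept out of the tab order):
//   <input type="text" name="last_name" tabindex="-1" autocomplete="off"
//          style="position:absolute;left:-9999px" aria-hidden="true">

const HONEYPOT_FIELD = 'last_name';

function classify_submission(array $post): string
{
    // A browser sends every named text input, even when empty. If the decoy
    // is absent, the request was not produced by submitting the real form.
    if (!array_key_exists(HONEYPOT_FIELD, $post)) {
        return 'bot';
    }
    // A real visitor never sees the decoy, so any value in it means a bot.
    $decoy = $post[HONEYPOT_FIELD];
    if (!is_string($decoy) || trim($decoy) !== '') {
        return 'bot';
    }
    // Discard submissions without a syntactically valid e-mail address.
    $email = $post['email'] ?? '';
    if (!is_string($email) || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return 'invalid';
    }
    return 'ok';
}

// Constructed sample submissions.
$samples = [
    'human'       => ['name' => 'Ann',   'email' => 'ann@example.com', 'last_name' => ''],
    'form bot'    => ['name' => 'xqzjv', 'email' => 'a@example.com',   'last_name' => 'xqzjv'],
    'direct POST' => ['name' => 'xqzjv', 'email' => 'a@example.com'],
    'garbage'     => ['name' => '2=7',   'email' => '2=7',             'last_name' => ''],
];
foreach ($samples as $label => $post) {
    echo $label, ' => ', classify_submission($post), PHP_EOL;
}
```

Only a result of `ok` should reach the code that sends the e-mail; the other two cases are dropped without telling the client why.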

add PHP contact form to website [closed]

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
Questions asking for code must demonstrate a minimal understanding of the problem being solved. Include attempted solutions, why they didn't work, and the expected results. See also: Stack Overflow question checklist
Closed 8 years ago.
I have a static website hosted on Apache to which I need to add a contact form that allows the user to enter their email address, name, and a message. I know nothing about PHP, so I've had a look at a couple of contact form tutorials.
However, none of the tutorials I've looked at mention how to configure the mail server, account, password that is used to send the email (using the mail function). In my case I would like to use a GMail account.
The documentation page for mail() has several usage examples. mail() will always send via the local server and there is no way to change that. If you're on shared hosting and the server has a poor reputation for spam, you're stuck with that.
PHPMailer is much more configurable, and you can set it up to send via Gmail's servers by using your username and password.
HTML5 form validation is worth diddly-squat when you're posting data to a server-side form handler. If you don't validate it server-side you're just going to have a form that's wide open for abuse.
The less information you let a user specify in the email, the better. This is not [only] because I hate users, it's because if you let a user specify the To, From, Subject, and Body fields you've basically just put up a "Free Lunch!" sign for every spammer on the internet.
Captcha. Rate-limit. Non-negotiable.
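
The points in the answer above about server-side validation, limiting what the user can specify, and rate limiting, as an added example that is not from the answer. The addresses, limits and function names are assumptions, and the in-memory log stands in for shared storage that persists between requests.

```php
<?php
// Added example: recipient, sender and subject are fixed server-side; the
// visitor supplies only a validated Reply-To address and a message body.

const MAIL_TO      = 'owner@example.com';      // assumed address
const MAIL_FROM    = 'noreply@example.com';    // assumed address
const MAIL_SUBJECT = 'Contact form message';

// Sliding-window limit per client address; $log maps ip => list of timestamps.
// In a real handler $log would be loaded from and saved to shared storage.
function allow_request(array &$log, string $ip, int $now, int $limit = 5, int $window = 3600): bool
{
    $recent = array_values(array_filter($log[$ip] ?? [], fn (int $t): bool => $t > $now - $window));
    $allowed = count($recent) < $limit;
    if ($allowed) {
        $recent[] = $now;
    }
    $log[$ip] = $recent;
    return $allowed;
}

// Returns the arguments for mail(), or null if the input must be rejected.
function build_message(array $post): ?array
{
    $email = $post['email'] ?? '';
    $body  = $post['message'] ?? '';
    if (!is_string($email) || !is_string($body) || trim($body) === '') {
        return null;
    }
    // CR or LF in a header value would let the sender append headers of their own.
    if (preg_match('/[\r\n]/', $email) || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    $headers = ['From' => MAIL_FROM, 'Reply-To' => $email];
    return [MAIL_TO, MAIL_SUBJECT, substr($body, 0, 5000), $headers];
}

// Constructed requests: the sixth from one address within the hour is refused.
$log = [];
for ($i = 1; $i <= 6; $i++) {
    echo $i, ': ', allow_request($log, '203.0.113.7', 1000 + $i) ? 'allowed' : 'limited', PHP_EOL;
}
// Constructed input with a line break in the address: rejected.
var_dump(build_message(['email' => "a@example.com\r\nBcc: x@example.com", 'message' => 'hi']));
$msg = build_message(['email' => 'ann@example.com', 'message' => 'Hello']);
// mail(...$msg);  // passing headers as an array needs PHP 7.2 or later
```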

Website form doesn't work when user clicks google ads link [closed]

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
Questions concerning problems with code you've written must describe the specific problem — and include valid code to reproduce it — in the question itself. See SSCCE.org for guidance.
Closed 9 years ago.
We cannot seem to figure out our problem with our form on our website. It works 100% correctly if someone goes directly to the website URL. We pay for Google Ads to direct people to our website. If someone clicks a paid Google Adword and goes to our website - when they fill out the form the submit button does not work. We then receive about 30+ emails with the same request.
I have no idea how to address this problem. I have been searching the web but can't find similar problems.
We have tested the form by going directly to the website in Chrome, IE, Firefox, and Safari. These all work fine.
When someone goes through Google ads - NONE of these browsers work. Normally after the form is filled out and submitted, a pop up appears saying "Thanks for submitting...". When going through Google Ads the pop up does not appear and the form doesn't tell the user that it has been submitted and we get many duplicate requests emailed to us.
Any thoughts here? It sounds weird, but we have tested this thoroughly and these are the results we get.
We are using PHP & HTML.
Google ads usually adds GET parameters to your URL, maybe this is affecting your form.
For example if your form is located at
http://www.mydomain.com/page.php?id=123
Google ads may actually make a request for
http://www.mydomain.com/page.php?id=123&gclid=DPDCaYGxzrMCFcVY3godsiMAoA
More information from Google about why/when these query strings are added
https://developers.google.com/analytics/devguides/collection/gajs/gaTrackingCampaigns
