Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
Questions asking for code must demonstrate a minimal understanding of the problem being solved. Include attempted solutions, why they didn't work, and the expected results. See also: Stack Overflow question checklist
Closed 8 years ago.
I have a static website hosted on Apache to which I need to add a contact form that allows the user to enter their email address, name, and a message. I know nothing about PHP, so I've had a look at a couple of contact form tutorials.
However, none of the tutorials I've looked at mention how to configure the mail server, account, password that is used to send the email (using the mail function). In my case I would like to use a GMail account.
The documentation page for mail() has several usage examples. mail() will always send via the local server and there is no way to change that. If you're on shared hosting and the server has a poor reputation for spam, you're stuck with that.
PHPMailer is much more configurable, and you can set it up to send via Gmail's servers by using your username and password.
HTML5 form validation is worth diddly-squat when you're posting data to a server-side form handler. If you don't validate it server-side you're just going to have a form that's wide open for abuse.
The less information you let a user specify in the email, the better. This is not [only] because I hate users, it's because if you let a user specify the To, From, Subject, and Body fields you've basically just put up a "Free Lunch!" sign for every spammer on the internet.
Captcha. Rate-limit. Non-negotiable.
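A server-side handler along the lines this answer describes, as an added example that is not from the original posts: the recipient and subject are fixed in code, every field is validated on the server, and submissions are rate-limited per IP. The address, limits, and function names are assumptions, the captcha check is left out, and `mail()` can be swapped for PHPMailer without changing the checks.

```php
<?php
declare(strict_types=1);

// Recipient and subject are fixed server-side; the visitor never controls them.
const CONTACT_TO      = 'owner@example.com';   // placeholder address
const CONTACT_SUBJECT = 'Website contact form';
const MAX_PER_HOUR    = 5;                     // assumed limit per client IP

/** Returns the names of the fields that failed validation; empty means acceptable. */
function validate_contact(array $in): array
{
    $get = fn(string $k): string => is_string($in[$k] ?? null) ? trim($in[$k]) : '';
    [$name, $email, $msg] = [$get('name'), $get('email'), $get('message')];
    $errors = [];
    // CR/LF in a short field is the classic sign of a header-injection attempt.
    if ($name === '' || strlen($name) > 100 || preg_match('/[\r\n]/', $name)) { $errors[] = 'name'; }
    // FILTER_VALIDATE_EMAIL also rejects addresses that contain line breaks.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) { $errors[] = 'email'; }
    if ($msg === '' || strlen($msg) > 5000) { $errors[] = 'message'; }
    return $errors;
}

/** Sliding one-hour window per IP, stored as a list of timestamps in a temp file. */
function rate_limited(string $ip, int $now): bool
{
    $file = sys_get_temp_dir() . '/contact_' . hash('sha256', $ip) . '.json';
    $hits = is_file($file) ? (json_decode((string)file_get_contents($file), true) ?: []) : [];
    $hits = array_values(array_filter($hits, fn($t) => $t > $now - 3600));
    if (count($hits) >= MAX_PER_HOUR) {
        return true;
    }
    $hits[] = $now;
    file_put_contents($file, json_encode($hits), LOCK_EX);
    return false;
}

if (PHP_SAPI !== 'cli' && $_SERVER['REQUEST_METHOD'] === 'POST') {
    if (rate_limited($_SERVER['REMOTE_ADDR'], time())) { http_response_code(429); exit; }
    if (validate_contact($_POST) !== [])               { http_response_code(400); exit; }
    // Visitor data goes into the message body only, never into a header.
    $body = "Name: {$_POST['name']}\nEmail: {$_POST['email']}\n\n{$_POST['message']}";
    mail(CONTACT_TO, CONTACT_SUBJECT, $body);
    echo 'Thank you';
}
```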
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 9 years ago.
I have various Joomla and static websites, and messages from the contact forms on those sites are sent to my mail. Lately I received various spam that flooded my mail, then I added a captcha to those forms. Now my mail is free from spammers.
But my question is: how did they compromise my site? It's like 100 mails within a few minutes, so it cannot be done manually.
They must have added some kind of script. How do they do it? I searched Google but could not come up with a good result.
Your site is not compromised. The captcha simply prevents a bot from submitting the form over and over again. It's the same as if a human quickly filled out the form and clicked submit and did this over and over again. There's not any kind of a security breach. Captchas are pretty good at preventing bot spam.
One clever thing you could do is make a hidden input field and make it very appealing for bots to fill it out, no validation or anything and label and name like "Last Name", something that is common, but that you aren't already using. When the form is submitted that value will be sent to the server. Since a person couldn't have seen the input, the only way it will be filled out is if a bot found it in the document and filled it out. So, if you find this value, don't send the mail. More on this here (click).
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about programming within the scope defined in the help center.
Closed 9 years ago.
Hello, I have a simple custom contact form where users can send emails. I get an email when this contact form is used.
But now I got like 400 mails in 1 hour from 3 contact forms on my website. And the mails contain strange data. I have attached an image showing the emails I got.
I also got mails with things like \\\\\\\' oR \\\\\\%\\\\\'=\\\\\\2 in it, or stuff like 2=7 etc...
What is this?
Whenever you expose a form over the web, it is going to be found by bots. The bots will dump rubbish into your form and see if they can post it. Sometimes it is just garbage and other times it will contain links or other spam.
Most basic bots can be defeated by having a form element that fails validation if anything is entered - as bots normally put garbage in all fields. In your case, you could discard forms that don't contain a valid email address and it would solve quite a lot of the problem.
You could add a Captcha / Recaptcha - but they are a real problem for humans using your form - so think carefully before you go down this route.
The most reliable and hassle free way to go is normally to ask people to create a basic account with your website. That way, if they start spamming you, you can hell-ban them (i.e. make them think they can still submit the form, but discard it from spam user accounts).
The spam problem won't simply go away if you defeat the bots - as search-engine-optimisation consultants are happy to hand-crank entries thinking you'll then hand them money for their dodgy services.
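The hidden decoy field suggested in the earlier answer and the "fails validation if anything is entered" element suggested in this one are the same check, shown here as an added example that is not from the original posts. The field name `last_name`, the off-screen styling, and the sample submissions are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Assumed name of the hidden decoy input; the real form does not use it.
const HONEYPOT_FIELD = 'last_name';

/** Markup for the decoy: moved off-screen for people, still in the document for bots. */
function honeypot_markup(): string
{
    return '<div style="position:absolute;left:-9999px" aria-hidden="true">'
         . '<label>Last Name <input type="text" name="' . HONEYPOT_FIELD . '"'
         . ' tabindex="-1" autocomplete="off"></label></div>';
}

/** Classify one submission as "send" or "discard". */
function classify_submission(array $post): string
{
    $field = fn(string $k): string => is_string($post[$k] ?? null) ? trim($post[$k]) : '';
    // A person never sees the decoy, so any value in it came from a script.
    if ($field(HONEYPOT_FIELD) !== '') {
        return 'discard';
    }
    // Drop submissions that do not carry a syntactically valid email address.
    if (filter_var($field('email'), FILTER_VALIDATE_EMAIL) === false) {
        return 'discard';
    }
    return 'send';
}

// Constructed sample submissions, not taken from the page.
$samples = [
    'human'         => ['email' => 'alice@example.com', 'message' => 'Hi',  'last_name' => ''],
    'bot fills all' => ['email' => 'x@example.net',     'message' => 'buy', 'last_name' => 'qwerty'],
    'garbage email' => ['email' => '2=7',               'message' => 'zz',  'last_name' => ''],
];
foreach ($samples as $label => $post) {
    printf("%-14s %s\n", $label, classify_submission($post));
}
```

Returning the same "thank you" page for discarded submissions gives a bot no signal that it was filtered.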
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about programming within the scope defined in the help center.
Closed 9 years ago.
I've got a website in which there is a simple "Newsletter" signup form. The form is set up via a WordPress plugin called "Contact Form 7". When the form is submitted, I get an e-mail of the person's name and their e-mail address rather than sticking it in a database (as the client has requested). All of the form submission code is written in PHP.
There's an issue with spam (always 5 e-mails at a time and 4 days apart) in which random-character names are input with legitimate e-mail addresses.
However, the bit that's getting me is that these bots aren't submitting from the form on the actual website.. they're somehow bypassing it and submitting elsewhere. When a form is submitted via the website, I am e-mailed debugging information regarding the submission. With these bot/spam submissions, there is no debug information e-mailed to me.
I cannot figure out how they are managing this. My first thought was that they were accessing the scripts/PHP files directly, so I blocked direct access to the entire contact form root.. but I am still getting the spam.
Any suggestions?
We managed to find where the e-mail was coming from via the logs.
It was coming from an old instance of the website via our previous web hoster (where the site was before we moved it). We have simply deleted that instance.
All should be well!
Thanks for the help, guys.
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
Questions asking for code must demonstrate a minimal understanding of the problem being solved. Include attempted solutions, why they didn't work, and the expected results. See also: Stack Overflow question checklist
Closed 9 years ago.
I am new to the CodeIgniter framework. I want to verify the email address which is entered by users. Actually, I want to be sure that the entered email address is a real and existing email address without sending any email. Is it possible? If it is possible, please help me. I want to do it using the CodeIgniter framework.
Thank you.
There's not going to be a way to confirm that an email address exists and is actually used by someone without sending an email to them to confirm it. Even if it doesn't bounce, that doesn't mean it's "real", it might just be forwarded to another address, silently discarded, or any number of things.
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
Questions asking for code must demonstrate a minimal understanding of the problem being solved. Include attempted solutions, why they didn't work, and the expected results. See also: Stack Overflow question checklist
Closed 9 years ago.
I am not a PHP expert but managed to create a self-registration form with captcha which adds users to MySQL. I was very pleased with myself for doing this!
I am now getting bombarded with false Hotmail accounts being registered on the site for spam or links.
I would like to stop this, even if I just block all Hotmail accounts by adding to the PHP. All I can find is 'new' code, which is no good as it uses different variables etc.
If I post my code, could anyone add the new code to do this?
The easiest thing I'd suggest you do would be to add a new column in your database called 'activation' and automatically set it to 'false'. When the user signs up, it will send them an email with an activation link. When they click the link, it will send them to a page where it will change the value of the column from 'false' to 'true'. Then add another line in your code to say that if it is false, they're not allowed to sign in.
Take a look at this website to get a little more about this. You can learn a little more about it and how to restrict certain emails etc...
Also try some JavaScript validation. It should work just the same! Find the basics about JavaScript validation, click here!
Best of luck!
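The activation flow from this answer, as an added example that is not the poster's code. It assumes an in-memory SQLite table in place of the MySQL one, stores `activation` as 0/1, and adds a hypothetical `token_hash` column so the emailed link can be checked; sending the email itself is left out.

```php
<?php
declare(strict_types=1);

// In-memory SQLite stands in for the poster's MySQL table (assumption).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (
    email      TEXT PRIMARY KEY,
    activation INTEGER NOT NULL DEFAULT 0,
    token_hash TEXT)');

/** Create the account as inactive and return the token to put in the emailed link. */
function register(PDO $db, string $email): string
{
    $token = bin2hex(random_bytes(32));
    // Only the hash is stored, so a leaked table does not yield usable links.
    $stmt = $db->prepare('INSERT INTO users (email, activation, token_hash) VALUES (?, 0, ?)');
    $stmt->execute([$email, hash('sha256', $token)]);
    return $token;
}

/** Activation page handler: flips activation to 1 once, if the token matches. */
function activate(PDO $db, string $token): bool
{
    $stmt = $db->prepare('UPDATE users SET activation = 1, token_hash = NULL
                          WHERE token_hash = ? AND activation = 0');
    $stmt->execute([hash('sha256', $token)]);
    return $stmt->rowCount() === 1;
}

/** Sign-in gate: accounts that never clicked the link are refused. */
function may_sign_in(PDO $db, string $email): bool
{
    $stmt = $db->prepare('SELECT activation FROM users WHERE email = ?');
    $stmt->execute([$email]);
    return (int)$stmt->fetchColumn() === 1;
}

// Constructed walk-through: sign-in is refused until the real token is presented.
$token = register($db, 'new.user@example.com');
var_dump(may_sign_in($db, 'new.user@example.com'));
var_dump(activate($db, 'not-the-token'));
var_dump(activate($db, $token));
var_dump(may_sign_in($db, 'new.user@example.com'));
```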