Jump to content

email script compromised


Hooch
 Share

Recommended Posts

*** Here's a link to the fix for email bots ****** http://www.zentyx.com/stuff/tuts/email/ ***Hello all. This is a bit of a tall order, but could someone take a few minutesand let me know if something here is "bot" accessible? I am getting Spam sent via this form.The following code shows everything used to send the email.

<?PHP//Link used to the email pageecho "<a href=\"email.php?id=1\" >email</a>";//Here is the email page//--email.php--$result = mysql_query("SELECT * FROM `users` WHERE `id` = '".$_GET['id']."' LIMIT 1")or die(mysql_error()); $r = mysql_fetch_array($result);?>  <form action="email2.php" method="POST">  <input type="hidden" name="id" value="<?PHP echo $r['id']; ?>" />  <br />  Your name:<input type="text" name="name" size="20" class="txtbox" value="<?PHP echo $_SESSION['s_name'];?>"/>   <br />  Your email:<input type="text" name="email" size="20" class="txtbox" value="<?PHP echo $_SESSION['s_email'];?>"/>   <br />  Subject:<input type="text" name="subject" size="20" class="txtbox" value="<?PHP echo $_SESSION['s_subject'];?>"/>  <br />  Comments:<textarea name="comments" rows="8" cols="30" class="txtbox" value=""><?PHP echo $_SESSION['s_comments'];?></textarea>  <br />  <input type="submit" class="txtbox" name="submit" value="Send Email" />  </form> <?php//Here is the meat of the code//--email2.php--session_start();session_register("s_name"); $s_name = $_POST['name']; session_register("s_subject");$s_subject = $_POST['subject'];session_register("s_email");$s_email = $_POST['email']; session_register("s_comments");$s_comments = $_POST['comments']; if ($s_comments !== "" && $s_name !== "" && $s_subject !== "" && $s_email !== ""){include 'includes/db.php';$id = $_POST['id'];$result = mysql_query("SELECT * FROM `users` WHERE `id` = '".$id."' LIMIT 1")or die(mysql_error()); $r = mysql_fetch_array($result);if ($_POST['submit']){//From visitor$id = $_POST['id'];$name = $_POST['name'];$email = $_POST['email'];$subject = $_POST['subject'];$comments = $_POST['comments'];//From DB$db_id = $r['id'];$db_firstname = $r['firstname'];$db_lastname = $r['lastname'];$db_email = $r['email'];//set up info$nowDay = date("m.d.Y");$nowClock = date("H:i:s");$to = $db_email;$subject = $subject;$message = $comments;$site = 'http://www.site.com';@$comments =// we now generate a nice form for emailing"Message sent: $nowDay at $nowClock:\n\n"."------------------------- Senders Info -------------------------\n\n"."From: $name\n"."Location: email page\n"."Email: $email\n"."About: $subject\n\n"."--------------------------- COMMENTS ---------------------------\n\n".$message."\n\n\n"."----------------------------------------------------------------\n\n".$site;// The URLs matched so send the emailmail($to, $subject, $comments, "From: $name <$email>");?> Thank you for your inquiry.<br />Your email has been sent to <?PHP echo $r['username'];?><?phpsession_destroy();unset($_SESSION['s_name']);unset($_SESSION['s_email']);unset($_SESSION['s_subject']);unset($_SESSION['s_comments']);} else { echo "<center><p>Error!</p>";}} else {echo "<center><p>You forgot a mandatory field.</p><br>";echo "<a href=\"email.php?id=".$id."\">Back</a>";}?>

Thank you for all your help and time.Hooch

Link to comment
Share on other sites

I was thinking as long as I had the email hidden by using a DB I was okay.I now have a random number addition that the user needs to complete.If it is correct you can continue.

<?PHP  	srand(time());	$random1 = (rand()%9);	session_register("r_1");	$r_1 = $random1; 	$random2 = (rand()%9);	session_register("r_2");	$r_2 = $random2; 	print $r_1." + ".$r_2." = <input type=\"text\" name=\"answer\" size=\"1\" class=\"txtbox\"/>";	$answer = $random1 + $random2;	session_register("s_answer");	$s_answer = $answer; 	?>

This goes above the submit button of the email form.Then on email2.php

if ($_POST['answer'] == $_SESSION['s_answer']){ onto the rest of the code

How would this do?

Link to comment
Share on other sites

Also, search the web for captchas - they are quite useful as well, as they cannot be read by a bot like text.

Link to comment
Share on other sites

Thanks guy. I'm not sure validating the email would do anything since those spam emails had possible valid emails in them. They were very random looking emails..but would pass any email validationscript I'm sure.
Right, but the script wouldn't know which field to put the email address in. It looks at your form and sees fields called "email", "subject", "comments" etc and fills each of them out. If you randomize the names of everything it won't know which field to put the email address in so presumably it would fail validation. And it wouldn't require an actual user to do anything different because they see the "Email:" prompt on the screen and don't care what the field name is called.
Link to comment
Share on other sites

Here's an update. I went and changed all the fields names to a random sequence as per Guy'sinstruction. I tried to send an email myself and it worked. Now the emails are still coming, but with no information. So the bot must be addingmy 2 random numbers correctly. Is this something bots can do? Or would the jerk who is behind this have to codehis bot specifically for adding numbers? Jlhaslip I am not following you on the hidden email. Could you please explain more?***Update cont'd*** I just implemented a validation script for emails. It checks to see if the domain exists. Very nice tutorial I found. I found it on another tutorial site so I probably should not showthe link. But there are plenty of tuts out there in Google land. So with the scrambled text fields and this validation here's hopingall is better. Thanks for all the help everyone..I'll keep you posted. Once it's working flawlessly I can post the full code if anyone is interested. Hooch

Link to comment
Share on other sites

Jlhaslip I am not following you on the hidden email. Could you please explain more.
I'll try...Now that you have 'scrambled' the actual tags for the fields, add one back into the form which is a 'hidden' input named "email".as you process the fields prior to sending the email, the first thing you check is this hidden 'email' filed in the POST array, and if there are any contents in it, you know that a Bot is sending mail, because a Human can't see it to complete the field.Also, you might want to check this page to see if it may help you: http://www.jlhaslip.com/samples/email/You should be able to adapt the code according to your needs.
Link to comment
Share on other sites

I remember that discussion, that was a good idea. But instead of using a hidden element, use a normal text element with some styling to remove it from the page. A bot might skip hidden elements.<input type="text" name="email" style="display: none;">

Link to comment
Share on other sites

I agree with justsomeguy, and it would be great if you could let us know how these changes work for you.You could always add the additional field later if you continue to have problems.

Link to comment
Share on other sites

The only thing I'm thinking about is auto-form fillers, like the Google toolbar will automatically fill in fields with names that it has saved. So you might get some false positives here from people who actually did fill it in. So, if they fail the test don't just automatically boot them or ban their IP or give them a nasty message, they still need some way to submit. In that case you might need to have a confirm button that they click again to send the mail (everything gets submitted in hidden inputs) or another test like the math test.Or, in addition to a hidden email field, also have a hidden subject field. Auto-form fillers would not use a subject field, and bots still would.

Link to comment
Share on other sites

Right now with the scrambled fields the spam has stopped. I'll add that hidden email ina few days. I'm too busy with other stuff right now. I'll keep you posted, and thank you all for the help.Once it's working I will have a link to the whole code on my siteso people can use it. Hooch I had some time tonight so I made the code up. I decided to go with the hidden email field only. Then I puta friendly reply about my email security and please goback to refill the form. I mentioned to clear the form too.I have a button for that. Not one bit of spam since I made the scrambled fields. WOOHOO!!! Thanks again guys.

Edited by Hooch
Link to comment
Share on other sites

  • 4 weeks later...

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

×
×
  • Create New...