email script compromised

[Hooch]

*** Here's a link to the fix for email bots ****** http://www.zentyx.com/stuff/tuts/email/ ***Hello all. This is a bit of a tall order, but could someone take a few minutesand let me know if something here is "bot" accessible? I am getting Spam sent via this form.The following code shows everything used to send the email.

<?PHP//Link used to the email pageecho "<a href=\"email.php?id=1\" >email</a>";//Here is the email page//--email.php--$result = mysql_query("SELECT * FROM `users` WHERE `id` = '".$_GET['id']."' LIMIT 1")or die(mysql_error()); $r = mysql_fetch_array($result);?>  <form action="email2.php" method="POST">  <input type="hidden" name="id" value="<?PHP echo $r['id']; ?>" />  <br />  Your name:<input type="text" name="name" size="20" class="txtbox" value="<?PHP echo $_SESSION['s_name'];?>"/>   <br />  Your email:<input type="text" name="email" size="20" class="txtbox" value="<?PHP echo $_SESSION['s_email'];?>"/>   <br />  Subject:<input type="text" name="subject" size="20" class="txtbox" value="<?PHP echo $_SESSION['s_subject'];?>"/>  <br />  Comments:<textarea name="comments" rows="8" cols="30" class="txtbox" value=""><?PHP echo $_SESSION['s_comments'];?></textarea>  <br />  <input type="submit" class="txtbox" name="submit" value="Send Email" />  </form> <?php//Here is the meat of the code//--email2.php--session_start();session_register("s_name"); $s_name = $_POST['name']; session_register("s_subject");$s_subject = $_POST['subject'];session_register("s_email");$s_email = $_POST['email']; session_register("s_comments");$s_comments = $_POST['comments']; if ($s_comments !== "" && $s_name !== "" && $s_subject !== "" && $s_email !== ""){include 'includes/db.php';$id = $_POST['id'];$result = mysql_query("SELECT * FROM `users` WHERE `id` = '".$id."' LIMIT 1")or die(mysql_error()); $r = mysql_fetch_array($result);if ($_POST['submit']){//From visitor$id = $_POST['id'];$name = $_POST['name'];$email = $_POST['email'];$subject = $_POST['subject'];$comments = $_POST['comments'];//From DB$db_id = $r['id'];$db_firstname = $r['firstname'];$db_lastname = $r['lastname'];$db_email = $r['email'];//set up info$nowDay = date("m.d.Y");$nowClock = date("H:i:s");$to = $db_email;$subject = $subject;$message = $comments;$site = 'http://www.site.com';@$comments =// we now generate a nice form for emailing"Message sent: $nowDay at $nowClock:\n\n"."------------------------- Senders Info -------------------------\n\n"."From: $name\n"."Location: email page\n"."Email: $email\n"."About: $subject\n\n"."--------------------------- COMMENTS ---------------------------\n\n".$message."\n\n\n"."----------------------------------------------------------------\n\n".$site;// The URLs matched so send the emailmail($to, $subject, $comments, "From: $name <$email>");?> Thank you for your inquiry.<br />Your email has been sent to <?PHP echo $r['username'];?><?phpsession_destroy();unset($_SESSION['s_name']);unset($_SESSION['s_email']);unset($_SESSION['s_subject']);unset($_SESSION['s_comments']);} else { echo "<center><p>Error!</p>";}} else {echo "<center><p>You forgot a mandatory field.</p><br>";echo "<a href=\"email.php?id=".$id."\">Back</a>";}?>

Thank you for all your help and time.Hooch

[justsomeguy]

It doesn't look like there's any code there to stop bots from submitting info, or to try to detect if the user is a bot or not.

[Hooch]

I was thinking as long as I had the email hidden by using a DB I was okay.I now have a random number addition that the user needs to complete.If it is correct you can continue.

<?PHP  	srand(time());	$random1 = (rand()%9);	session_register("r_1");	$r_1 = $random1; 	$random2 = (rand()%9);	session_register("r_2");	$r_2 = $random2; 	print $r_1." + ".$r_2." = <input type=\"text\" name=\"answer\" size=\"1\" class=\"txtbox\"/>";	$answer = $random1 + $random2;	session_register("s_answer");	$s_answer = $answer; 	?>

This goes above the submit button of the email form.Then on email2.php

if ($_POST['answer'] == $_SESSION['s_answer']){ onto the rest of the code

How would this do?

[justsomeguy]

You can do something like that. It also might be as easy as making the field names random. Instead of naming the email field "email" name it "sj24jd5k3l" and then don't send the email unless they fill in a valid address in that field.

[Hooch]

Thanks guy. I'm not sure validating the email would do anything since those spam emails had possible valid emails in them. They were very random looking emails..but would pass any email validationscript I'm sure.

[Synook]

Also, search the web for captchas - they are quite useful as well, as they cannot be read by a bot like text.

[Hooch]

I guess I could have a few random pictures, say a car, truck and a horse.Give each a value, then ask the user to select the correct answer.This would be a quick easy way to stop bots?

[Synook]

You can download some captchas from the web for free, try http://recaptcha.net/

[primefalcon]

One thing I also do is take the ip address of every user, if I get 1 spammer.I actualy ban that ip address from seeing the form or submitting a form again

[justsomeguy]

Thanks guy. I'm not sure validating the email would do anything since those spam emails had possible valid emails in them. They were very random looking emails..but would pass any email validationscript I'm sure.

Right, but the script wouldn't know which field to put the email address in. It looks at your form and sees fields called "email", "subject", "comments" etc and fills each of them out. If you randomize the names of everything it won't know which field to put the email address in so presumably it would fail validation. And it wouldn't require an actual user to do anything different because they see the "Email:" prompt on the screen and don't care what the field name is called.

[jlhaslip]

Then name a hidden field "email" and check to see if there is any information in that field and then you know it was a bot, so drop the form submission.

[Hooch]

Here's an update. I went and changed all the fields names to a random sequence as per Guy'sinstruction. I tried to send an email myself and it worked. Now the emails are still coming, but with no information. So the bot must be addingmy 2 random numbers correctly. Is this something bots can do? Or would the jerk who is behind this have to codehis bot specifically for adding numbers? Jlhaslip I am not following you on the hidden email. Could you please explain more?***Update cont'd*** I just implemented a validation script for emails. It checks to see if the domain exists. Very nice tutorial I found. I found it on another tutorial site so I probably should not showthe link. But there are plenty of tuts out there in Google land. So with the scrambled text fields and this validation here's hopingall is better. Thanks for all the help everyone..I'll keep you posted. Once it's working flawlessly I can post the full code if anyone is interested. Hooch

[jlhaslip]

Jlhaslip I am not following you on the hidden email. Could you please explain more.

I'll try...Now that you have 'scrambled' the actual tags for the fields, add one back into the form which is a 'hidden' input named "email".as you process the fields prior to sending the email, the first thing you check is this hidden 'email' filed in the POST array, and if there are any contents in it, you know that a Bot is sending mail, because a Human can't see it to complete the field.Also, you might want to check this page to see if it may help you: http://www.jlhaslip.com/samples/email/You should be able to adapt the code according to your needs.

[justsomeguy]

I remember that discussion, that was a good idea. But instead of using a hidden element, use a normal text element with some styling to remove it from the page. A bot might skip hidden elements.<input type="text" name="email" style="display: none;">

[jlhaslip]

Yes, that is what I meant, not a Hidden input tag. Thanks for clarifying that.

[Hooch]

So with the scrambled fields and that "hidden" email field, this shouldbe enough to catch most email bots? That addition field I added is not neaded now, correct? Thanks, Hooch

[justsomeguy]

I would say take off the addition field, if you randomize the name and include a trap email field I think that's probably enough, and it won't require users to do anything differently.

[jlhaslip]

I agree with justsomeguy, and it would be great if you could let us know how these changes work for you.You could always add the additional field later if you continue to have problems.

[justsomeguy]

The only thing I'm thinking about is auto-form fillers, like the Google toolbar will automatically fill in fields with names that it has saved. So you might get some false positives here from people who actually did fill it in. So, if they fail the test don't just automatically boot them or ban their IP or give them a nasty message, they still need some way to submit. In that case you might need to have a confirm button that they click again to send the mail (everything gets submitted in hidden inputs) or another test like the math test.Or, in addition to a hidden email field, also have a hidden subject field. Auto-form fillers would not use a subject field, and bots still would.

[Hooch]

Right now with the scrambled fields the spam has stopped. I'll add that hidden email ina few days. I'm too busy with other stuff right now. I'll keep you posted, and thank you all for the help.Once it's working I will have a link to the whole code on my siteso people can use it. Hooch I had some time tonight so I made the code up. I decided to go with the hidden email field only. Then I puta friendly reply about my email security and please goback to refill the form. I mentioned to clear the form too.I have a button for that. Not one bit of spam since I made the scrambled fields. WOOHOO!!! Thanks again guys.

[Hooch]

I seem to have had luck with the fixes you guys have helped me with.*** Here's a link to the fix for email bots ****** http://www.zentyx.com/stuff/tuts/email/ ***Again thanks for all the help.