[Solved] Spam getting through my forms

Posted: Wed Apr 12, 2006 3:11 am
by Addos
Hi,
I wonder if anybody can help me with a spam issue. I have a good few forms which in the last few hours are being hit with a lot of spam. What is puzzling me is that I have worked as hard as my knowledge of PHP will allow me to keep this at bay for quite a long time, but recently I seem to be beaten. One method I have tried to use was to have a question that needed to be answered before the form will submit, and I found that once I started to get hit with spam I just had to change the question and it stopped… but not this time. I have even tried changing the names of the variables/fieldnames in the form/database this time, but nothing works. In the database the fields are generally given a null value, and I'm very confused as to how the validation in these forms is being bypassed. I capture IPs, but I know the limitations of these, and recently they are all random. So, looking at the code below, can anyone see how this breach is being made and what I could do to change this?
Here is a sample of two sites that are being hit right now. http://www.garycarswell.com/guestbook.php
http://www.killiangalligan.com/guestbook.php

Any help would be much appreciated thanks
Brian

Code:

<?php
// Test whether the POST array has been set and make certain
// variables are initialized with no content.
$pattern = '/^\w[-.\w]*@([-a-z0-9]+\.)+[a-z]{2,4}$/i';
if ($_POST && array_key_exists('sendCom', $_POST)) {
  $nospam = '';
  $nomessage = '';
  $error = array();
  $error_email = array();
  $message = '';
  $GuestEmail = $_POST['GuestEmail'];
  // Check each field and build errors array if problems found
  if (isset($_POST['Guest_Details']) && !empty($_POST['Guest_Details'])) {
    $message = strip_tags($_POST['Guest_Details']);
  } else {
    $nomessage = 'Message Required';
  }
  if (isset($_POST['Guest_Name']) && !empty($_POST['Guest_Name'])) {
    $Guest_Name = trim($_POST['Guest_Name']);
  } else {
    $error['Guest_Name'] = 'Name Required';
  }
  // Stop robots spamming the form
  // Conditional check for empty fields
  $spammed = trim(strtolower($_POST['StopSpam']));
  if ($spammed === 'thursday' && !empty($_POST['StopSpam'])) {
  } else {
    $nospam = 'Answer Required';
  }
  // Removes HTTP:// or http:// and strips white space
  $url = trim($_POST['GuestWebsite']);
  if (strpos(strtolower($url), 'http://') === 0) {
    $url = substr($url, 7);
  }
  if (empty($_POST['GuestEmail'])) { // validate the email if entered, otherwise ignore
  } else {
    if (!preg_match($pattern, $GuestEmail)) $error_email['invalid'] = 'ERROR! Your email address seems to be invalid. It should be similar to the following: info@me.com';
  }
}

function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "")
{
  $theValue = (!get_magic_quotes_gpc()) ? addslashes($theValue) : $theValue;

  switch ($theType) {
    case "text":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;
    case "long":
    case "int":
      $theValue = ($theValue != "") ? intval($theValue) : "NULL";
      break;
    case "double":
      $theValue = ($theValue != "") ? "'" . doubleval($theValue) . "'" : "NULL";
      break;
    case "date":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;
    case "defined":
      $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
      break;
  }
  return $theValue;
}

$editFormAction = $_SERVER['PHP_SELF'];
if (isset($_SERVER['QUERY_STRING'])) {
  $editFormAction .= "?" . htmlentities($_SERVER['QUERY_STRING']);
}

if ((isset($_POST["MM_insert"])) && ($_POST["MM_insert"] == "form1")) {
  if (!$nomessage && !$error) {
    if (!$nomessage && !$error_email) {
      if (!$nomessage && !$nospam) {
        // If no errors, send email and redirect to acknowledgment page
        // User has entered an email address: send mail
        mail($to, $subject, $message, $headers);
        $insertSQL = sprintf("INSERT INTO tblguestbook (Guest_Name, GuestLocation, Guest_Details, GuestWebsite, GuestEmail, ip, GuestDate) VALUES (%s, %s, %s, %s, %s, '" . $_SERVER['REMOTE_ADDR'] . "', CURDATE())",
                             GetSQLValueString($_POST['Guest_Name'], "text"),
                             GetSQLValueString($_POST['GuestLocation'], "text"),
                             GetSQLValueString($_POST['Guest_Details'], "text"),
                             GetSQLValueString("$url", "text"),
                             GetSQLValueString($_POST['GuestEmail'], "text"));

        mysql_select_db($database_carswell, $****);
        $Result1 = mysql_query($insertSQL, $****) or die(mysql_error());

        $insertGoTo = "guestbook.php";
        if (isset($_SERVER['QUERY_STRING'])) {
          $insertGoTo .= (strpos($insertGoTo, '?')) ? "&" : "?";
          $insertGoTo .= $_SERVER['QUERY_STRING'];
        }
        header(sprintf("Location: %s", $insertGoTo));
      }
    }
  }
}
?>

Posted: Wed Apr 12, 2006 3:48 am
by malcolmboston
Have you ever seen where the user has to type the text from an image? I know MSN sign-ups require this off-hand, and there's a load more that do; this is fool-proof as computers cannot read them.

look into that

Posted: Wed Apr 12, 2006 7:29 am
by BDKR
Here's what you're after.

http://captchas.net/sample/php/query.php
http://captchas.net/sample/php/

I implemented one on my blog and that pretty much shut that crap down. Instead, they started spamming my trackbacks.

:roll:

Posted: Wed Apr 12, 2006 7:42 am
by Addos
Thanks very much for all this help.
Regards
Brian

Posted: Wed Apr 12, 2006 7:47 am
by Weirdan
btw, $to, $subject and $headers variables are undefined in your script. If you have register_globals turned on on your server, you're vulnerable.

Posted: Wed Apr 12, 2006 7:59 am
by BDKR
Addos wrote: Thanks very much for all this help.
Regards
Brian
The bill is in the mail. :D

Good point Weirdan!

Posted: Wed Apr 12, 2006 8:14 am
by Roja
malcolmboston wrote: have you ever seen where the user has to quote the text on from an image, i know MSN sign-ups require this off-hand and theres a load more that do, this is fool-proof as computers cannot read them
Captchas have been massively defeated by computers using Optical Character Recognition (including the Captcha used for phpBB). Worse, they lock out visually impaired users, and can be challenging for non-native English speakers. Even for the most typical user they can be difficult to use.

Moderation is the cure for spamming. When they see no return on their investment in time, they'll stop visiting.

Posted: Wed Apr 12, 2006 8:51 am
by Addos
What puzzles me is how can the question I set in the above code be answered by a computer to override the validation. I have no problem in making changes to the type of question but I wonder why if human intervention is needed how the spammers still get through.

Thanks again this is all very interesting
Brian

Posted: Wed Apr 12, 2006 9:47 am
by Roja
Addos wrote: What puzzles me is how can the question I set in the above code be answered by a computer to override the validation. I have no problem in making changes to the type of question but I wonder why if human intervention is needed how the spammers still get through.

Thanks again this is all very interesting
Brian
You only ask *one* question, and it's always the same.

So you just have a human visit it once, and add it to their form submission system. Boom, your "verification" is defeated.

Remember, spamming makes money. You can remove link value by using the nofollow tag on a hrefs submitted by users. You can alternatively just strip all tags. You can rotate your verification questions (100 questions is a nice round number).

But in the end, the best solution remains moderation before posting. A human doesn't care that much if their comment shows up right away (especially if you say so in the comment submission system). A spammer on the other hand, that never sees any of their posts show up, knows not to bother coming back.

Moderation for the win. It's consistent, doesn't have false positives or false negatives, and it removes all value for the spammer. All it takes is a little effort from the admin.
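As an added example (not code from the thread or from any of its posters), here is a hardened version of the guestbook handler that puts the thread's suggestions in one place: validation state that exists for every request rather than only when the `sendCom` key is present, a rotating question whose answer is held in the session, explicitly assigned mail parameters so register_globals has nothing to fill in, `strip_tags` on every field, `rel="nofollow"` on visitor-supplied links, and an `approved` flag so entries are moderated before they are shown. The PDO handle `$db`, the `approved` column, the sample questions and the mail addresses are assumptions.

```php
<?php
// Added example, not code from the thread. Assumes PHP sessions, a PDO handle
// $db, and an extra `approved` column on tblguestbook for moderation.
session_start();
// Rotate among many questions (the thread suggests ~100); the expected answer
// stays server-side in the session and is never placed in the form.
$questions = array('What day comes after Wednesday?' => 'thursday',
    'What colour is a clear daytime sky?' => 'blue', 'How many legs does a dog have?' => 'four');
function pick_question(array $questions) {
    $prompt = array_rand($questions);
    $_SESSION['stopspam_answer'] = $questions[$prompt];
    return $prompt;
}
// All checks run before any decision: a request omitting a field or a submit button cannot skip them.
function validate_submission(array $post, $expected) {
    $f = function ($k) use ($post) { return isset($post[$k]) ? trim(strip_tags($post[$k])) : ''; };
    $clean = array('Guest_Name' => $f('Guest_Name'), 'Guest_Details' => $f('Guest_Details'),
        'GuestWebsite' => preg_replace('#^https?://#i', '', $f('GuestWebsite')), 'GuestEmail' => $f('GuestEmail'));
    $errors = array();
    if ($clean['Guest_Name'] === '')    { $errors['Guest_Name'] = 'Name Required'; }
    if ($clean['Guest_Details'] === '') { $errors['Guest_Details'] = 'Message Required'; }
    if ($clean['GuestEmail'] !== '' && !filter_var($clean['GuestEmail'], FILTER_VALIDATE_EMAIL)) {
        $errors['GuestEmail'] = 'Your email address seems to be invalid';
    }
    $answer = strtolower($f('StopSpam'));
    if ($expected === null || $answer === '' || !hash_equals((string) $expected, $answer)) {
        $errors['StopSpam'] = 'Answer Required';
    }
    return array($errors, $clean);
}
// Visitor links are rendered with rel="nofollow", so they earn the spammer no search ranking.
function website_link($url) {
    $safe = htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
    return $safe === '' ? '' : '<a href="http://' . $safe . '" rel="nofollow">' . $safe . '</a>';
}
if (isset($_POST['MM_insert']) && $_POST['MM_insert'] === 'form1') {
    $expected = isset($_SESSION['stopspam_answer']) ? $_SESSION['stopspam_answer'] : null;
    unset($_SESSION['stopspam_answer']);  // one issued question, one attempt
    list($errors, $clean) = validate_submission($_POST, $expected);
    if (!$errors) {
        // Mail parameters are assigned here; register_globals has nothing to supply.
        $to = 'webmaster@example.com'; $subject = 'Guestbook entry held for moderation';
        $headers = 'From: guestbook@example.com';
        mail($to, $subject, $clean['Guest_Details'], $headers);
        // approved = 0: shown only after a human approves it (moderation before posting).
        $db->prepare('INSERT INTO tblguestbook (Guest_Name, Guest_Details, GuestWebsite, GuestEmail, ip, GuestDate, approved) VALUES (?, ?, ?, ?, ?, CURDATE(), 0)')
           ->execute(array($clean['Guest_Name'], $clean['Guest_Details'], $clean['GuestWebsite'], $clean['GuestEmail'], $_SERVER['REMOTE_ADDR']));
        header('Location: guestbook.php'); exit;
    }
}
```

The form page calls `pick_question($questions)` when it renders and shows the returned prompt next to the `StopSpam` field; `website_link()` is for the listing page, where approved entries are displayed.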