Spam what to do next?

Posted: Sun Dec 10, 2006 8:50 am
by Addos
http://www.leedaviesracing.com/guestbook_sign.php

I've been playing around with setting up my own 'Captcha' and, despite successfully
getting it to run the script OK, I'm still getting hit by spam. Has anyone got any
ideas? I can't understand, with all the conditional statements I run on the form
fields plus the image to insert text from, why spam is still getting through.
I can supply code, no problem, if necessary.

Thanks for any help

B

Posted: Sun Dec 10, 2006 8:53 am
by feyd
Did you use an existing captcha routine?

We'll probably need to see full code.

Posted: Sun Dec 10, 2006 9:46 am
by aaronhall
Are you checking that the same form data hasn't already been submitted?

Posted: Sun Dec 10, 2006 12:20 pm
by Addos
Hi ya,
Thanks for the reply. This is the code I'm using to enter the details. I know there are probably better ways, but I've only been learning PHP for the last 6 months, so be patient.

Code:

<?php
// Session start for the captcha: the image script stores md5 of the answer in $_SESSION['key']
session_start();

// Test whether the POST array has been set and make certain
// variables are initialized with no content.
$pattern = '/^\w[-.\w]*@([-a-z0-9]+\.)+[a-z]{2,4}$/i';
if ($_POST && array_key_exists('sendCom', $_POST)) {
  $nomessage = '';
  $error = array();
  $error_email = array();
  $error_code = '';
  $message = '';
  $trimmedGuestName = '';
  $trimmedGuestDetails = '';
  $GuestEmail = isset($_POST['GuestEmail']) ? $_POST['GuestEmail'] : '';
  // Trim out white space and strip out unwanted HTML
  $trimmedLocation = isset($_POST['GuestLocation']) ? trim(strip_tags($_POST['GuestLocation'])) : '';
  // Check each field and build errors array if problems found
  if (!empty($_POST['GuestDetails'])) {
    $trimmedGuestDetails = trim(strip_tags($_POST['GuestDetails']));
  } else {
    $nomessage = 'Message Required';
  }
  if (!empty($_POST['GuestName'])) {
    $trimmedGuestName = trim(strip_tags($_POST['GuestName']));
  } else {
    $error['GuestName'] = 'Name Required';
  }
  // Run captcha: md5 of the typed code must equal the key stored by the image script.
  // The key is left in the session after a successful check, so the same code can be
  // resent for as long as the session lives.
  if (!isset($_POST['code']) || !isset($_SESSION['key'])
      || md5($_POST['code']) != $_SESSION['key']) {
    $error_code = 'Incorrect entry. Try again!';
  }
  // Removes HTTP:// or http:// and strips white space and unwanted HTML tags
  $url = isset($_POST['GuestWebsite']) ? trim(strip_tags($_POST['GuestWebsite'])) : '';
  if (strpos(strtolower($url), 'http://') === 0) {
    $url = substr($url, 7);
  }
  // Validation of email if inserted, otherwise ignore
  if ($GuestEmail !== '' && !preg_match($pattern, $GuestEmail)) {
    $error_email['invalid'] = 'ERROR! Your email address seems to be invalid. <br> It should be similar to the following: info@me.com';
  }
}

// Quote a value for the SQL statement according to its type (Dreamweaver helper).
// addslashes() is not charset-aware; mysql_real_escape_string() would be the safer choice.
function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "")
{
  $theValue = (!get_magic_quotes_gpc()) ? addslashes($theValue) : $theValue;

  switch ($theType) {
    case "text":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;
    case "long":
    case "int":
      $theValue = ($theValue != "") ? intval($theValue) : "NULL";
      break;
    case "double":
      $theValue = ($theValue != "") ? "'" . doubleval($theValue) . "'" : "NULL";
      break;
    case "date":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;
    case "defined":
      $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
      break;
  }
  return $theValue;
}

$editFormAction = $_SERVER['PHP_SELF'];
if (isset($_SERVER['QUERY_STRING'])) {
  $editFormAction .= "?" . htmlentities($_SERVER['QUERY_STRING']);
}

// NOTE: the checks above only run when 'sendCom' is posted, but the insert below is
// gated on 'MM_insert' alone. A request carrying MM_insert=form1 without sendCom
// reaches the INSERT with every check variable unset (so all the tests pass) and with
// the trimmed values unset, which GetSQLValueString() turns into NULL columns.
if ((isset($_POST["MM_insert"])) && ($_POST["MM_insert"] == "form1")) {
  if (!$nomessage && !$error && !$error_email && !$error_code) {
    // If no errors, send email ($to, $subject and $headers are set in code omitted from the post)
    mail($to, $subject, $message, $headers); // etc...

    $insertSQL = sprintf("INSERT INTO guestbook (GuestName, GuestLocation, GuestDetails, GuestWebsite, GuestEmail, ip, GuestDate) VALUES (%s, %s, %s, %s, %s, '" . $_SERVER['REMOTE_ADDR'] . "', CURDATE())",
                         GetSQLValueString($trimmedGuestName, "text"),
                         GetSQLValueString($trimmedLocation, "text"),
                         GetSQLValueString($trimmedGuestDetails, "text"),
                         GetSQLValueString($url, "text"),
                         GetSQLValueString($_POST['GuestEmail'], "text"));

    // $database_davies and $davies come from the connection include, not shown in the post
    mysql_select_db($database_davies, $davies);
    $Result1 = mysql_query($insertSQL, $davies) or die(mysql_error());

    $insertGoTo = "guestbook.php";
    if (isset($_SERVER['QUERY_STRING'])) {
      $insertGoTo .= (strpos($insertGoTo, '?')) ? "&" : "?";
      $insertGoTo .= $_SERVER['QUERY_STRING'];
    }
    header(sprintf("Location: %s", $insertGoTo));
  }
}
?>
This is the captcha code that's in a separate page under the root folder.

Code:

<?php
// Start the session so we can store what the code actually is.
session_start();

// Now let's use md5 to generate a random-looking string, e.g. f918f4b8ead7cbbe96fa003abc32dec1.
// The original seeded this with microtime() * mktime(), which only yields a handful of
// distinct values per second; uniqid() prefixed with mt_rand() is used here instead.
$md5 = md5(uniqid(mt_rand(), true));

// We don't need a 32 character long string so we trim it down to 5, e.g. f918f
$string = substr($md5, 0, 5);

// Now for the GD stuff; for ease of use let's create the image from a background image.
$captcha = imagecreatefrompng("image.png");
if ($captcha === false) {
  die('Could not load image.png');
}

// Set the colours; $line is used to generate lines. Using blue misty colours (codes are RGB).
$black = imagecolorallocate($captcha, 0, 0, 0);
$line = imagecolorallocate($captcha, 233, 239, 239);

// Now to make it a little bit harder for any bots to break, assuming they can break it
// so far, add some static lines to attempt to make the bot's life a little harder.
imageline($captcha, 0, 0, 39, 29, $line);
imageline($captcha, 40, 0, 64, 29, $line);
imageline($captcha, 20, 0, 14, 31, $line);
imageline($captcha, 10, 0, 1, 31, $line);

// Now for the all important writing of the randomly generated string to the image.
imagestring($captcha, 5, 20, 10, $string, $black);

// Hash the answer and store it in the session; the form handler compares md5($_POST['code']) with it.
$_SESSION['key'] = md5($string);

// Output the image
header("Content-type: image/png");
imagepng($captcha);
imagedestroy($captcha);
?>

Posted: Sun Dec 10, 2006 12:26 pm
by aaronhall
I wonder if you read my question..

Posted: Sun Dec 10, 2006 12:37 pm
by Addos
> Are you checking that the same form data hasn't already been submitted?

Hi Aaron,
Only getting to reply to this now too!

I'm not sure I follow what you ask me. In the database usually the values are all 'null', which really baffles me as I have statements running to try and stop this. When I do get a run of similar email addresses showing up in the database, or anything else, I usually run something like

Code:

// Partial fragment: ad-hoc blocklist of values seen in earlier spam, checked before the insert
$blockedEmails = array('rgergerger', 'radtt@hotmail.com', 'jryfibofbvc',
                       'red@red.com', 'red%40red.com', 'dim@serbin.com');
$guestEmail = isset($_POST['GuestEmail']) ? $_POST['GuestEmail'] : '';
if ((isset($_POST["MM_insert"])) && ($_POST["MM_insert"] == "form1")) {
  if (!in_array($guestEmail, $blockedEmails, true)
      && !$nomessage && !$error && !$error_email && !$error_code) {
    // ... insert as in the first listing
  }
}
and this quite often can be successful for a good time, but lately nothing I do is stopping the database from being breached.

Let me know more if you can.
Thanks a mil
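
A single-gate version of the handler from the first listing, added here as an example and not code from the thread: it validates on the same field the insert is gated on, consumes the captcha key after one check, and answers aaronhall's question about repeat submissions with a per-session fingerprint. It assumes PHP 5.6 or later for hash_equals() and uses a plain array in place of $_SESSION so it runs from the command line; field names follow the listing above.

```php
<?php
// Added example: one gate that validates the captcha, refuses replayed or
// duplicated submissions, and only then allows the insert to proceed.
// $session stands in for $_SESSION so the script runs without a web server.
function validate_guestbook_post(array $post, array &$session)
{
    $errors = array();
    // Gate on the same field the insert is gated on, so validation cannot be skipped.
    if (!isset($post['MM_insert']) || $post['MM_insert'] !== 'form1') {
        return array('form' => 'Not a guestbook submission');
    }
    // Captcha: the key must exist and match, and it is consumed either way,
    // so one solved image cannot be replayed for many posts.
    $typed    = (isset($post['code']) && is_string($post['code'])) ? $post['code'] : '';
    $expected = isset($session['key']) ? $session['key'] : null;
    unset($session['key']);
    if ($expected === null || !hash_equals($expected, md5($typed))) {
        $errors['code'] = 'Incorrect entry. Try again!';
    }
    $name    = isset($post['GuestName'])    ? trim(strip_tags($post['GuestName']))    : '';
    $details = isset($post['GuestDetails']) ? trim(strip_tags($post['GuestDetails'])) : '';
    $email   = isset($post['GuestEmail'])   ? trim($post['GuestEmail'])               : '';
    if ($name === '')    { $errors['GuestName']    = 'Name Required'; }
    if ($details === '') { $errors['GuestDetails'] = 'Message Required'; }
    if ($email !== '' && !filter_var($email, FILTER_VALIDATE_EMAIL)) {
        $errors['GuestEmail'] = 'Your email address seems to be invalid';
    }
    // Duplicate check: fingerprint the content and refuse the same text resubmitted
    // from this session (a database lookup would extend this across sessions).
    $fingerprint = sha1($name . "\0" . $email . "\0" . $details);
    if (isset($session['last_post']) && $session['last_post'] === $fingerprint) {
        $errors['duplicate'] = 'This message has already been submitted';
    }
    if (!$errors) {
        $session['last_post'] = $fingerprint;   // only remember accepted posts
    }
    return $errors;
}

// Constructed demo: the image script would have stored md5('f918f') in the session.
$session = array('key' => md5('f918f'));
$post = array('MM_insert' => 'form1', 'code' => 'f918f', 'GuestName' => 'Visitor',
              'GuestEmail' => 'info@me.com', 'GuestDetails' => 'Great site!');
print_r(validate_guestbook_post($post, $session));   // first submission
print_r(validate_guestbook_post($post, $session));   // same request again: key consumed, text duplicated
```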

Posted: Sun Dec 10, 2006 2:20 pm
by nickvd
I was having the same spam problem on my email contact form... the solution I used was not to use standard names for the input elements... the spam bots will search out any input fields named "name, email, contact, etc..." so I just changed the names to "input_1, input_2" etc... it stopped the spam cold...

Posted: Sun Dec 10, 2006 6:29 pm
by Luke
Nice little trick, that has always worked for me.