News:

Go to HostNed.com
Welcome.  This is a place to get user-to-user support, learn more, and share ideas.  If you can't find your answers here, feel free to ask by creating a new topic or visit the support ticket system at https://my.hostned.com :)  Have fun here!

Main Menu

web forms being hijacked by spammers

Started by twilitestudios, April 20, 2006, 07:55:36 PM

Previous topic - Next topic

0 Members and 2 Guests are viewing this topic.

twilitestudios

Please Help!!!!

I have lots of accounts here at hostned and one of them was suspended due to spam bots hijacking my form or script or however it works.
I have tried about 5 different php scripts, jmail, and some other supposedly "secure" scripts...
When I change the form script, it helps for a little while and then BAM!  it happens again.

Can someone please get me a SECURE script for my web forms or help me in finding one?
I can't afford to have my client's accounts shut down...
I have linux accounts as well as windows!

Cheers

Dynaweb

This is a big concern lately.  Security on websites is very similar to other forms of security -- there are no absolutes.  The game is to stay ahead of the bad guys.  In order to do that you must identify your vulnerabilities and secure them.  I believe a big loophole lately is with Email Injection where a spammer inserts potentially thousands of BCC lines into the form via an external script.  If your web form does not prevent against this then you will need to modify it for sure.  Other common vulnerabilities include:
- Naming your web forms "formtoemail" or "mailform" or like that.  That is just inviting for spammers looking for a new exploitable.
- Leaving email addresses "out in the open" where spambots can easily scoop them up.
- Leaving "testing" versions of form-to-email scripts up by mistake.  While you have forgotten they are there, spammers use google to find and exploit them!
- Forgetting to exclude your contact-me pages from search engine listings using either robots.txt or meta tag exclusion methods.

HostNed has a web dev team so they can evaluate and secure your forms for you if it is something that is too technical for you to do yourself.

Dynaweb

Our affiliate DynaWeb Designs has released their SFEPS Form to Email Script.  It is very secure and easy to set up.  Give it a try and let us know how you like it.

RedRaven

    <META name="robots" content="all">
    <META name="robot" content="noindex,nofollow">

Dynaweb

This is a thoughtful addition to any page that has a web form on it.  Keeping the result from listing on the search engine results reduces exposure to the bots and scumbags.

RedRaven

Yeah...
I code in VBscript amonst others (15+ languages), and sometimes I will use the replace function to replace things like "SELECT/DELETE/UPDATE/.....etc." with "XXXXX" well you get the idea.
Once it "hits" the database it will be just "data".
By doing this it changes any SQL injection attempts.

Also, watch out for apostrophy's.
They can deliniate the input.
Some DBMSs use double apostrohpy's ==> ''
to get around that prob.
(I know it looks like a quote, but it's 2 apo's.....)

Remember, coding is like doing a magick trick.
Only you know what's going on.
The user is one-step-behind.
But that doesn't mean they won't mess up your work.

For the email problem, he/she could parse the imput field and count the number of "@" signs.
If there are more than the developer is expecting then let error-code he/she writes for it will take over.

Don't know, just a thought.

Red.... ;D