101 views, 2 answers

Hi folks, I have a PHP contact form mailer on my website. The contents aren't stored in a database, but are emailed directly to me. I have received a couple of strange contacts in the last few days.

The user has to fill in name, email, confirm email, subject and message.

I have a JavaScript security check in place that verifies an email is typed in the same twice, and checks for the @ and the dot. Also, required fields are checked with JavaScript.

Here is the most recent message; you can see it is a bunch of bogus links, etc. Is this anything I should be concerned about from a security standpoint?

Name: fvjnqazcy

Email: [email protected]

Email confirm: [email protected]

Phone: 47668113220

Subject: uSMvoegKPt

Message: KU17Gd  <a href="http://lsyixbpcjddi.com/">lsyixbpcjddi</a>,
[url=http://sojlxycrnxlb.com/]sojlxycrnxlb[/url], [link=http://wesixtcvuzbj.com/]wesixtcvuzbj[/link], http://dcgfyjhpfpbx.com/
+8  A: 

It looks more like a spammer to me. If you have more of these messages than you can handle, you need to add a CAPTCHA to your contact form. I don't think it's intended to exploit a potential security issue in your application though.

Mehrdad Afshari
It's strange to me that the links and email don't actually go anywhere. I don't understand how a spammer would benefit from this?
Joel
@Joel: Maybe the spammer is testing to see if it can add something to your page by filling out that form, and then use the actual URL if it worked.
Mehrdad Afshari
Often a contact form will send an e-mail to the person who filled it out. Spammers use this tactic to find live e-mail addresses. I'll second adding a captcha. After I added one, it killed the bots, but not the live spammers.
iKnowKungFoo
Ah good point...I have seen those on comment pages, etc. Makes sense.
Joel
If (when) it gets out of hand, I'll look into a captcha. I hate them, but I'll probably try and implement one of those "x + y = z" type ones...
Joel
@Joel, are you sure that the To/CC/BCC address can't be manipulated to send spam to more than just you (injecting headers)? It would be bad if you acted as an open mail relay for phishing emails.
mar
That would certainly be bad...how can I check this?
Joel
@Joel - you could try to exploit it yourself and add email headers by injecting a newline (\r\n). Just add an email account that you control and see if you get a copy in that account. Or if the site is public, point me to it.
mar
Instead of the captcha, why don't you try the honeypot technique? It doesn't annoy your users and it's safe against all bots.
DaNieL
+2  A: 

Yeah, I agree with Mehrdad, it just looks like a random spam bot. Don't ask why they are doing that; I don't think there is a real reasoning for them to add spam.

I have a javascript security in place that verifies an email is typed in the same twice, and checks for the @ and the dot. Also, required fields are checked with javascript.

You really shouldn't do any important checks with JavaScript. Or at least not without testing them on the server side as well.

JavaScript is easily disabled and then all your checks will fail. Bots in particular never interpret JavaScript, so none of your checks are made and all input is just accepted as it is.

To prevent spam in general you should gradually add more security checks on the server side. One rather hard option is adding a CAPTCHA, but moving those checks to your server first will probably help as well (given that the bot enters two different email addresses).

poke
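The two threads of advice above, mar's point about header injection through the email field (and the self-test of feeding it a "\r\n"), DaNieL's honeypot suggestion, and poke's point that every check has to be repeated on the server, fit into one small handler. The following is an added example and is not the original poster's form nor code from either answerer. It assumes the form fields are named name, email, email_confirm, phone, subject and message, that a hidden honeypot field called website exists in the form, and that CONTACT_TO and the From address are placeholders to replace; none of those names appear in the question.

```php
<?php
// Added example (not the original poster's form or either answerer's code).
// Assumed field names: name, email, email_confirm, phone, subject, message and
// a hidden "website" honeypot field. CONTACT_TO and FROM_HEADER are
// placeholders. Run with `php contact.php` to see the checks applied to a
// constructed header-injection payload.

declare(strict_types=1);

const CONTACT_TO = 'you@example.com';          // fixed recipient, never taken from the form
const FROM_HEADER = 'Website contact form <noreply@example.com>';

/**
 * The "before" picture: visitor input concatenated straight into the headers.
 * A value containing "\r\n" adds arbitrary extra headers (Bcc, Cc, To), which
 * is the open-relay scenario mar warns about.
 */
function naiveHeaders(string $name, string $email): string
{
    return "From: $name <$email>\r\nReply-To: $email\r\n";
}

/**
 * Server-side validation: the same rules the JavaScript enforces (required
 * fields, matching addresses, plausible email) plus the ones JavaScript cannot
 * (no line breaks in header-bound fields, honeypot untouched). Returns a list
 * of error strings; an empty list means the submission may be mailed.
 */
function validateContact(array $post): array
{
    $errors = [];

    // Honeypot: humans never see this field; bots that fill every input do.
    if (($post['website'] ?? '') !== '') {
        $errors[] = 'honeypot field was filled in';
    }

    foreach (['name', 'email', 'email_confirm', 'subject', 'message'] as $field) {
        if (trim($post[$field] ?? '') === '') {
            $errors[] = "$field is required";
        }
    }

    // Anything that ends up in a mail header must not contain CR or LF.
    foreach (['name', 'email', 'subject'] as $field) {
        if (preg_match('/[\r\n]/', $post[$field] ?? '') === 1) {
            $errors[] = "$field contains a line break (header injection attempt)";
        }
    }

    $email = $post['email'] ?? '';
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email is not a valid address';
    }
    if ($email !== ($post['email_confirm'] ?? '')) {
        $errors[] = 'email and email_confirm do not match';
    }

    return $errors;
}

/**
 * Headers built only from validated input. The visitor's address goes in
 * Reply-To; From stays an address on your own domain, so the mail is not
 * sent in the visitor's name.
 */
function safeHeaders(string $name, string $email): string
{
    $name = str_replace(['"', "\r", "\n"], '', $name);
    return 'From: ' . FROM_HEADER . "\r\nReply-To: \"$name\" <$email>\r\n";
}

/** Validate a submission and mail it; returns the error list (empty on success). */
function handleContact(array $post): array
{
    $errors = validateContact($post);
    if ($errors === []) {
        $body = "Name: {$post['name']}\nPhone: " . ($post['phone'] ?? '') . "\n\n{$post['message']}";
        mail(CONTACT_TO, $post['subject'], $body, safeHeaders($post['name'], $post['email']));
    }
    return $errors;
}

if (PHP_SAPI === 'cli') {
    // Constructed payload: the self-test mar suggests, a newline that smuggles
    // a Bcc header into the address field (victim addresses are placeholders).
    $injected = "bot@example.com\r\nBcc: victim1@example.net, victim2@example.net";
    $attack = ['name' => 'fvjnqazcy', 'email' => $injected, 'email_confirm' => $injected,
               'subject' => 'uSMvoegKPt', 'message' => 'KU17Gd http://dcgfyjhpfpbx.com/',
               'website' => ''];

    echo "naive headers (note the smuggled Bcc line):\n", naiveHeaders($attack['name'], $attack['email']), "\n";
    echo "validation errors for the same input:\n";
    foreach (validateContact($attack) as $e) {
        echo "  - $e\n";
    }
} else {
    handleContact($_POST);
}
```

Running it from the command line prints the naive headers with the injected Bcc line intact, then the errors validateContact() raises for the same input (a line break in the email field and an address that fails FILTER_VALIDATE_EMAIL), so nothing would be mailed. Whether your own form is exposed is exactly the check mar describes: submit a value like the constructed $injected one with an address you control in the Bcc part, and see whether that mailbox receives a copy.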