Hi All,
We have had a top-priority problem for a while and still have not found the solution: spammers are using our forms to send phishing and other spam around the world. This is a disaster and we are receiving complaints from the recipients. It is also a counter-marketing issue relevant to many webmasters.
Is there anyone who can help?
The following is the html code for forms on our sites, can you help?
Code: html
<form action="formmail.php" method="post">
<font face="Arial">
<input type="hidden" name="recipient" value="email@website.com,email2@website.com" style="font-weight: 700">
<input type="hidden" name="subject_prefix" value="Suggest a site ">
<input type="hidden" name="subject" value="Suggest a site ">
<input type="hidden" name="email_regex" value="^[_a-z0-9-]+(\.[_a-z0-9-]+)*@([0-9a-z](-?[0-9a-z])*\.)+[a-z]{2}([zmuvtg]|fo|me)?$">
<input type="hidden" name="date_regex" value="^[0-9]{4}-[0-9]{2}-[0-9]{2}$">
<input type="hidden" name="redirect" value="http://www.website.com/formreply.htm">
</font><div align="center"><table border=0 cellspacing=5 cellpadding=5>
<tr>
<td><font face="arial" size="2" color="gray"><div align=left><b>Suggested Website</b></div></font></td><td><div align=left><INPUT style="FONT-WEIGHT: 700" type=text size=30 maxlength=40 value="http://" name="Suggested Website"></div></td></tr>
<tr>
<td valign="middle"><font face="arial" size="2" color="gray"><div align=left><b>Comment</b></div></font></td>
<td><textarea name="comment" rows="5" cols="40"></textarea></td></tr>
<tr>
<td><font face="arial" size="2" color="gray"><div align=left><b>Name</b></div></font></td><td><div align=left><INPUT style="FONT-WEIGHT: 700" type=text size=30 maxlength=40 name=Name></div></td>
</tr>
<tr>
<td><font face="arial" size="2" color="gray"><div align=left><b>E-mail</b></div></font></td><td><div align=left><INPUT style="FONT-WEIGHT: 700" type=text size=30 maxlength=40 name="email"></div></td></tr>
<tr><td><font color="gray"><div align=left><b>Age</b></div></font>
</td><td><div align=left><hr width="50%" align="left"><font color="#000066">
<input type=radio name="eta" value="0-15"> 0-15<br>
<input type=radio name="eta" value="16-25"> 16-25<br>
<input type=radio name="eta" value="26-35"> 26-35<br>
<input type=radio name="eta" value="36-45"> 36-45<br>
<input type=radio name="eta" value="46-55"> 46-55<br>
<input type=radio name="eta" value="55+"> 55+<br></font><hr width="50%" align="left"></div></td></tr>
<tr><td><font face="arial" size="2" color="gray"><div align=left><b>Where did you hear about us:</b></div><br><div align=left><b>If other, please specify</b></div></font></td><td>
<div align=left><SELECT NAME="Where did...">
<OPTION SELECTED> - - Select - -</OPTION>
<OPTION>Search engine</OPTION>
<OPTION>Web advertising</OPTION>
<OPTION>Link from other site</OPTION>
<OPTION>Press article</OPTION>
<OPTION>E-mail</OPTION>
<OPTION>Newsletter</OPTION>
<OPTION>Other</OPTION>
</SELECT>
<br><br>
<input type=text name="If other, please specify" size=35 maxlength=40 value=" "></div>
</td>
</tr>
<tr><td></td><td><div align=left><input type="submit" value="submit"><input type="reset" value="reset"></div></td></tr>
</table>
</div>
</form>
Thanks!
Jon
Moderator
From: Yorkshire, UK
Registered: 2006-08-19
Posts: 2860
I've been thanked 85 times.
Offline
You can help yourself by not putting the email address in the form!!!!
Your server-side form processing should handle the requests by hard-coding the email address into the programming logic, not the form.
Beyond that, you can add verification like CAPTCHA etc. to stop bots auto-posting.
The problem is, now your email is out there, spammers can send out stuff and spoof your email address.
More care should have been taken at the start
Moderator
From: Yorkshire, UK
Registered: 2006-08-19
Posts: 2860
I've been thanked 85 times.
Offline
Northie's right -- this is a case of "close the gate now that the horse is already gone".
Northie!
Thanks for the support, and apologies if I'm back on the forum after a long while.
We will try to fix our problems soon.
Member
From: Pittsburgh, PA
Registered: 2006-12-01
Posts: 12
I've been thanked 0 times.
Offline
I am in a similar position. Just recently, I've been receiving all these "automated" spam submissions through one of our forms. I am not using php though. Here is some of the code:
Code: html
<form name="formmail" action="/cgi-bin/formmail.pl" method="post">
<input type=hidden name="recipient" value="kphillips@marketingsupportnetwork.com">
<input type="hidden" name="subject" value="Act! Newsletter Signup">
<input type=hidden name="redirect" value="http://www.certifiedactconsultants.com/email-thank-you.htm">
Is there some type of CAPTCHA I can use with this? Do you know where to get it? If so, do I still need to take my email address out of this code and do something with "hard coding the email address into the programming logic, not the form"?
This is all new to me... help!
Marketing Support Network - the best choice for your business partner since 1982.
Member
From: York, England
Registered: 2005-11-04
Posts: 608
I've been thanked 11 times.
Offline
A while back I didn't know how to implement a CAPTCHA for a contact-us form, so all I did was have 3 radio buttons:
I am: a robot (button) a human (button) none of the above (button)
The robot button was checked by default.
if ($_POST['button'] != "human") {
    // not a human: redirect to some spam poisoner site that would fill their DB with imaginary email addresses
    header("Location: " . $spam_poisoner_url);  // $spam_poisoner_url holds that site's address
    exit;
}
Worked a treat. Very simple and never got one spam email out of it. Had quite a lot of traffic to that page too.
I like Matt Cutts' version on his blog: 4+6=(answer)
Very effective.
Member
From: Somewhere in the scrub of FL
Registered: 2005-07-18
Posts: 69
I've been thanked 0 times.
Offline
I am: a robot (button) a human (button) none of the above (button)
While this is effective against people spamming the website form recipient, this is not the problem this person is having.
He's having a problem that is fast growing all over the world.
Spammers are using your server to send out their spam all over the world. The spammers aren't using the form; they're using the formmail.pl program, as it has a standard name and is placed in a standard location on most open source servers. It costs you bandwidth and can get you marked as a spammer by e-mail servers all over the world.
The solution is kinda secret and really easy but I don't want to list it here as I don't want the spammers to know what it is. So please PM me or contact me through e-mail (better - I check it more often) and I'll tell you.
Oh heck, I'll go ahead and say it as it probably isn't something they haven't already figured out and it's hard to beat even if they know it.
First, make sure you have formmail.pl configured properly so that it only allows sending e-mail to addresses on the same domain as it is called from. Also configure it to only be called from the domain name that your form is on.
For Extra Security:
Just copy your formmail.pl to your cgi-bin and rename it to something else, like secure.pl or biteMeSpammers.pl or JenniferLoveHewittStalksMe.pl.
For Extra Extra Security:
Rename it every month (don't forget to update the code in your form too!).
St Petersburg Web Design | St Petersburg Web Design News
Northie wrote:
http://www.phpclasses.org/browse/class/63.html#C
Thanks for the link Northie...I wasn't aware of this site. Enjoyed it.
Member
From: Pittsburgh, PA
Registered: 2006-12-01
Posts: 12
I've been thanked 0 times.
Offline
I found something on creating a formmail.code file that stores a word that the user is told to enter. I.e.
Code: html
Type "1234" in this box to prove you're a human being:
<input type="text" name="secretfield">
and the formmail.code file would only contain "secretfield: 1234"
But they don't tell you what the rest of the code needs to be to make this work. Does anyone know anything about this and what the rest of the html code should look like? And, also, is this a good route to take? It seems like a simple yet effective method.
Marketing Support Network - the best choice for your business partner since 1982.
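Putting Northie's advice (recipient hard-coded on the server, not in a hidden field) together with the "secretfield" check asked about above, here is an added PHP handler example; it is not from this thread or from any FormMail release. The constant names, the addresses, the From: header and the Referer host are assumptions for illustration.

```php
<?php
// Added example handler, not FormMail's code; addresses, the Referer host and
// the fixed From: header are placeholders/assumptions for illustration.
// Recipients are fixed here, not in a hidden "recipient" field a spammer can
// rewrite to relay mail anywhere.
const RECIPIENTS = ['email@website.com', 'email2@website.com'];
const SECRET_ANSWER = '1234';          // server-side copy of "secretfield: 1234"
const FORM_HOST = 'www.website.com';   // host the form page lives on (assumed)
// Strips CR/LF so a field cannot smuggle extra mail headers (Bcc:, To:).
function clean_header_value(string $v): string {
    return trim(str_replace(["\r", "\n"], '', $v));
}

// Returns rejection reasons; an empty array means the submission is acceptable.
function validate_submission(array $post, string $referer): array {
    $errors = [];
    // Referer is trivially forged, so this only filters bots that don't bother.
    if (parse_url($referer, PHP_URL_HOST) !== FORM_HOST) {
        $errors[] = 'post did not come from our form page';
    }
    if (($post['secretfield'] ?? '') !== SECRET_ANSWER) {
        $errors[] = 'human check failed';
    }
    $email = clean_header_value($post['email'] ?? '');
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'sender address is not valid';
    }
    $comment = trim($post['comment'] ?? '');
    if ($comment === '' || strlen($comment) > 2000) {
        $errors[] = 'comment missing or too long';
    }
    return $errors;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $errors = validate_submission($_POST, $_SERVER['HTTP_REFERER'] ?? '');
    if ($errors !== []) {
        http_response_code(400);
        exit('Submission rejected: ' . htmlspecialchars(implode('; ', $errors)));
    }
    $email = clean_header_value($_POST['email']);
    $body  = 'Site: ' . clean_header_value($_POST['Suggested Website'] ?? '')
           . "\nName: " . clean_header_value($_POST['Name'] ?? '')
           . "\n\n" . trim($_POST['comment']);
    // Subject and redirect target are fixed too, never read from the form.
    mail(implode(',', RECIPIENTS), 'Suggest a site', $body,
         "From: forms@website.com\r\nReply-To: $email");
    header('Location: http://www.website.com/formreply.htm');
    exit;
}
```

The matching form then carries only the visible fields plus the "secretfield" box; the recipient, subject and redirect hidden inputs are dropped.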
Member
From: Terica Islands
Registered: 2007-01-18
Posts: 155
I've been thanked 5 times.
Offline
I found this tidbit of code months ago while researching how to combat spam and have no idea if it has been the deciding factor on my minimal spam count through these sites.
Code:
<meta name="no-email-collection" content="http://www.yourwebsitehere.com">  <!-- meta has no value= attribute; the directive goes in content= -->
The biggest problem I've encountered with this line is when you go to validate the site and it considers it an "error."
----> Curiosity question: Why don't the various validation/verification methods work to defeat this issue, such as having a random combination of letters and numbers pop up and the user must type in the letters exactly as they appear?* I thought that was the whole point to having such a feature on your site...
* This situation stinks when it comes to deciphering whether the symbol is the letter "O" or the number "0"!
Member
From: York, England
Registered: 2005-11-04
Posts: 608
I've been thanked 11 times.
Offline
thebjer wrote:
Northie wrote:
http://www.phpclasses.org/browse/class/63.html#C
Thanks for the link Northie...I wasn't aware of this site. Enjoyed it.
I use that site a lot. It looks God awful and it's full of intrusive advertising and popups, but the resources are great!
Member
From: Schijndel, The Netherlands
Registered: 2006-03-10
Posts: 84
I've been thanked 0 times.
Offline
I switched to http://nms-cgi.sourceforge.net/ London Perl Mongers a few years back and that seems to work fine. 
Moderator
From: Yorkshire, UK
Registered: 2006-08-19
Posts: 2860
I've been thanked 85 times.
Offline
Don't use form mail or CGI for sending emails
It is full of security holes
It always has been, it always will be
switch away from CGI and get yourself a PHP (or ASP if you really have to) mailing script
Member
From: Schijndel, The Netherlands
Registered: 2006-03-10
Posts: 84
I've been thanked 0 times.
Offline
Don't use form mail or CGI for sending emails
It is full of security holes
It always has been . .
switch away from CGI and get yourself a PHP . . mailing script
- Original F/m version(s) - agreed.
- Link posted above - disagree.
it always will be
The Perl version I referred to above hasn't been cracked since installation in November 2003 and there have been many attempts, from serious to amateur.
All I've done since then is implement an updated version, nothing else.
For anyone who doesn't know PHP and hasn't the time to learn it (back then I was learning HTML and CSS, didn't even know what <p></p> meant), the Perl fixed-up version(s) will do the job fine.
New member
From: Minnesota, USA
Registered: 2006-04-19
Posts: 9
I've been thanked 0 times.
Offline
Northie wrote:
Don't use form mail or CGI for sending emails
It is full of security holes
It always has been, it always will be
switch away from CGI and get yourself a PHP (or ASP if you really have to) mailing script
This is the best PHP form script I could find:
http://jimsun.linxnet.com/SCForm.html
Lots of features (including optional Captcha), free, relatively easy to use.
Bob