Announcement

**AndrewPK** · 31-Aug-2006, 10:10 AM

yeah, i just started getting the same thing,
just seem to be random names but with the same message
and with some random sentances at the bottom of the email (i am guessing these have something to do with getting through spam filters)

**pinbrook** · 31-Aug-2006, 10:36 AM

I've noticed that actinic forms send an acknowledgement of receipt of form filling, this contains the address

I don't know if this is being used as a vulnerability

**Mike Hughes** · 31-Aug-2006, 10:37 AM

I guess you need to add a 'captcha' test.

Mike

**petesouthwest** · 31-Aug-2006, 10:41 AM

Originally posted by olderscot

I guess you need to add a 'captcha' test.

Mike

I enquired about that a while ago, but with no replies. Do you know how easy it would to integrate one?

Pete

**Bruce** · 04-Sep-2006, 04:31 PM

That is one for the wish list. Checking with development if there is something we can do.

Kind regards,

**mj2003** · 07-Sep-2006, 03:59 PM

We are being used for this too - lots today. This is a major flaw in Actinic, and I'm surprised it is there. Basic formmail security issue. Obviously someones found Actinic is popular and is now sending betting spam to people. I'd appreciate any clues on how to remove the email link completely until this is fixed. I presume it is the same in v8, or should I upgrade immediately?

Matthew

**los_design** · 07-Sep-2006, 04:09 PM

Hi Guys

I do not think that this is appropriate for the wishlist I would say it needs to go to the top of an urgent security update?

JMHO

Regards

**Owen Drumm** · 07-Sep-2006, 04:09 PM

Design Options > Navigation and remove the Contact us details or if you have hard coded it remove the NETQUOTEVAR:NAVBMAIL.

**mj2003** · 07-Sep-2006, 04:10 PM

I just worked out it is Act_ContactUs.html, and can of course comment out the form, but that doesn't stop any of the spammers as they will be calling the Perl directly with a Post. Fixing this spam leak should be a high priority - the form must never send to anyone other than a designated destination otherwise it is a spammers paradise.

**mj2003** · 07-Sep-2006, 04:11 PM

Originally posted by Owen Drumm

Design Options > Navigation and remove the Contact us details or if you have hard coded it remove the NETQUOTEVAR:NAVBMAIL.

Does that stop the perl, or just hide the link. The spammers don't care about the link, they go direct to the form script.

Matthew

**Bruce** · 08-Sep-2006, 09:19 AM

A temporary work around would be to substitute the Contact us link with the following code, it will look like a normal link to customers, but will protect your email address:

<script type=text/javascript>
var _u = "sales";
var _d = "domain.co.uk";
var _l = _u + "@" + _d;
var _m = "click to email us";
document.write("<a href='mailto:"+_l+"'>"+_m+"</a>");
</script>

Change the 'sales' and 'domain.co.uk' to your own email address.

Kind regards,

**mj2003** · 08-Sep-2006, 09:27 AM

Bruce,

Thanks for the info, but that doesn't solve the problem. Once a spammer has identified your site as an Actinic site, they can access the .pl file directly. No fiddling with the form will help. The fix has to be to the script that does the emailing, and it just has to not email the email address, only yours.

Matthew

**mj2003** · 11-Sep-2006, 09:51 AM

I'm assured, outside of this thread, that this is being looked at seriously. I hope the script gets significantly tightened to only send to the vendor and never to the outside world. Thanks!

Matthew

**siwalker** · 11-Sep-2006, 05:33 PM

Can someone confirm that the Actinic mail script is actually insecure? If this is the case I need to get it removed from my site. I can't believe such a basic security issue would have gone unfixed for so long.

simon

Announcement

Contact Form Spam

Contact Form Spam

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment