Contact Form Spam


    #16
    I think Matthew probably has the wrong end of the stick. AFAIK the Actinic mail form cannot be used to spam anyone other than the website owner.

    Mike
    -----------------------------------------

    First Tackle - Fly Fishing and Game Angling

    -----------------------------------------



      #17
      Have you actually tried it? Enter your own (not web site related) email address, then enter a message. Then click send. You'll get a thank you message to your email address. That allows people to spam.

      Fortunately, Actinic have a change in the works so that we can have this fixed. I'd leave it to them to release the details, except that it is remarkably simple so I'll thank Chris and Tibor for taking this seriously and identifying the solution:

      In MailForm.pl, locate the words "thank you". The next block of text should be removed or commented out with #. Job done, form leak fixed.
      As Tibor says, you as a merchant may still get spam emails, but no emails
      will be sent to the world in your name.

      Thank you all.

      Matthew



        #18
        Does the mailform.pl need to be changed in each site set up or is there a global file within the v8 folder?

        Regards
        Affordable solutions for busy professionals.
        Website Maintenance | UK Web Hosting



          #19
          OK. Matthew I see what you're saying. The form reply was revealing your email address and you're concerned that this would then be used by spammers in the 'from' message of the email.

          I'm not sure that's such a big problem (or that it's now solved) as anyone who wants to do this can still just spam the mailform with a message saying "I couldn't find your shipping charges on the website. Can you tell me what they are?" and the vast majority of people are going to send a reply email of one kind or another.

          The only way to prevent this is to use some kind of captcha test on the form to block the spammy submissions. I notice that los designs have a test of some kind on their mailform. It might be worth asking them how they've done it.

          Mike
          -----------------------------------------

          First Tackle - Fly Fishing and Game Angling

          -----------------------------------------



            #20
            Originally posted by olderscot
            OK. Matthew I see what you're saying. The form reply was revealing your email address and you're concerned that this would then be used by spammers in the 'from' message of the email.
            No, I believe what Matthew is saying is that because the contents of the 'Message' input of the mail form are echoed to the email address supplied, the form can be used to send anything to any email address.
            By simply commenting out the acknowledgment the problem is solved. However, there must be a way of sending a simple acknowledgment without including the original message, which would obviate the problem in a slightly more user-friendly manner. My Perl isn't up to the job however.

            A CAPTCHA would seem a rather over-the-top solution, especially given the number of would-be enquirers who can't actually spell their own email addresses.

            simon
            Cult Pens
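
Added example (not part of the original thread and not Actinic's MailForm.pl): a Perl sketch of the fixed-text acknowledgement discussed above, where the reply never contains anything the visitor typed and the supplied address is checked so it cannot carry extra recipients or headers. All function names, addresses and messages are hypothetical, constructed for illustration.

```perl
#!/usr/bin/perl
# Added illustration; NOT Actinic's MailForm.pl. All names are hypothetical.
use strict;
use warnings;

# Fixed acknowledgement text: nothing the visitor typed is ever copied in.
my $ACK_SUBJECT = 'Thank you for contacting us';
my $ACK_BODY    = "Thank you for contacting us. "
                . "We usually reply to all messages within 24 hours.\n";

# Accept one plain address only. Rejecting CR/LF, NUL, commas, semicolons,
# angle brackets and whitespace stops extra recipients or headers being
# smuggled in through the address field.
sub is_single_address {
    my ($addr) = @_;
    return 0 unless defined $addr && length $addr <= 254;
    return 0 if $addr =~ /[\r\n\0,;<>\s]/;
    return $addr =~ /\A[^\@]+\@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\z/ ? 1 : 0;
}

# Build the acknowledgement. $message is accepted only to show that it is
# deliberately ignored; it goes to the merchant, never back to the visitor.
sub build_ack {
    my ($visitor_addr, $message, $merchant_addr) = @_;
    return unless is_single_address($visitor_addr);
    return join '',
        "From: $merchant_addr\n",
        "To: $visitor_addr\n",
        "Subject: $ACK_SUBJECT\n",
        "\n",
        $ACK_BODY;
}

# Constructed sample submissions (example.* addresses are placeholders).
my @samples = (
    [ 'customer@example.com', 'Where are your shipping charges?' ],
    [ 'victim@example.net',   'BUY CHEAP PILLS http://spam.example/' ],
    [ "a\@example.com\nBcc: list\@example.org", 'header injection attempt' ],
);

for my $s (@samples) {
    my $mail = build_ack($s->[0], $s->[1], 'sales@shop.example');
    if (defined $mail) {
        my $leak = index($mail, $s->[1]) >= 0 ? 'yes' : 'no';
        print "ack to $s->[0]; visitor text echoed: $leak\n";
    } else {
        print "rejected address, no acknowledgement sent\n";
    }
}
```

A fixed-text reply still sends one email to whatever address was typed, so rate limiting per source is a sensible companion; sending nothing at all, as suggested elsewhere in the thread, removes even that.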



              #21
              Sorry if I've been slow on this. So people have been using the form to send spam using the 'from' email address as the destination for the spam.

              I agree that a simple "Thank you for contacting us. We usually reply to all messages within 24 hours." type reply would be an easy solution.

              Mike
              -----------------------------------------

              First Tackle - Fly Fishing and Game Angling

              -----------------------------------------



                #22
                Originally posted by olderscot
                Sorry if I've been slow on this. So people have been using the form to send spam using the 'from' email address as the destination for the spam.

                I agree that a simple "Thank you for contacting us. We usually reply to all messages within 24 hours." type reply would be an easy solution.

                Mike
                That would indeed be an acceptable solution, but I'm happier with nothing at all since a lot of people get their addresses wrong in forms. Basically anything that stops the body being whatever the spammer wants to send stops the main problem.

                Matthew



                  #23
                  I did see a nice solution on someone's website where after completing the form a page was displayed that echoed the message content and said something along the lines of 'thank you for your message. We'll get back to you shortly'.

                  That way, no emails are sent and the customer knows that the message was received.

                  Mike
                  -----------------------------------------

                  First Tackle - Fly Fishing and Game Angling

                  -----------------------------------------



                    #24
                    8.02 has now been announced with this issue seemingly fixed.

                    A useful form, if anyone is interested, which creates a PHP form inc. CAPTCHA can be found at http://www.dagondesign.com/articles/...mailer-script/



                      #25
                      Where and when has this been announced, Jo?

                      Regards
                      Affordable solutions for busy professionals.
                      Website Maintenance | UK Web Hosting



                        #26
                        I got an email from Actinic ....



                          #27
                          Actinic v8.0.2 will be released into full production on Thursday 14th September.

                          Details of changes in v8.0.2


                          1. The script ShippingTemplate.pl is now upgraded when upgrading from earlier versions of Actinic.
                          2. The Java Script files are now upgraded when upgrading from earlier versions of Actinic.
                          3. The script used for the ‘Contact Us’ email can no longer be used for sending SPAM.
                          4. Fragments no longer get ‘lost’ when moving their parent section.
                          Kind regards,
                          Bruce King
                          SellerDeck



                            #28
                            Any dates mentioned or has it been released?

                            Kind Regards
                            Affordable solutions for busy professionals.
                            Website Maintenance | UK Web Hosting



                              #29
                              Suggested replacement script for disguising email address

                              Sorry to be thick, but it's not obvious to me in which template or design setting etc. the script quoted by Bruce should be inserted. Thanks



                                #30
                                Originally posted by Shentonbooks
                                Sorry to be thick, but it's not obvious to me in which template or design setting etc. the script quoted by Bruce should be inserted. Thanks
                                MailForm.pl - it is in the site directory.
                                Matthew
