Contact Form Spam
    #31
    If I am following this thread correctly, is the issue that has been discovered that there is no referrer checking being conducted on the mailform script, and thus it can be called from outside the hosting provider, i.e. we're saying someone creates an HTML page with the forms from the contact us page on it, populates it with all the email addresses and then submits it from his spammer's desktop and out through your website's mailing facilities???

    Wowsers, thought this would have been covered in the mailform as a basic entity to be honest.

    So, if I have understood this right and people are struggling to secure the form, then try this:

    Open the MailForm.pl file in your site1 folder and locate the line:

    #?use CGI::Carp qw(fatalsToBrowser);

    and place the following just above it...

    if (($ENV{'HTTP_REFERER'}) &&
        ($ENV{'HTTP_REFERER'} !~ /^http:\/\/www\.yourdomain\.tld(?:\/|$)/)) {
        # Referrer is present but is not our own site: cause an Internal Server
        # Error, or do something smarter if you wish
        exit;
    }

    Replace yourdomain with your real domain name and tld with your extension, i.e. .co.uk or .com etc etc

    If this is what all are after, then this will cover basic needs, for which I'm sure someone will be able to extend it to cover multiple domains, https usage and a nice 'get lost spammer' type of message instead of an abrupt exit...



      #32
      Originally posted by Support@Techno-
      If I am following this thread correctly, is the issue that has been discovered, that there is not referrer checking being conducted on mailform script,...
      The problem we've found with using referrer as a validation is that people use things like Norton internet privacy which by default stops the referrer being passed on and thus breaks our web forms.

      I like the idea of showing the message in the web page, thank you. It confirms back using the medium the user is using.

      Matthew



        #33
        Originally posted by pinbrook
        8.02 has now been announced with this issue seemingly fixed.
        That's great, but what about the rest of us using v7, is there a fix for us in the works?

        Originally posted by mj2003
        The problem we've found with using referrer as a validation is that people use things like Norton internet privacy which by default stops the referrer being passed on and thus breaks our web forms.
        Perhaps someone who knows a bit more about scripting than me could alter that script so that instead of just giving a "dead end" when an invalid referrer is given, it warns that things like Norton Internet Privacy could be at fault and to try again without it switched on.
        www.incredibid.co.uk



          #34
          Originally posted by AndrewPK
          Perhaps someone who knows a bit more about scripting than me could alter that script so that instead of just giving a "dead end" when an invalid referrer is given, it warns that things like Norton Internet Privacy could be at fault and to try again without it switched on.
          Sadly I think requests like that scare a lot of users. If they've got NIS then they know a bit about security and might think you're up to something naughty. As has been said above, I think the browser confirmation page is the best bet.
          David
          Mandrake Press Ltd

          www.mandrake-press.co.uk



            #35
            Originally posted by David@MPL
            I think the browser confirmation page is the best bet.
            While this will solve part of the problem, it will stop spammers using the 'contact us' forms on our pages.
            It DOES NOT stop people using their own forms but our mailform script, meaning we are still at risk.

            We NEED a way of setting up the mailform script so it can only be run from a form on the same server (i.e. if mailform is on blah.com then the form needs to be on blah.com).
            The fact that this is not already included in the mailform script shocks me, as when I was looking for a script to set up a 'join our mailing list' form, ALL the mailforms had this security measure.
            www.incredibid.co.uk



              #36
              Ahh, I see where you're coming from now. I hadn't picked up on the using remote forms point.
              David
              Mandrake Press Ltd

              www.mandrake-press.co.uk



                #37
                This forum uses vBulletin software and the subject of spam has been discussed at great length. vBulletin have tightened the system in their newer version that Actinic have not yet upgraded to. There is even a hack to put in place a second line of defence. But still, the spammers get through.

                I think there is a crock of gold waiting for the perfect solution. I also think Bill Gates has the correct idea, having said he can eliminate spam in a few short years. Totally. His idea is based on the reason for the introduction of the postage stamp. Make a charge for every email sent, but if the recipient is willing to accept it the charge is waived. This means you must have a valid email account that can be charged if the email is not accepted.

                Bob
                Supporting the environment. This post uses 100% recycled electrons.
                Bob Isaac
                Director/Web Admin
                Volvo Owners Club Ltd

                Actinic MS Business Version 8.5.2



                  #38
                  Hi,

                  My wife has a V8 site selling baby clothes. I created her a simple 'join our mailing list' form, but after a few weeks we were getting loads of spam bots sending us crap.

                  I've now created a new PHP 'Join our mailing page' with some very secure PHP CAPTCHA code from the net. Have a look here..... http://www.superstarbaby.co.uk/mailing-list.php

                  Why hasn't Actinic included CAPTCHA already in its 'contact us' form?
                  Regards,

                  Les


                  Abc Baby Gifts
                  Snuggle Feet
                  Baby Casting From My Perfect Impression



                    #39
                    Hi there

                    Why hasn't Actinic included CAPTCHA already in its 'contact us' form?
                    When I recently investigated this, it seems that you would need an additional library for Perl on the image side. Some Perl packages may not contain this, so this is the reason why we didn't use CAPTCHA. Also, looking from the point of view of people who use screen readers for shopping, since you have an image with letters, they are at a disadvantage. These two are the main reasons why we didn't use CAPTCHA.

                    Kind Regards
                    Nadeem Rasool
                    SellerDeck Development



                      #40
                      Originally posted by Bob Isaac
                      This forum uses vBulletin software and the subject of spam has been discussed at great lengths. vBulletin have tightened the system in their newer version that Actinic have not yet upgraded to.
                      This thread is not about forum spam, but spam sent using the Actinic Catalog contact us form.

                      Matthew



                        #41
                        Originally posted by lessharma
                        Why hasn't Actinic included CAPTCHA already in its 'contact us' form?
                        I don't think the "captcha" is the best method, it may be a bit off-putting for some, having to be asked a security question just to request info.

                        I still think the idea mentioned above with the domain check is probably the best move, but it needs to have an error message added so if there is a problem the user is told.

                        Could anybody out there who knows Perl do that?
                        www.incredibid.co.uk

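Pulling together the requests made in this thread (#31: cover several domains, https, and a polite message instead of a bare exit; #32: forms break when privacy software strips the referrer; #35: only accept posts from a form on our own server; #41: tell the user when something goes wrong), here is an added example of how that check could look. It is not SellerDeck/Actinic code and not part of MailForm.pl; the domain list, the `$ALLOW_MISSING_REFERER` switch and the sub names are assumptions for illustration. It compares the exact hostname taken from the Referer header rather than matching a prefix, so a hostname that merely begins with yours is not accepted, and when the browser sends no referrer at all it lets the post through (as the original snippet does) unless you set the switch to 0.

```perl
#!/usr/bin/perl
# Added example (not SellerDeck/Actinic code): referrer check for a CGI mail
# form that accepts several of your own domains over http or https and shows
# the visitor a message instead of exiting silently.
use strict;
use warnings;

# Hypothetical configuration: replace with the hosts that serve your forms.
my @ALLOWED_HOSTS = ('www.yourdomain.tld', 'yourdomain.tld');

# Policy when no Referer header arrives at all (privacy software such as the
# Norton product mentioned in the thread strips it). 1 = accept, 0 = reject.
my $ALLOW_MISSING_REFERER = 1;

# Returns 1 if the submission may proceed, 0 otherwise.
sub referer_allowed {
    my ($referer) = @_;
    return $ALLOW_MISSING_REFERER if !defined $referer || $referer eq '';

    # Pull the host out of scheme://host[:port]/path; anything else is refused.
    return 0 unless $referer =~ m{^https?://([^/:?#]+)}i;
    my $host = lc $1;

    # Exact match only: "www.yourdomain.tld.example" must not pass.
    foreach my $allowed (@ALLOWED_HOSTS) {
        return 1 if $host eq lc $allowed;
    }
    return 0;
}

# Friendly refusal page in place of the abrupt "exit" from the earlier post.
sub refuse_and_exit {
    print "Status: 403 Forbidden\r\n";
    print "Content-Type: text/html; charset=iso-8859-1\r\n\r\n";
    print "<html><body><h1>Form not accepted</h1>\n";
    print "<p>This form can only be submitted from our own website. ";
    print "Please go back to the Contact Us page on the site and try again. ";
    print "If the problem persists, your browser or security software may be ";
    print "hiding which page you came from.</p></body></html>\n";
    exit;
}

refuse_and_exit() unless referer_allowed($ENV{'HTTP_REFERER'});

# ... the rest of the mail form script continues from here ...
```

As with the earlier snippet, this belongs just above the `#?use CGI::Carp qw(fatalsToBrowser);` line so it runs before any mail is sent. The Referer header is supplied by the client, so a check like this filters the casual remote-form abuse the thread describes but is not a guarantee; keep the server-side confirmation page from #32 and #34 as well.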


                          #42
                          Originally posted by lessharma

                          I've now created a new PHP 'Join our mailing page' with some very secure PHP CAPTCHA code from the net. Have a look here..... http://www.superstarbaby.co.uk/mailing-list.php

                          Why hasn't Actinic includled CAPTCHA already in it's 'contact us' form?
                          Les, I note that you still have the standard Actinic contact form on your site. Wouldn't it work if you just created a link to a similar form you created, as it seems a good solution?

                          By the way, if I knew this was going to cause so much heat I wouldn't have started the post in the first place
                          Fitness for life! www.fitness-focus.co.uk


                          DIFN - Doing nothing is not an option

                          The Supplement Warehouse - Bodybuilding & Fitness Supplements



                            #43
                            Originally posted by Owen Drumm
                            Les, I note that you still have the standard Actinic contact form on your site. Wouldn't it work if you just created a link to a similar form you created, as it seems a good solution?

                            By the way, if I knew this was going to cause so much heat I wouldn't have started the post in the first place
                            Hi Owen,

                            Yes you are right, I only did the CAPTCHA 'Join our mailing list form' last night. But I'm gonna replace the 'Actinic Contact Form' ASAP with my new CAPTCHA PHP form today or tomorrow.

                            The CAPTCHA form is working well, because today I haven't got any spam bots trying to join my wife's mailing list as before.
                            Regards,

                            Les


                            Abc Baby Gifts
                            Snuggle Feet
                            Baby Casting From My Perfect Impression



                              #44
                              Originally posted by AndrewPK
                              I don't think the "captcha" is the best method, it may be a bit off-putting for some, having to be asked a security question just to request info.
                              I don't think CAPTCHA is asking a question. It just asks your visitor to input what they see. As time goes on, more and more people are getting used to 'entering what they see' on forms.
                              If it's good enough for Google, NatWest and most large companies ....it must be OK for our sites?

                              But I do understand from Nadeem's post why Actinic has not used it already.

                              It's really a shame that us web site owners have to waste time on all this rubbish because of spammers!
                              Regards,

                              Les


                              Abc Baby Gifts
                              Snuggle Feet
                              Baby Casting From My Perfect Impression



                                #45
                                Originally posted by Bruce
                                Actinic v8.0.2 will be released into full production on Thursday 14th September.



                                Kind regards,
                                Yes, I got a nice email from a tech at Actinic saying it had been released, so I downloaded the release and ran the update. It then asked for my Actinic key, then it said my version 7 key was invalid. When I phoned Actinic about it I was told that all cover customers will be getting an upgrade CD and key but this will take 28 days. What's the point of releasing a patch that we can't use.....

                                Office politics was mentioned to me.....

                                That's bang out of order if you guys at Actinic are squabbling amongst yourselves when there are lots of users of your software that need this patch to get this spamming email issue fixed.

                                Timmo.
