0

I have taken over the maintenance of a website which was built by someone else. This site is mainly HTML/CSS; however, it uses the odd bit of JavaScript code along with PHP which was implemented by a back-end programmer who was contracted in.

The issue I'm having is this - the site consists of a lot of pages, each one with its own unique e-mail form. Each one of these forms was created without concern for spam. Now these forms are receiving a ton of spam, and I am expected to rectify the issue (regardless of the fact that I am neither a JavaScript nor a PHP programmer). I need some help, as I can't try and guesstimate a solution due to the importance of this e-mail system.

I'm hoping I can post the code up and have someone guide me through the process of implementing a honeypot or an easy mathematical equation (I know that isn't 100% foolproof, but these are just poorly made spambots, and this site likely won't be actively targeted).

The Form Page: This page consists of some PHP, some Javascript but mostly just content which I will avoid posting as it is of little importance. However, I'll post the scripts in order. (Also, the productformvalidation.js file is a simple Javascript script that throws pop-up messages if the e-mail/phone number doesn't have correct characters. I can provide that too if necessary)

<?php

/* Validation function for when they press the submit button:
   $fields maps a field name to the error message shown when it is empty,
   $form_vars is the submitted data (e.g. $_POST). */
function validateFields($fields, $form_vars) {
    $errors = array();
    foreach ($fields as $field_name => $error_msg) {
        // The @ only silences the "undefined index" notice when the field is absent
        $value_entered = trim(@$form_vars[$field_name]);
        if (empty($value_entered)) {
            $errors[$field_name] = $error_msg;
        }
    }
    return $errors;
}

/* Strip HTML tags and escape whatever is left before it is echoed back */
function safe($str) { return htmlentities(strip_tags($str)); }

?>

<head>

<script type="text/javascript" src="js/productFormValidation.js"></script>

</head>

<body>

<div class="contact_links">
    <form name="contact" method="post" action="/sendmail/send-mail-start.php" enctype="multipart/form-data" onsubmit="return checkForm(this);">

        <label>Name: (required) </label><input class="input1" id="name" name="name" type="text" value="" />

        <label>Email: (required) </label><input class="input1" id="email" name="email" type="text" value="" /><br />

        <label>Phone: (required) </label><input class="input1" id="phone" name="phone" type="text" value="" />
        <label>Company: (required)  </label><textarea class="input2" name="comments" id="comments" cols="" rows="1"></textarea><br />
        <input type="image" src="images/individualProducts/submit.png" alt="" value="" class="submit" />

    </form>
<!-- INDIVIDUAL CONTACT LINK ENDS --></div>

</body>

The "Action" Page:

<?php

    $date1 = date("F d,Y");

    // Form values, taken straight from the POST data
    $nameField    = $_POST['name'];
    $companyField = $_POST['company'];
    $countryField = $_POST['country'];
    $stateField   = $_POST['state'];
    $emailField   = $_POST['email'];
    $phoneField   = $_POST['phone'];
    $urlField     = $_POST['url'];

    $messageField = nl2br($_POST['comments']);

    $body = "...";   // $body holds the table setup which contains the fields: basically just font specifications, padding etc. (omitted from the post)

    //$from=$firstNameField;
    $sub = "Contact Form - From the Start Page".$titleField;   // $titleField is not defined anywhere in the posted code

    $name = $firstNameField."< ".$emailField." >";             // $firstNameField is not defined in the posted code either
    $to = "info@mysite.com";

    if (mail($to, $sub, $body, "From:".$name."\nContent-Type: text/html; charset=iso-8859-1"))
    {
        print "<meta http-equiv=\"refresh\" content=\"3;URL=/start.php\">";
    }
    else {
        print "<meta http-equiv=\"refresh\" content=\"0;URL=error.php\">";
    }

?>

That is then followed by the HTML that basically thanks them for contacting. So these are the scripts involved.

I'd be able to implement CAPTCHA myself had I created the site myself, simply by finding the right guide and following the steps. Unfortunately someone else has organized this mail structure, and I'm forced to work with a setup I don't fully understand - nor did I learn to understand. I get syntax errors, I'm not sure where to paste pieces of code etc.

I need someone who can see what I've got on my plate, that understands what is happening, to help me implement a simple spam solution that will prevent the annoying bot mail from happening.

Also - reCaptcha is not an option due to its size and difficulty reading.

Thank you in advance.

DontVoteMeDown
  • 19,660
  • 10
  • 65
  • 96
user3737700
  • 51
  • 2
  • 7
  • you can read more here https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#CSRF_Prevention_without_a_Synchronizer_Token, you can check the Origin header, the Referer, add a CSRF token to your form cf https://www.owasp.org/index.php/PHP_CSRF_Guard – pleasedontbelong Jul 28 '14 at 15:02
  • What is this? `@$form_vars[$field_name]` – Daniel W. Jul 28 '14 at 15:13
  • I have no idea. That is the biggest part of my problem. I'm not experienced with JavaScript or PHP, and I've picked up this site from someone else - so whatever they've done, I have no idea. They've just left me with their work, which functions, only minus a spam blocker. – user3737700 Jul 28 '14 at 15:19
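The "easy mathematical equation" the question asks about, as an added example; it is not part of the question or of any answer on this page. It assumes the form page and /sendmail/send-mail-start.php both call session_start(), a form field named `challenge`, and the session key `CHALLENGE_KEY` below; all three names are placeholders chosen for this example. The expected answer lives only in the session, so a bot that merely reads the HTML cannot find it, and each stored answer is discarded on first use. The block at the bottom shows the two placements (form page on GET, action page on POST) in one file for brevity.

```php
<?php
// Added example: a server-side arithmetic challenge, the "easy mathematical
// equation" the question mentions. Not part of the question or any answer.
// Assumes both pages call session_start(); CHALLENGE_KEY and the field name
// "challenge" are placeholders chosen for this example.
declare(strict_types=1);

const CHALLENGE_KEY = 'contact_challenge_answer';

/**
 * Pick two small numbers, remember their sum in the session and return
 * the question text. The answer is never written into the HTML, so a bot
 * has to read and compute the question rather than copy a hidden value.
 */
function makeChallenge(array &$session): string
{
    $a = random_int(1, 9);
    $b = random_int(1, 9);
    $session[CHALLENGE_KEY] = $a + $b;
    return sprintf('What is %d + %d?', $a, $b);
}

/**
 * Compare the submitted answer with the stored one. The stored answer is
 * cleared on every attempt, so one correct answer cannot be replayed, and
 * a submission with no challenge issued (a bot posting straight to the
 * action page) is rejected.
 */
function verifyChallenge(array &$session, array $post): bool
{
    if (!isset($session[CHALLENGE_KEY])) {
        return false;
    }
    $expected = (int) $session[CHALLENGE_KEY];
    unset($session[CHALLENGE_KEY]);

    $given = trim((string) ($post['challenge'] ?? ''));
    return $given !== '' && ctype_digit($given) && (int) $given === $expected;
}

/** Markup for the form page, styled like the existing inputs. */
function renderChallengeField(array &$session): string
{
    $question = htmlspecialchars(makeChallenge($session), ENT_QUOTES, 'UTF-8');
    return '<label>' . $question . ' (required) </label>'
         . '<input class="input1" id="challenge" name="challenge" type="text" value="" autocomplete="off" />';
}

if (PHP_SAPI !== 'cli') {
    session_start();
    if ($_SERVER['REQUEST_METHOD'] === 'POST') {
        // Top of /sendmail/send-mail-start.php: refuse before anything is mailed.
        if (!verifyChallenge($_SESSION, $_POST)) {
            http_response_code(400);
            exit('Please answer the question on the form.');
        }
        // ... the existing mail() code follows here
    } else {
        // On the form page, print this inside the <form> next to the other inputs.
        print renderChallengeField($_SESSION);
    }
}
```

The answer space is tiny (2 to 18), so this only stops the generic bots the question describes; a bot written for this site would solve it in one line. The session dependency is also the usual failure mode to test for: a visitor whose session expired between loading the form and submitting it gets the 400 above, so the message should tell them to reload the form.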

3 Answers

1

A quick (but not perfect) solution would be to add a hidden field that bots would fill out (call it "username" and hide it with CSS), and cancel submission if this field has content. That would at least remove a lot of the spam submissions.

Your form would look something like this:

<form name="contact" method="post" action="/sendmail/send-mail-start.php" enctype="multipart/form-data" onsubmit="return checkForm(this);">

  <label>Name: (required)</label>
  <input class="input1" id="name" name="name" type="text" value="" />

  <label class="hidethis">Username: (required)</label>
  <input class="input1 hidethis" id="username" name="username" type="text" value="" />

  <label>Email: (required)</label>
  <input class="input1" id="email" name="email" type="text" value="" />
  <br />
  <label>Phone: (required)</label>
  <input class="input1" id="phone" name="phone" type="text" value="" />
  <label>Company: (required) </label>
  <textarea class="input2" name="comments" id="comments" cols="" rows="1">
  </textarea>
  <br />
  <input type="image" src="images/individualProducts/submit.png" alt="" value="" class="submit" />
</form>

and /sendmail/send-mail-start.php would begin like this:

<?php
  // Honeypot check: the hidden "username" field should be empty; bail out if a bot filled it in.
  // empty() also covers a request where the field is missing entirely.
  if (!empty($_POST['username'])) { die("No spam"); }
  $date1=date("F d,Y");
  $nameField=$_POST['name'];
  $companyField=$_POST['company'];
  $countryField=$_POST['country'];
  ... // Rest of your code
johanpw
  • 597
  • 1
  • 10
  • 29
  • Whereabouts in send-mail-start.php would I post that exactly? This is a problem I run into. I try and add code to the page and I'm not sure as to where to add it without causing trouble for the rest of the script. – user3737700 Jul 28 '14 at 15:21
  • For simplicity, you can add this line right after the initial ` – johanpw Jul 28 '14 at 15:30
  • Thanks. For some reason I am being redirected to my error page though? – user3737700 Jul 28 '14 at 17:28
  • Oops nevermind, that was when testing in Localhost. How would I go about testing this to make sure nothing is broken and it is effectively working? – user3737700 Jul 28 '14 at 17:36
  • Just make the hidden field visible (remove the class or change your CSS) for testing. Your form should still be sent as long as the "username" field is empty. Add any content to the "username" field, and it won't be sent. – johanpw Jul 28 '14 at 17:40
  • Ahhh! I'm asleep today! Now, would this cause a problem for anyone with a browser that utilizes auto-fill? – user3737700 Jul 28 '14 at 18:10
  • Also, I have just done a test, and even with the username section filled in, it still sends the e-mail. – user3737700 Jul 28 '14 at 18:14
  • As for the autofill, I would assume browsers are smart enough to avoid this, but I've learned to never assume anything with IE... Adding `autocomplete="off"` should do the trick, but read the complete description [here](http://stackoverflow.com/questions/2530/how-do-you-disable-browser-autocomplete-on-web-form-field-input-tag) – johanpw Jul 28 '14 at 18:17
  • 1
    Never mind, this has worked! This is more than appreciated. I'm in your debt! – user3737700 Jul 28 '14 at 18:18
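A fuller version of the action page built around the honeypot from this answer, as an added example; it is neither the poster's code nor johanpw's. Field names match the form in the question and the answer above; the recipient address, subject and redirect targets are placeholders taken from the question, and the code needs PHP 7.4 or later. Besides the honeypot it does two things a practitioner would want before putting the script live: it validates the e-mail with filter_var (the original concatenates $_POST['email'] straight into the From: header, and a value containing a newline could add headers of its own), and it puts the visitor's address in Reply-To while From stays a fixed address on the site's own domain.

```php
<?php
// Added example: hardened /sendmail/send-mail-start.php with the honeypot
// check from the answer above. Not the poster's or the answerer's own code.
// Field names match the form in the question; RECIPIENT and the redirect
// targets are placeholders. Needs PHP 7.4+.
declare(strict_types=1);

const HONEYPOT_FIELD = 'username';        // hidden field bots tend to fill in
const RECIPIENT      = 'info@mysite.com'; // placeholder from the question

/**
 * Honeypot: a browser submits the hidden field empty; a bot that fills
 * every input trips it. A missing field counts as empty so real visitors
 * are never blocked by it.
 */
function honeypotTripped(array $post): bool
{
    return trim((string) ($post[HONEYPOT_FIELD] ?? '')) !== '';
}

/**
 * Return the address only if it is one well-formed e-mail address.
 * FILTER_VALIDATE_EMAIL rejects CR and LF, which is what matters here:
 * a value such as "a@b.example\nBcc: ..." must never reach a mail header.
 */
function cleanEmail(string $raw): ?string
{
    $email = filter_var(trim($raw), FILTER_VALIDATE_EMAIL);
    return $email === false ? null : $email;
}

/** Remove characters that could end a header line. */
function headerSafe(string $value): string
{
    return trim(str_replace(["\r", "\n", "\0"], '', $value));
}

/** Collect the form fields and report what is missing or invalid. */
function collectFields(array $post): array
{
    $fields = [
        'name'     => headerSafe((string) ($post['name'] ?? '')),
        'email'    => cleanEmail((string) ($post['email'] ?? '')),
        'phone'    => trim((string) ($post['phone'] ?? '')),
        'comments' => trim((string) ($post['comments'] ?? '')),
    ];
    $errors = [];
    foreach (['name', 'phone', 'comments'] as $required) {
        if ($fields[$required] === '') {
            $errors[$required] = "$required is required";
        }
    }
    if ($fields['email'] === null) {
        $errors['email'] = 'a valid e-mail address is required';
    }
    return [$fields, $errors];
}

/** HTML body; every visitor-supplied value is escaped before it is mailed. */
function buildBody(array $fields): string
{
    $e = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
    return '<p>Date: ' . date('F d, Y') . '</p>'
         . '<p>Name: ' . $e($fields['name']) . '</p>'
         . '<p>Email: ' . $e($fields['email']) . '</p>'
         . '<p>Phone: ' . $e($fields['phone']) . '</p>'
         . '<p>Comments:<br />' . nl2br($e($fields['comments'])) . '</p>';
}

/** From: is a fixed address on our own domain; the visitor goes in Reply-To. */
function buildHeaders(array $fields): string
{
    return 'From: Contact Form <' . RECIPIENT . ">\r\n"
         . 'Reply-To: ' . $fields['email'] . "\r\n"
         . "MIME-Version: 1.0\r\n"
         . 'Content-Type: text/html; charset=UTF-8';
}

// Only the web request path sends mail; the functions above can be included
// from a test script without side effects.
if (PHP_SAPI !== 'cli') {
    if (honeypotTripped($_POST)) {
        // Drop it quietly: the bot gets the normal redirect and learns nothing.
        print "<meta http-equiv=\"refresh\" content=\"3;URL=/start.php\">";
        exit;
    }
    [$fields, $errors] = collectFields($_POST);
    if ($errors !== []) {
        http_response_code(400);
        print '<p>Please check: ' . htmlspecialchars(implode('; ', $errors), ENT_QUOTES, 'UTF-8') . '</p>';
        exit;
    }
    $sent = mail(RECIPIENT, 'Contact Form - From the Start Page', buildBody($fields), buildHeaders($fields));
    print $sent
        ? "<meta http-equiv=\"refresh\" content=\"3;URL=/start.php\">"
        : "<meta http-equiv=\"refresh\" content=\"0;URL=error.php\">";
    // the existing thank-you HTML follows here unchanged
}
```

To test it the way the comments above suggest, make the hidden field visible, submit once with it empty (mail arrives) and once with anything typed in it (redirect, no mail). Keeping From on your own domain matters for delivery as well as for injection: mail servers increasingly reject messages whose From address belongs to a domain the sending server is not authorised for, which is exactly what happens when the visitor's address is used there.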
0

To prevent spam-bots from abusing my forms on my website, I used a relatively simple trick (described here by the way: http://www.sitepoint.com/easy-spam-prevention-using-hidden-form-fields/); first, add an additional input field to each form, for example:

<span class="hide"><label>Username: (required) </label><input name="Username" type="text" value="" /></span>

Then hide the field using CSS (that's why I wrapped it in a span); spam-bots generally ignore CSS, so they won't notice it's hidden:

.hide { display: none; }

Last but not least, check in the PHP code (before you send the data in an email!) whether the new input-field was filled out when someone submits the form, so for example:

if (!empty($_POST['Username'])) {   // empty() also covers a request with no such field
    echo('F*** off you nasty spam-bot.');
    return false;                   // stop the script before anything is mailed
}

It's not perfect by far, but it's helped me a lot ^^

Niffler
  • 1,509
  • 9
  • 11
0

In addition to a hidden field as mentioned in the other answers here, you could also add a disabled attribute to the submit button, then enable it on document ready with javascript.

This works mainly because most bots aren't javascript enabled. Additionally, to hinder the ones that are, you can set a 1-2 second timeout before removing the 'disabled' attribute.

c-griffin
  • 2,510
  • 1
  • 16
  • 25