
Help! Spam issues with contact us form



Getting a load of Chinese emails full of spam and web links in my site.

How do I stop this?

I looked for a contribution but it was just a plain html file with no instructions or guidance?

The contribution I looked at was:

http://www.oscommerce.com/community/contributions,3534

What's the most effective method of stopping this menace!?!

Many Thanks


Sorry if I didn't explain myself properly!!

The page:

http://www.oscommerce.com/community/contributions,3534

has lots of different fixes and I wasn't sure which one to apply.

I fancied just making the changes in 6A and 6B.

Would this be sufficient to stop the spam?

The user recommends not using all the changes in this file, so I didn't want to do "half a job".

If someone could let me know which is the most relevant I would be indebted, as these Chinese emails are full of junk and getting on my wires!


To help you all out the file contains the following text:

 


Contact_us_fix.

vs1.3 by Gidgidonihah - 15-September-2005

vs1.2 by Darklings - 15-September-2005

vs1.1b by Vger - 13-September-2005

vs1.1 by Darklings - 13-September-2005

vs1.0 by GeneriX1 - 11-September-2005

What does this contribution do?

This contribution is a combination of many of the possible solutions to the Contact_Us form abuse issue. There are quite a few spread throughout the forums and contribs, so I condensed them into one. Missing are the original authors of the solutions. Feel free to modify or correct the file.

 

1. Verify robots.txt file.

 

# Sample robots.txt file (make sure the filename is ALL LOWERCASE on Linux/Unix systems)

# This file should go in your web site's ROOT directory

# The root directory is where your site's main /index.html file would be found

# It is usually found in /yourhomedir/public_html/ or /yourhomedir/httpdocs

# Where "yourhomedir" is your user account's name

# This says to apply these settings to ALL search engine spiders/crawlers

User-agent: *

 

# These settings will keep spiders from indexing your unwanted pages

# This assumes that your OSC install is in your web site's ROOT directory

# ie: http://www.yoursite.com/index.php <- Use if this brings up your OSC main page

Disallow: /admin

Disallow: /includes

Disallow: /account.php

Disallow: /advanced_search.php

Disallow: /checkout_shipping.php

Disallow: /create_account.php

Disallow: /login.php

Disallow: /password_forgotten.php

Disallow: /popup_image.php

Disallow: /shopping_cart.php

Disallow: /contact_us.php

Disallow: /product_reviews_write.php

Disallow: /cookie_usage.php

# Feel free to add any other pages on your site that you don't want to be indexed by

# the search engines.

# PLEASE NOTE: Any pages that you list here should be secured by other means if you

# don't want people to be able to view them, as some malicious users (BadBots) will look at a

# robots.txt file to try to find "hidden" or "secret" areas of web sites to find

# confidential information.

# Just Uncomment a line or add new ones as you see fit.

# Disallow: /private

# Disallow: /hidden

 

# IF YOU DO NOT WISH TO HAVE THE GOOGLE IMAGE BOT SCAN YOUR DOMAIN FOR IMAGES

# THEN YOU CAN INCLUDE THE FOLLOWING IN YOUR ROBOTS FILE.

# I FOUND THAT MY BANDWIDTH USAGE DROPPED BY A MASSIVE AMOUNT AFTER I GOT RID

# OF THE GOOGLE IMAGE BOT. ALL I HAD WAS IMAGE HUNTERS STEALING PRODUCT SHOTS

# AND NOT EVEN BROWSING THE SITE.

 

#User-agent: Googlebot-Image

#Disallow: /

 

 

 

2. Disallow emails to be sent FROM your domain.

Commonly the script that sends out spam emails sends them from your own domain. To stop that from happening with the contact us form, make the following changes.

 

At the top of catalog/includes/configure.php find:

 

define('HTTP_COOKIE_DOMAIN', 'www.yourdomain.com');

Replace it with:

 

define('HTTP_COOKIE_DOMAIN', 'www.yourdomain.com');

define('HTTP_MAIL_DOMAIN', 'yourdomain.com');

At the top of contact_us.php find:

 

if (isset($HTTP_GET_VARS['action']) && ($HTTP_GET_VARS['action'] == 'send')) {

Replace it with:

 

if (isset($HTTP_GET_VARS['action']) && ($HTTP_GET_VARS['action'] == 'send') && isset($_POST['email']) && tep_email_isfromdomain($_POST['email'])) {
  // Sender claims to be from our own mail domain: refuse and show the error
  $error = true;
  $messageStack->add('contact', ENTRY_EMAIL_ADDRESS_ISFROMDOMAIN_ERROR);
} elseif (isset($HTTP_GET_VARS['action']) && ($HTTP_GET_VARS['action'] == 'send')) {

 

 

At the top of /includes/functions/validations.php add this function:

function tep_email_isfromdomain($email) {
  // Split on the last '@' (split() is deprecated, and list() would raise a
  // notice for an address with no domain part)
  $at = strrpos($email, '@');
  if ($at === false) {
    return false;
  }
  $domain = strtolower(substr($email, $at + 1));
  // HTTP_MAIL_DOMAIN is the constant added to includes/configure.php above
  return ($domain == strtolower(HTTP_MAIL_DOMAIN));
}

 

Somewhere in /includes/languages/english/english.php add:

define('ENTRY_EMAIL_ADDRESS_ISFROMDOMAIN_ERROR', 'Your E-Mail Address appears to be from ' . HTTP_SERVER . '. To contact us, please use your valid email address.');

 

Somewhere in /includes/languages/dutch/dutch.php add:

define('ENTRY_EMAIL_ADDRESS_ISFROMDOMAIN_ERROR', 'U geeft een email adres op van ' . HTTP_SERVER . '. Om contact met ons op te nemen, dient u een geldig email adres op te geven.');

3. Contact Us Form Vulnerability Fix.

The real fix is already there, just not used.

 

tep_draw_textarea_field($name, $wrap, $width, $height, $text = '', $parameters = '', $reinsert_value = true)

This is the function, just modify the call to this function in the contact_us.php around line 126

 

Find:

 

<td><?php echo tep_draw_textarea_field('enquiry', 'soft', 50, 15); ?></td>

 

Replace with:

 

 

<td><?php echo tep_draw_textarea_field('enquiry', 'soft', 50, 15, (isset($_POST['enquiry']) ? tep_sanitize_string($_POST['enquiry']) : ''), '', false); ?></td>

 

 

 

this will take the reinsert from the function and allow you to control how the $_POST variable is displayed from the textarea call, and will also take out the $_GET variable so that it can't be hacked that way.

 

4. Contact form issue/ textarea bug.

For some reason the stripslashes on line 222 in includes/functions/html_output.php doesn't prevent the following bug:

 

https://www.site/contact_us.php?&name=1&ema...);%3C/script%3E

 

By adding strip_tags in front of the stripslashes on line 222, and also adding strip_tags to line 224 just for the heck of it, the problem is solved.

 

Below is what the modified file should look like.

 

221 if ( (isset($GLOBALS[$name])) && ($reinsert_value == true) ) {
222   $field .= strip_tags(stripslashes($GLOBALS[$name]));
223 } elseif (tep_not_null($text)) {
224   $field .= strip_tags($text);
225 }

 

5. Validate string.

To validate ANY string, add the following code at the bottom of general.php:

 

 

// $validmask ends with a space so that spaces between words/names are allowed
function valid_str($str, $validlength, $validmask = "abcdefghijklmnopqrstuvwxyz0123456789_- ") {
  $str = strtolower($str);
  if (strspn($str, $validmask) == strlen($str) && strlen($str) <= $validlength) {
    return true;
  }
  return false;
} // Hadir @ phpmom

 

Then anywhere when you need to validate the text like in contact_us $name add

 

if (valid_str($name, 20)) { // or whatever length you want
  // ok to send mail and confirm
} else {
  // send to "you messed up" page
}

 

 

$validmask can be changed to any characters you want

 

 

 

I haven't tested this one out yet, and actually don't know if it's really needed - but included it anyway.

 

6. Contact Us Spam bot.

A.

 

Open up:

 

catalog/includes/functions/general.php

 

Find this:

 

function tep_mail($to_name, $to_email_address, $email_subject, $email_text, $from_email_name, $from_email_address) {

if (SEND_EMAILS != 'true') return false;

 

Change to this:

 

function tep_mail($to_name, $to_email_address, $email_subject, $email_text, $from_email_name, $from_email_address) {

if (SEND_EMAILS != 'true') return false;

 

// Don't send any injection type mails (case-insensitive; eregi() is deprecated).
if (stripos($to_name, 'Content-Type:') !== false) return false;
if (stripos($email_subject, 'Content-Type:') !== false) return false;
if (stripos($from_email_name, 'Content-Type:') !== false) return false;
if (stripos($email_text, 'Content-Type:') !== false) return false;

// Remove the first CR or LF and everything after it on the header fields of the mail.
// The /s modifier lets .* span following lines too; without it only the first injected line is dropped.
// $to_email_address and $from_email_address are checked with tep_validate_email().
$to_name = preg_replace('/[\r\n].*/s', '', $to_name);
$email_subject = preg_replace('/[\r\n].*/s', '', $email_subject);
$from_email_name = preg_replace('/[\r\n].*/s', '', $from_email_name);

 

B.

 

In the catalog/includes/functions/general.php you can also change the function tep_mail to this:

 

 

function tep_mail($to_name, $to_email_address, $email_subject, $email_text, $from_email_name, $from_email_address) {

if (SEND_EMAILS != 'true') return false;

 

//--bof-addon-anti-spam

 

// Refuse any header field containing a CR or LF (the original "[\n]" pattern only caught LF)
if (preg_match("/[\r\n]/", $to_name)) return false;
if (preg_match("/[\r\n]/", $to_email_address)) return false;
if (preg_match("/[\r\n]/", $email_subject)) return false;
if (preg_match("/[\r\n]/", $from_email_name)) return false;
if (preg_match("/[\r\n]/", $from_email_address)) return false;

 

//--eof-addon-anti-spam

 

 

// Instantiate a new mail object

$message = new email(array('X-Mailer: osCommerce Mailer'));

 

// Build the text version

$text = strip_tags($email_text);

if (EMAIL_USE_HTML == 'true') {

$message->add_html($email_text, $text);

} else {

$message->add_text($text);

}

 

// Send message

$message->build_message();

$message->send($to_name, $to_email_address, $from_email_name, $from_email_address, $email_subject);

}

 

This will make sure you don't receive any more 'spam' mails.

 

7. Contact Us Spam Relay.

More info: http://www.anders.com/cms/75/Crack.Attempt/Spam.Relay

 

catalog/contact_us.php

 

Find this:

 

$error = false;

if (isset($HTTP_GET_VARS['action']) && ($HTTP_GET_VARS['action'] == 'send')) {

$name = tep_db_prepare_input($HTTP_POST_VARS['name']);

$email_address = tep_db_prepare_input($HTTP_POST_VARS['email']);

$enquiry = tep_db_prepare_input($HTTP_POST_VARS['enquiry']);

 

Change to this:

 

$error = false;

if (isset($HTTP_GET_VARS['action']) && ($HTTP_GET_VARS['action'] == 'send')) {

// http://www.anders.com/cms/75/Crack.Attempt/Spam.Relay

 

// Replace CR and LF in the header-bound fields, then drop the MIME keyword (case-insensitive)
$_POST['email'] = isset($_POST['email']) ? preg_replace("/[\r\n]/", " ", $_POST['email']) : '';
$_POST['name'] = isset($_POST['name']) ? preg_replace("/[\r\n]/", " ", $_POST['name']) : '';
$_POST['email'] = str_ireplace("Content-Type:", "", $_POST['email']);
$_POST['name'] = str_ireplace("Content-Type:", "", $_POST['name']);

$name = tep_db_prepare_input($_POST['name']);
$email_address = tep_db_prepare_input($_POST['email']);
$enquiry = tep_db_prepare_input(isset($_POST['enquiry']) ? $_POST['enquiry'] : '');
// Append the sender's remote IP address so it shows up in the e-mail
$enquiry = tep_db_prepare_input($enquiry . "\n\n IP: " . $_SERVER['REMOTE_ADDR']);

 

* Last line above also shows remote IP address in e-mail*

http://www.oscommerce.com/forums/index.php?showtopic=168903&st=0

 

http://www.oscommerce.com/forums/index.php?showtopic=167860&hl=

 

Credit: JanZ

 

B.

 

A second solution has been posted by Mattice.

 

This solution makes a change to the tep_mail() function.

 

Open catalog/includes/functions/general.php

 

And change the function tep_mail() to this:

 

function tep_mail($to_name, $to_email_address, $email_subject, $email_text, $from_email_name, $from_email_address) {

if (SEND_EMAILS != 'true') return false;

 

//--begin-toevoeging-anti-spam

 

// Refuse any header field containing a CR or LF (the original "[\n]" pattern only caught LF)
if (preg_match("/[\r\n]/", $to_name)) return false;
if (preg_match("/[\r\n]/", $to_email_address)) return false;
if (preg_match("/[\r\n]/", $email_subject)) return false;
if (preg_match("/[\r\n]/", $from_email_name)) return false;
if (preg_match("/[\r\n]/", $from_email_address)) return false;

 

//--einde-toevoeging-anti-spam

 

 

// Instantiate a new mail object

$message = new email(array('X-Mailer: osCommerce Mailer'));

 

// Build the text version

$text = strip_tags($email_text);

if (EMAIL_USE_HTML == 'true') {

$message->add_html($email_text, $text);

} else {

$message->add_text($text);

}

 

// Send message

$message->build_message();

$message->send($to_name, $to_email_address, $from_email_name, $from_email_address, $email_subject);

}

 

 

 

C.

 

A third solution has been posted by Christian Lescuyer.

 

Open catalog/includes/classes/email.php

 

Find this:

 

function send($to_name, $to_addr, $from_name, $from_addr, $subject = '', $headers = '') {

 

Change with this:

 

function send($to_name, $to_addr, $from_name, $from_addr, $subject = '', $headers = '') {

// XL Prevent email injection by truncating field at first CR/LF

$to_name = $this->clean_header($to_name);

$to_addr = $this->clean_header($to_addr);

$from_name = $this->clean_header($from_name);

$from_addr = $this->clean_header($from_addr);

 

 

 

Replace (at the real bottom):

 

return $date . $this->lf . $from . $this->lf . $to . $this->lf . $subject . $this->lf . implode($this->lf, $headers) . $this->lf . $this->lf . $this->output;

}

}

?>

 

with:

 

return $date . $this->lf . $from . $this->lf . $to . $this->lf . $subject . $this->lf . implode($this->lf, $headers) . $this->lf . $this->lf . $this->output;

}

 

/*

* Truncate at first CR or LF

*/

function clean_header($string)

{

$string = trim($string);

 

// From RFC 822: "The field-body may be composed of any ASCII

// characters, except CR or LF."

if (strpos($string, "\n") !== false) {

$string = substr($string, 0, strpos($string, "\n"));

}

if (strpos($string, "\r") !== false) {

$string = substr($string, 0, strpos($string, "\r"));

}

 

return $string;

}

 

}

 

?>

 

Note. I haven't tested all of them yet - and I don't think it's good to use a combination of them.. one should work fine.

 

Support

osCommerce is a community driven organization and as such the support base will fall entirely on the forum members. Let's help each other out.

 

[ Add link here to forum supporting this contribution ]

 

 

 

Credits

Layout inspired by Clarocque's guides.

Solutions to the contact_us.php page combined by GeneriX1 on 11 September 2005

Modified by Darklings and added one more solution on 13 September 2005

Modified by Vger on 13th September 2005 to correct wrong file location and name, also add a little additional information

2 more solutions to the Email Injection Attack have been added by Darklings on 15th September 2005

Code to disallow emails sent from your domain added by Gidgidonihah



From memory, I did DAVE USER9999999 CODE TO STOP SPAMMERS in http://www.oscommerce.com/forums/index.php?showtopic=162664&st=

 

and OSC Update 051112


2 weeks later...

Hi there

Massive thanks for the reply!

I have done some replacement with the code as detailed above but will give your idea a shot!

 

Many Thanks for your help!

 

It's really appreciated :-)

 

David,

 

Could you please give us an update on what code fixes listed you implemented for the contact_us.php file and if what you implemented stopped the SPAM.

 

Thanks,

 

Foxtel



Did them all and not a damned thing worked!

Still getting Chinese and Korean spam



Did you try Anti Robot Registration Validation 1.0 + images?

http://www.oscommerce.com/community/contributions,1237/

 

I implemented this on my contact_us.php. So, when the customers enter an Inquiry they must also type a five-letter verification code before they can submit the message.

My site is not live yet so I don't know if this works on SPAM, but I imagine that some automated script would not be able to send email because it would not know the verification code. Other posts have talked about also having a verification code and they say it helps stop SPAM.

 

 

 

If you try this please let us know if it worked.

 

Regards,

-Foxtel

 



You could rename your contact us page to something else and see if that helps.



This code was in another posting. Site is not live yet so I have not tested the code yet but it looks like it does various checks to detect SPAM.

If someone gives this a try please let us know if it works on stopping the SPAM.

 

-Foxtel

 

 

 

<?php
// First, make sure the form was posted from a browser.
// For basic web-forms, we don't care about anything
// other than requests from a browser:
if (!isset($_SERVER['HTTP_USER_AGENT'])) {
  header("HTTP/1.0 403 Forbidden");
  die("Forbidden - You are not authorized to view this page");
}

// Make sure the form was indeed POST'ed:
// (requires your html form to use: method="post")
// The original test "!$_SERVER['REQUEST_METHOD'] == 'POST'" never fired,
// because ! binds tighter than == in PHP.
if ($_SERVER['REQUEST_METHOD'] !== "POST") {
  header("HTTP/1.0 403 Forbidden");
  die("Forbidden - You are not authorized to view this page");
}

// Host names from where the form is authorized to be posted from:
$authHosts = array("webserviteur.com");

// Where have we been posted from? The Referer header is optional and is
// supplied by the client, so this only deters bots that don't bother to set it.
$fromArray = parse_url(strtolower(isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : ''));
$fromHost = (is_array($fromArray) && isset($fromArray['host'])) ? $fromArray['host'] : '';

// Accept the host with or without a leading "www."
if (strpos($fromHost, "www.") === 0) {
  $fromHost = substr($fromHost, 4);
}

// Make sure the form was posted from an approved host name.
if (!in_array($fromHost, $authHosts)) {
  //logBadRequest();
  header("HTTP/1.0 403 Forbidden");
  exit;
}

// Attempt to defend against header injections:
$badStrings = array("Content-Type:",
  "Content-Type: text/plain;",
  "MIME-Version:",
  "Content-Transfer-Encoding:",
  "Content-Transfer-Encoding: 7Bit",
  "bcc:",
  "cc:");

// Loop through each POST'ed value and test (case-insensitively) if it
// contains one of the $badStrings:
foreach ($_POST as $k => $v) {
  if (!is_string($v)) continue; // array-valued fields never reach the mail headers
  foreach ($badStrings as $v2) {
    if (stripos($v, $v2) !== false) {
      //logBadRequest();
      header("HTTP/1.0 403 Forbidden");
      exit;
    }
  }
}

// Made it past spammer test, free up some memory
// and continue rest of script:
unset($k, $v, $v2, $badStrings, $authHosts, $fromArray, $fromHost);

// Add your mail function
?>

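The checks that the Contact_us_fix contribution and Foxtel's script above apply piecemeal (CR/LF and MIME-keyword rejection in header-bound fields, the own-domain sender check from fix 2, and escaping the reinserted textarea value from fixes 3/4) collected into one pre-mail guard, as an added example that is not code from this thread or from osCommerce. HTTP_MAIL_DOMAIN takes the placeholder value the contribution uses, and the sample submissions are constructed.

```php
<?php
// Added example, not from the thread or osCommerce. In a real install
// HTTP_MAIL_DOMAIN comes from includes/configure.php (fix 2); the value here is the
// contribution's placeholder.
if (!defined('HTTP_MAIL_DOMAIN')) define('HTTP_MAIL_DOMAIN', 'yourdomain.com');

// Fields that end up in mail headers (From:, Subject:) must never contain CR/LF:
// a newline is what lets a bot append its own Bcc: lines. The keyword scan from
// fix 6A / Foxtel's $badStrings is kept as a second line of defence.
function header_field_is_safe($value) {
    if (!is_string($value)) return false;
    if (preg_match('/[\r\n]/', $value)) return false;
    foreach (array('content-type:', 'mime-version:', 'bcc:', 'cc:') as $kw) {
        if (stripos($value, $kw) !== false) return false;
    }
    return true;
}

// Fix 2: reject senders claiming to be from the shop's own mail domain.
function email_is_from_own_domain($email) {
    $at = strrpos($email, '@');
    if ($at === false) return false;
    return strtolower(substr($email, $at + 1)) === strtolower(HTTP_MAIL_DOMAIN);
}

// Returns an array of error codes; an empty array means the submission may be mailed.
function check_contact_submission(array $post) {
    $errors = array();
    $name  = isset($post['name'])    ? $post['name']    : '';
    $email = isset($post['email'])   ? $post['email']   : '';
    $body  = isset($post['enquiry']) ? $post['enquiry'] : '';

    if (!header_field_is_safe($name) || strlen($name) > 64) $errors[] = 'name';
    if (!header_field_is_safe($email) || !filter_var($email, FILTER_VALIDATE_EMAIL)) $errors[] = 'email';
    elseif (email_is_from_own_domain($email)) $errors[] = 'email_own_domain';
    // The body is not a header, but fix 6A refuses MIME keywords there as well.
    if (!is_string($body) || trim($body) === '' || stripos($body, 'Content-Type:') !== false) $errors[] = 'enquiry';
    return $errors;
}

// Fixes 3/4: anything echoed back into the form is HTML-escaped, so a reflected
// <script> in ?enquiry=... cannot run in the customer's browser.
function reinsert_value($value) {
    return htmlspecialchars((string)$value, ENT_QUOTES, 'UTF-8');
}

// Constructed sample submissions: one legitimate, one header injection, one own-domain sender.
$samples = array(
    'legit'      => array('name' => 'Jane Doe', 'email' => 'jane@example.net', 'enquiry' => 'Do you ship to Ireland?'),
    'injection'  => array('name' => "Bob\r\nBcc: victim@example.org", 'email' => 'bob@example.net', 'enquiry' => 'hi'),
    'own_domain' => array('name' => 'Shop', 'email' => 'sales@yourdomain.com', 'enquiry' => 'test'),
);
foreach ($samples as $label => $post) {
    $errors = check_contact_submission($post);
    echo $label, ': ', (empty($errors) ? 'accept' : 'reject (' . implode(', ', $errors) . ')'), "\n";
}
echo reinsert_value('<script>alert(1)</script>'), "\n";
```

Running it prints accept for the legitimate submission, reject (name) for the CRLF injection and reject (email_own_domain) for the spoofed sender, then the escaped script tag.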

4 weeks later...

Here is another great contrib. from Amanda, http://www.oscommerce.com/community/contributions,3184.

The purpose of the contrib is NOT to stop SPAM, but it allows you to queue all incoming and outgoing emails.

Where I found this to be extremely useful is if some SPAM bot, script, etc. tries to use your contact_us.php form to relay their SPAM from your email server. In admin you can view all the email before it is sent out and take appropriate action.

Here is the support forum for Email Queue http://www.oscommerce.com/forums/index.php?showtopic=150516

Edited by Foxtel
