StormHosts Community  

Old 03-28-2008, 04:17 PM   #1
Zoran
Contact/Email Form Exploits (ASP)

I've had some problems with email form exploits in the past. There are basically two things spammers are doing with email forms. Most of us that have been around for a while know about this. For those that don't, here is how it works.

1. The worst one is they use your email form to send out their spam through your email form to others. Gives stormhosts a headache as they don't want to have their server blacklisted.

2. More annoying than anything else, spammers use your email form to send you spam. How desperate can you be to sell viagra??

To take care of #1, just use the function below to validate all your form fields.

Code:
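' Returns False when a field contains markers used for mail header injection.
' vbLf and vbCr are the real line-feed and carriage-return characters;
' VBScript strings have no "\n" or "\r" escapes.
' Note: a multi-line value (such as a message textarea) contains vbCr/vbLf and returns False.
Function ValidForm(strField)	
	If instr(1, lcase(strField), "content-type") > 0 OR inStr(1, strField, "%0a", 1) > 0 OR inStr(1, strField, "%0d", 1) > 0 OR inStr(1, strField, vbLf, 1) > 0 OR inStr(1, strField, vbCr, 1) > 0 OR inStr(1, lcase(strField), "cc:", 1) > 0 OR inStr(1, lcase(strField), "to:", 1) > 0 Then
		ValidForm = false
	Else
		ValidForm = true
	End If
End Function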
If the function returns true, just send your email. If false, exit out to whatever method you prefer.

For #2, I found that checking to see if your email script is being requested from your site, not some other, is enough to stop that annoying spam through your form. Use the following.

Code:
If Instr(1, Request.ServerVariables("HTTP_REFERER"), "yourdomain.com", 1) < 1 Then Response.Redirect("/errorpage.html")
Basically it checks if the email processing script was referred through your website. If not, you send them somewhere else. Personally, I would send them here.
Also, the above will take care of #1 in a lot of cases.

If there are any other ideas to improve or streamline this, I would love to hear it.
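An added example, not code from the thread or from StormHosts: a variant of the check from post #1 that tests only the fields that end up in mail headers for real or URL-encoded CR/LF, then requires a single well-formed address, so a subject that merely contains "to:" still passes. The function names, the address pattern and the sample submissions are constructed for illustration, and it assumes the message body is handed to the mail component as body text rather than concatenated into headers. It runs under cscript; in an ASP page Response.Write would replace WScript.Echo.

```vbscript
Option Explicit

' True when a value destined for a mail header (name, address, subject)
' contains a raw CR/LF or a URL-encoded one that survived decoding.
Function HasHeaderBreak(strValue)
    Dim s
    s = LCase(strValue)
    HasHeaderBreak = (InStr(strValue, vbCr) > 0) Or (InStr(strValue, vbLf) > 0) _
        Or (InStr(s, "%0a") > 0) Or (InStr(s, "%0d") > 0)
End Function

' Strict single-address check: one address, no spaces, commas or semicolons.
Function IsSingleAddress(strEmail)
    Dim re
    Set re = New RegExp
    re.Pattern = "^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$"
    IsSingleAddress = re.Test(strEmail)
End Function

' Returns "ok" or the reason the submission must not be mailed.
' The message body is deliberately not a parameter: it may contain
' line breaks and is assumed to be set as body text only.
Function CheckSubmission(strName, strEmail, strSubject)
    If HasHeaderBreak(strName) Or HasHeaderBreak(strEmail) Or HasHeaderBreak(strSubject) Then
        CheckSubmission = "rejected: line break in a header field"
    ElseIf Not IsSingleAddress(strEmail) Then
        CheckSubmission = "rejected: not a single valid address"
    Else
        CheckSubmission = "ok"
    End If
End Function

' Constructed sample submissions (name, address, subject); not from the thread.
Dim samples, i
samples = Array( _
    Array("Ann", "ann@example.com", "Question about hosting"), _
    Array("Ann", "ann@example.com" & vbCrLf & "Bcc: list@example.net", "Hi"), _
    Array("Ann", "ann@example.com%0aCc: list@example.net", "Hi"), _
    Array("Ann", "ann@example.com, bob@example.net", "Hi"), _
    Array("Ann", "ann@example.com", "Notes to: the sales team"))
For i = 0 To UBound(samples)
    WScript.Echo i & ": " & CheckSubmission(samples(i)(0), samples(i)(1), samples(i)(2))
Next
```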
Old 06-04-2008, 04:19 AM   #2
Will
The HTTP referrer idea is good but would prevent anyone with a referrer-less browser from using your form. Some people turn off the referrer header for privacy reasons. Spammers are probably also likely not to send the referrer header, or if they're really smart - they'll just set it to the page they're requesting.

Could you give more information on your first function? Is that looking for control characters used by spammers to send multiple emails?
Old 11-29-2009, 03:22 PM   #3
Mipsuinc
Contact/Email Form Exploits ASP

I'm trying to make an asp page that can edit cascading style sheets. If anyone has any idea on how to do this, or if it's even possible, please help.

Thanks.