Textpattern CMS support forum
#226 2006-02-09 20:48:54
- alannie
- Member

- From: Minnesota, USA
- Registered: 2005-09-15
- Posts: 150
Re: Plug-in: zem_contact_reborn
> thebombsite wrote:
> @alannie – how are you calling the contact form to your page template. Do you have it set up as a form then call it with the <code><txp:output_form /></code> tag?
The contact form is inside an article.
> You will have to explain to me why you have 4 “article” tags on a page. Could you not replace 3 of them with the “article_custom” tag? It isn’t generally recommended to use more than 1 “article” tag though, depending on how your site is set up, it can be done.
Two of them are for this reason. (Note the newly added “edit” that mentions the dangers of having more than one “article” tag!) The third one is because I needed a unique id for each page, so I was inserting the article’s id into the body tag. The last one is for the article content.
As for why I could not use <code>article_custom</code> – I needed something that was context-sensitive to the current article being displayed. I tried <code>article_custom</code> but it displayed data from all articles instead of the current one. Limiting it to “1” would have just displayed the most recently added article, instead of the current one.
For the contact form pages, those first three “article” tags weren’t absolutely essential, so I just created a separate page template that does away with them.
Offline
#227 2006-02-09 20:52:32
- els
- Moderator

- From: The Netherlands
- Registered: 2004-06-06
- Posts: 7,458
Re: Plug-in: zem_contact_reborn
> @Els – That says you have too many “)” in there. Let me work it into my test site then I’ll update the template and put a new version out. Give me 30 minutes.
I understood as much ;) But I counted and there are just as many opening brackets as closing brackets…
30 minutes would be great! but take your time and don’t forget supper ;)
Edit: hmm… so much for my counting abilities… I’m going to try again.
Edit again: the second one after FALSE should go.
Last edited by doggiez (2006-02-09 20:58:03)
Offline
#228 2006-02-09 21:01:33
- -P-
- Member

- From: Finland
- Registered: 2005-09-10
- Posts: 211
Re: Plug-in: zem_contact_reborn
> thebombsite wrote:
> @ P I don’t think this is either WP/TXP related or plug-in related. It sounds like someone has developed a bot to specifically hit contact forms. How many hits did you get on the TXP site?
> Are you using a Captcha plug-in? Did I spot that Sencer had released something somewhere though I think that may have been for comments?
After the first five spam emails received through the princessdom contact form I disabled all the contact forms from all my own sites and the sites I host. So I can't say what it could have been. Through that other site's contact form, the domain owner received a huge amount of this spam. I haven't had reports from my other sites.
I don't receive system mail either (email delivery errors and notifications) at the moment any more, so I can't say how serious it could be.
What I hate most now is the thought and knowledge that there are zillions of spam emails around the net now with personalized contact form subject fields from my domains and with sender addresses also pointing to my domains.
For business sites especially this could be a very bad thing to happen.
I don't use captcha since I haven't had much comment spam, thanks to forced preview on comment forms. Could it be implemented for the contact form too? It's only for comments at the mo.
Last edited by -P- (2006-02-09 21:09:57)
Offline
#229 2006-02-09 21:03:08
- neptho
- Member

- From: A cold, dark place.
- Registered: 2006-02-01
- Posts: 51
Re: Plug-in: zem_contact_reborn
> thebombsite wrote:
> @neptho – thanks for the code. Now if you could just explain to me exactly what it is doing please.
It may be partially broken – so don’t integrate it JUST YET.. this is just a ‘beta’, that ‘works for me’. What it does is check any of the incoming data variables for a MIME encapsulation which these bots use to send third party unsolicited email. This makes the script die when it sees that it is being fed multipart or MIME encapsulated messages, which nobody should be doing from a contact form.
The alternatives are a redirect, or a ‘no, you can’t do that’ page, but, as the whole context is malicious, I prefer to shut them down with minimal efforts, and bandwidth on my part.
Offline
#230 2006-02-09 21:19:50
Re: Plug-in: zem_contact_reborn
Thanks neptho. I’m still debating whether a “beta” fix is better than no fix at all until tranquillo sorts out the other method we were going to employ.
@Els – I haven’t actually tried anything yet but just reading through neptho’s code again here I think there should only be a single “)” after “FALSE”.
Stuart
In a Time of Universal Deceit
Telling the Truth is Revolutionary.
Offline
#231 2006-02-09 21:55:15
Re: Plug-in: zem_contact_reborn
I won’t put this in the main post but if you want to try this out here’s a link.
Maybe if P would like to try this as well.
And don’t mention business sites please! I’ve just finished a redesign for FreshlyPressed with a complex contact form. Have a look. What do you think of the new logo?
Last edited by thebombsite (2006-02-11 00:18:09)
Stuart
In a Time of Universal Deceit
Telling the Truth is Revolutionary.
Offline
#232 2006-02-09 22:14:46
Re: Plug-in: zem_contact_reborn
Nice job on the logo Stu!
Haven’t been following lots of the recent zem-contact discussion, but good job on ‘Freshly Pressed’
Cheers
Offline
#233 2006-02-09 22:23:22
- -P-
- Member

- From: Finland
- Registered: 2005-09-10
- Posts: 211
Re: Plug-in: zem_contact_reborn
@Stuart Nice logo!! Veeery fresh :D
Thank you Stuart so much for your quick response regarding this spam problem! Hopefully that solves it.
But. I will test it tomorrow. Spent some serious time last week upgrading all my TXP sites to use contact_reborn. Then last night added to every one of them a checkbox as a quick solution. Did not help. Spent this morning disabling all the contact forms. :D
So like Scarlett O'Hara, I'll count on tomorrow ;)
Offline
#234 2006-02-09 22:31:10
Re: Plug-in: zem_contact_reborn
Thanks both. Actually the graphic was done for us in your neck of the woods NeilA. Must be all that sun :)
We still have the other method to incorporate so whether this one will remain as well, or be modified in some way I can’t say, but if a few here can test this method out then all the better. But I should reiterate what neptho says, it is “beta” so I don’t consider this as a main update release although you do now have the “fix” for the “select” validation problem.
Last edited by thebombsite (2006-02-09 22:33:06)
Stuart
In a Time of Universal Deceit
Telling the Truth is Revolutionary.
Offline
#235 2006-02-09 23:19:27
- els
- Moderator

- From: The Netherlands
- Registered: 2004-06-06
- Posts: 7,458
Re: Plug-in: zem_contact_reborn
Thank you Stuart! Installed on six sites… now just sit and wait.
Very nice logo! Makes you wish it were summer again ;)
I have another question: I don’t know how this spam e-mail works, but in my form I don’t use copysender or subject. Yet in one of the mails was an extra subject line and a bcc mail address (on aol.com). Does this mean anything?
Offline
#236 2006-02-09 23:35:23
Re: Plug-in: zem_contact_reborn
I don’t think I know enough about it but it sounds to me like it is running through the code and picking up any fields that are there. Although you don’t use them for your form they are still run through in the code via the “ifs” so the bot probably sees them and fills them in. This is where the hidden “empty” fields would be useful, as the bot will see them, fill them in and promptly get stuffed.
But in the mean time if you can keep me posted on any spams you receive now that you have this method installed. I can’t do a lot at the moment as they haven’t tried hitting thebombsite yet. I haven’t installed this there, it’s only on my /test/ site so I await their arrival, at which point I shall install it and see what happens.
Stuart
In a Time of Universal Deceit
Telling the Truth is Revolutionary.
Offline
#237 2006-02-10 04:42:57
- alannie
- Member

- From: Minnesota, USA
- Registered: 2005-09-15
- Posts: 150
Re: Plug-in: zem_contact_reborn
Hi, I recently came across this email injection article that seems to offer helpful solutions for preventing email injections, including MIME injections. I don’t have enough PHP knowledge to easily figure out whether these solutions have already been incorporated into the plugin, but thought I would pass it along just in case. The reference to the regexp library in particular looks like it might be a timesaver for building in additional security measures.
Offline
#238 2006-02-10 08:31:00
- neptho
- Member

- From: A cold, dark place.
- Registered: 2006-02-01
- Posts: 51
Re: Plug-in: zem_contact_reborn
> doggiez wrote:
> Thank you Stuart! Installed on six sites… now just sit and wait.
> Very nice logo! Makes you wish it were summer again ;)
> I have another question: I don’t know how this spam e-mail works, but in my form I don’t use copysender or subject. Yet in one of the mails was an extra subject line and a bcc mail address (on aol.com). Does this mean anything?
PHP Manual on mail() – It’s just simple injection.
If you look at the latest, it’s overkill, but “anton at basehost dot net”’s idea is one of the more portable, and less taxing – I just made a simpler way. If there’s no MIME boundary, it should not be accepted by mail(). However, a more paranoid approach:
<pre>
// Refuse the whole submission if any field carries MIME or mail-header tokens.
foreach ($zem_contact_form as $k => $v)
{
    if (
        // An array might make more sense, but it's quick, and I lack motivation.
        // stripos() because header names arrive in any case ("MIME-Version:"),
        // and !== false because strpos/stripos return 0 for a match at offset 0,
        // which "!= FALSE" would wrongly treat as "not found".
        stripos($v, 'multipart/mixed') !== false || stripos($v, 'charset="') !== false ||
        stripos($v, 'mime-version:') !== false || stripos($v, 'content-type') !== false ||
        stripos($v, 'bcc:') !== false
    )
        die("No, I do not think so.");
    $msg[] = $k.': '.htmlspecialchars($v);
}
</pre>
This has been tested and I have not had a spamthrough since I just used the ‘multipart/mixed’, but it’s not finished. This is only PART of the problem. Really, Stuart, etc, let me know what your plans are. This (contact) code is bad news. It might be easier to throw the baby away with the bathwater. Some things are just, well, wrong-ish.
Last edited by neptho (2006-02-10 08:44:30)
Offline
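Pulling together the two defences discussed in this thread (neptho's scan for MIME and header tokens above, and the hidden "empty" field Stuart mentions for the bots), here is an added example. It is not the zem_contact_reborn plugin's code nor any poster's; the field names `name`, `email`, `subject`, `message` and the hidden honeypot field `website` are assumptions for this example, and the sample submissions at the bottom are constructed, not captured traffic.

```php
<?php
// Added example, not the zem_contact_reborn plugin's own code. It checks a
// contact-form submission for mail-header injection (the "extra Subject /
// Bcc" mails discussed in this thread) and for bot fill-ins before anything
// is handed to mail(). Field names and the honeypot name are assumptions.

// True if $value could escape the header it is placed in. A bare CR or LF is
// what actually starts a new header line, so that is the primary test; the
// token list is belt-and-braces for header/MIME syntax no human types into a
// name, address or subject field. Comparison is case-insensitive and uses
// !== false so a match at offset 0 is not mistaken for "not found".
function zcr_example_is_injected($value)
{
    if (preg_match('/[\r\n]/', $value)) {
        return true;
    }
    $tokens = array('content-type', 'mime-version', 'multipart/', 'bcc:', 'cc:');
    foreach ($tokens as $t) {
        if (stripos($value, $t) !== false) {
            return true;
        }
    }
    return false;
}

// The honeypot field is hidden from humans with CSS, so a non-empty value
// means a form-filling bot completed it.
function zcr_example_is_bot($post, $honeypot = 'website')
{
    return isset($post[$honeypot]) && trim($post[$honeypot]) !== '';
}

// Validate a submission and build the mail() arguments without sending.
// Returns array('ok' => bool, 'error' => string, 'mail' => array).
function zcr_example_prepare($post, $site_from = 'contact@example.invalid')
{
    if (zcr_example_is_bot($post)) {
        return array('ok' => false, 'error' => 'honeypot filled', 'mail' => array());
    }
    foreach (array('name', 'email', 'subject', 'message') as $field) {
        if (!isset($post[$field]) || trim($post[$field]) === '') {
            return array('ok' => false, 'error' => "missing $field", 'mail' => array());
        }
    }
    // name, email and subject end up in headers, so they get the injection check.
    foreach (array('name', 'email', 'subject') as $field) {
        if (zcr_example_is_injected($post[$field])) {
            return array('ok' => false, 'error' => "injection in $field", 'mail' => array());
        }
    }
    if (!filter_var($post['email'], FILTER_VALIDATE_EMAIL)) {
        return array('ok' => false, 'error' => 'invalid email', 'mail' => array());
    }
    // From: is always the site's own address; the visitor's address only goes
    // into Reply-To, so the form cannot be used to send mail "from" other domains.
    $headers = "From: $site_from\r\n"
             . 'Reply-To: ' . $post['email'] . "\r\n"
             . "Content-Type: text/plain; charset=UTF-8\r\n";
    $body = 'Name: ' . $post['name'] . "\n\n" . $post['message'];
    return array(
        'ok'    => true,
        'error' => '',
        'mail'  => array('subject' => $post['subject'], 'body' => $body, 'headers' => $headers),
    );
}

// Constructed sample submissions for this example (not real traffic).
$samples = array(
    'legit'  => array('name' => 'Alice', 'email' => 'alice@example.invalid',
                      'subject' => 'Question', 'message' => 'Hello', 'website' => ''),
    'bot'    => array('name' => 'x', 'email' => 'x@example.invalid',
                      'subject' => 'x', 'message' => 'x', 'website' => 'http://spam.invalid'),
    'inject' => array('name' => "Bob\r\nBcc: someone@example.invalid", 'email' => 'bob@example.invalid',
                      'subject' => 'Hi', 'message' => 'Hi', 'website' => ''),
);
foreach ($samples as $label => $post) {
    $r = zcr_example_prepare($post);
    echo $label, ': ', ($r['ok'] ? 'accepted' : 'rejected (' . $r['error'] . ')'), "\n";
}
// Only after 'accepted' would the real form call:
// mail($to, $r['mail']['subject'], $r['mail']['body'], $r['mail']['headers']);
```

The CR/LF test is the one that matters: every injected Subject or Bcc line in the mails described above had to be preceded by a line break to become a header at all, so rejecting line breaks in header-bound fields closes the hole even when a bot uses a token the list does not know. Keeping `From:` fixed to the site's own address addresses P's point about spam appearing to come from the victim's domain; the visitor's address is still usable via `Reply-To`.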
#239 2006-02-10 10:05:47
Re: Plug-in: zem_contact_reborn
> neptho wrote:
> Really, Stuart, etc, let me know what your plans are. This (contact) code is bad news. It might be easier to throw the baby away with the bathwater. Some things are just, well, wrong-ish.
I’m not sure what you mean by that neptho. Are you saying that this particular plug-in code is bad news or contact form code in general?
As I’ve mentioned before we are looking at the “hidden empty field” method. Maybe a combination of both would be worth looking at?
@alannie – Thanks for the article pointer. I think I shall just go and emigrate now. :)
Last edited by thebombsite (2006-02-10 10:16:38)
Stuart
In a Time of Universal Deceit
Telling the Truth is Revolutionary.
Offline
#240 2006-02-10 10:54:57
- -P-
- Member

- From: Finland
- Registered: 2005-09-10
- Posts: 211
Re: Plug-in: zem_contact_reborn
About what neptho wrote, expanding that thinking we could just give up in general and go back to maintaining static html sites with no executable code in them. :)
Okay, it is easy for me to say since I'm not a coder. All I can do is report my experiences. But it seems that since it is more difficult for bots to harvest email addresses for spam purposes on the net, thanks to contact forms and email addresses marked in a way bots can't understand, spammers are also finding better techniques to achieve their task.
And I want to note again that this is not just a TXP contact form related issue, the same has happened with WordPress and who knows what has been happening with small stand-alone contact form scripts.
Princessdom has had her contact form back online since this morning. No successful malicious use yet.
Last edited by -P- (2006-02-10 10:57:18)
Offline