Plug-in: zem_contact_reborn

tinyfly · 2006-02-13 22:56:45

View source for your form and you can see all the ids and classes

Bloke · 2006-02-14 02:09:15

This is a great plugin idea. Love all the styling options.

After reading the recent posts, I’ve disabled the “send to friend” (send_article="yes") part I was testing on one of my sites amid all these spam fears (my hoster is very hard on anybody whose forms are used as spam portals and just closes your account without warning…nice). I’ve left the standard “contact form” up: am I right in thinking the plugin’s fairly hardened in this mode because there’s no facility to inject an email address?

Wondering what this zem_contact_nonce hidden field is for. I initially thought it was some kind of session variable. Forgive me for being naive (happens a lot!) but can’t we use it as such to help counter the bots? Or does TextPattern not allow you to get/set SESSION info from plugin code? I’ve only dabbled in other people’s code so far and I’m a real rookie at this plugin stuff so apologies if that’s a stupid question.

Anyway, before I switched it off, I was trying out my send_article and it occurred to me that I’d like to be able to control the output a little better. For example, I set up my form to have 3 fields;

1) “Your name” (to make it obvious that the person sending should put their name there)
2) “Friend’s email” (again, trying to be explicit so they don’t send it to themselves)
3) “Message”

If I put my name in (for the sake of argument I’ll be Andy) and want to send the article to my mate Bob@bobbins.com, the email that Bob receives is a mite confusing. The first thing he sees at the top of the email is:

Your name: Andy

Which is a blatant lie, because he’s called Bob. Then it says:

Friend’s email: Bob@bobbins.com

Well, he already knows that ‘coz it’s his email address… I’ve tried every way I can think of to label the fields so they’re unambiguous to the sender and meaningful to the recipient but have so far failed. Is there an option somehow that’ll allow me to format a message, be it a txp form or a direct argument to zem_contact, something along the lines of:

Hi ::friend’s email::,

Your friend ::your name:: thought you might like this article. He says:

::message::

Enjoy!

And then the article title/excerpt/body follow as usual. Is this sort of thing feasible, now or in a future release, with the way the plugin functions or shall I just crawl back into my box and stop hassling y’all?

If I get half a chance I’ll look at the code and see what’s viable but with the number of options and amount of complexity in this plugin it’s probably above my tiny brain until I cut my teeth on some intermediate plugins first. Security in this plugin comes first of course; this was just a random thought I’m mentioning before I forget.

Oh, and can I just add my 2p about captchas in this plugin: no, please no!

imho, they’re not worth the bytes they’re printed on. With automated OCR being as good as it is now, it offers little measurable security improvement, there are numerous other ways round them, and they’re a pain for the end user.. the number of times I’ve had to have 2 or more goes at them to get them right because the letters are so distorted. And I regard myself fairly average.

I like the idea of the “hidden empty field” because unless a bot can make a decision about which (if any) hidden fields it will fill in, there’s always a good chance it’ll get it wrong. It does need to be used in tandem with some sort of throttling system though because the number of perms/combs of the fields in your average form is not that great and all combinations of fill/no-fill could be tried in a matter of seconds with at least one guaranteed successful spam.

I’m trying a backwards approach to this area of determining human/computer, but it’s still very early alpha stuff and I haven’t the time to devote it the resource it needs right now, nor do I know whether it’ll even work in practice. One sunny day maybe…

That was probably nearer a quid than 2p. I’ll shut up now.

-P- · 2006-02-14 07:50:38

Maybe everybody got that allready but let me point any way that it was not just “send this article to a friend”-feature that spammers used. It was the general php form mail functions that make whole zem_contact_reborn work.

Spammers hit on my sites via two different TXP installations and one Wordpress installation contact form. None of these had this feature on, only the “plain” contact form.

So meaning that you just left “send this article to a friend”-feature out, does not mean you´re safe it´s the system in general.

Last edited by -P- (2006-02-14 07:52:12)

els · 2006-02-14 20:44:21

Question: if I receive a spam email that does not have the subject line as defined in the plugin code, and it also does not have the usual Name: blah Email: blah Message: blah text, can I then be certain it is not sent through the contact form?

thebombsite · 2006-02-14 23:39:19

@Els – Doesn’t it tell you where the email came from? Or am I grabbing the wrong end of the stick here?

@-P- I am aware your spam came through the normal form functions however Bloke makes a good point about keeping the core code to a minimum and using the new API to add extra functionallity, but only if YOU want it. With this in mind I will have a word with Tranquillo and Anura about whether the “Send Article” and the hopefully soon to come “Select Recipient” can be separated into their own plug-ins.

I have also fixed the “isError” for the “zem_contact_select” function so that should now be as stylable as the other inputs. I have also reduced the number of “returns” made dependent on “zemRequired” to a single instance which has taken out a nice little chunk of code. Still haven’t been able to get a “button element” to work properly yet. :(

Tranquillo is currently reviewing neptho’s code for possible inclusion into the base code but this may require a major rewrite so don’t hold your breath.

In the mean time it would be interesting to see if the current plug-in is working properly to stop spam, particularly from those who were having problems last week.

Last edited by thebombsite (2006-02-15 12:18:21)

Bloke · 2006-02-15 08:43:34

@-P- : Thanks for clearing that up. I must have misunderstood your earlier post. It was late in the day, sorry. Upon reflection, I think I may have been a bit obtuse in my last post on a few counts, but hey I’m still learning. Forgive me…

Regarding the whole spam thing, while I agree it’s a pest to receive unwanted spam to your own email address, I am more concerned about spammers using various injection attacks/bots to use zem_contact_reborn as a jump-off point to send spam to other people. I don’t particularly want my brand diluted by a spammer sending a message to a few hundred thousand people by inserting carefully-crafted headers into the form fields, because the people who receive it will think it’s from me. I then get a slew of angry people asking why I sent them stuff about xanax from my company e-mail address. Not to mention that if it does happen, my hoster will shut me down. That’s what I meant by “am I right in thinking the plugin’s fairly hardened in this [vanilla contact form] mode because there’s no facility to inject an email address?”

I think my question still stands under this revised definition. Who has tried to:
=> fake a form submission from other domains
=> call the script directly with bogus information
=> add SQL/HTML code into various input fields
=> call the script repeatedly from behind an IP randomizer
=> overflow the fields
=> add fields to the input data to try and get past those poor people (like me) whose hoster insists on leaving register_globals on
=> many more, I’m sure

What were the results? Does the script hold up? My guess is it does (when used as a pure contact form) because the code appears to set all the necessary headers like Content-type with the proper newline sequences, and uses htmlspecialchars() to escape input, etc. It’s unclear what will happen with the article_send form. My guess is that since you can put whatever email address in you like (as long as it’s a valid domain, right?) the message will go to the person/people in the field. And repeatedly calling the script with a bot and a faked subject/body could result in a bajillion messages being sent.

The only extra protection I can think of is SESSION vars. I just don’t know if that’s possible in TextPattern, or even if it helps. From my cursory look at the code it appears the nonce string could be used (if it isn’t already – haven’t figured out what it does yet, anyone care to point me in the right direction?) to check if the values match on two consecutive form submissions from the same client. Not sure if that system works – haven’t thought it through yet.

Tackling the other spam issue of people just sending thousands of messages to your home email from the form will hopefully be reduced with a combination of the various suggestions from people like P (preview message is an excellent idea) and the hidden fields thing, plus some kind of throttling protection if possible.

@thebombsite : I concur with splitting the functionality into various related plugins using a common “core” engine to save rewriting the transport ‘sendmail’ part each time, and then allowing people to bolt on the type of contact plugin(s) they want. Makes a lot of sense.

If/when I get up to speed on the TextPattern API (I’m slowly getting there but some functions are still a little obscure to me) I’ll gladly offer my services to help build this plugin up.

Gee, another massive post. One day I’ll learn to be concise :-p

-P- · 2006-02-15 11:38:51

<blockquote> > thebombsite wrote:

@-P- I am aware your spam came through the normal form functions however Bloke makes a good point about keeping the core code to a minimum and using the new API to add extra functionallity, but only if YOU want it. With this in mind I will have a word with Tranquillo and Anura about whether the “Send Article” and the hopefully soon to come “Select Recipient” can be separated into their own plug-ins.
</blockquote>

Yes, I know that you know that :) Putting “Send article” to separate plugin sounds very good idea.

<blockquote>In the mean time it would be interesting to see if the current plug-in is working properly to stop spam, particularly from those who were having problems last week.</blockquote>

I only have contact_reborn running on one installation that got hit last week. I have not at least received any similar spam nor my ISP has not contacted me again about malicious usage. So I assume it is ok, can´t be absolutely sure thou. I hope you understand my reasons not to test it widely yet.

<blockquote> > Bloke wrote:

> @-P- : Thanks for clearing that up. I must have misunderstood your earlier post. It was late in the day, sorry. Upon reflection, I think I may have been a bit obtuse in my last post on a few counts, but hey I’m still learning. Forgive me…

Regarding the whole spam thing, while I agree it’s a pest to receive unwanted spam to your own email address, I am more concerned about spammers using various injection attacks/bots to use zem_contact_reborn as a jump-off point to send spam to other people. I don’t particularly want my brand diluted by a spammer sending a message to a few hundred thousand people by inserting carefully-crafted headers into the form fields, because the people who receive it will think it’s from me. I then get a slew of angry people asking why I sent them stuff about xanax from my company e-mail address. Not to mention that if it does happen, my hoster will shut me down. That’s what I meant by “am I right in thinking the plugin’s fairly hardened in this [vanilla contact form] mode because there’s no facility to inject an email address?”</blockquote>

You´re welcome :)
And yes, occasional spam is mean thing. But what here just happened, was that 20.000 spam emails were sent using my contact forms with fake email addresses from three of my domains. One of them is the one that “runs” my virtual server, other two are private ones. Luckily spam bot did not hit to business domains that I host cause it could make serious damage in a way you mention above.

I talked yesterday to one guy who runs own it-business with own server. They had these same attempts via their contact form but since there was a time limit (only one email sent per 10 minutes or something) the spam bot was not able to hit.

els · 2006-02-15 16:07:37

thebombsite wrote:

@Els – Doesn’t it tell you where the email came from? Or am I grabbing the wrong end of the stick here?

Ah, I must have been sleeping… forgot to look for “X-Mailer: Textpattern (zem_contact_reborn)”. It isn’t there. Thanks Stuart for waking me up.

In the mean time it would be interesting to see if the current plug-in is working properly to stop spam, particularly from those who were having problems last week.

Nothing so far, but then I only received four spam emails last week.

Champak · 2006-02-17 18:38:16

Is it possible to 1/ limit the “@” to just one in the to and from text areas. If there is more than one then you get a fail message upon trying to send. And then 2/ set a cookie or something to where the person can only send a specific amount within a specific amount of time….like 3 within 3 months. I know the second part wont really do that much, but it’s just added security.

bruno · 2006-02-20 15:30:43

Hello, many thanks to all of you for this indispensable plugin.

A Browse attribute could be very practical. It would produce a html line like that:
<code>input type=“file” name=“anylabel” size=“16”</code>

(thank you doggiez!)

Last edited by bruno (2006-02-20 15:43:11)

els · 2006-02-20 15:33:40

< code > < /code > without the spaces ;)

squaredeye · 2006-02-23 03:34:12

Does anybody care to offer an example or a couple of how they are using the to_form tag?

I continue to get the error “To” address is missing.

I am using the following forms:

form = Contact
<code>
<h2><txp:title /></h2>
<txp:zem_contact to_form=“to_form” >
<txp:zem_contact_text label=“name” />
<txp:zem_contact_email /><br />

<txp:zem_contact_text label=“Phone” min=7 required=“no”/><br />
<txp:zem_contact_textarea label=“Message” /><br />
<txp:zem_contact_submit label=“send your message” />
</txp:zem_contact>
</code>

form=to_form

Thx.

Matthew.

ps. sorry if its in the thread somewhere, I couldn’t find it.

Textpattern CMS

Textpattern CMS support forum

#265 2006-02-13 22:56:45

Re: Plug-in: zem_contact_reborn

#266 2006-02-14 02:09:15

Re: Plug-in: zem_contact_reborn

#267 2006-02-14 07:50:38

Re: Plug-in: zem_contact_reborn

#268 2006-02-14 20:44:21

Re: Plug-in: zem_contact_reborn

#269 2006-02-14 23:39:19

Re: Plug-in: zem_contact_reborn

#270 2006-02-15 08:43:34

Re: Plug-in: zem_contact_reborn

#271 2006-02-15 11:38:51

Re: Plug-in: zem_contact_reborn

#272 2006-02-15 16:07:37

Re: Plug-in: zem_contact_reborn

#273 2006-02-17 18:38:16

Re: Plug-in: zem_contact_reborn

#274 2006-02-20 15:30:43

Re: Plug-in: zem_contact_reborn

#275 2006-02-20 15:33:40

Re: Plug-in: zem_contact_reborn

#276 2006-02-23 03:34:12

Re: Plug-in: zem_contact_reborn

Board footer