Textpattern CMS support forum

Plug-in: zem_contact_reborn

#229 2006-02-09 21:03:08

neptho
Member
From: A cold, dark place.
Registered: 2006-02-01
Posts: 48

Re: Plug-in: zem_contact_reborn

> thebombsite wrote:

> @neptho – thanks for the code. Now if you could just explain to me exactly what it is doing please.

It may be partially broken – so don’t integrate it JUST YET… this is just a ‘beta’ that ‘works for me’. What it does is check any of the incoming data variables for a MIME encapsulation, which these bots use to send third-party unsolicited email. This makes the script die when it sees that it is being fed multipart or MIME-encapsulated messages, which nobody should be doing from a contact form.

The alternatives are a redirect, or a ‘no, you can’t do that’ page, but, as the whole context is malicious, I prefer to shut them down with minimal effort, and bandwidth, on my part.


#230 2006-02-09 21:19:50

thebombsite
Archived Plugin Author
From: Exmouth, England
Registered: 2004-08-24
Posts: 3,251

Re: Plug-in: zem_contact_reborn

Thanks neptho. I’m still debating whether a “beta” fix is better than no fix at all until tranquillo sorts out the other method we were going to employ.

@Els – I haven’t actually tried anything yet but just reading through neptho’s code again here I think there should only be a single “)” after “FALSE”.


Stuart

In a Time of Universal Deceit
Telling the Truth is Revolutionary.


#231 2006-02-09 21:55:15

thebombsite
Archived Plugin Author
From: Exmouth, England
Registered: 2004-08-24
Posts: 3,251

Re: Plug-in: zem_contact_reborn

I won’t put this in the main post but if you want to try this out here’s a link.

Maybe if P would like to try this as well.

And don’t mention business sites please! I’ve just finished a redesign for FreshlyPressed with a complex contact form. Have a look. What do you think of the new logo?

Last edited by thebombsite (2006-02-11 00:18:09)



#232 2006-02-09 22:14:46

NeilA
Member
From: Blue Mountains, Australia
Registered: 2004-08-15
Posts: 316

Re: Plug-in: zem_contact_reborn

Nice job on the logo Stu!

Haven’t been following lots of the recent zem-contact discussion, but good job on ‘Freshly Pressed’.

Cheers


Neil – Blue Mountains, Australia

http://westserve.org
http://ministrygrounds.net.au


#233 2006-02-09 22:23:22

-P-
Member
From: Finland
Registered: 2005-09-10
Posts: 211

Re: Plug-in: zem_contact_reborn

@Stuart Nice logo!! Veeery fresh :D

Thank you Stuart so much for your quick response regarding this spam problem! Hopefully that solves it.

But. I will test it tomorrow. Spent some serious time last week upgrading all my TXP sites to use contact_reborn. Then last night added to every one of them a checkbox as a quick solution. Did not help. Spent this morning disabling all the contact forms. :D

So, like Scarlett O’Hara, I’ll count on tomorrow ;)


#234 2006-02-09 22:31:10

thebombsite
Archived Plugin Author
From: Exmouth, England
Registered: 2004-08-24
Posts: 3,251

Re: Plug-in: zem_contact_reborn

Thanks both. Actually the graphic was done for us in your neck of the woods NeilA. Must be all that sun :)

We still have the other method to incorporate so whether this one will remain as well, or be modified in some way I can’t say, but if a few here can test this method out then all the better. But I should reiterate what neptho says, it is “beta” so I don’t consider this as a main update release although you do now have the “fix” for the “select” validation problem.

Last edited by thebombsite (2006-02-09 22:33:06)



#235 2006-02-09 23:19:27

els
Moderator
From: The Netherlands
Registered: 2004-06-06
Posts: 7,458

Re: Plug-in: zem_contact_reborn

Thank you Stuart! Installed on six sites… now just sit and wait.

Very nice logo! Makes you wish it were summer again ;)

I have another question: I don’t know how this spam e-mail works, but in my form I don’t use copysender or subject. Yet in one of the mails was an extra subject line and a bcc mail address (on aol.com). Does this mean anything?


#236 2006-02-09 23:35:23

thebombsite
Archived Plugin Author
From: Exmouth, England
Registered: 2004-08-24
Posts: 3,251

Re: Plug-in: zem_contact_reborn

I don’t think I know enough about it but it sounds to me like it is running through the code and picking up any fields that are there. Although you don’t use them for your form they are still run through in the code via the “ifs” so the bot probably sees them and fills them in. This is where the hidden “empty” fields would be useful, as the bot will see them, fill them in and promptly get stuffed.

But in the meantime, if you can keep me posted on any spams you receive now that you have this method installed. I can’t do a lot at the moment as they haven’t tried hitting thebombsite yet. I haven’t installed this there, it’s only on my /test/ site, so I await their arrival, at which point I shall install it and see what happens.


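What the bot is actually doing, as an added example that is not part of this thread and not code from zem_contact_reborn: a PHP script (assumed PHP 7.1 or later; the payload, field names and header layout are constructed for the demonstration) that assembles mail() headers the way a naive contact form does, feeds it a header-injection payload of the kind neptho’s check is aimed at, and lists the headers the MTA would act on that the form itself never wrote. It sends nothing.

```php
<?php
// Added example, not code from zem_contact_reborn or from any poster in the thread.
// Shows what a bot's payload does to a contact script that copies form fields straight
// into the additional_headers argument of mail(), and why a form that never uses
// "subject" or "copysender" can still deliver mail carrying an extra Subject and a Bcc.
// Nothing is sent: the functions only assemble and inspect the header block a naive
// script would hand to the MTA. Assumes PHP 7.1 or later.

// Constructed payload for the "email" field. The first line is a plausible address;
// everything after the first line break is the bot's own header block and MIME body.
const BOT_EMAIL = "visitor@example.com\n"
    . "Bcc: target1@example.net, target2@example.net\n"
    . "Subject: injected subject\n"
    . "MIME-Version: 1.0\n"
    . "Content-Type: multipart/mixed; boundary=\"b0undary\"\n"
    . "\n"                       // blank line: the MTA treats everything after it as body
    . "--b0undary\n"
    . "Content-Type: text/plain; charset=\"us-ascii\"\n"
    . "\n"
    . "Unsolicited text.\n"
    . "--b0undary--\n";

// What a naive contact script does with its fields (assumed field names).
function naive_additional_headers(string $name, string $email): string
{
    return "From: $name <$email>\nReply-To: $email\n";
}

// The header names the MTA will honour: every "Name:" line up to the first blank line.
// With BOT_EMAIL the script's own Reply-To, and the real message body that mail()
// appends after the headers, land after that blank line, where nothing acts on them.
function header_names(string $headers): array
{
    $names = [];
    foreach (preg_split('/\r\n|\n|\r/', $headers) as $line) {
        if ($line === '') {
            break;
        }
        if (preg_match('/^([A-Za-z][A-Za-z0-9-]*):/', $line, $m)) {
            $names[] = strtolower($m[1]);
        }
    }
    return $names;
}

// Header names present in the assembled block that the script never wrote itself.
function injected_headers(string $headers, array $expected = ['from', 'reply-to']): array
{
    return array_values(array_diff(header_names($headers), $expected));
}

$clean = naive_additional_headers('Visitor', 'visitor@example.com');
$bad   = naive_additional_headers('Visitor', BOT_EMAIL);

echo "clean submission, injected headers: ", json_encode(injected_headers($clean)), "\n";
echo "bot submission,   injected headers: ", json_encode(injected_headers($bad)), "\n";
```

The clean submission yields no extra headers; the bot’s yields bcc, subject, mime-version and content-type, which is exactly where an extra Subject and a Bcc come from on a form that uses neither. The blank line inside the payload ends the header section, so the form’s real message body ends up after the bot’s MIME part. The header names the bot picks are incidental: any line break in a value that is copied into a header is enough to add headers, which is why refusing line breaks in header-bound fields is a stronger test than a list of MIME keywords.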

#237 2006-02-10 04:42:57

alannie
Member
From: Minnesota, USA
Registered: 2005-09-15
Posts: 150

Re: Plug-in: zem_contact_reborn

Hi, I recently came across this email injection article that seems to offer helpful solutions for preventing email injections, including MIME injections. I don’t have enough PHP knowledge to easily figure out whether these solutions have already been incorporated into the plugin, but thought I would pass it along just in case. The reference to the regexp library in particular looks like it might be a timesaver for building in additional security measures.


#238 2006-02-10 08:31:00

neptho
Member
From: A cold, dark place.
Registered: 2006-02-01
Posts: 48

Re: Plug-in: zem_contact_reborn

> doggiez wrote:

> Thank you Stuart! Installed on six sites… now just sit and wait.

> Very nice logo! Makes you wish it were summer again ;)

> I have another question: I don’t know how this spam e-mail works, but in my form I don’t use copysender or subject. Yet in one of the mails was an extra subject line and a bcc mail address (on aol.com). Does this mean anything?

PHP Manual on mail() – It’s just simple injection.

If you look at the latest, it’s overkill, but “anton at basehost dot net”’s idea is one of the more portable, and less taxing – I just made a simpler way. If there’s no MIME boundary, it should not be accepted by mail(). However, a more paranoid approach:

<pre>
foreach ($zem_contact_form as $k => $v) {
    if (
        // An array might make more sense, but it's quick, and I lack motivation.
        // !== false, because strpos() returns 0 for a match at the start of the field.
        strpos($v, 'multipart/mixed') !== false ||
        strpos($v, 'charset="') !== false ||
        strpos($v, 'mime-version:') !== false ||
        strpos($v, 'content-type=') !== false ||
        strpos($v, 'bcc:') !== false
    ) {
        die("No, I do not think so.");
    }
    $msg[] = $k.': '.htmlspecialchars($v);
}
</pre>

This has been tested and I have not had a spamthrough since I just used the ‘multipart/mixed’, but it’s not finished. This is only PART of the problem. Really, Stuart, etc, let me know what your plans are. This (contact) code is bad news. It might be easier to throw the baby away with the bathwater. Some things are just, well, wrong-ish.

Last edited by neptho (2006-02-10 08:44:30)

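A hardened form of the per-field scan in the post above, added here as an example (PHP 7.1 or later; it is not the plugin’s code, and the field names are assumptions about a typical contact form). It makes three changes: strict comparison, because strpos() returns 0 for a match at the very start of a field and 0 != FALSE is false, so a field beginning with “bcc:” passes the original test; case-insensitive matching, since bots write Bcc:, BCC: and bcc:; and a rule that any field copied into a mail header must not contain a line break at all, which catches injected headers whose names are on no keyword list. It returns a reason instead of calling die() so the caller can log, redirect or drop the request as it prefers.

```php
<?php
// Added example, not the plugin's code: a reworked per-field scan. Field names are
// assumed. Assumes PHP 7.1 or later.

// Fields the form copies into headers (From, Reply-To, Subject).
const HEADER_FIELDS = ['name', 'email', 'subject'];

// Lines that look like mail headers, anywhere in a field. Anchored at line start (/m)
// so ordinary prose that mentions "cc:" mid-sentence is not refused.
const HEADER_LINE_RE = '/^(bcc|cc|content-type|mime-version|content-transfer-encoding):/im';

// The comparison from the original scan, kept only to show the trap.
function matches_loose(string $value, string $needle): bool
{
    return strpos($value, $needle) != FALSE;
}

// Strict and case-insensitive.
function matches_strict(string $value, string $needle): bool
{
    return stripos($value, $needle) !== false;
}

// Returns null when every field is acceptable, otherwise a one-line reason.
function reject_reason(array $fields): ?string
{
    foreach ($fields as $k => $v) {
        if (!is_string($v)) {
            return "$k: not a string";
        }
        // A header field is safe to interpolate only if it is a single line.
        if (in_array($k, HEADER_FIELDS, true) && preg_match('/[\r\n]/', $v)) {
            return "$k: line break in a header field";
        }
        // Header-looking lines or multipart MIME content in any field, body included.
        if (preg_match(HEADER_LINE_RE, $v) || stripos($v, 'multipart/') !== false) {
            return "$k: mail header or MIME content in a form field";
        }
    }
    return null;
}

// Constructed submissions.
$submissions = [
    'clean' => [
        'name' => 'Visitor', 'email' => 'visitor@example.com', 'subject' => 'Hello',
        'message' => "Just a question.\nLine breaks in the body are fine.",
    ],
    'bcc, mixed case, CRLF in email' => [
        'name' => 'x', 'email' => "x@example.com\r\nBCC: target@example.net",
        'subject' => 'hi', 'message' => 'hi',
    ],
    'MIME part pasted into the body' => [
        'name' => 'x', 'email' => 'x@example.com', 'subject' => 'hi',
        'message' => "--b0undary\nContent-Type: text/html\n\n<a href=\"...\">buy</a>\n--b0undary--",
    ],
];

foreach ($submissions as $label => $fields) {
    printf("%-32s %s\n", $label, reject_reason($fields) ?? 'accepted');
}

// The original comparison misses a match at offset 0; the strict one does not.
$field = 'bcc: target@example.net';
printf("loose: %s  strict: %s\n",
    var_export(matches_loose($field, 'bcc:'), true),
    var_export(matches_strict($field, 'bcc:'), true));
```

The body scan is a heuristic and can refuse a legitimate message that happens to start a line with one of the listed names; the line-break rule on header-bound fields is the part that actually prevents header injection, and it has no such false positives.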

#239 2006-02-10 10:05:47

thebombsite
Archived Plugin Author
From: Exmouth, England
Registered: 2004-08-24
Posts: 3,251

Re: Plug-in: zem_contact_reborn

> neptho wrote:

> Really, Stuart, etc, let me know what your plans are. This (contact) code is bad news. It might be easier to throw the baby away with the bathwater. Some things are just, well, wrong-ish.

I’m not sure what you mean by that neptho. Are you saying that this particular plug-in code is bad news or contact form code in general?

As I’ve mentioned before we are looking at the “hidden empty field” method. Maybe a combination of both would be worth looking at?

@alannie – Thanks for the article pointer. I think I shall just go and emigrate now. :)

Last edited by thebombsite (2006-02-10 10:16:38)


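The “hidden empty field” method, combined with the other checks, as an added example (PHP 7.1 or later; not the plugin’s code; the field names, class name and CSS are assumptions). The form renders an extra text input that a person never sees because a stylesheet moves it off-screen; it is deliberately not type="hidden", so a bot that fills every input it finds trips it. A second rule refuses any posted field the form does not define, which is the case of copysender or subject arriving at a form that has neither. A third keeps header-bound fields to a single line.

```php
<?php
// Added example, not the plugin's code: honeypot field + field whitelist + single-line
// header fields. Names and CSS are assumptions. Assumes PHP 7.1 or later.

const HONEYPOT_FIELD = 'website';   // a name bots like to fill in
const HONEYPOT_CLASS = 'zcr-hp';    // stylesheet: .zcr-hp { position: absolute; left: -9999px; }
const FORM_FIELDS    = ['name', 'email', 'message'];
const HEADER_FIELDS  = ['name', 'email'];   // copied into From / Reply-To

function render_form(string $action = '/contact'): string
{
    $hp     = HONEYPOT_FIELD;
    $cls    = HONEYPOT_CLASS;
    $action = htmlspecialchars($action, ENT_QUOTES);
    return <<<HTML
<form method="post" action="{$action}">
  <label>Name <input name="name"></label>
  <label>Email <input name="email"></label>
  <label>Message <textarea name="message"></textarea></label>
  <div class="{$cls}" aria-hidden="true">
    <label>Website <input name="{$hp}" tabindex="-1" autocomplete="off"></label>
  </div>
  <button type="submit">Send</button>
</form>
HTML;
}

// Returns null when the submission may be mailed, otherwise the reason for refusing it.
function refuse_reason(array $post): ?string
{
    // 1. Honeypot: a visitor leaves it empty; a bot filling whatever it finds does not.
    if (trim((string) ($post[HONEYPOT_FIELD] ?? '')) !== '') {
        return 'honeypot field was filled in';
    }
    // 2. Only the fields this form defines.
    $allowed = array_merge(FORM_FIELDS, [HONEYPOT_FIELD]);
    foreach (array_keys($post) as $k) {
        if (!in_array($k, $allowed, true)) {
            return "unexpected field '$k'";
        }
    }
    // 3. Header-bound fields must be a single line.
    foreach (HEADER_FIELDS as $k) {
        if (preg_match('/[\r\n]/', (string) ($post[$k] ?? ''))) {
            return "line break in header field '$k'";
        }
    }
    return null;
}

// Constructed submissions.
$cases = [
    'visitor'              => ['name' => 'Visitor', 'email' => 'visitor@example.com',
                               'message' => 'Hello', 'website' => ''],
    'bot fills everything' => ['name' => 'x', 'email' => 'x@example.com',
                               'message' => 'x', 'website' => 'http://example.org/'],
    'bot posts subject'    => ['name' => 'x', 'email' => 'x@example.com', 'message' => 'x',
                               'website' => '', 'subject' => 'Bcc: target@example.net'],
    'header injection'     => ['name' => 'x', 'email' => "x@example.com\nBcc: target@example.net",
                               'message' => 'x', 'website' => ''],
];

echo render_form(), "\n";
foreach ($cases as $label => $post) {
    printf("%-22s %s\n", $label, refuse_reason($post) ?? 'accepted');
}
```

Only the first case is accepted. The honeypot catches bots that fill every field, the whitelist catches bots that post fields the form never had, and the line-break rule catches a bot that restrains itself to the real fields; each rule covers a case the others miss, which is the point of running them together rather than choosing one.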

#240 2006-02-10 10:54:57

-P-
Member
From: Finland
Registered: 2005-09-10
Posts: 211

Re: Plug-in: zem_contact_reborn

About what neptho wrote, expanding that thinking we could just give up in general and go back to maintaining static HTML sites with no executable code in them. :)

Okay, it is easy for me to say since I’m not a coder. All I can do is report my experiences. But it seems that since it is more difficult for bots to harvest email addresses for spam purposes on the net, thanks to contact forms and email addresses marked in a way bots can’t understand, spammers are also finding better techniques to achieve their task.

And I want to note again that this is not just a TXP contact form related issue; the same has happened with WordPress, and who knows what has been happening with small stand-alone contact form scripts.

Princessdom is having her contact form back online since this morning. No successful malicious use yet.

Last edited by -P- (2006-02-10 10:57:18)
