Ensuring My Forms Are Spam-Safe
March 31, 2006 4:54 PM   Subscribe

Is the script that powers my contact form spam-safe?

I'm about to start up a semi-commercial web endeavor that will need several contact forms (all directed my way, each with a different purpose). I've been using a very simple .cgi script to power my contact form for quite a while and I've been pleased with it on my personal site. But before I incorporate the script into a commercial site, I want to be sure that it cannot be used to send spam to others.

By what means could I go about testing the script to keep my sites out of the hands of those who would use them for nefarious means?
posted by Dreama to Computers & Internet (12 answers total) 1 user marked this as a favorite
Requiring a CAPTCHA at either registration time or for each post is the only real reliable way to beat automated submissions. And even then processing and OCRing the image can beat them some of the time.
posted by cellphone at 4:57 PM on March 31, 2006

That said, ensuring within the script itself that it can only send mail to one address is another way to lock it down.
posted by cellphone at 4:57 PM on March 31, 2006

Check out NMS FormMail.
posted by kirkaracha at 4:59 PM on March 31, 2006

Another problem that I've run into is that even if it is secure, they'll still try to exploit it, and you'll get a lot of junk from your contact forms. It's so bad, I'm thinking of adding a simple CAPTCHA like cellphone suggests.
posted by smackfu at 5:31 PM on March 31, 2006

I always had a simple contact form that used PHP to e-mail me the contents of a few fields (subject, from, and message body). I always had my e-mail address hard-coded into it, so I knew there was no risk of it being misused for spam, but aside from that didn't do any input validation. Especially in the last year or so the amount of junk that came through it to my e-mail address has been incredible (many messages every day). Most look like it's just automated programs trying to figure out if any exploits work. I haven't had to resort to CAPTCHA yet, but by seriously tightening the input validation, hardly any junk gets through any more.

I check the following things:

- From address is filled out
- From address is a conformant e-mail address
- From address does NOT contain my own domain name
- From address's domain exists (has a DNS MX record)
- Message has been entered
posted by Emanuel at 6:04 PM on March 31, 2006

The other thing I'm now doing is adding the IP address of the sender, and the referrer and user agent headers to the message. Just incase I need that and don't have access to the web server logs.
posted by Emanuel at 6:14 PM on March 31, 2006

As there are an infinite number of ways of coding email scripts, it would be a lot quicker if you showed us the source code.

That said, the simplest way to answer this concern:

I want to be sure that it cannot be used to send spam to others

is to have something like this in the code:

unless(email address you're sending to is at your domain){die}

Then it can only be used to send spam to you.
posted by AmbroseChapel at 6:48 PM on March 31, 2006

You have to check for email header injection in the message subject line and body, too-just hard-coding your own address is insufficient.
posted by evariste at 7:48 PM on March 31, 2006

AFAIK you can't inject e-mail headers using the body field. The subject line, definitely. You have to make sure none of the headers you accept from the user have a newline in them.
posted by kindall at 8:45 PM on March 31, 2006

I'm idly playing with your mailform Dreama, just testing it for various things. But anything I do will be identified by my email and refer to this thread.
posted by AmbroseChapel at 9:02 PM on March 31, 2006

You can in fact inject mime-part headers in contact forms that use php's mail() command. The headers go right through php to postfix, which picks up the headers and sends out the message as a separate email. I imagine that perl/cgi or any other language that interacts in a similar way with the mta would do the same.

Here is a function I use to check for that sort of exploit that you should be easily able to change to suit your purposes.

This is a major problem if your site gets any traffic at all, we regularly get trolled by spam bots testing for this exploit on our clients' forms. We had a form without this checking on it a while back and had all our boxes blacklisted because of it. Nightmare. Good luck, and thanks for being conscientious about this sort of problem.
function feedback_check_exploit($data) {
  $bad_strings = array (

  foreach($bad_strings as $str) {
    if (stristr($data, $str)) {
      watchdog ('user', t('Attempt to relay spam using %str. Field is %data',
        array('str'=>$str, 'data'=>$data)));
      return true;
  return false;

posted by crunchywelch at 11:41 AM on April 1, 2006

I would suggest using an open source form handling script, with the idea that—with more people using it—exploits are likely to be experienced or noticed more quickly than a home-brewed script. I did a fair amount of research into such scripts about six months ago, though avoiding exploits wasn't high on my list of criteria.

In any case, I've been pretty happy using a script called Phorm since. It's written in PHP and it's open source. if you want to get some bonus features, you can register for $10. It has a lot of flexibility, but it's pretty easy to get up and running for simple stuff.
posted by xulu at 2:35 PM on April 1, 2006

« Older Help me find some good narcocorrido music!   |   Need a good answering machine Newer »
This thread is closed to new comments.