Ecommerce Forum

Someone is spamming my order forms
Should I really worry?
Oliver Henniges

 12:40 pm on Aug 22, 2006 (gmt 0)

I have designed some special product category pages, which I think are quite comfortable for my visitors, because you have all the relevant products for a given search plus text fields for invoice and shipping address all on one form.

Now two days ago some idiot from a casino site has begun to insert nonsense into the form fields, which is a little bit annoying, because we have to delete all those orders by hand.

Obviously this guy is doing that by hand, because it amounts in total to about 10 or 20 submissions per day. I do not really worry about his tag-insertions, because I regard the cgi-engine 100% safe.

I might also modify the cgi in order to filter that out, but is that really worth the effort? Has anyone had similar experiences? How long will it take until he gives up?



 1:50 pm on Aug 22, 2006 (gmt 0)

I get exactly the same on a lot of different forms.
You might find that your forms allow spammers to post a CC or BCC field, meaning they can spam to thousands of email addresses from your form - make sure you close those holes! Most of the manual spammers give up when they realise you've closed the holes...

I did use referer checking to make sure form submissions came from the website, but found they don't work for people using Norton and other software that hides the referer etc. - given up on that now.

Also try hiding your contact forms using different URLs, because spammers often use robots / spiders to check for files called contact.php etc. - rename them to something obscure so there's less chance of them being found.

Oliver Henniges

 2:36 pm on Aug 22, 2006 (gmt 0)

Thx so far.

> you might find that your forms allow spammers to post a CC or BCC field

I checked that. No way. All the form does is send an email to me and a second one to another mail account which I need for importing the data. My hosting company does not allow access to the databases from outside, so I have chosen this workaround to get access to the data and import it into my company's billing software.

I will wait a few more days and see what happens. If he doesn't give up I will write an extra include-routine for defining some filters. Might do me some good service in the future.


 2:43 pm on Aug 22, 2006 (gmt 0)

I see this a lot. Require a preview before posting the form and you'll get rid of most of the automated ones.


 3:48 pm on Aug 22, 2006 (gmt 0)

It's most likely a bcc/cc injection attack. If the script is not filtering input, it may be vulnerable.


 4:01 pm on Aug 22, 2006 (gmt 0)

There was a good post on this which I flagged:
Here's how to secure your formmail script from spammers [webmasterworld.com]

Oliver Henniges

 4:18 pm on Aug 22, 2006 (gmt 0)

thx for the link.

Actually I do not send any mails as an automated action based on that form, except - as I said - two mails to my own accounts, the addresses of which are defined by my cgi-script. All I do is store the (customer) mail address in my database for further requests, so I think I don't have to worry about bcc/cc attacks.

I am a bit worried about mysql-injection and that sort of stuff. It is quite some time ago that I wrote that cgi-script. If I remember correctly, this is a question of configuring escape methods of your webserver, isn't it? Are there any ways in which unfiltered storage of post variables can harm one's database or lead to execution of unwanted code?
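The question above (whether unfiltered post variables can harm the database) is answered by how the value reaches the database, not by escaping configured at the web server. The following added example, not code from the thread or from Oliver's cgi-script, shows the difference with Python's built-in sqlite3 module standing in for the real database: a statement built by string concatenation lets the posted value become part of the SQL text (a perfectly legitimate address with an apostrophe in it is already enough to make the database parse the value as SQL), while a parameterised statement sends the value separately so it can only ever be data. The table, the function names and the sample address are all constructed for the example.

```python
import sqlite3


def open_orders_db() -> sqlite3.Connection:
    """In-memory stand-in for the real customer database (constructed for this example)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT NOT NULL)")
    return conn


def store_email_unsafely(conn: sqlite3.Connection, email: str) -> bool:
    """Builds the statement by string concatenation, so the posted value becomes
    part of the SQL text itself. Returns False if the database rejects the statement."""
    try:
        conn.execute(f"INSERT INTO customers (email) VALUES ('{email}')")
        return True
    except sqlite3.Error:
        # The value was parsed as SQL, not stored as data: that is the injection hazard.
        return False


def store_email_safely(conn: sqlite3.Connection, email: str) -> bool:
    """Parameterised statement: the value travels separately from the SQL text,
    so whatever characters it contains are stored verbatim and never parsed as SQL."""
    try:
        conn.execute("INSERT INTO customers (email) VALUES (?)", (email,))
        return True
    except sqlite3.Error:
        return False


def stored_emails(conn: sqlite3.Connection) -> list:
    """All stored addresses in insertion order."""
    return [row[0] for row in conn.execute("SELECT email FROM customers ORDER BY id")]


if __name__ == "__main__":
    conn = open_orders_db()
    sample = "o'brien@example.com"  # constructed: a legitimate value containing a quote
    print("unsafe insert accepted:", store_email_unsafely(conn, sample))
    print("safe insert accepted:  ", store_email_safely(conn, sample))
    print("stored:", stored_emails(conn))
```

The same principle applies to MySQL from PHP: use prepared statements with bound parameters rather than relying on magic-quotes-style escaping at the web server, which only covers some characters and can be switched off by configuration.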


 4:47 pm on Aug 22, 2006 (gmt 0)

Is ANY part of the form that is submitted used in the two emails that are sent out when it is submitted?

Are ALL of the email headers hardcoded in your script or are some of them passed to the script via the form?

For example, if the subject line is passed via the form (such as via a hidden input, etc.), a carefully placed newline character could allow the spammer to add a bcc/cc field and you would have no idea on your end.

Oliver Henniges

 6:07 pm on Aug 22, 2006 (gmt 0)

The mail headers (except 'from' and 'reply to') are completely defined by my cgi-script. There is a check whether the potential customer mail address is valid, and if it is, it is inserted as the from- and reply-to-header variable.

The rest of the post variables are stored into my database and connected to a text string covering the mere content of the two mails.

Oliver Henniges

 6:33 pm on Aug 22, 2006 (gmt 0)

Just checked that \bcc: trick given in bnhall's source with another one of my mail-accounts as the second address. First of all I use this

// eregi() was removed in PHP 7; the same check with preg_match().
// The pattern itself is unchanged. The 'i' flag replaces eregi's case-insensitivity,
// and the 'D' flag makes '$' match only at the very end of the string, not before a
// trailing newline, so a value ending in a line break is rejected too.
$email  = $mypostvariables['E_MAIL'];
$regexp = '/^([_a-z0-9-]+)(\.[_a-z0-9-]+)*@([a-z0-9-]+)(\.[a-z0-9-]+)*(\.[a-z]{2,4})$/iD';
$valid  = preg_match($regexp, $email) ? 1 : 0;

piece of PHP code in order to check whether the mail address is valid. By this code the inserted address was filtered out as invalid. I received only one mail as normal, none by the second mail account, and the from-field was left empty due to the status of the $valid-variable.

Secondly, the '\bcc:'-sequence was correctly escaped as '\\bcc:' by the regular post-variables-treatment of my webserver, as the text-body of the mail revealed. I still think I'm on the safe side regarding bcc attacks. Thanks a lot for your contributions, again I learned something important at WW.
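Two points in this thread are worth seeing side by side: the newline-in-a-header-field problem described in the 4:47 pm reply, and the address check Oliver posted above. The following added example (not code from the thread; the header-builder functions, the sample addresses and the sample subject are constructed for it) carries Oliver's pattern over into Python unchanged and puts the one check that actually stops header injection next to it: a header value must be a single line, so any carriage return, line feed or NUL in a form value is grounds to reject the submission. The naive builder is kept only as the test vector that shows what the check is there to catch.

```python
import re
from typing import Optional

# The address pattern posted in the thread, carried over into Python unchanged.
EMAIL_PATTERN = re.compile(
    r"([_a-z0-9-]+)(\.[_a-z0-9-]+)*@([a-z0-9-]+)(\.[a-z0-9-]+)*(\.[a-z]{2,4})",
    re.IGNORECASE,
)

# A mail header value is a single line: a carriage return, line feed or NUL
# inside it is what lets a form field grow into an extra header.
HEADER_BREAK = re.compile(r"[\r\n\x00]")


def is_valid_email(addr: str) -> bool:
    """True only if the whole string matches the thread's pattern.

    fullmatch() has no trailing-newline exception, unlike a bare '$' in
    many regex engines, so 'a@b.com' followed by a newline is rejected."""
    return EMAIL_PATTERN.fullmatch(addr) is not None


def has_header_injection(value: str) -> bool:
    """Detect a form value that would end one header line and start another."""
    return HEADER_BREAK.search(value) is not None


def build_headers_naively(from_addr: str, subject: str) -> str:
    """The weakness the thread describes: form values are glued into the
    header block without any line-break check."""
    return f"From: {from_addr}\r\nSubject: {subject}\r\n"


def build_headers_safely(from_addr: str, subject: str) -> Optional[str]:
    """Hardened builder: returns None (reject the submission) if any header
    value contains a line break. An address that fails the pattern is dropped,
    which is the behaviour Oliver reports for his $valid flag."""
    if has_header_injection(from_addr) or has_header_injection(subject):
        return None
    if not is_valid_email(from_addr):
        from_addr = ""
    return f"From: {from_addr}\r\nSubject: {subject}\r\n"


def header_lines_named(header_block: str, name: str) -> int:
    """Count header lines called `name` (case-insensitive), splitting on CRLF
    or a bare LF so a sneaked-in bare newline is counted as well."""
    prefix = name.lower() + ":"
    return sum(1 for line in re.split(r"\r?\n", header_block)
               if line.lower().startswith(prefix))


if __name__ == "__main__":
    # Constructed sample submissions (not from the thread).
    clean_subject = "Order no. 17"
    broken_subject = "Order no. 17\r\nBcc: someone-else@example.com"
    naive = build_headers_naively("customer@example.com", broken_subject)
    print("bcc lines in naive block:", header_lines_named(naive, "bcc"))
    print("safe builder on broken subject:", build_headers_safely("customer@example.com", broken_subject))
    print("safe builder on clean subject:", repr(build_headers_safely("customer@example.com", clean_subject)))
```

The line-break check is the one that matters: it is independent of the address pattern, so it also protects a Subject or Name field that the pattern never sees, and it should run on every form value that ends up in a header, whatever else the script does with it.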

Oliver Henniges

 6:48 pm on Aug 22, 2006 (gmt 0)

> Require a preview before posting the form

Some people say you lose 60% of customers with any such action. The main idea behind this type of page is to enable my visitors to order directly from the landing page. No login procedure, no preview, just order. I'm quite satisfied with the success.


 12:16 am on Aug 23, 2006 (gmt 0)

>> some people say you lose 60% of customers with any such action

It's not unlikely you'd lose some, but if couched in a way that seems to be helpful to the customer - like "please check your order to be sure details are correct" or some such - you're likely to lose less. Still, for conversion's sake, no preview would be better.

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
Home ¦ Free Tools ¦ Terms of Service ¦ Privacy Policy ¦ Report Problem ¦ About ¦ Library ¦ Newsletter
WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved