Perl Server Side CGI Scripting: Modifying NMS FormMail to deny submissions with URL links


patb - 1:29 pm on May 3, 2012 (gmt 0)


I think we are getting there. Thanks so much for your guidance Rocknbill. Your technique to print out the contents of variables as explained on that other thread [webmasterworld.com] was a great way to analyse what was going on.

At about (my) line 2287, there is a 'sub parse_form' which leads to either 'sub parse_config_form_input' or 'sub parse_nonconfig_form_input'. It is at the latter point that the code (either my simple version or Rocknbill's) works for me. So the complete edited code at about (my) line 2404 (with the added lines marked "phb anti-spam hack V2") is as follows:

sub parse_nonconfig_form_input {
    my ($self, $name) = @_;

    my @vals = map {$self->strip_nonprint($_)} $self->cgi_object->param($name);
    my $key = $self->strip_nonprint($name);
    $self->{Form}{$key} = join $self->{CFG}{join_string}, @vals;
    push @{ $self->{Field_Order} }, $key;

    # phb anti-spam hack V2
    # Each entry is tried as a case-insensitive regex against the joined field value.
    # \s* and .* allow optional whitespace/attributes; with a bare \s or . (as in the
    # posted version) exactly one such character would have been required, so
    # "[URL]" or "<a href=...>" would not have matched.
    my @bad_patterns = (
        'bcc\s*:',                    ## multipart or mail header injection attempts
        'to\s*:',
        '\[\s*URL.*\]',               ## BB code style attempts
        '\[\s*LINK.*\]',
        '\%5B\s*URL.*(\%5D)',         ## same, URL-encoded (CGI.pm has already decoded
        '\%5B\s*LINK.*(\%5D)',        ## the field, so these only catch double-encoding)
        '\[\s*a\s+href.*\]',
        '\%5B\s*a\s+href.*(\%5D)',    ## closing bracket is %5D (posted version had %5B)
        '\<\s*a\s+href.*\>',
        '\%3C\s*a\s+href.*(\%3E)',
        # 'example.com',
        'viagra',
        'http',
        'male\s+enhance'
    );
    my $spam = 0;
    foreach my $pattern (@bad_patterns) {
        if ($self->{Form}{$key} =~ /$pattern/i) {
            $spam = 1;
            # to do: we now need to log the suspected spam
            print "content-type: text/html\n\n";
            print 'Program error. Your message was not sent. Please contact us by email or phone. <br><br>Press your browser&apos;s &quot;Back&quot; button to continue.<br><br>';
            exit 0;
        } # end if
    } # end @bad_patterns
    # end phb anti-spam hack V2
}


This is still probably a bit rough but it does identify spam, send the printed message to the sender, and decline to submit the form if suspected spam is detected.

It might be necessary to apply the same technique under the 'sub parse_config_form_input' or refine the code but in my local testing that sub seems to be bypassed in all cases. I'm not knowledgeable enough to see what the distinction is between the two subs.

Any further comments would of course be welcome but I am happy with this. Thanks again.

Cheers, Pat.
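As an added illustration (not code from the post above or from NMS FormMail), the same pattern check written as a stand-alone Perl script. Instead of exiting on the first hit it returns the name of the rule that matched, which is what the "to do: log the suspected spam" step needs. The rule names, the log file path and the sample field values are all made up for the example, and the bare 'http' rule is narrowed to `https?://` so that only actual links fire it.

```perl
#!/usr/bin/perl
# Added example (not from NMS FormMail or the post above): a self-contained
# version of the field check that reports which rule fired so the rejection
# can be logged before the error page is sent.
use strict;
use warnings;

# Ordered list of [rule name, compiled regex]. Names exist only for the log.
my @RULES = (
    [ 'header-injection-bcc', qr/\bbcc\s*:/i ],
    [ 'header-injection-to',  qr/\bto\s*:/i ],
    [ 'bbcode-url',           qr/\[\s*url\b[^\]]*\]/i ],
    [ 'bbcode-link',          qr/\[\s*link\b[^\]]*\]/i ],
    [ 'bbcode-url-encoded',   qr/%5b\s*url\b.*?%5d/i ],   # double-encoded input only
    [ 'html-anchor',          qr/<\s*a\s+href\b/i ],
    [ 'html-anchor-encoded',  qr/%3c\s*a\s+href\b/i ],
    [ 'bare-url',             qr/\bhttps?:\/\//i ],       # narrower than plain 'http'
    [ 'pharma',               qr/\bviagra\b/i ],
    [ 'pharma-phrase',        qr/\bmale\s+enhance/i ],
);

# Returns the name of the first rule that matches $value, or undef if clean.
sub spam_rule_for {
    my ($value) = @_;
    return undef unless defined $value;
    for my $rule (@RULES) {
        my ($name, $re) = @$rule;
        return $name if $value =~ $re;
    }
    return undef;
}

# Appends one line per rejected submission. $logfile is a placeholder path;
# in a real deployment it would live outside the web root.
sub log_rejection {
    my ($logfile, $field, $rule, $value) = @_;
    my $snippet = substr($value, 0, 80);
    $snippet =~ s/[\r\n]+/ /g;        # keep the log one line per event
    my $remote = defined $ENV{REMOTE_ADDR} ? $ENV{REMOTE_ADDR} : 'unknown';
    open my $fh, '>>', $logfile or return 0;
    printf $fh "%s remote=%s field=%s rule=%s value=%s\n",
        scalar(gmtime), $remote, $field, $rule, $snippet;
    close $fh;
    return 1;
}

# Constructed sample field values, as a form post might contain them.
my %form = (
    name    => 'Pat',
    message => 'Please call me back about the quote, thanks.',
    comment => 'Great site! [url=example.invalid]cheap pills[/url]',
    subject => "Hello\nbcc: someone\@example.invalid",
);

for my $field (sort keys %form) {
    my $rule = spam_rule_for($form{$field});
    if (defined $rule) {
        log_rejection('/path/to/formmail-rejects.log', $field, $rule, $form{$field});
        print "$field: rejected ($rule)\n";
    } else {
        print "$field: ok\n";
    }
}
```

Inside FormMail the value to pass to `spam_rule_for` would be the joined `$self->{Form}{$key}`, with the existing error page printed only when a rule name comes back. Note that `to\s*:` will also fire on harmless text such as "Reply to: ...", so it is worth watching the rule names in the log for false positives before treating every hit as a hard reject.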


Thread source: http://www.webmasterworld.com/perl/4447902.htm
Brought to you by WebmasterWorld: http://www.webmasterworld.com