The enquiry page is php driven and parses the form when submitted back to the same page and sends mail.
I have a validation script which works to ensure there is a valid email and name in the form.
we started off recieving about 600 emails a day from the site.
I change the variable Action=post to action=somethingelse to see if this stopped the emials being sent. This didnt work. the next thing we tried was to make the action to post lookup a variable in a key table to stop them being sent and again this didnt work.
I then gave up and changed the email method from php mail to a cgi script provided by our web server.
this stopped the emails for one day and then this morining again i got a load of blank emails
does this sound malicious???
Q. Do your logfiles give you any idea if there is a relationship between the blank emails and requests for the page? When *you* use the form on the live site does it work as it's supposed to?
This should give you some idea if the page is hit and generates email(s) every time. If one hit = one email then there is a problem with blank input, however if one hit = multiple emails then the fault may be something to do with a loop in the code or a problem with the mailserver.
The live machine test is vital because any other machine cannot be guaranteed to have the same configuration, if this test works then the fault lies outside of expected operation, if it fails you have found your bug.
Q. Is the form only accepting input via the POST method?
If not potentially it could just be being picked up by SE spiders and other crawlers who are triggering it.
Q. Have you checked the email code to ensure that it cannot send the type of email you are seeing? In other words if someone fed the form blank data would it send a blank email, or are there checks to stop this on the server side?
If you are relying on purely client side validation then potentially blank data could be passed through.
- Tony
I am just wondering, you say that when the form is submitted it goes elsewhere to be validated and then it goes back to itself and then sends the mail.
If this is the case it might be that your send email line or function is being executes every time someone hits the page. If the validation is done elsewhere and then it is sent from the form page. If, in this case, someone hits the page and it is falling through into the mail function the validation will never be done.
I would (if I am understanding correctly) move the mail function or line into the validation script and not on the same page as the form. Then you can be sure that it is only submitted when the submit button is hit and the mailing part is protected by the validation stuff.
