Don't send to addresses in the database that don't have the flag set.
...i don't know why people take the time to fill forms out with nonsense...
Get ready to have your sanitize routines tested. These are spammers "tasting" your form processor to see if a) it sends them an autoresponder with a valid email address, and b) to see if it will go through.
The next step is they point their robots at it and begin hammering you with link spam.
In case a, I always recommend that any form mailer autoresponder gets a "no-reply" address assigned to the "from" field. Otherwise, they submit garbage just to collect the valid email in the "from" field. Yours is just one more email they throw on the stack of addresses to spam directly, so it doesn't matter what you do with your form.
For legitimate customers, you simply reply to your copy of the mailer. The customer now has a direct contact to you.
If you set up a "no-reply" mailbox, DO NOT have it send out an autoresponder. No exceptions. What would happen next is they begin hammering that address with spam. It comes FROM "real-intended-recipient@example.com", hits your no-reply, which responds with an email, and bounces back to "real-intended-recipient@example.com" - from no-reply@yourdomain.com. Not good. Simply have the no-reply mailbox refuse to accept emails. You know no one else will be hitting it.
In case b, what I meant by having your sanitize routines tested: it is **ALWAYS** said that good programming accepts only what you want and disallows everything else. But in the case of spam, it's really hard to "disallow" because legitimate emails are composed of the exact same characters as spammers use. So you have to do some sort of filtering, basically breaking this rule.
Understanding your opponent is a good approach to this. They are driven by successful delivery of many types of content, and one of them is spam links. A starting list should be something like this:
'b*cc\s*:'
If newlines are properly stripped, this shouldn't get through, but you want to stop the attempt anyway. This reflects an attempt to malform your mail headers to create a BCC or CC field in which they dump thousands of email addresses. If successful, you get one email; AOL gets 1000. And AOL bans any email from you.
'to\s*:'
As above, you already have a "to"; there is no legitimate reason for a "to" followed by a ":" (yes, I can think of exceptions; they would be rare).
'content\-type'
Attempt to add a content-type or multipart email to your innocent form, basically tagging their email behind yours as a second email or, worse, attaching malicious files.
The following are all common link spam attacks, in both standard, BB-style, and encoded versions. Unless you have a specific reason to allow any HTML in your forms, they have no place being here. Unless it's a link request form, add to this list 'https*\s*:\s*\/\/' - without it, people can still send links, but they won't be formal HTML links.
'\[\s*URL.*\]*'
'\[\s*LINK.*\]*'
'\%5B\s*URL.*(\%5D)*'
'\%5B\s*LINK.*(\%5D)*'
'\[\s*a\s*href.*\]*'
'\%5B\s*a\s*href.*(\%5D)*'
'\<\s*a\s*href.*\>*'
'\%3C\s*a\s*href.*(\%3E)*'
Another common attack: "anything"@yourdomain.com. There is only one valid usage (most of the time) for anyone in your organization to use the form to send an email: testing. Once tested, only a spammer will submit the form using @yourdomain.com as the from. This will stop this type of attack:
'yourdomain.com'
Add to it any words you think are indicative of spam:
'viagra'
'pharm'
'male\s+enhance'
If any of the above are found, exit the script immediately with a "no email was sent" message. Don't be cute or smart-alec, spammers can be vicious.
The garbage characters are a welcoming committee; take heed and secure your scripts. :-)
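As an added illustration (this is not code from the post or from any particular form mailer), here is a Python sketch of a form handler that applies the approach above: header-bound values are stripped of CR/LF, every submitted field is then checked against the pattern list (plus the site's own domain, the post's 'yourdomain.com'), any hit refuses the submission before a message is built, and the outgoing "From" is always the no-reply address. The domain, mailbox names and form submissions are constructed placeholders.

```python
import re
from email.message import EmailMessage

# Blocklist from the post, compiled case-insensitively. The bare-URL entry is
# only appropriate when the form is not meant to accept links at all.
SPAM_PATTERNS = [
    r'b*cc\s*:',                   # header injection: Bcc:/Cc:
    r'to\s*:',                     # header injection: To:
    r'content\-type',              # smuggling extra MIME parts / attachments
    r'\[\s*URL.*\]*',              # BB-style links
    r'\[\s*LINK.*\]*',
    r'\%5B\s*URL.*(\%5D)*',        # URL-encoded BB-style links
    r'\%5B\s*LINK.*(\%5D)*',
    r'\[\s*a\s*href.*\]*',         # HTML anchors in square brackets
    r'\%5B\s*a\s*href.*(\%5D)*',
    r'\<\s*a\s*href.*\>*',         # plain HTML anchors
    r'\%3C\s*a\s*href.*(\%3E)*',   # URL-encoded HTML anchors
    r'https*\s*:\s*\/\/',          # any URL (drop for a link-request form)
    r'viagra',                     # spam vocabulary
    r'pharm',
    r'male\s+enhance',
]
_COMPILED = [(p, re.compile(p, re.IGNORECASE)) for p in SPAM_PATTERNS]


def strip_header_chars(value: str) -> str:
    """Remove CR, LF and NUL from a value that will land in a mail header.
    A newline in From/Subject is what turns an injected 'Bcc:' into a real header."""
    return re.sub(r'[\r\n\x00]', '', value)


def find_spam_matches(fields: dict, own_domain: str) -> list:
    """Return every blocklist entry matched in any submitted field, in list order.
    own_domain is the site's own mail domain; nobody legitimate submits from it."""
    checks = _COMPILED + [
        (own_domain, re.compile(re.escape(own_domain), re.IGNORECASE))
    ]
    hits = []
    for value in fields.values():
        for label, rx in checks:
            if label not in hits and rx.search(value):
                hits.append(label)
    return hits


def build_message(fields: dict, own_domain: str, to_addr: str, noreply_from: str):
    """Build the mail the form would send, or return None when it must be refused.
    'From' is always the no-reply address; the visitor's address goes in the body,
    so a legitimate contact is answered by replying to your own copy."""
    cleaned = {k: strip_header_chars(v) for k, v in fields.items()}
    if find_spam_matches(cleaned, own_domain):
        return None  # caller prints "no email was sent" and exits
    msg = EmailMessage()
    msg['From'] = noreply_from
    msg['To'] = to_addr
    msg['Subject'] = 'Website contact form'
    msg.set_content(
        f"Name: {cleaned.get('name', '')}\n"
        f"Email: {cleaned.get('email', '')}\n\n"
        f"{cleaned.get('message', '')}\n"
    )
    return msg


if __name__ == '__main__':
    # Constructed sample submissions (placeholder domain yourdomain.example).
    legit = {'name': 'Jane Doe', 'email': 'jane@example.org',
             'message': "Hello, I'd like a quote for 20 units."}
    injected = {'name': 'x', 'email': 'victim@example.net\r\nBcc: harvest@example.com',
                'message': 'hi'}
    print(find_spam_matches(legit, 'yourdomain.example'))                 # []
    print(find_spam_matches(
        {k: strip_header_chars(v) for k, v in injected.items()},
        'yourdomain.example'))                                            # ['b*cc\\s*:']
    print(build_message(legit, 'yourdomain.example',
                        'sales@yourdomain.example',
                        'no-reply@yourdomain.example')['From'])           # no-reply@yourdomain.example
```

Note that stripping newlines first and still matching on 'bcc:' is deliberate: the injection can no longer become a header, but, as the post says, the attempt itself is reason enough to refuse the submission.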