
formmail spam to my email but not customers

formmail spam emails

         

titangrad

6:50 am on Dec 31, 2007 (gmt 0)

10+ Year Member



I'm hoping there's a simple solution -- if it's already elsewhere on this forum I couldn't find it through search, or via Google. My problem is that our web feedback form results in dozens of spam-like returns to my email, presumably from the same offender. To my knowledge, at least nobody is using my email to send out spam... but I keep getting similar form results in my email, clearly from our feedback form.

I removed the two offending pages (the feedback form itself as well as the results page which listed my email address, yes we're dummies) then used a totally different script with better security, including a requirement for the user to correctly answer a question, plus the PHP now calls on nondescript auxiliary files in nondescript folders (none of which have names like "mail" or "feedback").

But I'm still getting these bogus emails. Have I missed something somewhere or do I need to blow up the original email address to throw them off the trail? Thanks for your help.

-keith

eelixduppy

9:02 am on Dec 31, 2007 (gmt 0)



Welcome to WebmasterWorld!

Here's a recent thread on the issue: [webmasterworld.com...]

Are you sure that the emails are coming from your form? If you had the emails listed maybe the spam is coming from another source? Check up on the info provided in the link above; it should give you some good ideas on how to protect your form from abuse.

PHP_Chimp

11:54 am on Dec 31, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Unfortunately, once your email address has been picked up by spam bots it is very difficult to get rid of all of the spam. Of course you can kill the address, but then what if customers have that address? When their email comes back as 'returned: mailbox unavailable' some of them will just go to another company.

The cookie idea is great, however not everyone accepts cookies. So you need a backup plan for those people that don't want your cookies (or you need to set up your P3P policy so that IE doesn't complain at all, then 75% of the world will not know that you are setting cookies on their machine ;))

You could set up some form of filtering for your email on that address. You could then use the form on your site to add additional headers to the mail [uk3.php.net]. You could then check these headers and if they are not present junk the email.
What sort of additional headers you would be able to use and check depends on what email program you are using. Having a header along the lines of X-time: time() is quite good, as then you may be able to set up a filter to only allow mails that have been sent within the past 1 hour or so.
Assuming that the mail is sent from your site to you then it would be difficult for people to inject their own custom headers into this script, unless you allow them to put a Reply-To: header in (I can't think of any other reason why you would give them access, but there may be).
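
The header approach described in the post above, sketched as an added example (not code from the thread): the form side adds an `X-time` header and refuses Reply-To values that could inject extra headers, and a receiving-side filter accepts only mail carrying a fresh `X-time`. The function names, the `example.*` addresses and the `MAX_AGE` constant are assumptions.

```php
<?php
// Added example. Names and addresses here are hypothetical.
const MAX_AGE = 3600; // "sent within the past 1 hour or so"

// Return a Reply-To value that is safe to place in a header, or null.
// CR, LF or NUL in the value would let a visitor start a new header line.
function safe_reply_to(string $addr): ?string {
    if (preg_match('/[\r\n\0]/', $addr)) {
        return null; // check before trim(), which would hide a trailing CRLF
    }
    $addr = filter_var(trim($addr), FILTER_VALIDATE_EMAIL);
    return $addr === false ? null : $addr;
}

// Form side: build the additional headers passed as the 4th argument of
// mail($to, $subject, $body, $headers). Returns null if the input is unsafe.
function build_headers(string $visitorEmail, int $now): ?string {
    $replyTo = safe_reply_to($visitorEmail);
    if ($replyTo === null) {
        return null;
    }
    return implode("\r\n", [
        'From: webform@example.com',
        'Reply-To: ' . $replyTo,
        'X-time: ' . $now,
    ]);
}

// Filter side: keep a message only if X-time is present and recent.
function accept_message(string $rawHeaders, int $now): bool {
    if (!preg_match('/^X-time:[ \t]*(\d{1,10})\r?$/mi', $rawHeaders, $m)) {
        return false; // header missing or malformed: junk it
    }
    $age = $now - (int) $m[1];
    return $age >= 0 && $age <= MAX_AGE;
}

// Constructed inputs, so the script runs offline without sending mail.
$now = 1199084400; // constructed timestamp
var_dump(build_headers('visitor@example.org', $now));                    // normal visitor
var_dump(build_headers("a@example.org\r\nBcc: x@example.net", $now));    // header injection attempt
var_dump(accept_message("From: webform@example.com\r\nX-time: " . ($now - 120), $now)); // recent form mail
var_dump(accept_message("From: someone@example.net\r\nSubject: hi", $now));              // no X-time header
var_dump(accept_message('X-time: ' . ($now - 7200), $now));                               // stale timestamp
```

A bare timestamp only marks mail as coming through the form; anyone who learns the header name can add it, so it works as a filter hint rather than as authentication.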

titangrad

6:29 pm on Dec 31, 2007 (gmt 0)

10+ Year Member



Good posts. Thanks for the input. I found another version of my results page (not currently linked, but still on the server) so I whacked that last night and didn't get more spam since, so maybe that solves the problem for the time being?

I'm pretty confident the new version of the form won't have this problem, and if it does I'm using an email address I can easily kill without losing customers. Happy New Year!

-keith