[thelist] are bots submitting my form?

Kasimir K evolt at kasimir-k.fi
Fri Jan 13 09:34:07 CST 2006


Casey wrote on 2006-01-12 17:38:
> Yes, it's a good chance bots are submitting your form.  What you are seeing 
> is not at all unusual, and as I understand it, they are hoping to discover 
> the email address to which the form content is being sent.  Once they have 
> the email address, of course, they can sell it to spammers.

Over the last couple of months there's been (or was) a wave of contact form 
bot attacks - the purpose is not to discover any email addresses, but to do 
header injection in order to Bcc: spam.

There's been some discussion on the list on this issue, check out these 
threads for more:
http://lists.evolt.org/archive/Week-of-Mon-20050905/175573.html
http://lists.evolt.org/archive/Week-of-Mon-20051107/177540.html
http://lists.evolt.org/archive/Week-of-Mon-20051114/177806.html
http://lists.evolt.org/archive/Week-of-Mon-20051128/178120.html

Have a look also at:
http://www.nyphp.org/phundamentals/email_header_injection.php

> The best way I know of to stop this is to use a required field which asks 
> the user to enter the contents of an ... image with a distorted word in it 

This is called CAPTCHA ("completely automated public Turing test to tell 
computers and humans apart"), and it actually is not such a good idea.
http://www.w3.org/TR/turingtest/

> From: <liz at zolabola.com>
> Sent: Thursday, January 12, 2006 9:10 AM
>> But the darn form keeps coming in completely empty!!!  

So it seems that your form is not a victim of this injection attack 
after all - the messages wouldn't be empty. As others have said, your 
problem lies in using only JavaScript for validation (which is a bad idea).

.k
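
Added example, not part of the original message: a server-side check covering both points above, rejecting empty submissions that bypassed the JavaScript validation and refusing CR/LF in any form value that ends up in a mail header. The thread does not say what language the form handler uses; Python, the field names and the example.org addresses are assumptions.

```python
import re
from email.message import EmailMessage

# Fields whose values end up in mail headers (field names are assumptions).
HEADER_FIELDS = ("name", "email", "subject")
REQUIRED_FIELDS = ("email", "message")
# CR, LF and other control characters have no place in a single header value.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")
SIMPLE_EMAIL = re.compile(r"^[^@\s<>,;:]+@[^@\s<>,;:]+\.[^@\s<>,;:]+$")


def validate_contact_form(form):
    """Return a list of error strings; an empty list means the form is acceptable."""
    errors = []
    for field in REQUIRED_FIELDS:
        if not form.get(field, "").strip():
            errors.append(f"{field}: required")
    for field in HEADER_FIELDS:
        if CONTROL_CHARS.search(form.get(field, "")):
            errors.append(f"{field}: control characters not allowed")
    email = form.get("email", "").strip()
    if email and not SIMPLE_EMAIL.match(email):
        errors.append("email: not a single address")
    return errors


def build_message(form, recipient="webmaster@example.org"):
    """Build the outgoing mail, or raise ValueError if validation fails."""
    errors = validate_contact_form(form)
    if errors:
        raise ValueError("; ".join(errors))
    msg = EmailMessage()
    msg["To"] = recipient              # fixed server-side, never taken from the form
    msg["From"] = "form@example.org"   # fixed too; the visitor goes in Reply-To
    msg["Reply-To"] = form["email"].strip()
    msg["Subject"] = "Contact form: " + form.get("subject", "").strip()
    msg.set_content(form["message"])
    return msg


# Constructed sample submissions.
EMPTY = {"name": "", "email": "", "subject": "", "message": ""}
INJECTED = {"name": "x", "email": "a@example.com\r\nBcc: list@example.net",
            "subject": "hi", "message": "text"}
GOOD = {"name": "Liz", "email": "liz@example.com", "subject": "Hello",
        "message": "Line one\nLine two"}
```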


