My contact PHP page used for spam

Hi, I subscribed some weeks ago (5 or 6) to a domain host at www.ionos.fr . I created 3 subdomains: one for the catalogues of the stove brands I represent, another one for possibly other brands (not used yet), and a third I will use for my software developed under Xojo (I currently distribute it on my personal website). There is actually nothing there yet, as I haven’t written it.
I gave my website address https://toroco.fr only to my customers.
I created a PHP contact page; you can access it by clicking “Formulaire de contact” at the bottom of my page. This page sends an email to me. If you click “Formulaire de contact vierge” you can send an email to whoever you want. I don’t know PHP; I learned a little creating this SendEmailPage by looking at examples on the web. I kept this possibility to send to whoever I want for my tests; I didn’t think someone would use it. But I had the good idea to put myself in copy, just in case.
For 5 days I have been receiving this kind of email:

Name : CrytoTafTaf
Email : sindrawis@gmail.com
Message:
Everyone can earn as much as they want now. https://Dige.seamonkey.es/gotodate/go


Email sent from the page Formulaire d'envoi d'email de Toroco

Are there bots which scan the web searching for those contact pages? Or is it a human who uses it?
I’m afraid of seeing my email blacklisted as a spammer; could that be the case?
If I try to add some JavaScript to check that a human sends the email, something like “What’s the result of 3 + 5?”, will that solve the problem?
Thank you.

Absolutely.
Get these all the time.
Some of them even go so far as to say ‘hey… we know how to use these contact forms to SPAM a load of people, so get in touch if you want to be a nuisance too’

Annoyingly, I often DON’T receive the messages from real people… :frowning:


It isn’t personal; they’re just bots crawling and scanning for forms. You can start by adding a captcha (for example reCAPTCHA).

They can normally bypass “What’s the result of 3 + 5” kinds of fields.


Yes, your contact page can easily be exploited by bots, and these bots exist.

An easy trick is to have an extra empty field which is not visible to the user (CSS visibility set to hidden).

If that field contains text, it’s certainly spam.


I ended up removing our contact-us form because, like Jeff, I got so much spam (even with a captcha) that it became too expensive to deal with. I found I could defeat them for a short period of time, but then after about 6 months they’d find a way around it.

Thank you all. reCAPTCHA is a solution, but I will have to understand how it works and, as I said, I’m a hobbyist; developing with Xojo is difficult enough and I only do very basic PHP and JavaScript.
Christian’s idea is simple and gave me another idea. Instead of putting a TextField which should contain the result of A + B, what about putting a picture which tells the user to enter some text in a field? If this field does not contain the text, and if the hidden TextField is not empty, then don’t send the email and show an alert “your email has not been sent”. I may change this picture (and thus the sentence) from time to time.

I must not write the result of the sentence image in the JavaScript as it is readable; I have to put it in a PHP variable. I’m looking for how to pass a PHP variable into a JavaScript variable.

The captcha is annoying.
We have a field which must be sent empty.
We also have a field which gets set in JavaScript, and bots don’t do that.

So if the fields are not correct, it shows an error for a human, but the bot won’t see it.


I just uploaded what I wanted to do. The user has to enter the sentence in the picture; if it is not correct, then I fill the hidden TextField (Christian’s idea). If this field is not empty (wrong sentence, or the bot filled it), then I display the error page.
Wait and see if I continue to receive spam.
I can share my code if someone is interested, but don’t laugh at me: I know neither PHP nor JavaScript, I just search for examples on the web. I had to search how to set a CSS rule to make something invisible :wink: .

My page SCphpSendEmail.php :

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<link rel="shortcut icon" type="image/png" href="images/trcb_transp64.png" />
<link rel="apple-touch-icon" type="image/png" href="images/trcb_blanc160.png" />
<title>Formulaire d'envoi d'email de Toroco</title>
<link href="Zz_CSS/mef_page.css" rel="stylesheet" type="text/css" />
<script type="text/javascript" src="Comparateur/mesfonctionsjs.js"></script>
<script type="text/javascript">
// Type here what I put in the 880 x 44 image, in Menlo 14.
// Caveat: this echo puts the control phrase in clear in the page source, where a bot can read it.
var TpCtrlHum = "<?php echo ("Phrase de controle Hum2") ?>";

function Btn_EnvEmail() {
	var DrapOk = (document.FormEnvEmail.Inp_CtrlHumA.value == TpCtrlHum);
	if (!DrapOk) { // Only show the "email not sent" error page, nothing more: nobody is supposed to use this page directly anyway
		// alert("Your sentence is copied wrong!");
		document.FormEnvEmail.Inp_CtrlHumB.value = "ErrPhrase"; // Or anything else, as long as it is not empty ''
	// } else {
		// alert("Sending the email.");
		// document.FormEnvEmail.Inp_CtrlHumB.value keeps its value
	}
	document.FormEnvEmail.submit(); // Submitted in both cases; the PHP side decides whether to send
	return DrapOk;
}
</script>
</head>

<body>
<?php
// I read that this PHP script had better sit at the root of the Free site
// http://www.phpjabbers.com/make-contact-form-and-send-email-in-php-php21.html
// http://les.pages.perso.chez.free.fr/l-art-d-envoyer-des-mails-depuis-les-pp-de-free.io
// https://openclassrooms.com/forum/sujet/envoyer-un-e-mail-php-hebergeur-free-23799 (for ini_set )
// str_replace ( mixed $search , mixed $replace , mixed $subject [, int &$count ] )

// Anything that goes into a mail header must stay on one line: a CR or LF in a value taken from
// the form would let the sender append headers of their own (an extra Bcc:, To:, ...).
function SansRetourLigne($Valeur) {
	return preg_replace("/[\r\n]+/", "", trim($Valeur));
}

$AdminEmail = "thomas@toroco.fr"; // MUST be the account of the site used, from what I read about the PHP mail function at Free
$AdmEmailA = "tom.25@free.fr"; // Only used to check whether I must put myself in copy
$AdmEmailB = "th.rob@orange.fr"; // Only used to check whether I must put myself in copy
// Recipient, sender and Bcc all come from the POST body, so anyone who can post to this page can make
// the server send mail to any address (the "Formulaire de contact vierge" link depends on that).
// "?? ''" (PHP 7+) avoids an undefined-index notice when a field is missing from the request.
$V_DestMail = SansRetourLigne(str_replace(":@NoSpam.z:", "@", $_POST["Inp_DestMail"] ?? ""));
$V_UserExpEmail = SansRetourLigne(str_replace(":@NoSpam.z:", "@", $_POST["Inp_UserExpEmail"] ?? ""));
$V_BccMail = SansRetourLigne(str_replace(":@NoSpam.z:", "@", $_POST["Inp_BccMail"] ?? ""));
$V_UserNom = $_POST["Inp_UserNom"] ?? "";
$V_SujetEmail = SansRetourLigne($_POST["Inp_SujetEmail"] ?? ""); // The subject is a header too
// $V_CorpsMess = $_POST["Inp_CorpsMess"];
$V_CorpsMess = str_replace("\t", " ---> ", $_POST["Inp_CorpsMess"] ?? ""); // Tabs are replaced by spaces ??!!
// $V_CorpsMess = str_replace("\t", "tttt", str_replace("\r\n", "rrrrnnnn", $_POST["Inp_CorpsMess"])); // They really do get replaced, so the text really contains Tab and Return characters
$V_LienRet = $_POST["Inp_LienRet"] ?? "";
if ($V_LienRet == "") {
	$V_LienRet = "https://toroco.fr/SCphpSendEmail.php";
}
$V_CtrlHum = $_POST["Inp_CtrlHumB"] ?? "";
// echo "For testing, email body: '".$V_CorpsMess."'";
// if (($V_DestMail != "") && (($V_UserNom != "") || ($V_UserExpEmail != ""))) {
if (($V_DestMail != "") && (($V_SujetEmail != "") || ($V_CorpsMess != ""))) {
	$TampText = " ".$V_DestMail." ".$V_UserExpEmail." ".$V_BccMail; // If none of my addresses is a recipient...
	if ((stripos($TampText, $AdminEmail) === false) && (stripos($TampText, $AdmEmailA) === false) && (stripos($TampText, $AdmEmailB) === false)) {
		if ($V_BccMail == "") {
			$V_BccMail = $AdminEmail; // ...and I am not in copy, I put myself there (to know if the page is used, and why)
		} else { // Normally I am the recipient, but someone could use this page from their own site
			$V_BccMail = $V_BccMail.", ".$AdminEmail;
		}
	}
	$ToEmail = $V_DestMail; // "floriane@xyze.com";
	// $ToEmail = "thomas.robisson@xyz.com"; // .", "."toto@xyz.com".", "."tata@xyz.com";
	
	$EmailSubject = $V_SujetEmail; // "Site contact form";
	
	$Message_Body = "\r\n";
	$Message_Body .= "Name : ".$V_UserNom."\r\n";
	$Message_Body .= "Email : ".$V_UserExpEmail."\r\n";
	// $Message_Body .= "\r\n";
	$Message_Body .= "Message:"."\r\n".$V_CorpsMess."\r\n"."";
	$Message_Body .= "\r\n"."--"."\r\n"."Email sent from the page ".$V_LienRet."\r\n";
	// $Message_Body = str_replace("\t", "\t<dd>", $Message_Body); // No way to have a Tab character in HTML
	// $Message_Body = nl2br($Message_Body); // Would be useful if I sent the email as Content-type: text/html

	$MailHeader = "From: ".$AdminEmail."\r\n"; // MUST be the Free account hosting this page
	if ($V_UserExpEmail != "") { // I put the sender in copy
		$MailHeader .= "Cc: ".$V_UserExpEmail."\r\n";
	}
	if ($V_BccMail != "") { // Does not necessarily contain $AdminEmail if I am the recipient
		 $MailHeader .= "Bcc: ".$V_BccMail."\r\n"; // "tata@orange.fr"
	}
	$MailHeader .= "MIME-Version: 1.0"."\r\n";
	// $MailHeader .= "Content-type: text/plain; charset=iso-8859-1\r\n"; // I read that at Free one must not send text/html only
	// $MailHeader .= "Content-type: text/html; charset=utf-8"."\r\n"; // here the mail is sent as text/html encoded in UTF-8
	$MailHeader .= "Content-Type: text/plain; charset=utf-8"."\r\n"; // here the mail is sent as plain text encoded in UTF-8
	// $MailHeader .= "Content-Transfer-Encoding: 8bit"; // Says there are accented characters, but useless at Free
	// $MailHeader .= "Reply-To: ".$V_UserExpEmail."\r\n"; // When the recipient clicks "Reply"
	$MailHeader .= "Return-Path: ".$AdminEmail."\r\n"; // $V_UserExpEmail When the server sends back an error (unknown address etc.); most mail servers ignore this header and set their own

	$MailAddParam = ""; // Extra sendmail parameters; empty rather than null (null is deprecated here since PHP 8.1)

	// ini_set("SMTP", "smtp.orange.fr");
	// ini_set("smtp_port", 25);
	// ini_set("sendmail_from", $AdminEmail); // $ToEmail Not clear whether the recipient's or the sender's address is needed

	if ($V_CtrlHum == "") { // No alert: a spammer using my page will think the email went out
		//mail($ToEmail, $EmailSubject, $Message_Body, $MailHeader, $MailAddParam) or die ("Failure");
		$V_DrapOk = mail($ToEmail, $EmailSubject, $Message_Body, $MailHeader, $MailAddParam);
	} else {
		$V_DrapOk = false;
	}
	if ($V_DrapOk) {
		echo "<img src=\"images/EnveloppeEmail.png\" alt=\"EnveloppeEmail\" width=\"110\" height=\"78\" border=\"0\" /><br />";
		echo "Your message has been sent successfully.<br />";
		echo "You can close this window.<br />";
	} else {
		echo "<img src=\"images/Cafard.png\" alt=\"img\" width=\"128\" height=\"128\" border=\"0\" /><br />";
		echo "There was an error, your message has not been sent.<br />";
		echo "You can try again by clicking your browser's back arrow or by clicking &quot;Reload the calling page&quot;.<br />";
	}
	echo "&nbsp;<br />";
	echo "&nbsp;<br />";
	echo "##################################&nbsp;<br />";
	// Everything echoed back below came from the form, so it is HTML-escaped: otherwise a posted <script> tag would run in this page
	echo "From : '".htmlspecialchars($AdminEmail)."' - Sender (in copy) : '".htmlspecialchars($V_UserExpEmail)."' --> To : '".htmlspecialchars($V_DestMail)."' and blind copy : '".htmlspecialchars($V_BccMail)."'<br />";
	echo "----------------------------------------------&nbsp;<br />";
	echo "Subject : '".htmlspecialchars($EmailSubject)."'<br />";
	echo "----------------------------------------------&nbsp;<br />";
	$Message_Affich = nl2br(htmlspecialchars($Message_Body)); // Fine for display in this page, which is HTML
	// echo "<br />Email body : '".$V_CorpsMess."'<br />"; // Raw body sent via the form
	echo "".$Message_Affich.""; // Body formatted as HTML
	echo "##################################&nbsp;<br />";
	echo "&nbsp;<br />";
} else {
?>
<form name="FormEnvEmail" action="SCphpSendEmail.php" method="post"> <!-- No onsubmit handler: the "Send" button calls Btn_EnvEmail(), which submits the form itself -->
<table width="600" border="0" cellspacing="2" cellpadding="0">
<tr>
<td height="30">Recipient</td>
<td>&nbsp;</td>
</tr>
<tr>
<td height="30">&nbsp;&nbsp;Dest Email :</td>
<td><input name="Inp_DestMail" type="text" size="60"></td>
</tr>
<tr>
<td height="30">Sender (+ Cc)</td>
<td>&nbsp;<input type="hidden" name="Inp_BccMail" value=""></td>
</tr>
<tr>
<td width="22%" height="30">&nbsp;&nbsp;Your Name :</td>
<td width="*"><input name="Inp_UserNom" type="text" size="60"></td>
</tr>
<tr>
<td height="30">&nbsp;&nbsp;Your Email :</td>
<td><input name="Inp_UserExpEmail" type="text" size="60"></td>
</tr>
<tr>
<td height="30">Subject :</td>
<td><input name="Inp_SujetEmail" type="text" size="60"></td>
</tr>
<tr>
<td>Message :</td>
<td><textarea name="Inp_CorpsMess" cols="60" rows="6"></textarea></td>
</tr>
<tr>
<td>Check :</td>
<td>Copy the text below into the cell just underneath:<br />
<img src="images/CtrlHum.png" alt="CtrlHum" width="440" height="22" border="0" /><br />
<input name="Inp_CtrlHumA" type="text" size="60">
</td>
</tr>
<tr>
<td>&nbsp;<input type="hidden" name="Inp_LienRet" value="https://toroco.fr/SCphpSendEmail.php"></td>
<td align="left" valign="top"><input type="button" name="BtnEnvEmail" onClick="Btn_EnvEmail()" value="Send" /></td>
</tr>
<tr>
<td class="nonvisibl"><input name="Inp_CtrlHumB" type="text" size="12"></td> <!-- Hidden by CSS; a human never fills it, the JavaScript fills it on a wrong phrase -->
<td align="left" valign="top" class="ptite_note"><span class="coul_imp">The site administrator will receive a copy of this email.</span></td>
</tr>
</table>
</form>
<?php
}
?>
&nbsp;<br />
<!-- Inp_LienRet comes from the request, so it is escaped before going into the attribute; it is still whatever URL the caller chose -->
<a href="<?php echo htmlspecialchars($V_LienRet) ?>" target="_top">Reload the calling page</a>.<br />
&nbsp;<br />
&nbsp;<br />
<a href="index.html" target="_top"><img src="images/trcb_transp64.png" alt="Retour Home" width="32" height="32" border="0" /></a>
</body>
</html>

My page Contact_Trc.html :

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>Biblio 1 Toroco</title>
<link href="Zz_CSS/mef_page.css" rel="stylesheet" type="text/css" />
<link rel="shortcut icon" type="image/png" href="images/trcb_transp64.png" />
<link rel="apple-touch-icon" type="image/png" href="images/trcb_blanc160.png" />
<script type="text/javascript" src="Comparateur/mesfonctionsjs.js"></script>
<script type="text/javascript">
var SautLigne = String.fromCharCode(13) + String.fromCharCode(10); // "\r\n", i.e. %0D%0A once URL-encoded

function OuvPage() {
	// alert('onLoad OuvPage');
	var CurrentLocation = document.location.href;
	// alert("'" + CurrentLocation + "'");
	document.FormDdeCtc.Inp_LienRet.value = CurrentLocation; // The PHP page uses it for its "reload the calling page" link
}

function Btn_EcrEmail() {
	var EmailLink = "mailto:" + "thomas:@NoSpam.z:toroco.fr"; // + "?bcc=" + "tom.25:@NoSpam.z:free.fr";
	// var EmailLink = "mailto:" + "thomas.robisson:@NoSpam.z:xyz.com" + "?cc=" + "vincent:@NoSpam.z:xyz.com" + "&bcc=" + "tom.25:@NoSpam.z:xyz.fr";
	EmailLink = EmailLink.replace(/:@NoSpam.z:/gi, "@"); // g: replace every occurrence, i: case-insensitive
	// alert(EmailLink + SautLigne + document.FormDdeCtc.Inp_SujetEmail.value + SautLigne + TxtCorpsEmail);
	// EmailLink = EmailLink + "&subject=" + escape(document.FormDdeCtc.Inp_SujetEmail.value) + "&body=" + escape(TxtCorpsEmail);
	// The first query parameter starts with "?", the following ones with "&"
	EmailLink = EmailLink + "?subject=" + encodeURIComponent(document.FormDdeCtc.Inp_SujetEmail.value) + "&body=" + encodeURIComponent(SautLigne + document.FormDdeCtc.Inp_CorpsMess.value);
	// alert(EmailLink);
	window.location.href = EmailLink;
	// return DrapOk; Not defined in the <form> (see the start of the HTML below)
}

function Btn_SubmitF_Email() { // See FormDdeCat, even though here I don't save a cookie
	var ExpNom = document.FormDdeCtc.Inp_UserNom.value; // Semicolons are removed because they mess up the cookie save
	ExpNom = ExpNom.replace(/;/ig, ""); // g: replace every occurrence, i: case-insensitive
	if (document.FormDdeCtc.Inp_UserNom.value != ExpNom) { document.FormDdeCtc.Inp_UserNom.value = ExpNom; }
	var ExpEmail = document.FormDdeCtc.Inp_UserExpEmail.value; // Same thing for the email
	ExpEmail = ExpEmail.replace(/;/ig, "");
	if (document.FormDdeCtc.Inp_UserExpEmail.value != ExpEmail) { document.FormDdeCtc.Inp_UserExpEmail.value = ExpEmail; }
	var DrapOk = (ExpNom != ""); // We need the name to find the person's address again
	if (DrapOk) {
		var atpos = ExpEmail.indexOf("@");
		var dotpos = ExpEmail.lastIndexOf(".");
		if ((atpos < 1) || (dotpos < (atpos + 2)) || ((dotpos + 2) >= ExpEmail.length)) {
			DrapOk = confirm("Your email address is not valid!" + "\n" + "Enter at least a phone number in the text so that I can contact you back." + "\n" + "Send anyway?"); // Without an email they will not get a copy
			if (DrapOk) { // Send the email anyway
				document.FormDdeCtc.Inp_UserExpEmail.value = ""; // So as not to put a bogus email as sender; the PHP side puts a sender in
			}
		} // Otherwise DrapOk stays true
	} else { // DrapOk stays false
		alert("Your name is not filled in!");
	}
	// Inp_SujetEmail and Inp_CorpsMess are not checked.
	// No document.FormDdeCtc.submit() here: this function is the form's onsubmit handler, so returning
	// true lets the browser submit the form once and false cancels the submission; calling submit() as
	// well would send the form a second time.
	return DrapOk;
}
</script>
</head>

<body onLoad="OuvPage()">
<table border="0" cellspacing="0" cellpadding="0">
  <tr>
    <td class="titre_page"><a href="index.html" target="_blank"><img src="images/Logo_B.png" alt="Logo_B" width="132" height="40" border="0" /></a>&nbsp;&nbsp;&nbsp;Contact.</td>
  </tr>
  <tr>
    <td colspan="2">&nbsp;<br />
      &nbsp;</td>
  </tr>
  <tr>
    <td width="800" >Thomas ROBISSON<br />
    <img src="Contact-Coord.png" alt="Contact-Coord" width="267" height="41" border="0" /><br />
    &nbsp;<br />
    <img src="images/EnveloppeEmail.png" alt="EnveloppeEmail" width="110" height="78" border="0" /><br />
    &nbsp;<br />
    <form name="FormDdeCtc" action="SCphpSendEmail.php" onsubmit="return Btn_SubmitF_Email()" method="post">
    <input type="hidden" name="Inp_LienRet" value=""> <!-- Set to its value in OuvPage() -->
    <input type="hidden" name="Inp_BccMail" value=""> <!-- tom.25:@NoSpam.z:free.fr -->
    <input type="hidden" name="Inp_DestMail" value="thomas:@NoSpam.z:toroco.fr"> <!-- tom.25:@NoSpam.z:xyz.fr ; hidden, but anyone can change it before posting, the PHP page trusts it -->
    <strong>Send a form directly from this page.</strong><br />
    Fill in the fields below and click the <span class="code_src">Send</span> button.<br />
    Your Name&nbsp;:&nbsp;&nbsp;<input type="text" name="Inp_UserNom" size="35"><br />
    Your Email&nbsp;:&nbsp;<input type="email" name="Inp_UserExpEmail" size="35"><br />
    Subject&nbsp;:&nbsp;<input name="Inp_SujetEmail" value="Request for information" size="40" /><br />
    Your Message&nbsp;:<br />
    <textarea name="Inp_CorpsMess" cols="80" rows="6">Hello,
 
I would like some information about your site ... .
 
Kind regards.</textarea><br />
    <input type="submit" value="Send"><br />
    &nbsp;<br />&nbsp;<br />
    <strong>Send this form via your email client:</strong><br />
    <input type="button" name="BtnEcrEmail" onclick="Btn_EcrEmail()" value="Write" /><br />
    &nbsp;
    </form>
    &nbsp;<br />
    </td>
  </tr>
</table>
<a href="https://toroco.fr/SCphpSendEmail.php" target="_blank">Formulaire de contact vierge</a>.<br />
&nbsp;<br />
<a href="index.html" target="_top"><img src="images/trcb_transp64.png" alt="Retour Home" width="32" height="32" border="0" /></a>
</body>
</html>

I like this one. A hidden field with random invalid base64 garbage, just to make a bot insane, and it can have its value changed to a base64 checkcode by JS on submit. That checkcode is obtained via XHR to your server, and the returned checkcode contains, encoded in itself, the IP of the requester and a time stamp, so it will be declared invalid 120 seconds later, for example, and the IP should match that of the form sender.
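One way to build the checkcode described in the reply above, as an added example that is not code from this thread or from the site's author. The code is "ip|issued_at|HMAC", base64-encoded: the HMAC (keyed with a server-side secret) stops a bot from minting its own, the IP ties it to the host that fetched it, and the timestamp makes it expire after 120 seconds. The secret, the 120 s TTL, the file names in the comments and the sample IPs and times are assumptions.

```php
<?php
// Added example (not code from this thread): a stateless "check code" for a contact form.
// The server hands it out over XHR, the form's JavaScript writes it into the hidden field
// on submit, and the mail script refuses the post unless the code is genuine, fresh and
// was issued to the same IP. Secret, TTL and names below are assumptions.

const CHECKCODE_TTL = 120; // seconds of validity, the figure from the reply

// Issue: "ip|issued_at|hmac", base64-encoded so it fits in a form field.
function make_check_code(string $secret, string $ip, int $now): string
{
    $payload = $ip . '|' . $now;
    $mac = hash_hmac('sha256', $payload, $secret);
    return base64_encode($payload . '|' . $mac);
}

// Verify: rejects garbage, a forged or tampered MAC, another IP, and an expired code.
function verify_check_code(string $secret, string $code, string $ip, int $now, int $ttl = CHECKCODE_TTL): bool
{
    $raw = base64_decode($code, true);          // strict: anything outside the alphabet fails
    if ($raw === false) {
        return false;
    }
    $parts = explode('|', $raw);                // an IP never contains '|', IPv6 colons are fine
    if (count($parts) !== 3 || !ctype_digit($parts[1])) {
        return false;
    }
    [$codeIp, $issued, $mac] = $parts;
    $expected = hash_hmac('sha256', $codeIp . '|' . $issued, $secret);
    if (!hash_equals($expected, $mac)) {        // constant-time compare
        return false;                           // not issued by us, or modified
    }
    if ($codeIp !== $ip) {
        return false;                           // fetched from one address, posted from another
    }
    $age = $now - (int) $issued;
    return $age >= 0 && $age <= $ttl;           // expired, or issued "in the future"
}

// How the two ends would use it (hypothetical file names):
//   checkcode.php : echo make_check_code($secret, $_SERVER['REMOTE_ADDR'], time());
//   mail script   : if (!verify_check_code($secret, $_POST['Inp_CtrlHumB'] ?? '', $_SERVER['REMOTE_ADDR'], time())) { /* refuse */ }

// Constructed self-check (no network, no MTA): run with `php checkcode_example.php`.
$secret = 'replace-with-a-long-random-value-kept-outside-the-web-root';
$code   = make_check_code($secret, '203.0.113.7', 1700000000);
$cases  = [
    'fresh, same IP'        => verify_check_code($secret, $code, '203.0.113.7', 1700000060) === true,
    'expired (121 s old)'   => verify_check_code($secret, $code, '203.0.113.7', 1700000121) === false,
    'posted from other IP'  => verify_check_code($secret, $code, '198.51.100.9', 1700000060) === false,
    'tampered code'         => verify_check_code($secret, substr($code, 0, -4) . 'AAAA', '203.0.113.7', 1700000060) === false,
    'not base64 at all'     => verify_check_code($secret, 'not*base64', '203.0.113.7', 1700000060) === false,
];
foreach ($cases as $name => $passed) {
    echo ($passed ? 'ok   ' : 'FAIL ') . $name . PHP_EOL;
}
```

Two caveats a practitioner would keep in mind: if the site sits behind a reverse proxy or CDN, `$_SERVER['REMOTE_ADDR']` is the proxy's address, so every visitor shares one IP and the IP check loses its meaning; and a bot that executes JavaScript can fetch the code and post within the window just like a browser, so this raises the cost of spamming rather than proving a human is present.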

I’m dumb: writing echo(‘My sentence’) in PHP writes it in clear in the source of the page (my code above).
I added a third test: I have 2 checkboxes, one visible “I’m not a robot” and one invisible “I’m a robot”. I found this idea on the web.
And now I check my sentence in the PHP code: I send the sentence the user entered and check it before sending the email in my PHP page.
I haven’t received any spam in the week since I made the change.
If someone falls on this thread and wants the code, just write to me using Xojo or my contact page.
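What the server-side version of the checks discussed in this thread can look like, as an added example that is not the author's code: Christian's honeypot field that must come back empty, the visible/invisible checkbox pair and the control phrase compared in PHP from the last post, plus the two things the posted SCphpSendEmail.php leaves open, namely the recipient is fixed instead of being read from the request (so the script cannot be used to mail third parties), and nothing containing a CR or LF is allowed into a mail header (so a posted "address" cannot smuggle in an extra Bcc: line). Field names follow the posted form where they exist; the checkbox names `Chk_NotRobot` / `Chk_Robot`, the helper names and the three sample submissions are assumptions. The mail call is injected as a callable so the script runs from the command line without a mail server.

```php
<?php
// Added example, not the thread author's code: server-side validation for the contact form.
// Names Chk_NotRobot / Chk_Robot, the helpers and the sample submissions are assumptions.

const CONTACT_RECIPIENT = 'thomas@toroco.fr';        // fixed: never taken from $_POST
const CONTROL_PHRASE    = 'Phrase de controle Hum2'; // what the image shows; stays in PHP, never echoed to the browser

// A CR or LF in a header value would let the sender add headers of their own (Bcc:, To:, ...).
function header_safe(string $v): bool
{
    return preg_match('/[\r\n]/', $v) !== 1;
}

// Returns null for a submission that looks human, otherwise the reason it was rejected.
function looks_human(array $post): ?string
{
    // 1. Honeypot: the field hidden by CSS must come back empty (bots fill everything they see).
    if (($post['Inp_CtrlHumB'] ?? '') !== '') {
        return 'honeypot field was filled';
    }
    // 2. Checkbox pair: visible "I'm not a robot" ticked, invisible "I'm a robot" not ticked.
    if (!isset($post['Chk_NotRobot']) || isset($post['Chk_Robot'])) {
        return 'robot checkboxes not as a human would leave them';
    }
    // 3. Control phrase compared here, in constant time, not in JavaScript where the bot can read it.
    if (!hash_equals(CONTROL_PHRASE, trim((string) ($post['Inp_CtrlHumA'] ?? '')))) {
        return 'control phrase does not match';
    }
    return null;
}

// $send has mail()'s signature (to, subject, body, headers) so this runs without an MTA.
function handle_contact(array $post, callable $send): string
{
    $reason = looks_human($post);
    if ($reason !== null) {
        return 'rejected: ' . $reason;
    }
    $name    = trim((string) ($post['Inp_UserNom'] ?? ''));
    $from    = trim((string) ($post['Inp_UserExpEmail'] ?? ''));
    $subject = trim((string) ($post['Inp_SujetEmail'] ?? ''));
    $body    = (string) ($post['Inp_CorpsMess'] ?? '');

    if ($name === '' || $body === '') {
        return 'rejected: name and message are required';
    }
    if (!header_safe($name) || !header_safe($subject) || !header_safe($from)) {
        return 'rejected: line break in a header field';
    }
    if ($from !== '' && filter_var($from, FILTER_VALIDATE_EMAIL) === false) {
        return 'rejected: sender address is not valid';
    }

    $headers  = 'From: ' . CONTACT_RECIPIENT . "\r\n";   // the hosting account's own address
    if ($from !== '') {
        $headers .= 'Reply-To: ' . $from . "\r\n";       // replies reach the visitor without making them a sender
    }
    $headers .= "MIME-Version: 1.0\r\nContent-Type: text/plain; charset=utf-8\r\n";

    $text  = 'Name : ' . $name . "\r\n";
    $text .= 'Email : ' . $from . "\r\n";
    $text .= "Message:\r\n" . $body . "\r\n";

    $ok = $send(CONTACT_RECIPIENT, $subject === '' ? 'Contact form' : $subject, $text, $headers);
    return $ok ? 'sent' : 'mail() failed';
}

// Constructed submissions (not real traffic). $recordSend logs instead of mailing.
$sentLog    = [];
$recordSend = function (string $to, string $subject, string $body, string $headers) use (&$sentLog): bool {
    $sentLog[] = ['to' => $to, 'subject' => $subject, 'headers' => $headers];
    return true;
};

$human = [
    'Inp_UserNom'      => 'Alice',
    'Inp_UserExpEmail' => 'alice@example.com',
    'Inp_SujetEmail'   => 'Stove catalogue',
    'Inp_CorpsMess'    => "Hello,\r\nCould you send me the catalogue?",
    'Inp_CtrlHumA'     => CONTROL_PHRASE,
    'Inp_CtrlHumB'     => '',
    'Chk_NotRobot'     => 'on',
];
$bot = $human;
$bot['Inp_CtrlHumB'] = 'https://example.invalid/gotodate/go'; // a bot fills the hidden field too
$bot['Chk_Robot']    = 'on';                                  // and ticks the invisible box
$inject = $human;
$inject['Inp_UserExpEmail'] = "alice@example.com\r\nBcc: victim1@example.net, victim2@example.net";

foreach (['human' => $human, 'bot' => $bot, 'header injection' => $inject] as $label => $post) {
    echo str_pad($label, 18) . handle_contact($post, $recordSend) . PHP_EOL;
}
echo count($sentLog) . ' message(s) recorded, all addressed to ' . CONTACT_RECIPIENT . PHP_EOL;
```

Two points about fitting this into the pages posted above. Both forms post to the same SCphpSendEmail.php, and the form in Contact_Trc.html carries no Inp_CtrlHumA / Inp_CtrlHumB fields, so a script that only checks those fields when they are present is bypassed by a bot that posts straight to the PHP page with none of them; the checks have to be unconditional and every form has to supply the fields. And replacing the hard-coded phrase from time to time, as the author plans, is still cheaper for a bot to relearn than a per-request token, so the honeypot and checkbox tests are doing most of the work here.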