Technical Support Forums

Free, outstanding support from WebAssist and your colleagues

spam being received with no referrer in the email log

Thread begun 12/04/2020 10:00 am by Mags | Last modified 12/14/2020 11:16 am by Ray Borduin | 2073 views | 15 replies |

Mags

One of our clients has received a huge amount of spam today, and on checking the email log the majority of them don't include a referring page. The majority is coming from one IP range so I've banned that range in the htaccess file, but I'm wondering how they're managing to send spam without visiting a page with a contact form on it? Are they triggering the PHP script directly? I've attached a screengrab which shows some sample entries in the email log.

*Update* - just remembered that the mail script is using smtp to send via the client's own domain which we don't host. Does this therefore mean I'm wasting my time trying to ban IPs via the htaccess file or on our server and that the issue needs to be dealt with at the client's end? Even after adding the IP ranges to the htaccess files, the emails are still coming in.

Ray Borduin (WebAssist)

Isn't the code that sends the email and saves the email log data on the page? They would have to be visiting the page to run the code that is on the page.

Referrer can be blocked. It is a header flag that is sent by the browser and it can be removed to prevent tracking. A missing referrer doesn't really mean anything about the source other than they don't want to be traced.

I'm thinking the htaccess rule must be wrong. It should be able to block emails that come from a web page. I don't think any entries would appear in your log if they weren't from your page.

Mags

The code is actually in a shared PHP file as the contact form is on numerous pages on the site. However I hadn't realised referrers could be blocked so that's the more likely explanation. I've started blocking the offending IPs at server level and may also revert to a standard captcha as I'm currently using Google's reCaptcha v3 (the non-challenge type) which I honestly don't think does any good at all!

Thanks Ray.

Ray Borduin (WebAssist)

I've found the "easy question" captcha to be more efficient than the standard captcha as well. I've used reCaptcha v3 and had success, but it does seem like something that could be bypassed, although it actually seems pretty good in my experience. Are you sure you implemented it correctly?

I wonder if they are accessing the shared file to get around all of your security.

Mags

This is how I implement reCaptcha v3:

Call JS in the <head> tag:

<script src="https://www.google.com/recaptcha/api.js?render=SITEKEY"></script>
<script>
    // Ask reCAPTCHA v3 for a token once the library is ready and store it in the hidden field
    grecaptcha.ready(function () {
        grecaptcha.execute('SITEKEY', { action: 'pagename' }).then(function (token) {
            var recaptchaResponse = document.getElementById('recaptchaResponse');
            recaptchaResponse.value = token;
        });
    });
</script>

Insert this above the form:

<?php // Check if form was submitted:
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['recaptcha_response'])) {

    // Build POST request:
    $recaptcha_url = 'https://www.google.com/recaptcha/api/siteverify';
    $recaptcha_secret = 'SECRET_KEY';
    $recaptcha_response = $_POST['recaptcha_response'];

    // Make and decode POST request:
    $recaptcha = file_get_contents($recaptcha_url . '?secret=' . $recaptcha_secret . '&response=' . $recaptcha_response);
    $recaptcha = json_decode($recaptcha);

    // Take action based on the score returned:
    if ($recaptcha->score >= 0.5) {
        // Verified - send email
    } else {
        // Not verified - show form error
    }

} ?>

Add the following in the form:

<input type="hidden" name="recaptcha_response" id="recaptchaResponse">

Does that look right to you? It would actually be great if you could let me know as Google's own documentation isn't great and I had to search for quite a while before I found this example!

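A server-side check that actually gates the send, written as an added example (it is not the poster's code or WebAssist's). It assumes the secret is read from a RECAPTCHA_SECRET environment variable, that the hidden field and the 'pagename' action are the ones shown in the post above, and that the form's own hostname is what PHP reports in $_SERVER['SERVER_NAME']. Unlike the posted block it checks success, action and hostname as well as the score, and treats an empty or failed siteverify reply as not verified.

```php
<?php
// Added example, not the poster's or WebAssist's code. Assumes the secret is in
// the RECAPTCHA_SECRET environment variable and the field is still named
// recaptcha_response with action 'pagename', as in the thread.

function recaptcha_v3_verify(string $token, string $secret, string $action,
                             string $host, float $minScore = 0.5): array
{
    if ($token === '' || strlen($token) > 4096) {
        return ['ok' => false, 'reason' => 'missing or oversized token'];
    }
    // POST to siteverify so the secret never sits in a GET query string or access log.
    $ch = curl_init('https://www.google.com/recaptcha/api/siteverify');
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query(['secret' => $secret, 'response' => $token]),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => 5,
    ]);
    $raw = curl_exec($ch);
    curl_close($ch);
    $r = is_string($raw) ? json_decode($raw, true) : null;
    // Fail closed: a network error or malformed reply counts as not verified.
    if (!is_array($r) || empty($r['success'])) {
        $codes = implode(',', $r['error-codes'] ?? ['no response']);
        return ['ok' => false, 'reason' => 'siteverify failed: ' . $codes];
    }
    // A token minted for another page or another site must not unlock this form.
    if (($r['action'] ?? '') !== $action || ($r['hostname'] ?? '') !== $host) {
        return ['ok' => false, 'reason' => 'token action/hostname mismatch'];
    }
    $score = (float) ($r['score'] ?? 0);
    return ['ok' => $score >= $minScore, 'reason' => "score $score"];
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $result = recaptcha_v3_verify($_POST['recaptcha_response'] ?? '',
        getenv('RECAPTCHA_SECRET') ?: '', 'pagename', $_SERVER['SERVER_NAME'] ?? '');
    // Record the outcome next to the referer; an empty referer alone proves nothing.
    error_log(sprintf('contact form: %s ip=%s referer=%s', $result['reason'],
        $_SERVER['REMOTE_ADDR'] ?? '-', $_SERVER['HTTP_REFERER'] ?? '-'));
    if ($result['ok']) {
        // Only this branch should contain the WA_Email send block.
    } else {
        http_response_code(403);
        echo 'Spam test failed';
    }
}
```

The log line gives you something to correlate with the email log: submissions that reach the send branch always have a verified token, whatever the referer says.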
Ray Borduin (WebAssist)

That is not doing anything. You would have to use server validation to check the value of $recaptcha->score and make sure it is greater than 0.5.

Mags

Isn't that what the following bit does though?

// Take action based on the score returned:
if ($recaptcha->score >= 0.5) {
    // Verified - send email
} else {
    // Not verified - show form error
}

Ray Borduin (WebAssist)

No... that code is commented out. It does nothing. That is an empty if statement and an empty else statement.

Mags

Hi Ray, could you possibly take a look at this updated code and tell me what I'm doing wrong? The page loads but when I submit the form the page truncates just before this code block:

<?php // Check if form was submitted:
// The include that defines the WA_Email class must already have been required above this
// block; if it is only included further down the page, PHP stops here with a fatal error.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['recaptcha_response'])) {

    // Build POST request:
    $recaptcha_url = 'https://www.google.com/recaptcha/api/siteverify';
    $recaptcha_secret = 'SECRET_KEY';
    $recaptcha_response = $_POST['recaptcha_response'];

    // Make and decode POST request:
    $recaptcha = file_get_contents($recaptcha_url . '?secret=' . $recaptcha_secret . '&response=' . urlencode($recaptcha_response));
    $recaptcha = json_decode($recaptcha);

    // Take action based on the score returned (a failed API call leaves $recaptcha null, so guard it):
    if (isset($recaptcha->score) && $recaptcha->score >= 0.5)
    {
        //WA Universal Email
        $Email = new WA_Email("index_2");
        $Email->Redirect = "".(htmlentities($_SERVER["PHP_SELF"], ENT_QUOTES)) ."?sent=true#success";
        $Email->From = "".((isset($_POST["name"]))?$_POST["name"]:"") ." <mwilson@linksdesign.co.uk>";
        $Email->addTo("MY_EMAIL");
        $Email->BodyFile = "webassist/email/contact.php";
        if (function_exists("rel2abs") && $Email->Redirect) $Email->Redirect = $Email->Redirect?rel2abs($Email->Redirect,dirname(__FILE__)):"";
        for ($emailGroup=0; $emailGroup<sizeof($Email->To); $emailGroup++) {
            $Email->Subject = "Contact from Website";
            $Email->send($emailGroup);
        }
        $Email->close();
    } else {
        echo("Spam test failed");
    }

} ?>

If I replace the email code block with echo("Spam test passed"); it submits and shows the message so I know I've done something wrong in the email code!

Ray Borduin (WebAssist)

Please attach the full page... possibly the include file for the email is lower on the page? It needs to be above the email code.
