spam being received with no referrer in the email log

One of our clients has received a huge amount of spam today, and on checking the email log the majority of them don't include a referring page. The majority is coming from one IP range so I've banned that range in the htaccess file, but I'm wondering how they're managing to send spam without visiting a page with a contact form on it? Are they triggering the PHP script directly? I've attached a screengrab which shows some sample entries in the email log.

*Update* - just remembered that the mail script is using smtp to send via the client's own domain which we don't host. Does this therefore mean I'm wasting my time trying to ban IPs via the htaccess file or on our server and that the issue needs to be dealt with at the client's end? Even after adding the IP ranges to the htaccess files, the emails are still coming in.

Isn't the code that sends the email and saves the email log data on the page? They would have to be visiting the page to run the code that is on the page.

Referrer can be blocked. It is a header flag that is sent by the browser and it can be removed to prevent tracking. A missing referrer doesn't really mean anything about the source other than they don't want to be traced.

I'm thinking the htaccess rule must be wrong. It should be able to block emails that come from a web page. I don't think any entries would appear in your log if they weren't from your page.

The code is actually in a shared PHP file as the contact form is on numerous pages on the site. However I hadn't realised referrers could be blocked so that's the more likely explanation. I've started blocking the offending IPs at server level and may also revert to a standard captcha as I'm currently using Google's reCaptcha v3 (the non-challenge type) which I honestly don't think does any good at all!

Thanks Ray.

I've found the "easy question" captcha to be more efficient than the standard captcha as well. I've used reCaptcha v3 and had success, but it does seem like something that could be bypassed, although it actually seems pretty good in my experience. Are you sure you implemented it correctly?

I wonder if they are accessing the shared file to get around all of your security.

This is how I implement reCaptcha v3:

Call JS in the <head> tag:

<script src="https://www.google.com/recaptcha/api.js?render=SITEKEY"></script>
<script>
grecaptcha.ready(function () {
grecaptcha.execute('SITEKEY', { action: 'pagename' }).then(function (token) {
var recaptchaResponse = document.getElementById('recaptchaResponse');
recaptchaResponse.value = token;
});
});
</script>

Insert this above the form:

<?php // Check if form was submitted:
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['recaptcha_response'])) {

// Build POST request:
$recaptcha_url = 'https://www.google.com/recaptcha/api/siteverify';
$recaptcha_secret = 'SECRET_KEY';
$recaptcha_response = $_POST['recaptcha_response'];

// Make and decode POST request:
$recaptcha = file_get_contents($recaptcha_url . '?secret=' . $recaptcha_secret . '&response=' . $recaptcha_response);
$recaptcha = json_decode($recaptcha);

// Take action based on the score returned:
if ($recaptcha->score >= 0.5) {
// Verified - send email
} else {
// Not verified - show form error
}

} ?>

Add the following in the form:

<input type="hidden" name="recaptcha_response" id="recaptchaResponse">

Does that look right to you? It would actually be great if you could let me know as Google's own documentation isn't great and I had to search for quite a while before I found this example!

That is not doing anything. You would have to use server validation to check the value of $recaptcha->score and make sure it is greater than 0.5

Isn't that what the following bit does though?

// Take action based on the score returned:
if ($recaptcha->score >= 0.5) {
// Verified - send email
} else {
// Not verified - show form error
}

No... that code is commented out. It does nothing. That is an empty if statement and an empty else statement.

Hi Ray, could you possibly take a look at this updated code and tell me what I'm doing wrong? The page loads but when I submit the form the page truncates just before this code block:

<?php // Check if form was submitted:
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['recaptcha_response'])) {

// Build POST request:
$recaptcha_url = 'https://www.google.com/recaptcha/api/siteverify';
$recaptcha_secret = 'SECRET_KEY';
$recaptcha_response = $_POST['recaptcha_response'];

// Make and decode POST request:
$recaptcha = file_get_contents($recaptcha_url . '?secret=' . $recaptcha_secret . '&response=' . $recaptcha_response);
$recaptcha = json_decode($recaptcha);

// Take action based on the score returned:
if ($recaptcha->score >= 0.5)
{
//WA Universal Email
$Email = new WA_Email("index_2");
$Email->Redirect = "".(htmlentities($_SERVER["PHP_SELF"], ENT_QUOTES)) ."?sent=true#success";
$Email->From = "".((isset($_POST["name"]))?$_POST["name"]:"") ." <mwilson@linksdesign.co.uk>";
$Email->addTo("MY_EMAIL");
$Email->BodyFile = "webassist/email/contact.php";
if (function_exists("rel2abs") && $Email->Redirect) $Email->Redirect = $Email->Redirect?rel2abs($Email->Redirect,dirname(__FILE__)):"";
for ($emailGroup=0; $emailGroup<sizeof($Email->To); $emailGroup++) {
$Email->Subject = "Contact from Website";
$Email->send($emailGroup);
}
$Email->close();
} else {
echo("Spam test failed");
}

} ?>

If I replace the email code block with echo("Spam test passed"); it submits and shows the message so I know I've done something wrong in the email code!

Please attach the full page... possibly the include file for the email is lower on the page? It needs to be above the email code.