HighDots Forums  

Mail Manager Spam and Hack

#1 mnadell
Mail Manager Spam and Hack - 06-28-2008, 05:17 PM

Hi all,

This isn't really a DW specific question, but I figured all the smart folks
here will have figured this out already. I've been using the MMEX mail script
for many years. I don't know a lot about website management, and it works for
me, so I've never had a reason to switch.

Recently, using this script, I keep getting fake form returns, from many
different sources, usually drug or sex sales oriented. Here is the latest one:


Dear Recipient,

This is a notice that a new submission has been generated by by Mail Manage EX
on Jun 27, 2008 @ 5:19:05 pm.


***Form Results***

Skills: britney sex comics spears bikini britney comics spears bra sex
britney comics spears bra sex
Experience: NO EXPERIENCE
Email: sex_comics_britneys_britney_spears (...mail (DOT) com
Volunteer: SEND INFORMATION...
Firstname: britney comics spears bra sex
Shirt: http://bezodoka.cn/britney-spears-sex-comics.html
Commitment: SUBCOMMITTEE
Address: sex_comics_britneys_britney_spears (...mail (DOT) com
Skiability: NONE
Lastname: britney comics spears bra sex
Phone-home: http://bezodoka.cn/britney-spears-sex-comics.html
City: Moscow
Phone-cell: britney comics spears bra sex

User's Browser:

User's IP Address: 76.200.88.212


- Mail Manage EX Notifier -

I thought I would outsmart them by creating rules (phone number formatting,
etc.) that would stop this, but they keep coming through, regardless of the
formatting rules.

Can anyone tell me how to stop this stuff from happening? It's a real pain!
What do other folks do to stop this kind of stuff?

Thanks for any help.

--
Mark Nadell



#2 bregent
Re: Mail Manager Spam and Hack - 06-28-2008, 05:25 PM

Quote:
I thought I would outsmart them by creating rules

Rules? You mean client side javascript validation? Formbots don't use JS so
client side validation won't work. Do the same thing, but use server side
validation. Usually, something as simple as validating to make sure that the
first item of a dropdown list is not selected is enough to foil a bot.



#3 mnadell
Re: Mail Manager Spam and Hack - 06-28-2008, 05:51 PM

Thanks. The "rules" I alluded to are simply formatting. Like they have to fill
out specific fields, and some of the fields have specific formats, like they
have to put the phone number in as xxx-xxx-xxxx for instance. But the forms I'm
getting back don't seem to be affected by those rules, as sometimes they don't
even fill out the required fields, and the phone number field has just a URL in
it.

The script I'm using is a php script written a long time ago. Mail Manage EX,
v3.1.7 Written by Gregg Kenneth Jewell, Copyright © 2003-2004. There don't
seem to be any updates to it, but it's always worked.

I'm not familiar with the difference between server-side and client-side
validation. If this is a PHP script, would it matter?

Thanks again,

Mark




#4 bregent
Re: Mail Manager Spam and Hack - 06-28-2008, 07:16 PM

Quote:
The "rules" I alluded to are simply formatting.

That statement means nothing to me. Where did you add this 'rule'? What type
of script is enforcing this 'rule'? If you are using a php script, then that's
where you need to add your validation.




#5 mnadell
Re: Mail Manager Spam and Hack - 06-30-2008, 11:24 AM

The script is using these rules in the form:

    # MAIN SETTINGS
    $Require = "firstname,lastname,email,phone-home";
    $Format = "lastnameA,email@,phone-home#,phone-work#,phone-cell#";

And this is the code from the mmex file itself concerning phone formatting:

    if ($Format == "#" and $_POST[$Field]) // PHONE NUMBER FORMAT
    {
        if (!eregi('([0-9]{3})-([0-9]{3})-([0-9]{4})', $_POST[$Field]) and
            !eregi('([0-9]{3})\.([0-9]{3})\.([0-9]{4})', $_POST[$Field]) and
            !eregi('([0-9]{3}) ([0-9]{3}) ([0-9]{4})', $_POST[$Field]) and
            !eregi('(\([0-9]{3}\))-([0-9]{3})-([0-9]{4})', $_POST[$Field]) and
            !eregi('(\([0-9]{3}\))\.([0-9]{3})\.([0-9]{4})', $_POST[$Field]) and
            !eregi('(\([0-9]{3}\)) ([0-9]{3}) ([0-9]{4})', $_POST[$Field]) and
            !eregi('(\([0-9]{3}\)) ([0-9]{3})-([0-9]{4})', $_POST[$Field]) and
            !eregi('(\([0-9]{3}\)) ([0-9]{3})\.([0-9]{4})', $_POST[$Field]))
        {
            $Field = str_replace("_"," ",$Field);
            $Field = ucfirst($Field);
            $IncorrectFields .= "<li>$Field requires the proper phone format.</li>";
            if ($Preview == "1")
                $RedFields .= "$Field,";
        }
    }

But somehow, the formbots, as you call them, don't seem affected by that code,
as I get information in the phone number field as web addresses.

Mark


#6 bregent
Re: Mail Manager Spam and Hack - 06-30-2008, 11:42 AM

Sounds like your php script is not secure. Your best bet is to post the entire form script so that one of the php experts here can tell you if any flaws exist.

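
The server-side validation suggested in reply #2, as an added example that is not part of the thread and is not Mail Manage EX code. It runs in the PHP handler, so it applies to requests posted directly to the script, and its phone pattern is anchored so the whole value must be a phone number (the eregi patterns in reply #5 have no anchors and match anywhere in the value; this single pattern also accepts mixed separators). The field names come from the thread; the function name, the `commitment` dropdown values and the sample submission are assumptions constructed for illustration.

```php
<?php
// Added example: hypothetical server-side checks, not Mail Manage EX code.
const REQUIRED     = ['firstname', 'lastname', 'email', 'phone-home'];
const PHONE_FIELDS = ['phone-home', 'phone-work', 'phone-cell'];
// Assumed dropdown: its first <option> is a placeholder with an empty value,
// so only these constructed values are accepted.
const COMMITMENT_CHOICES = ['SUBCOMMITTEE', 'EVENT DAY'];
// ^ ... $ with the D modifier: the whole value must be a phone number.
const PHONE_RE = '/^(\(\d{3}\)|\d{3})[-. ]\d{3}[-. ]\d{4}$/D';

function validate_submission(array $post): array
{
    $errors = [];
    // Treat missing keys and array-valued fields (name[]=...) as empty strings.
    $get = function (string $name) use ($post): string {
        $v = $post[$name] ?? '';
        return is_string($v) ? trim($v) : '';
    };
    foreach (REQUIRED as $field) {
        if ($get($field) === '') {
            $errors[$field] = 'required';
        }
    }
    foreach (PHONE_FIELDS as $field) {
        $value = $get($field);
        if ($value !== '' && preg_match(PHONE_RE, $value) !== 1) {
            $errors[$field] = 'bad phone format';
        }
    }
    $email = $get('email');
    if ($email !== '' && filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'bad email format';
    }
    // The placeholder (first option) is not in the allow-list, so a
    // submission that never chose a real option is rejected.
    if (!in_array($get('commitment'), COMMITMENT_CHOICES, true)) {
        $errors['commitment'] = 'choose an option';
    }
    return $errors;
}

// Constructed submission modelled on the spam shown in the thread.
$spam = [
    'firstname'  => 'spam words',
    'email'      => 'not-an-address',
    'phone-home' => 'http://spam.example/page.html',
    'commitment' => '',
];
$errors = validate_submission($spam);
if ($errors) { // a real handler would stop here and send no mail
    print_r($errors);
}
```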