View Full Version : Trick to escape from form hijacking



theodore
10-29-2006, 04:00 PM
Hi everyone,
I have put into practice the following trick to escape from "form hijacking" if this happens. It is not a prevention trick but an escape one, and you will understand what I mean when you read it. It has helped me a lot and is based not on a technical script but on logic.

1. Create an e-mail (for example website@yourname.com) and put this e-mail into your form script.

2. Forward the above e-mail to the e-mail at which you want to receive the form data.

When (I hope never) someone hijacks your form (you will understand it, believe me), just delete the website@yourname.com e-mail and create a new one (for example website1@yourname.com), following the same steps as above.

This trick will not work if you have a catch-all e-mail.

In this case just register a cheap domain name (for example $3 per year), create an e-mail (for example website@cheapdomain.com) and forward it to your e-mail.

I hope that you will never need to create a second e-mail.

Theodore

navaldesign
10-29-2006, 05:17 PM
Hi Theodore,
I suppose that you mean using your form script for sending spam? Or do you mean capturing your own email address, to send spam to YOU?

In this second case, the form script can NOT be captured by any spider or bot. It is hard-coded in the script itself, so it is not captured by code analyzers. However, it can be captured manually if you have an autoresponder in your script and this autoresponder uses the same email address as the script. It will be enough to make a form submission and receive the autoresponder email to have your email address captured by a spammer.

In the first case:

Bot or manual hijacking of form scripts is used to send spam mail through your mail server, and has nothing to do with the email address used. It sends directly from the form script, using your mail server. Injecting some of the form fields with additional code, which works as a trojan horse (for the script), will have the same effect even if you change the email address as you suggested above.

The only solution to this problem is to use a script like ABVFP, which will not allow (if so set) the @ symbol in the form values submitted, thus preventing the use of your script for spam purposes.
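
The hijacking navaldesign describes above, as an added example that is not part of the thread and not ABVFP's code: a toy contact-form mail builder that copies form fields straight into mail headers, beside a hardened builder that refuses a line break in any header-bound value and, following navaldesign's suggestion, an "@" in a free-text field. The recipient alias, the attacker's payload and the honest submission are constructed values for the demonstration.

```javascript
// Added example, not code from this thread or from ABVFP: a toy contact-form
// mail builder that shows the header-injection style of form hijacking
// navaldesign describes, beside a hardened builder that refuses it.
// All addresses below are constructed for the demonstration.

// The alias the thread uses as the form's recipient (assumed value).
const SITE_OWNER = "website@yourname.com";

// VULNERABLE: form fields are copied straight into header lines, the same
// shape as PHP's mail($to, $subject, $body, "From: $email") with no checks.
function buildMessageVulnerable(fields) {
  const headers = [
    `To: ${SITE_OWNER}`,
    `From: ${fields.email}`,
    `Subject: ${fields.subject}`,
  ];
  return headers.join("\r\n") + "\r\n\r\n" + fields.message;
}

// Parse the header block roughly the way a mail transfer agent would, so an
// injected line break shows up as an extra header rather than as text.
function parseHeaders(rawMessage) {
  const headerBlock = rawMessage.split("\r\n\r\n")[0];
  const parsed = {};
  for (const line of headerBlock.split(/\r\n|\n/)) {
    const colon = line.indexOf(":");
    if (colon === -1) continue;
    const name = line.slice(0, colon).trim().toLowerCase();
    const value = line.slice(colon + 1).trim();
    (parsed[name] = parsed[name] || []).push(value);
  }
  return parsed;
}

// HARDENED: a header value may never contain a line break (that is the
// injection primitive), the reply address must be exactly one plain address,
// and, following navaldesign's suggestion, a free-text field that lands in a
// header may not contain "@" at all. The mail is sent as the site's own
// alias; the visitor's address goes into Reply-To only.
const LINE_BREAK = /[\r\n]/;
const ONE_ADDRESS = /^[^\s@<>,;]+@[^\s@<>,;]+\.[^\s@<>,;]+$/;

function buildMessageHardened(fields) {
  if (LINE_BREAK.test(fields.email) || !ONE_ADDRESS.test(fields.email)) {
    throw new Error("rejected: reply address is not a single plain address");
  }
  if (LINE_BREAK.test(fields.subject) || fields.subject.includes("@")) {
    throw new Error("rejected: subject contains a line break or an address");
  }
  const headers = [
    `To: ${SITE_OWNER}`,
    `From: ${SITE_OWNER}`,
    `Reply-To: ${fields.email}`,
    `Subject: ${fields.subject}`,
  ];
  return headers.join("\r\n") + "\r\n\r\n" + fields.message;
}

// Constructed attacker submission: a CRLF smuggled into the e-mail field
// turns one From line into From plus Bcc, so the site's mail server relays
// the "message" to recipients the site owner never chose.
const hijackAttempt = {
  email: "innocent@example.net\r\nBcc: target1@example.org, target2@example.org",
  subject: "question about your site",
  message: "cheap pills",
};

// Constructed honest submission for comparison.
const normalSubmission = {
  email: "customer@example.net",
  subject: "question about your site",
  message: "Hello, do you ship to Greece?",
};

// True when the given builder turns the attack into a message with a Bcc
// header; the hardened builder throws instead, which counts as "no leak".
function leaksBcc(builder) {
  try {
    return "bcc" in parseHeaders(builder(hijackAttempt));
  } catch (e) {
    return false;
  }
}
```

Note the difference between the two fixes: rejecting "@" in free-text fields stops the spammer from naming extra recipients, but it is the line-break check that removes the injection primitive itself (a smuggled Cc, Bcc or Content-Type line), so a real form handler should do both and should never let a visitor's input become the From header.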

theodore
10-29-2006, 05:31 PM
Hi naval,

I'm talking about capturing my own contact form, to send spam to me.

Take a look at the "contact us" form on my website www.avitecengineering.com (http://www.avitecengineering.com)

I was receiving more than 30 SPAM e-mails per day, using my form.

When I did the above, it stopped.

navaldesign
10-29-2006, 07:46 PM
You can simply encrypt your email. Have a look at http://www.dynamicdrive.com/emailriddler/index.htm
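
The "encrypt your email" idea navaldesign links to, as an added example that is not the Email Riddler code and not part of the thread: the address is stored in the page only as a list of transformed character codes and is rebuilt by a script in the visitor's browser, so a scraper that reads the raw HTML never sees an address. The address, the link label and the XOR key are constructed values for the demonstration.

```javascript
// Added example, not the Email Riddler code: an address that never appears as
// plain text in the page source and is rebuilt in the browser from a list of
// transformed character codes. Address and key are constructed values.

const KEY = 0x2a; // arbitrary byte mixed into every character code

// Run once, offline, to produce the numbers you paste into the page.
function encodeAddress(address) {
  return Array.from(address, (ch) => ch.charCodeAt(0) ^ KEY);
}

// Runs in the visitor's browser and rebuilds the original address.
function decodeAddress(codes) {
  return codes.map((c) => String.fromCharCode(c ^ KEY)).join("");
}

// The markup as it sits in the HTML: a placeholder link plus a script that
// fills in the mailto: target at load time. The page must also ship
// decodeAddress() itself (inline or in a .js file) for the script to run.
function obfuscatedMarkup(codes, label) {
  const list = `[${codes.join(",")}]`;
  return (
    `<a id="contact" href="#">${label}</a>\n` +
    `<script>document.getElementById("contact").href = ` +
    `"mailto:" + decodeAddress(${list});</script>`
  );
}

// What the DOM looks like after the script has run, i.e. what a visitor
// (or a scraper that executes JavaScript) actually gets.
function renderedLink(codes, label) {
  return `<a id="contact" href="mailto:${decodeAddress(codes)}">${label}</a>`;
}

// A plain-text address harvester of the kind navaldesign has in mind.
const HARVESTER = /[\w.+-]+@[\w-]+(\.[\w-]+)+/;
function harvesterFinds(text) {
  return HARVESTER.test(text);
}
```

This hides the address from scrapers that read the page source without executing JavaScript; a headless browser that runs the script sees the rebuilt link, and none of it stops a bot that simply submits the contact form, which is the hijacking discussed earlier in the thread.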

theodore
10-29-2006, 08:25 PM
Thanks a lot, Naval.

Theodore.