Form mail security

I'm having trouble with spammers getting through my mail script. I've
heard of FormMail for php but I need a solution for ASP. Any
suggestions? I don't know how to stop these guys from using my forms
to spam.

Thanks!
John

Jun 25 '06 #1
To add to this...

Would this help stop spammers using this?

If Request.ServerVariables("HTTP_REFERER") <>
"http://my_web_form.com/form.asp Then
Respose.Redirect "/SorryCharlie.asp"
Else
'do the form mail thing
End if

Jun 26 '06 #2
No. Spammers can easily defeat this as well.

--
Microsoft MVP -- ASP/ASP.NET
Please reply to the newsgroup. The email account listed in my From
header is my spam trap, so I don't check it very often. You will get a
quicker response by posting to the newsgroup.
Jun 26 '06 #3
Ugh! Ok...any suggestions?

Thanks!

Bob Barrows [MVP] wrote:
> No. Spammers can easily defeat this as well.


Jun 26 '06 #4
Maybe CAPTCHA?

--
Microsoft MVP -- ASP/ASP.NET
Please reply to the newsgroup. The email account listed in my From
header is my spam trap, so I don't check it very often. You will get a
quicker response by posting to the newsgroup.
Jun 26 '06 #5
Oh COOL! Checkin' it out now....

I'll be a good poster and show what I'm doing. Can't vouch for it yet,
just looking but for those searching for the same solution....

http://www.u229.no/stuff/Captcha/

Jun 26 '06 #6
Incidentally this is what happened. What is it they are doing here?
Would limiting the number of characters in the subject field help? As
you can see they blocked their IP address. Thanks!

From: do****@XXXXXXX.net do****@XXXXXXX.net
Date: Sun, 25 Jun 2006 00:01:11 -0400
To: xxxx@xxxxxxxxxxcom
Subject: do****@XXXXXXX.net
MESSAGE SENT FROM XXXXXXX.NET
MESSAGE FROM: do****@XXXXXXX.net
SENDERS EMAIL: do****@XXXXXXX.net
SENDERS IP ADDRESS: a
bcc: Ke****@aol.com
Content-Type: multipart/alternative;
boundary=ddc847aa92d6c6e1cdc07252e628e393
Subject: to th frantic cheers iv th multichood

--ddc847aa92d6c6e1cdc07252e628e393
Content-Transfer-Encoding: base64
Content-Type: text/plain

YWxsIHRoZSBlbnF1aXJpZXMsIGFuZCBnaXZlbiBhbGwgdGhlIG FkdmljZSBzaGUgdGhvdWdodCBw
cm9wZXIsIGNhbGxlZCBvdXQgdG8gdGhlIHBhcnR5LCB3aG8gd2 VyZSBzdGlsbCBhbXVzaW5nIHRo
ZW1zZWx2ZXMgd2l0aCB0aGUgY29tbXVuaWNhdGl2ZSByaXNobW FuLCBhc3RhLCBiYXN0YSwgY29z
aSBjb21lLCB3ZSBoYXZlIGxvc3QgdGltZSBlbm91Z2ggaG9tcH NvbiwgZ2V0IG9uIHIuIGV4dGVy
LCBwdXQgdXAgdGhlIGhlYWQgb2YgdGhlIGJhcm91Y2hlIGF0

--ddc847aa92d6c6e1cdc07252e628e393--
..

SENDERS COMPUTER INFORMATION: do****@XXXXXXX.net
TIME SENT: 6/25/2006 12:01:11 AM

------MESSAGE IS AS FOLLOWS------

do****@XXXXXXX.net

------END MESSAGE------

Jun 26 '06 #7
the other john wrote on 26 jun 2006 in
microsoft.public.inetserver.asp.general:
> Would this help stop spammers using this?
>
> If Request.ServerVariables("HTTP_REFERER") <>
> "http://my_web_form.com/form.asp Then
> Respose.Redirect "/SorryCharlie.asp"
> Else
> 'do the form mail thing
> End if

Sure, your code will not do any mailing after "Respose".
--
Evertjan.
The Netherlands.
(Please change the x'es to dots in my emailaddress)
Jun 26 '06 #8
uh..yea....it was a typo.
can you tell what this guy was trying to do here by the way? I'd
appreciate it, thanks.
Jun 26 '06 #9
the other john wrote on 26 jun 2006 in
microsoft.public.inetserver.asp.general:
> Evertjan. wrote:
>> the other john wrote on 26 jun 2006 in
>> microsoft.public.inetserver.asp.general:
>>> Would this help stop spammers using this?
>>>
>>> If Request.ServerVariables("HTTP_REFERER") <>
>>> "http://my_web_form.com/form.asp Then
>>> Respose.Redirect "/SorryCharlie.asp"
>>> Else
>>> 'do the form mail thing
>>> End if
>>
>> Sure, your code will not do any mailing after "Respose".

[please do not toppost on usenet]

> uh..yea....it was a typo.
>
> can you tell what this guy was trying to do here by the way? I'd
> appreciate it, thanks.

What Guy?
I would not know.
I am not a mind reader.

But more interesting is what you want, methinks.

--
Evertjan.
The Netherlands.
(Please change the x'es to dots in my emailaddress)
Jun 26 '06 #10
Hi John!

I've read this thread, but I can't find what "mailer" you're using.
With "mailer" I mean: are you using CDOSYS or CDONTS, or JMail maybe?
Some other flavor? This might be of importance. If you're using JMail,
the most important thing to do is check your HEADER fields for
linefeeds/-breaks. So, replace each & every CHR(10)&Chr(13) with
nothing, or a dash, whatever, just no breaks. Breaks make the
mailer component think another header is coming up. You can use
linefeeds/breaks in the body though. However, it might be good
practice to replace every linefeed/break everywhere. As far as the
other options are concerned, I use so-called one-time-pads with my
forms. This however might be a long shot for you. As the IP can't be
checked as you say, you might consider checking for valid e-mail
addresses. There are quite solid methods to do that. Check this for
example:
http://www.powerasp.com/content/code...ValidEmail.asp
There are better options though which check for genuine addresses.
This involves requests to other servers though.
Returning to the hidden IP; can't you "just" ignore each request
coming from a hidden IP? Anyway, this as well is a good read:
http://www.anders.com/cms/75/Crack.Attempt/Spam.Relay
It opened my eyes for sure!
Anyway, let us know more please!

Best regards,
- Alex.
Jun 27 '06 #11
Thanks!

Yes, I am using JMail in this case. This is what I've done so far...

I went with the CAPTCHA solution. I have it working correctly. How much
more secure it is I don't know. This is what I'm using.
http://www.tipstricks.org/

I also did a mid() on the fields such as IP and subject, etc. to limit
how much would go through. I hadn't thought of doing a replace(). I
have dealt with CHR(10) before however, sorry. What is your method for
using Replace for multiple conditions? I mean doing 2 or 3 replaces on
a single dim or something?

I'm looking into the validation now, thanks!

Jun 27 '06 #12
I'm sure the CAPTCHA will prevent most spam attempts. There seem to be
"spiders" that are able to "read" these generated images, but I guess
whenever someone wants to get in bad enough he/she'll get in anyway.
As far as the Char 10 / 13 is concerned, yes, I strip them both out
but for the body, in which I replace them with "<br>", I send
HTML-mail. I can't find the info I came across on the validation part.
It dealt with a couple of techniques, ranging from merely checking the
syntax of the mail address to checking whether or not a domain or an
email address actually exists by using an MX records check. I believe
the site located at coveryourasp.com has some nice examples to check.
You might find interesting discussions here:
http://forums.webhostautomation.com/...r=asc&start=45

Thanks for that http://www.tipstricks.org/ link :-) I'm adding it to
my arsenal!

I hope the spamming has stopped, or will stop before long! I hate
those pesters ...

- Alex.

Jun 29 '06 #13
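
The header clean-up described in posts #11 and #13, and the chained Replace() asked about in post #12, as an added example that is not code from the thread. `CleanHeader` and `IsSafeAddress` are hypothetical helper names, the sample values are constructed, and the script as written runs under `cscript`.

```vbscript
Option Explicit

' Added example, not code from the thread. CleanHeader and IsSafeAddress
' are hypothetical helper names; all sample values below are constructed.

' Strip CR and LF from a value bound for a mail header, then cap its length.
' Nested Replace() calls handle several characters in one expression; the
' break is replaced with a space so neighbouring words stay separated.
Function CleanHeader(ByVal value, ByVal maxLen)
    Dim s
    s = value & ""                       ' coerce Null/Empty to a string
    s = Replace(Replace(s, vbCr, " "), vbLf, " ")
    CleanHeader = Left(Trim(s), maxLen)
End Function

' An address field is rejected, not repaired: any line break, whitespace
' or list separator means the value is not a single address.
Function IsSafeAddress(ByVal value)
    Dim s, re
    s = value & ""
    IsSafeAddress = False
    If InStr(s, vbCr) > 0 Or InStr(s, vbLf) > 0 Then Exit Function
    Set re = New RegExp
    re.Pattern = "^[^\s@,;:<>]+@[^\s@,;:<>]+\.[^\s@,;:<>]+$"
    IsSafeAddress = re.Test(s)
End Function

' Constructed form input modelled on the message quoted in the thread:
' each field carries a line break followed by an extra header line.
Dim rawSender, rawSubject
rawSender = "visitor@example.com" & vbCrLf & "bcc: other@example.com"
rawSubject = "Question about your site" & vbLf & "Content-Type: text/html"

WScript.Echo "raw sender accepted:   " & IsSafeAddress(rawSender)
WScript.Echo "plain sender accepted: " & IsSafeAddress("visitor@example.com")
WScript.Echo "subject header value:  [" & CleanHeader(rawSubject, 60) & "]"
```

In an ASP page, drop the `WScript.Echo` lines and pass each `Request.Form` value through these functions before it is assigned to any header property of the mailer.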
