Keep getting nonsense submissions from my contact form.

fuzzybabybunny (Moderator, Digital & Video Cameras), joined Jan 2, 2006
Every day I get these submissions from my contact form. What's going on? What are they trying to take advantage of?

Name: khypuxlnlo
Address: rhevzwjdupsmjoqipup, <a href="http://www.hdgbqwxnfp.com">oaxlqkydlt</a>
Telephone: kzpwdbzr
Content: rhevzwjdupsmjoqipup, <a href="http://www.hdgbqwxnfp.com">oaxlqkydlt</a>
 

EagleKeeper (Discussion Club Moderator, Elite Member, Staff member), joined Oct 30, 2000
Robot probes?
Filter the phone number and delete the record or disconnect the session if an invalid number is detected.
 

IronWing (No Lifer), joined Jul 20, 2001
Get used to it. That's why you're using a contact form instead of providing an email address. Our contact form appends to a log file. 90% of the contacts are spam/gibberish. Make sure your form reader breaks URLs and scripts.
 

Fallen Kell (Diamond Member), joined Oct 9, 1999
Well, URLs, or testing to see if your processing opens you up to a possible remote exploit due to a failure to test untrusted inputs (for instance, maybe your application's backend opens the URL, which has exploit code embedded within it).
 

smackababy (Lifer), joined Oct 30, 2008
Are you sanitizing your inputs? Depending on what your system is they could be trying to see what they can and cannot enter and how it reacts.

I am glad I have never worked on an outward-facing system and had to deal with users being able to just input whatever they want. Although, once I witnessed a user putting classified information into an unclassified system. My supervisor was thrilled about that. He had to go through all kinds of crap to get debriefed. Someone even suggested a database of all the classified information we could check user input against. >_>
 

DaveSimmons (Elite Member), joined Aug 12, 2001
The above.

Remember that programs can submit your form without running any of the script code that you send them.

They can use code to send you a POST with any fields and any data that they want - SQL commands, URLs, strings that are 10,000 characters long. Your code that processes the form needs to validate each input, without making any assumptions about the incoming data.
 

Tweak155 (Lifer), joined Sep 23, 2003
It's a good thing. That means your site is important enough to send a bot to. I had that problem on both my sites, but it took almost a year for one of them.
 

fuzzybabybunny (Moderator, Digital & Video Cameras), joined Jan 2, 2006
Thanks for the replies. So they are basically hoping that whoever checks the emails will click on the links and then the link will open some kind of spam or virus or something?

I changed the code to look for "www" in one of the submission lines that has no business having "www" in it. It'll refuse to send the message.
 

DaveSimmons (Elite Member), joined Aug 12, 2001
With some unsecured email forms, they can also be used as spam email relays.

If you have something like <input type="hidden" name="mailto" value="me@my_server.com"> then all they have to do is POST their own value for that field and your server will send spam mail for them.
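The relay problem described above, as an added example (not the poster's code and not code from the thread): a handler that trusts a posted mailto field, beside one that fixes the recipient on the server and ignores whatever the client posts. The recipient address and field names are assumptions, the sample POST is constructed to look like the bot submission from the first post, and the CR/LF check on header-bound fields is an extra that the thread does not mention.

```python
"""Contact-form mail handler: the 'spam relay' mistake beside the fix.

Added example. A web framework would hand us the POSTed fields as a dict;
here they are plain dicts constructed inline.
"""
import re
from email.message import EmailMessage

# Assumed: the recipient lives in server-side config, never in the HTML form.
CONTACT_RECIPIENT = "me@my_server.com"

# A CR or LF inside a header value lets the client append extra headers
# (for example a Bcc: line). Rejecting it is an added check, beyond the
# thread; Python's EmailMessage happens to refuse it too, many mail()-style
# APIs in other languages do not.
_CRLF = re.compile(r"[\r\n]")


class RejectedSubmission(ValueError):
    """Raised when a submission must not be turned into mail at all."""


def vulnerable_build_message(form):
    """'Before': trusts <input type=hidden name=mailto ...> from the client.

    Nothing forces a bot to use the HTML form at all; it simply POSTs its
    own 'mailto' value and the server mails whoever it names.
    """
    msg = EmailMessage()
    msg["To"] = form["mailto"]                  # attacker-controlled recipient
    msg["Subject"] = form.get("subject", "Contact form")
    msg.set_content(form.get("content", ""))
    return msg


def hardened_build_message(form):
    """'After': recipient comes from server config; a posted 'mailto' is ignored."""
    subject = form.get("subject", "Contact form")
    name = form.get("name", "")
    # Anything that ends up in a header must be a single line.
    if _CRLF.search(subject) or _CRLF.search(name):
        raise RejectedSubmission("newline in a header-bound field")
    msg = EmailMessage()
    msg["To"] = CONTACT_RECIPIENT
    msg["Subject"] = subject[:200]
    # The visitor's own details go in the body, never into headers.
    msg.set_content(
        f"Name: {name}\nTelephone: {form.get('telephone', '')}\n\n"
        f"{form.get('content', '')}"
    )
    return msg


# Constructed sample: what a spam bot POSTs directly, no browser involved.
BOT_POST = {
    "mailto": "victim@example.com",             # the bot picks the recipient
    "subject": "cheap stuff\r\nBcc: more-victims@example.com",
    "name": "khypuxlnlo",
    "content": '<a href="http://www.hdgbqwxnfp.com">oaxlqkydlt</a>',
}

if __name__ == "__main__":
    relayed = vulnerable_build_message({**BOT_POST, "subject": "cheap stuff"})
    print("vulnerable handler would mail:", relayed["To"])
    try:
        hardened_build_message(BOT_POST)
    except RejectedSubmission as exc:
        print("hardened handler rejected it:", exc)
```

Run it and the first handler addresses the mail to whatever the bot put in mailto, while the second either mails the configured address or refuses the submission outright.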
 

Ken g6 (Programming Moderator, Elite Member), joined Dec 11, 1999
I would take the phone number, delete all nonnumeric characters, and then see if there were enough characters left to make a phone number. If not I would return an error to the user.

Other things you can do include adding a hidden field that should be blank. Spam bots will fill in every field they can find. So if the field is filled in, it's a spam bot.
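The server-side checks described in this thread (DaveSimmons: validate every field without assuming anything about what a browser would send; Ken g6: strip the phone number to digits and count them, and add a honeypot field; the original poster's "www" check), pulled together into one validator as an added example that is not code from the thread or from anyone's site. It uses the gibberish submission from the first post as sample input. The hidden field name `website`, the length limits, the 7 to 15 digit range for a phone number, and the second, human-looking submission are all assumptions; the link check is the "www" test generalised to http:// URLs and HTML tags.

```python
"""Server-side validation for a contact form whose fields are
name, address, telephone and content (the fields in the first post).

Added example, not the original poster's code.
"""
import re

# Assumed limits; a bot will happily POST a 10,000-character value.
MAX_LEN = {"name": 100, "address": 300, "telephone": 40, "content": 5000}
HONEYPOT_FIELD = "website"   # assumed name; rendered hidden, humans leave it empty

# An HTML tag: '<', optional '/', a tag name, then whitespace, '>' or '/'.
# Written this way so "a < b" in a real message is not flagged.
_TAG = re.compile(r"</?[a-zA-Z][a-zA-Z0-9]*[\s>/]")
# A URL: http://, https:// or a bare www. prefix (the poster's "www" check).
_URL = re.compile(r"(?i)\b(?:https?://|www\.)")


def normalize_phone(raw, min_digits=7, max_digits=15):
    """Delete every non-digit; return the digits if enough remain, else None."""
    digits = re.sub(r"\D", "", raw)
    return digits if min_digits <= len(digits) <= max_digits else None


def looks_like_link(text):
    """True if the text carries markup or a URL."""
    return bool(_TAG.search(text) or _URL.search(text))


def validate_submission(form):
    """Return a list of rejection reasons; an empty list means accept.

    Each field is checked on its own. Nothing here relies on client-side
    script having run, because a bot POSTs whatever it wants.
    """
    reasons = []
    if form.get(HONEYPOT_FIELD, ""):
        reasons.append("honeypot field filled in")
    for field, limit in MAX_LEN.items():
        value = form.get(field, "")
        if not isinstance(value, str):
            reasons.append(f"{field}: not a string")
            continue
        if len(value) > limit:
            reasons.append(f"{field}: longer than {limit} characters")
        # No field on this form has any business carrying a link or a tag.
        if looks_like_link(value):
            reasons.append(f"{field}: contains a link or markup")
    if normalize_phone(form.get("telephone", "")) is None:
        reasons.append("telephone: not enough digits for a phone number")
    return reasons


# The submission quoted in the first post of this thread; the honeypot
# value is constructed, on the thread's point that bots fill every field.
BOT_SUBMISSION = {
    "name": "khypuxlnlo",
    "address": 'rhevzwjdupsmjoqipup, <a href="http://www.hdgbqwxnfp.com">oaxlqkydlt</a>',
    "telephone": "kzpwdbzr",
    "content": 'rhevzwjdupsmjoqipup, <a href="http://www.hdgbqwxnfp.com">oaxlqkydlt</a>',
    "website": "http://www.hdgbqwxnfp.com",
}

# Constructed: what a person filling in the form might send.
HUMAN_SUBMISSION = {
    "name": "Jane Example",
    "address": "12 Sample Street, Anytown",
    "telephone": "(555) 010-1234",
    "content": "Hi, I have a question about one of your camera reviews.",
    "website": "",
}

if __name__ == "__main__":
    for label, form in (("bot", BOT_SUBMISSION), ("human", HUMAN_SUBMISSION)):
        print(label, validate_submission(form) or "accepted")
```

The bot submission is rejected four times over (honeypot, a link in the address, a link in the content, and a telephone field with no digits), while the constructed human one passes; returning the full list of reasons rather than a bare yes/no makes it easy to log what the bots are actually sending.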