spam from contact us form, none if the fixes work.

[vanhorn_s]

redsautorehab.com
1.5.4
Modified version of the Tableau template.

Over the last month, I have been getting tons of spam from russian bots, and I have tried everything I can think of to stop it. So far, the only thing that has worked, was to delete all of the input boxes, and buttons from tpl_contact_us_default.php

I have tried the Google recaptcha 2.0 addon, it didn't work, and nobody responded to my question it it's support thread. I tried Numinix's math captcha, and it didn't work. I searched through several threads, and found workarounds that are for a different code.

Does anybody have any advise? This is what's in the tpl_contact_us_default.php that I was using:

PHP Code:

<?php
/**
 * Page Template
 *
 * Loaded automatically by index.php?main_page=contact_us.<br />
 * Displays contact us page form.
 *
 * @package templateSystem
 * @copyright Copyright 2003-2012 Zen Cart Development Team
 * @copyright Portions Copyright 2003 osCommerce
 * @license http://www.zen-cart.com/license/2_0.txt GNU Public License V2.0
 * @version GIT: $Id: Author: DrByte  Sun Aug 19 09:47:29 2012 -0400 Modified in v1.5.1 $
 */
?>
<div class="centerColumn" id="contactUsDefault">

<h1 class="back"><?php echo HEADING_TITLE;?></h1>
<div class="alert forward" id="required-information"><?php echo FORM_REQUIRED_INFORMATION; ?></div>

<?php 
    if (DEFINE_CONTACT_US_STATUS >= '1' and DEFINE_CONTACT_US_STATUS <= '2') { 
        echo '<div class="clearBoth contact-us-intro">';
            require($define_page);
        echo '</div>';
    } 
?>

<?php echo zen_draw_form('contact_us', zen_href_link(FILENAME_CONTACT_US, 'action=send')); ?>

<?php
  if (isset($_GET['action']) && ($_GET['action'] == 'success')) {
?>
<!-- 
    /*
     *  Code changed on: May 26, 2014;
     *     Fixed issue: Layout for success message;
    */
 -->
<div id="contact-form-wrapper" class="back">
    <p><?php echo TEXT_SUCCESS; ?></p>
    <div class="buttonRow"><?php echo zen_back_link() . zen_image_button(BUTTON_IMAGE_BACK, BUTTON_BACK_ALT) . '</a>'; ?></div>
</div><!--EOF #contact-form-wrapper-->

<!-- 
    /*
     *  End Code changed on: May 26, 2014;
    */
-->

<?php
  } else {
?>

<?php if ($messageStack->size('contact') > 0) echo $messageStack->output('contact'); ?>

<div id="contact-form-wrapper" class="back">

    <div id="contact-col-left" class="back">

        <?php
        // show dropdown if set
            if (CONTACT_US_LIST !=''){
        ?>
            <label class="inputLabel" for="send-to"><?php echo SEND_TO_TEXT; ?> <?php echo '<span class="alert">' . ENTRY_REQUIRED_SYMBOL . '</span>'; ?></label>
            <?php echo zen_draw_pull_down_menu('send_to',  $send_to_array, 0, 'id="send-to"'); ?>
        <?php
            }
        ?>    

        <label class="inputLabel" for="contactname"><?php echo ENTRY_NAME; ?> <?php echo '<span class="alert">' . ENTRY_REQUIRED_SYMBOL . '</span>'; ?></label>
        <?php echo zen_draw_input_field('contactname', $name, ' size="40" id="contactname"'); ?>
        
        <label class="inputLabel" for="email-address"><?php echo ENTRY_EMAIL; ?> <?php echo '<span class="alert">' . ENTRY_REQUIRED_SYMBOL . '</span>'; ?></label>
        <?php echo zen_draw_input_field('email', ($email_address), ' size="40" id="email-address"'); ?>
        
        <label class="inputLabel" for="subject" ><?php echo ENTRY_SUBJECT; ?> <?php echo '<span class="alert">' . ENTRY_REQUIRED_SYMBOL . '</span>'; ?></label>
        <?php echo zen_draw_input_field('subject', ($email_subject), ' size="40" id="subject"'); ?>
        
    </div><!--EOF #contact-col-left-->
    
    <div id="contact-col-right" class="forward">
    
        <label for="enquiry"><?php echo ENTRY_ENQUIRY . ' <span class="alert">' . ENTRY_REQUIRED_SYMBOL . '</span>'; ?></label>
        <?php echo zen_draw_textarea_field('enquiry', '30', '7', $enquiry, 'id="enquiry"'); ?>
        
        <?php echo zen_draw_input_field('should_be_empty', '', ' size="40" id="CUAS" style="visibility:hidden; display:none;" autocomplete="off"'); ?>
    </div><!--EOF #contact-col-right-->
        
    
    <div class="buttonRow forward"><?php echo zen_image_submit(BUTTON_IMAGE_SEND, BUTTON_SEND_ALT); ?></div>
    
    
    <div class="clearBoth"></div>
</div><!--EOF #contact-form-wrapper-->

<?php
  }
?>

<div id="store-details-wrapper" class="forward">
    
    <div class="clearBoth"></div>
    <div class="back contact-icon" id="business-icon">&#xe002;</div>
    <?php if (CONTACT_US_STORE_NAME_ADDRESS== '1') { ?>
    <address class="back contact-info"><?php echo nl2br(STORE_NAME_ADDRESS); ?></address>
    <?php } ?>
    <div class="clearBoth"></div>

</div><!--EOF #store-details-wrapper-->

</form>


</div>

Here is the header_php.php:

PHP Code:

<?php
/**
 * Contact Us Page
 *
 * @package page
 * @copyright Copyright 2003-2011 Zen Cart Development Team
 * @copyright Portions Copyright 2003 osCommerce
 * @license http://www.zen-cart.com/license/2_0.txt GNU Public License V2.0
 * @version $Id: header_php.php 18697 2011-05-04 14:35:20Z wilt $
 */
require(DIR_WS_MODULES . zen_get_module_directory('require_languages.php'));

$error = false;
if (isset($_GET['action']) && ($_GET['action'] == 'send')) {
  $name = zen_db_prepare_input($_POST['contactname']);
  $email_address = zen_db_prepare_input($_POST['email']);
  $enquiry = zen_db_prepare_input(strip_tags($_POST['enquiry']));
  $subject = (isset($_POST['subject']) ? zen_db_prepare_input(strip_tags($_POST['subject'])) : EMAIL_SUBJECT);
  $zc_validate_email = zen_validate_email($email_address);

  if ($zc_validate_email and !empty($enquiry) and !empty($name)) {
    // auto complete when logged in
    if($_SESSION['customer_id']) {
      $sql = "SELECT customers_id, customers_firstname, customers_lastname, customers_password, customers_email_address, customers_default_address_id
              FROM " . TABLE_CUSTOMERS . "
              WHERE customers_id = :customersID";

      $sql = $db->bindVars($sql, ':customersID', $_SESSION['customer_id'], 'integer');
      $check_customer = $db->Execute($sql);
      $customer_email= $check_customer->fields['customers_email_address'];
      $customer_name= $check_customer->fields['customers_firstname'] . ' ' . $check_customer->fields['customers_lastname'];
    } else {
      $customer_email = NOT_LOGGED_IN_TEXT;
      $customer_name = NOT_LOGGED_IN_TEXT;
    }

    // use contact us dropdown if defined
    if (CONTACT_US_LIST !=''){
      $send_to_array=explode("," ,CONTACT_US_LIST);
      preg_match('/\<[^>]+\>/', $send_to_array[$_POST['send_to']], $send_email_array);
      $send_to_email= preg_replace ("/>/", "", $send_email_array[0]);
      $send_to_email= trim(preg_replace("/</", "", $send_to_email));
      $send_to_name = trim(preg_replace('/\<[^*]*/', '', $send_to_array[$_POST['send_to']]));
    } else {  //otherwise default to EMAIL_FROM and store name
      $send_to_email = trim(EMAIL_FROM);
      $send_to_name =  trim(STORE_NAME);
    }

    // Prepare extra-info details
    $extra_info = email_collect_extra_info($name, $email_address, $customer_name, $customer_email);
    // Prepare Text-only portion of message
    $text_message = OFFICE_FROM . "\t" . $name . "\n" .
    OFFICE_EMAIL . "\t" . $email_address . "\n\n" .
    '------------------------------------------------------' . "\n\n" .
    strip_tags($_POST['enquiry']) .  "\n\n" .
    '------------------------------------------------------' . "\n\n" .
    $extra_info['TEXT'];
    // Prepare HTML-portion of message
    $html_msg['EMAIL_MESSAGE_HTML'] = strip_tags($_POST['enquiry']);
    $html_msg['CONTACT_US_OFFICE_FROM'] = OFFICE_FROM . ' ' . $name . '<br />' . OFFICE_EMAIL . '(' . $email_address . ')';
    $html_msg['EXTRA_INFO'] = $extra_info['HTML'];
    // Send message
    zen_mail($send_to_name, $send_to_email, $subject, $text_message, $name, $email_address, $html_msg,'contact_us');

    zen_redirect(zen_href_link(FILENAME_CONTACT_US, 'action=success'));
  } else {
    $error = true;
    if (empty($name)) {
      $messageStack->add('contact', ENTRY_EMAIL_NAME_CHECK_ERROR);
    }
    if ($zc_validate_email == false) {
      $messageStack->add('contact', ENTRY_EMAIL_ADDRESS_CHECK_ERROR);
    }
    if (empty($enquiry)) {
      $messageStack->add('contact', ENTRY_EMAIL_CONTENT_CHECK_ERROR);
    }
  }
} // end action==send

// default email and name if customer is logged in
if($_SESSION['customer_id']) {
  $sql = "SELECT customers_id, customers_firstname, customers_lastname, customers_password, customers_email_address, customers_default_address_id
          FROM " . TABLE_CUSTOMERS . "
          WHERE customers_id = :customersID";

  $sql = $db->bindVars($sql, ':customersID', $_SESSION['customer_id'], 'integer');
  $check_customer = $db->Execute($sql);
  $email_address = $check_customer->fields['customers_email_address'];
  $name= $check_customer->fields['customers_firstname'] . ' ' . $check_customer->fields['customers_lastname'];
}

$send_to_array = array();
if (CONTACT_US_LIST !=''){
  foreach(explode(",", CONTACT_US_LIST) as $k => $v) {
    $send_to_array[] = array('id' => $k, 'text' => preg_replace('/\<[^*]*/', '', $v));
  }
}

// include template specific file name defines
$define_page = zen_get_file_directory(DIR_WS_LANGUAGES . $_SESSION['language'] . '/html_includes/', FILENAME_DEFINE_CONTACT_US, 'false');

$breadcrumb->add(NAVBAR_TITLE);

[dbltoe]

Can't remember the thread, but here's the solution.

Zen Cart embedded a code that would let the system know if a bot was trying to enter data. Unfortunately, the feature was discovered and all the script kiddies simply made sure they entered the code as placed in the php code of the files.

All you need do is search for should_be empty and replace it with something you think they would have a hard time discovering. Most anything will work, just use something you can search for easily in case you're "found out" in the future.

Disclaimers:

1. The script kiddies know which files are effected. Make sure the files are NOT accessible on your site.
2. This will NOT stop unsolicited emails. Those who want can still manually leave those funky emails on your site.

[DrByte]

Your header_php.php file doesn't contain the logic to skip sending the emails that have the should_be_empty field filled in.

[dbltoe]

Yep, shoulda mentioned to go back to the original files before the search.

[vanhorn_s]

Thanks guys, I made the edit, and that wasn't working, so I made the edit on the default_template tpl_contact_us_default.php, and moved it over to Tableau folder. We'll see what happens. I'm getting anywhere from 20-60 emails per day, and it seems like I am getting more every day, all from mail.ru.

[dbltoe]

There are at least six files in a current download of ZC. Classic template does not contain the code. If you have more than responsive_classic and template_default, you'll have more than the six.

[vanhorn_s]

I used the developers toolkit, and found every file with that code. And changed it. I am using the 1.5.4 default tpl_contact_us_default.php, and the spam is still coming through. Should I just give up, and go back to a blank page with a mailto link? For some reason, I can't even use any of the captcha add-ons, because I can still send a message without touching the captcha. The must be something screwy with the Tableau template.

I really don't want to upgrade until 1.6 comes out, because it takes me forever, because I'm not a php wiz, so I would really like 1.6 to come out soon.

[mc12345678]

I used the developers toolkit, and found every file with that code. And changed it. I am using the 1.5.4 default tpl_contact_us_default.php, and the spam is still coming through. Should I just give up, and go back to a blank page with a mailto link? For some reason, I can't even use any of the captcha add-ons, because I can still send a message without touching the captcha. The must be something screwy with the Tableau template.

I really don't want to upgrade until 1.6 comes out, because it takes me forever, because I'm not a php wiz, so I would really like 1.6 to come out soon.

Did those search results include the file: includes/modules/pages/contact_us/header_php.php?

How many files are in the directory includes/modules/pages/contact_us and what are their names?

Regarding upgrading? It would help if at the last upgrade the files were updated to what is provided in a vanilla fileset. The file includes/modules/pages/contact_us/header_php.php is basically a core file. It was modified at least back in ZC 1.5.1. The changes made to that file are not shown in your above post. Is it possible the template provided an alternate version of that file? Yes. But I would think that the template forum thread would have something related to this and how the file should look.

[dbltoe]

You have to find out if

1. The spam is coming in with Website Inquiry From....
2. Does it state not logged in.
3. Is the spam just coming to the email address used for contact us

1. If the first is the case, it may just be that someone is hitting 40 sites an hour with spam. Auto-fill is nice until it's used against you.
2. Not many will do this but, it's worth a check
3. You might want to change the email address to support1 vs support to see if you're on a spam list somewhere.

[vanhorn_s]

The emails are coming from the contact us form. It does state not logged in, and shows their ip address. I just modified those two files from a vanilla 1.5.4, and we will see what happens now. If it keeps up, I will ask in the Tableau support thread. Unfortunately, Numinix isn't very supportive with their addons, and most of the fixes come from the users.