问题
So I use PHP and have a contact form on my website.
Once users fill up the form and submit, it will shoot an email to me.
I have been receiving junk input from bot, I assume, like below.
This is the result of print_r($_REQUEST). I removed some parameter for simplicity.
Array
(
[name] => rycpufrwq
[email] => raaszg@fqhzdm.com
[company] => naCuklaLMab
[website] => http://ujpbfhazkpzv.com/
[message] => cBimwx <a href=\"http://pxlahgqmdrhs.com/\">pxlahgqmdrhs</a>, [url=http://sjmbrhkycvbz.com/]sjmbrhkycvbz[/url], [link=http://rddqwgzwvrhv.com/]rddqwgzwvrhv[/link], http://csohvhsvdisc.com/
)
On such request, I don't write to db or anything. I only send an email by calling mail().
Specifically, mail($to,$subject,$body,$headers) where $headers is:
$headers="From:$email_from\r\nBcc:$email_bcc\r\nReply-To:$name<$email>\r\n";
$name is $_REQUEST['name'] and $email is $_REQUEST['email'], but I strip out all "\r" and "\n" if any because they can put "\r\nCc:<a list of emails>" and they would be able to send spam emails using my domain.
However, for an input I mentioned above, I don't see 'newline' under 'email' field. Hence, I assume it is a different kind of attack. Is there something I should be aware of?
回答1:
Hence, I assume it is a different kind of attack.
I doubt it. This doesn't look like an E-Mail injection attack, but a simple run-off-the-mill bot trying to get its content linked in as many places (e.g. comment threads) as possible. That's why the [link] notation is there, to cause the URL to be linked in BBCode.
Except from that it's trash, I can see nothing malicious in the message.
To stop this, as others say, captcha solutions are the most popular way; there are others. See the related questions on SO, e.g. Blocking comment spam without using captcha
来源:https://stackoverflow.com/questions/4122623/is-this-junk-input-from-a-bot-filling-up-a-form-on-my-website-safe