Contact Form Spam

I have a contact form. On this form there is a randomly generated
string of characters that must be copied. If it is not typed
properly, the form is not processed. If filled out correctly, an
email is sent to the sender and a copy to the owner. All of the
sending is done in php and no email addresses appear on the form (nor
in the view source). Everything is done in php.

What is happening is that junk filled forms are being sent and they
are bypassing the security code requirement. To see what was
happening, I included both the generated and typed codes in the email
that is sent. When I fill it out, the email contains matching codes.
The spam email has empty fields.

Finally, I changed the form yesterday to include those security code
echos. Today's spam has the changed form.

Questions:
1 - How are they accessing the the code to generate these emails?
2 - How are they bypassing the check of the security code?
3 - Most importantly, what can I do to stop them?

Shelly

Re: Contact Form Spam

Hello,

on 01/23/2008 11:31 PM Shelly said the following:
> I have a contact form. On this form there is a randomly generated
> string of characters that must be copied. If it is not typed
> properly, the form is not processed. If filled out correctly, an
> email is sent to the sender and a copy to the owner. All of the
> sending is done in php and no email addresses appear on the form (nor
> in the view source). Everything is done in php.
>
> What is happening is that junk filled forms are being sent and they
> are bypassing the security code requirement. To see what was
> happening, I included both the generated and typed codes in the email
> that is sent. When I fill it out, the email contains matching codes.
> The spam email has empty fields.
>
> Finally, I changed the form yesterday to include those security code
> echos. Today's spam has the changed form.
>
> Questions:
> 1 - How are they accessing the the code to generate these emails?

They may not necessarily be accessing your code. You just assumed that.


> 2 - How are they bypassing the check of the security code?

If you are using a image based CAPTCHA, there is code to brute force
guess the text in the CAPTCHA images using OCR (Optical Character
Recognition) solutions. Here is a simple OCR written in pure PHP.

http://www.phpclasses.org/phpocr


> 3 - Most importantly, what can I do to stop them?

Use a better CAPTCHA. Here are several CAPTCHA solutions that use more
advanced techniques. Some use more ofuscated images, others ask
subjective questions to the user, others use animated images, etc..

http://www.phpclasses.org/searchtag/CAPTCHA/by/package/tag/C APTCHA/


--

Regards,
Manuel Lemos

PHP professionals looking for PHP jobs
http://www.phpclasses.org/professionals/

PHP Classes - Free ready to use OOP components written in PHP
http://www.phpclasses.org/

Re: Contact Form Spam

On Jan 23, 8:47 pm, Manuel Lemos wrote:

The email is only sent to the site owner, so the spammer has no way of
knowing what the email should look like. That tells me that they have
to be going through the form. Yet the proper email has an echo of
generated security code. The spam email has that field empty. So,
that says he can't be going through the form.

It seems to me that they must:
1 - Somehow diverting a legitimate email so that copy is sent to
them.
2 - Using that email copy to create a template and modify the output
so that junk is sent.

I really don't know how they are doing it.

Re: Contact Form Spam

Shelly wrote:
> On Jan 23, 8:47 pm, Manuel Lemos wrote:
>
> The email is only sent to the site owner, so the spammer has no way of
> knowing what the email should look like. That tells me that they have
> to be going through the form. Yet the proper email has an echo of
> generated security code. The spam email has that field empty. So,
> that says he can't be going through the form.
>
> It seems to me that they must:
> 1 - Somehow diverting a legitimate email so that copy is sent to
> them.
> 2 - Using that email copy to create a template and modify the output
> so that junk is sent.
>
> I really don't know how they are doing it.
>

Or, you're not checking the security field before sending the email.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================

Re: Contact Form Spam

On Jan 23, 11:07 pm, Jerry Stuckle wrote:
> Shelly wrote:
> > On Jan 23, 8:47 pm, Manuel Lemos wrote:
>
> > The email is only sent to the site owner, so the spammer has no way of
> > knowing what the email should look like. That tells me that they have
> > to be going through the form. Yet the proper email has an echo of
> > generated security code. The spam email has that field empty. So,
> > that says he can't be going through the form.
>
> > It seems to me that they must:
> > 1 - Somehow diverting a legitimate email so that copy is sent to
> > them.
> > 2 - Using that email copy to create a template and modify the output
> > so that junk is sent.
>
> > I really don't know how they are doing it.
>
> Or, you're not checking the security field before sending the email.

Of **COURSE** I am. [I even tested it :-) --- and many times].
Filling in all the fields and either leaving that one empty, or with
the wrong info, prevents an email from being sent and the page is
presented again so that the user can fill it in properly.

Jerry, why in the world would I go throught the trouble of generating
a security field if I weren't testing for its accuracy? That would be
just plain stupid.

Shelly

Re: Contact Form Spam

Shelly wrote:
> On Jan 23, 11:07 pm, Jerry Stuckle wrote:
>> Shelly wrote:
>>> On Jan 23, 8:47 pm, Manuel Lemos wrote:
>>> The email is only sent to the site owner, so the spammer has no way of
>>> knowing what the email should look like. That tells me that they have
>>> to be going through the form. Yet the proper email has an echo of
>>> generated security code. The spam email has that field empty. So,
>>> that says he can't be going through the form.
>>> It seems to me that they must:
>>> 1 - Somehow diverting a legitimate email so that copy is sent to
>>> them.
>>> 2 - Using that email copy to create a template and modify the output
>>> so that junk is sent.
>>> I really don't know how they are doing it.
>> Or, you're not checking the security field before sending the email.
>
> Of **COURSE** I am. [I even tested it :-) --- and many times].
> Filling in all the fields and either leaving that one empty, or with
> the wrong info, prevents an email from being sent and the page is
> presented again so that the user can fill it in properly.
>
> Jerry, why in the world would I go throught the trouble of generating
> a security field if I weren't testing for its accuracy? That would be
> just plain stupid.
>
> Shelly
>

Shelly,

You said:

"The spam email has that field empty."

So you're obviously not checking it - at least not correctly. If you
were, then you would reject emails with the field empty.

But you never posted any code, so it's hard to tell.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================

Re: Contact Form Spam

Hello,

on 01/24/2008 12:07 AM Shelly said the following:
> The email is only sent to the site owner, so the spammer has no way of
> knowing what the email should look like. That tells me that they have
> to be going through the form. Yet the proper email has an echo of
> generated security code. The spam email has that field empty. So,
> that says he can't be going through the form.
>
> It seems to me that they must:
> 1 - Somehow diverting a legitimate email so that copy is sent to
> them.
> 2 - Using that email copy to create a template and modify the output
> so that junk is sent.
>
> I really don't know how they are doing it.

If you are not using a good CAPTCHA, I am not sure what you mean by
security codes.

Anyway, I suspect that your code has a common vulnerability of contact
forms which is to not properly encode information that goes to message
headers. This means that if the abuser inserts a well throught character
sequences, he may make your script compose a message that uses your mail
server to send spam to anybody in the world.

It is hard to advise without seeing your script. Anyway, I recommend
using a component that knows how to properly encode or escape malicious
character sequences to avoid abuses like your suffering.

I use this MIME message composing and sending class that is well aware
of all the e-mail standards that are necessary to compose messages
properly. You may want to use it to avoid the abuses.

http://www.phpclasses.org/mimemessage


--

Regards,
Manuel Lemos

PHP professionals looking for PHP jobs
http://www.phpclasses.org/professionals/

PHP Classes - Free ready to use OOP components written in PHP
http://www.phpclasses.org/

Re: Contact Form Spam

On Jan 23, 11:29 pm, Manuel Lemos wrote:
> Hello,
>
> on 01/24/2008 12:07 AM Shelly said the following:
>
> > The email is only sent to the site owner, so the spammer has no way of
> > knowing what the email should look like. That tells me that they have
> > to be going through the form. Yet the proper email has an echo of
> > generated security code. The spam email has that field empty. So,
> > that says he can't be going through the form.
>
> > It seems to me that they must:
> > 1 - Somehow diverting a legitimate email so that copy is sent to
> > them.
> > 2 - Using that email copy to create a template and modify the output
> > so that junk is sent.
>
> > I really don't know how they are doing it.
>
> If you are not using a good CAPTCHA, I am not sure what you mean by
> security codes.
>
> Anyway, I suspect that your code has a common vulnerability of contact
> forms which is to not properly encode information that goes to message
> headers. This means that if the abuser inserts a well throught character
> sequences, he may make your script compose a message that uses your mail
> server to send spam to anybody in the world.
>
> It is hard to advise without seeing your script. Anyway, I recommend
> using a component that knows how to properly encode or escape malicious
> character sequences to avoid abuses like your suffering.
>
> I use this MIME message composing and sending class that is well aware
> of all the e-mail standards that are necessary to compose messages
> properly. You may want to use it to avoid the abuses.
>
> http://www.phpclasses.org/mimemessage
>

I use the class htmlMimeMail from http://www.phpguru.org/ by Richard
Heyes. The security code is just a randomly generated string of 6
characters. I am not using a CAPTCHA. I guess I will have to.

Shelly

Re: Contact Form Spam

Hello,

on 01/24/2008 02:40 AM Shelly said the following:
>>> The email is only sent to the site owner, so the spammer has no way of
>>> knowing what the email should look like. That tells me that they have
>>> to be going through the form. Yet the proper email has an echo of
>>> generated security code. The spam email has that field empty. So,
>>> that says he can't be going through the form.
>>> It seems to me that they must:
>>> 1 - Somehow diverting a legitimate email so that copy is sent to
>>> them.
>>> 2 - Using that email copy to create a template and modify the output
>>> so that junk is sent.
>>> I really don't know how they are doing it.
>> If you are not using a good CAPTCHA, I am not sure what you mean by
>> security codes.
>>
>> Anyway, I suspect that your code has a common vulnerability of contact
>> forms which is to not properly encode information that goes to message
>> headers. This means that if the abuser inserts a well throught character
>> sequences, he may make your script compose a message that uses your mail
>> server to send spam to anybody in the world.
>>
>> It is hard to advise without seeing your script. Anyway, I recommend
>> using a component that knows how to properly encode or escape malicious
>> character sequences to avoid abuses like your suffering.
>>
>> I use this MIME message composing and sending class that is well aware
>> of all the e-mail standards that are necessary to compose messages
>> properly. You may want to use it to avoid the abuses.
>>
>> http://www.phpclasses.org/mimemessage
>>
>
> I use the class htmlMimeMail from http://www.phpguru.org/ by Richard

I have not studied that class. I don't know if it properly encodes
message headers.


> Heyes. The security code is just a randomly generated string of 6
> characters. I am not using a CAPTCHA. I guess I will have to.

That may explain it. Even some CAPTCHAs can be bypassed with good OCR
scripts. But even a basic CAPTCHA can raise the bar hard enough to make
your abuser give up.

--

Regards,
Manuel Lemos

PHP professionals looking for PHP jobs
http://www.phpclasses.org/professionals/

PHP Classes - Free ready to use OOP components written in PHP
http://www.phpclasses.org/

Re: Contact Form Spam

On Jan 23, 11:44 pm, Manuel Lemos wrote:
> Hello,
>
> on 01/24/2008 02:40 AM Shelly said the following:
>
>
>
> >>> The email is only sent to the site owner, so the spammer has no way of
> >>> knowing what the email should look like. That tells me that they have
> >>> to be going through the form. Yet the proper email has an echo of
> >>> generated security code. The spam email has that field empty. So,
> >>> that says he can't be going through the form.
> >>> It seems to me that they must:
> >>> 1 - Somehow diverting a legitimate email so that copy is sent to
> >>> them.
> >>> 2 - Using that email copy to create a template and modify the output
> >>> so that junk is sent.
> >>> I really don't know how they are doing it.
> >> If you are not using a good CAPTCHA, I am not sure what you mean by
> >> security codes.
>
> >> Anyway, I suspect that your code has a common vulnerability of contact
> >> forms which is to not properly encode information that goes to message
> >> headers. This means that if the abuser inserts a well throught character
> >> sequences, he may make your script compose a message that uses your mail
> >> server to send spam to anybody in the world.
>
> >> It is hard to advise without seeing your script. Anyway, I recommend
> >> using a component that knows how to properly encode or escape malicious
> >> character sequences to avoid abuses like your suffering.
>
> >> I use this MIME message composing and sending class that is well aware
> >> of all the e-mail standards that are necessary to compose messages
> >> properly. You may want to use it to avoid the abuses.
>
> >>http://www.phpclasses.org/mimemessage
>
> > I use the class htmlMimeMail fromhttp://www.phpguru.org/by Richard
>
> I have not studied that class. I don't know if it properly encodes
> message headers.
>
> > Heyes. The security code is just a randomly generated string of 6
> > characters. I am not using a CAPTCHA. I guess I will have to.
>
> That may explain it. Even some CAPTCHAs can be bypassed with good OCR
> scripts. But even a basic CAPTCHA can raise the bar hard enough to make
> your abuser give up.

But with or without a CAPTCHA, they still need to get the text that is
checked by me before sending the email. I put that text (both what I
asked for and what they put in) into the email that is sent. The
email that we received from them had those fields empty. Wouldn't
they have been filled with their correct determination of the code?

Re: Contact Form Spam

Hello,

on 01/24/2008 02:49 AM Shelly said the following:
>>>>> The email is only sent to the site owner, so the spammer has no way of
>>>>> knowing what the email should look like. That tells me that they have
>>>>> to be going through the form. Yet the proper email has an echo of
>>>>> generated security code. The spam email has that field empty. So,
>>>>> that says he can't be going through the form.
>>>>> It seems to me that they must:
>>>>> 1 - Somehow diverting a legitimate email so that copy is sent to
>>>>> them.
>>>>> 2 - Using that email copy to create a template and modify the output
>>>>> so that junk is sent.
>>>>> I really don't know how they are doing it.
>>>> If you are not using a good CAPTCHA, I am not sure what you mean by
>>>> security codes.
>>>> Anyway, I suspect that your code has a common vulnerability of contact
>>>> forms which is to not properly encode information that goes to message
>>>> headers. This means that if the abuser inserts a well throught character
>>>> sequences, he may make your script compose a message that uses your mail
>>>> server to send spam to anybody in the world.
>>>> It is hard to advise without seeing your script. Anyway, I recommend
>>>> using a component that knows how to properly encode or escape malicious
>>>> character sequences to avoid abuses like your suffering.
>>>> I use this MIME message composing and sending class that is well aware
>>>> of all the e-mail standards that are necessary to compose messages
>>>> properly. You may want to use it to avoid the abuses.
>>>> http://www.phpclasses.org/mimemessage
>>> I use the class htmlMimeMail fromhttp://www.phpguru.org/by Richard
>> I have not studied that class. I don't know if it properly encodes
>> message headers.
>>
>>> Heyes. The security code is just a randomly generated string of 6
>>> characters. I am not using a CAPTCHA. I guess I will have to.
>> That may explain it. Even some CAPTCHAs can be bypassed with good OCR
>> scripts. But even a basic CAPTCHA can raise the bar hard enough to make
>> your abuser give up.
>
> But with or without a CAPTCHA, they still need to get the text that is
> checked by me before sending the email. I put that text (both what I
> asked for and what they put in) into the email that is sent. The
> email that we received from them had those fields empty. Wouldn't
> they have been filled with their correct determination of the code?

It is hard to even understand the context of all what you are saying
without seeing your code.

If you put the text in the form page, it is very easy to retrieve the
page, get the code and emulate the form submission with the code in it.
With CAPTCHA that would be harder.

If you say you verify the presence of the correct code, maybe you are
not doing it correctly.

--

Regards,
Manuel Lemos

PHP professionals looking for PHP jobs
http://www.phpclasses.org/professionals/

PHP Classes - Free ready to use OOP components written in PHP
http://www.phpclasses.org/

Re: Contact Form Spam

On Jan 23, 11:57 pm, Manuel Lemos wrote:
> Hello,
>
> on 01/24/2008 02:49 AM Shelly said the following:
>
>
>
> >>>>> The email is only sent to the site owner, so the spammer has no way of
> >>>>> knowing what the email should look like. That tells me that they have
> >>>>> to be going through the form. Yet the proper email has an echo of
> >>>>> generated security code. The spam email has that field empty. So,
> >>>>> that says he can't be going through the form.
> >>>>> It seems to me that they must:
> >>>>> 1 - Somehow diverting a legitimate email so that copy is sent to
> >>>>> them.
> >>>>> 2 - Using that email copy to create a template and modify the output
> >>>>> so that junk is sent.
> >>>>> I really don't know how they are doing it.
> >>>> If you are not using a good CAPTCHA, I am not sure what you mean by
> >>>> security codes.
> >>>> Anyway, I suspect that your code has a common vulnerability of contact
> >>>> forms which is to not properly encode information that goes to message
> >>>> headers. This means that if the abuser inserts a well throught character
> >>>> sequences, he may make your script compose a message that uses your mail
> >>>> server to send spam to anybody in the world.
> >>>> It is hard to advise without seeing your script. Anyway, I recommend
> >>>> using a component that knows how to properly encode or escape malicious
> >>>> character sequences to avoid abuses like your suffering.
> >>>> I use this MIME message composing and sending class that is well aware
> >>>> of all the e-mail standards that are necessary to compose messages
> >>>> properly. You may want to use it to avoid the abuses.
> >>>>http://www.phpclasses.org/mimemessage
> >>> I use the class htmlMimeMail fromhttp://www.phpguru.org/byRichard
> >> I have not studied that class. I don't know if it properly encodes
> >> message headers.
>
> >>> Heyes. The security code is just a randomly generated string of 6
> >>> characters. I am not using a CAPTCHA. I guess I will have to.
> >> That may explain it. Even some CAPTCHAs can be bypassed with good OCR
> >> scripts. But even a basic CAPTCHA can raise the bar hard enough to make
> >> your abuser give up.
>
> > But with or without a CAPTCHA, they still need to get the text that is
> > checked by me before sending the email. I put that text (both what I
> > asked for and what they put in) into the email that is sent. The
> > email that we received from them had those fields empty. Wouldn't
> > they have been filled with their correct determination of the code?
>
> It is hard to even understand the context of all what you are saying
> without seeing your code.
>
> If you put the text in the form page, it is very easy to retrieve the
> page, get the code and emulate the form submission with the code in it.
> With CAPTCHA that would be harder.

Exactly. If they put the code in it (assuming they got it), and since
I put it in the email that is sent (both what they put in and what I
asked for), why would the email they send not have anything in either
field in the email?


>
> If you say you verify the presence of the correct code, maybe you are
> not doing it correctly.

It is done correctly. I tested this about twenty times. It only
succeeds if the code that is typed in is the same as the one asked
for. BTW, every time the page is presented there is a different set
of 6 characters.

Shelly

Re: Contact Form Spam

Hello,

on 01/24/2008 03:03 AM Shelly said the following:
>> If you put the text in the form page, it is very easy to retrieve the
>> page, get the code and emulate the form submission with the code in it.
>> With CAPTCHA that would be harder.
>
> Exactly. If they put the code in it (assuming they got it), and since
> I put it in the email that is sent (both what they put in and what I
> asked for), why would the email they send not have anything in either
> field in the email?
>
>
>> If you say you verify the presence of the correct code, maybe you are
>> not doing it correctly.
>
> It is done correctly. I tested this about twenty times. It only
> succeeds if the code that is typed in is the same as the one asked
> for. BTW, every time the page is presented there is a different set
> of 6 characters.

It seems you have a bug that only you can figure because only you know
your code. Maybe we can help you can show your code.

--

Regards,
Manuel Lemos

PHP professionals looking for PHP jobs
http://www.phpclasses.org/professionals/

PHP Classes - Free ready to use OOP components written in PHP
http://www.phpclasses.org/

Re: Contact Form Spam

On Jan 24, 12:09 am, Manuel Lemos wrote:
> Hello,
>
> on 01/24/2008 03:03 AM Shelly said the following:
>
>
>
> >> If you put the text in the form page, it is very easy to retrieve the
> >> page, get the code and emulate the form submission with the code in it.
> >> With CAPTCHA that would be harder.
>
> > Exactly. If they put the code in it (assuming they got it), and since
> > I put it in the email that is sent (both what they put in and what I
> > asked for), why would the email they send not have anything in either
> > field in the email?
>
> >> If you say you verify the presence of the correct code, maybe you are
> >> not doing it correctly.
>
> > It is done correctly. I tested this about twenty times. It only
> > succeeds if the code that is typed in is the same as the one asked
> > for. BTW, every time the page is presented there is a different set
> > of 6 characters.
>
> It seems you have a bug that only you can figure because only you know
> your code. Maybe we can help you can show your code.
>
> --
>
> Regards,
> Manuel Lemos
>
> PHP professionals looking for PHP jobshttp://www.phpclasses.org/professionals/
>
> PHP Classes - Free ready to use OOP components written in PHPhttp://www.phpclasses.org/

The calling code is (The constants are defined earlier. Also, $fld is
an instance of a class that contains information about all of the
fields on the form. The last three are not on the form and the
security field was not part of $fld.)
====================
$mail = new htmlMimeMail();
$mail->setFrom(MAIL_FROM);
$mail->setBcc(MAIL_CC);
$mail->setSubject(MAIL_SUBJECT);
$i = 0;
$message = "";

$html = '' .
'From: ' . MAIL_FROM . ' '.com>
' .
'Sent: ' . MAIL_SENT . "
" .
'To: ' . MAIL_TO . "
" .
'Subject: ' . MAIL_SUBJECT . "
" .
'

Re: Contact Form Spam

Hello,

on 01/24/2008 03:21 AM Shelly said the following:
> The calling code is (The constants are defined earlier. Also, $fld is
> an instance of a class that contains information about all of the
> fields on the form. The last three are not on the form and the
> security field was not part of $fld.)
> ====================
> $mail = new htmlMimeMail();
> $mail->setFrom(MAIL_FROM);
> $mail->setBcc(MAIL_CC);
> $mail->setSubject(MAIL_SUBJECT);
> $i = 0;
> $message = "";
>
> $html = '' .
> 'From: ' . MAIL_FROM . ' > '.com>
' .
> 'Sent: ' . MAIL_SENT . "
" .
> 'To: ' . MAIL_TO . "
" .
> 'Subject: ' . MAIL_SUBJECT . "
" .
> '

Re: Contact Form Spam

On Jan 24, 5:33=A0am, Manuel Lemos wrote:
> Hello,
>
> on 01/24/2008 03:21 AM Shelly said the following:
>
>
>
>
>
> > The calling code is (The constants are defined earlier. =A0Also, $fld is=

> > an instance of a class that contains information about all of the
> > fields on the form. =A0The last three are not on the form and the
> > security field was not part of $fld.)
> > ====================
> > $mail =3D new htmlMimeMail();
> > $mail->setFrom(MAIL_FROM);
> > $mail->setBcc(MAIL_CC);
> > $mail->setSubject(MAIL_SUBJECT);
> > $i =3D 0;
> > $message =3D "";
>
> > $html =3D '' .
> > =A0 =A0'From: ' . MAIL_FROM =A0. ' ROM .
> > '.com>
' .
> > 'Sent: ' . MAIL_SENT . "
" .
> > 'To: ' . MAIL_TO . "
" .
> > 'Subject: ' . MAIL_SUBJECT . "
" .
> > '

Re: Contact Form Spam

>> Or, you're not checking the security field before sending the email.
>
> Of **COURSE** I am. [I even tested it :-) --- and many times].

Well, Jerry is right, you know. If the mail gets sent without the field
being filled in, there is something wrong with your check. AND with your
tests.

> Filling in all the fields and either leaving that one empty, or with
> the wrong info, prevents an email from being sent and the page is
> presented again so that the user can fill it in properly.

Take one step back. A code is presented (generated by your page). That
code has to be stored somewhere to do the check later, doesn't it? Where
do you store it? In the session? In that case, the code in the session
is an empty string (not true, but your server settings can make it act
like it) whenever you post the form directly (thereby starting a
session) without first seeing the form and the code.

Also, you say there are no addresses on the form. Any header field (like
a subject) will do to do spamming, if you don't check things. However,
if it sent to you and your address is not in the page, it is most likely
that your security mechanism just fails.

>
> Jerry, why in the world would I go throught the trouble of generating
> a security field if I weren't testing for its accuracy? That would be
> just plain stupid.


To err is human, not stupid. To ask questions can even be considered
wise. To point others at there errors can be either helpful or annoying.
You decide ;)

Good luck!

Re: Contact Form Spam

Shelly wrote:

> $_POST['securityHidden']

This is your problem.

--
Toby A Inkster BSc (Hons) ARCS
[Geek of HTML/SQL/Perl/PHP/Python/Apache/Linux]
[OS: Linux 2.6.17.14-mm-desktop-9mdvsmp, up 24 days, 21:18.]

CSS to HTML Compiler
http://tobyinkster.co.uk/blog/2008/01/22/css-compile/

Re: Contact Form Spam

On Jan 24, 5:06 am, Toby A Inkster
wrote:
> Shelly wrote:
> > $_POST['securityHidden']
>
> This is your problem.
>

Why is this the problem? Here is the code:


$securityCodeDisplay; ?>:




I display a space separated version of the $securityCode
($securityCodeDisplay) and store the code in a hidden field,
securityHidden, on the form so that when it posts back, I can compare
it with the value that they type in text field, securityCode.

If this is the problem, why is the problem and how do I change it?

Shelly