[pmwiki-users] EMail Form Spam

Patrick R. Michaud pmichaud at pobox.com
Fri Feb 9 14:55:34 CST 2007


On Fri, Feb 09, 2007 at 02:49:45PM -0500, Sandy wrote:
> 2007-02-09 14:36:35 - 66.79.163.226 -  -  - emailform - Main.Feedback
> It even matches with a spam received through the wiki email address.
> 
> Strange thing is, Main.Feedback doesn't exist anymore. I moved the page 
> to its own group ages ago.
> 
> I'm using Emailform-s , which supposedly requires entry of a three-digit 
> random code, but it looks like the spammer is circumventing that entirely.

Actually, the way that emailform-s is written it's not at all hard for
a spammer to circumvent the random code.  All the spammer has to do
is to submit a form where the 'ACodeReturn' hidden field matches
the 'ACodeEntered' field.  The spammer can even use any code he/she/it
wants -- all the recipe is doing on the receiving end is checking
that the two fields match.  (In fact, if the spammer just leaves
both fields off entirely the recipe will deliver the message.)

> Any ideas? Not the biggest source of spam I get, but I'd like to squash it.

I think the mailform recipe probably needs some re-working from scratch,
especially to take advantage of some of PmWiki 2.2's new features.
I've also been toying with the idea of creating a (:input captcha:)
control that can be placed in forms to perform captcha-like verification.

Pm



More information about the pmwiki-users mailing list