For example, you can include hundreds of email addresses separated by semicolons in the subject line, and CDOSYS will send the email to each of these email addresses.
You can prevent this by parsing the data submitted for the subject line, shortening the length to, say, 100 characters and removing any semicolons (;).
Using JavaScript to validate the form, or using the size of a textbox, will not work as these are both client-side and can easily be changed by turning off JavaScript in the browser and using a browser plugin to modify the form input fields.
Unless you have modified the CAPTCHA code, they would only be able to submit once before having to generate a new CAPTCHA code and enter it to be able to submit again.
It could well be that they are only submitting once to send the email hundreds of times. I can see from your code that you are not parsing the user input and only using Request to get the data.
This is very dangerous as the data can be submitted using either GET or POST. Also, you are not parsing it to remove any malicious code.
The person submitting the malicious code could easily send a request to the server that contained hundreds of email addresses. Most mail servers, if they receive a list of email addresses separated by semicolons, will send that email to ALL those email addresses in the list.
You should rewrite your code to only allow submissions using POST from a form. You should then also parse the data to remove any malicious code such as semicolons from the email_to field and also any tags < and > from all the fields submitted.
This is the very least you should do to remove any malicious code, as there are lots of different hacking techniques to get mail servers to relay thousands of emails from just a single form submission.
Edited by WebWiz-Bruce - 12 October 2009 at 12:27pm
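The server-side checks described in this reply (POST only, a single address in email_to, no semicolons, a length cap on the subject, angle brackets stripped from every field), as an added example in Python rather than the poster's classic ASP; the field names, limits and sample submissions are constructed for illustration and are not from the original thread.

```python
import re

MAX_SUBJECT_LEN = 100   # cap suggested in the reply
MAX_BODY_LEN = 4000     # assumed cap for the message body

# Constructed pattern: exactly one mailbox, so any separator-joined list fails to match.
SINGLE_ADDRESS = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def clean_text(value, max_len):
    """Strip < and > tags and line breaks from a free-text field, then truncate it."""
    value = value.replace("<", "").replace(">", "")
    value = value.replace("\r", " ").replace("\n", " ")
    return value[:max_len]


def validate_recipient(value):
    """Accept only a single address; reject ';' or ',' separated lists outright."""
    value = value.strip()
    if ";" in value or "," in value or not SINGLE_ADDRESS.match(value):
        raise ValueError("email_to must be a single email address")
    return value


def sanitize_mail_form(method, fields):
    """Return cleaned fields for the mail component, or raise on a bad submission."""
    if method.upper() != "POST":
        raise ValueError("only POST submissions from the form are accepted")
    return {
        "email_to": validate_recipient(fields.get("email_to", "")),
        "subject": clean_text(fields.get("subject", ""), MAX_SUBJECT_LEN),
        "body": clean_text(fields.get("body", ""), MAX_BODY_LEN),
    }


def demo():
    """Constructed submissions: one legitimate, one attempting to relay to a list."""
    good = {"email_to": "sales@example.com", "subject": "<b>Quote</b>", "body": "Hello"}
    relay = {"email_to": "a@example.com;b@example.com;c@example.com", "subject": "x"}
    results = {"good": sanitize_mail_form("POST", good)}
    for name, method, fields in (("relay", "POST", relay), ("get", "GET", good)):
        try:
            sanitize_mail_form(method, fields)
            results[name] = "accepted"
        except ValueError as err:
            results[name] = str(err)
    return results
```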