Do I need to take precautions against auto spamming when including a mailto: method? (I want it to be as easy but optimal to e-mail me a request for information.)
If so, is the strategy to assure a human interaction?
If that is so, can one simply include an image of a fuzzy number/letter combination and ask the reader in a quasi-apologetic tone to enter that number in the subject line... lest the message be lost forever in the sea of deletion? Is that utterly tasteless and ineffective?
What do web authors/developers commonly do in this situation? Thanks.
rbfree wrote:Do I need to
Do I need to take precautions against auto spamming when including a mailto: method?
Absolutely, unless you have a very good spam filter or high tolerance for spam.
If that is so, can one simply include an image of a fuzzy number/letter combination and ask the reader in a quasi-apologetic tone to enter that number in the subject line... lest the message be lost forever in the sea of deletion? Is that utterly tasteless and ineffective?
I think that method would be very ineffective - both for real users and spambots. I think it unlikely that a real user would notice your message, and very few would bother to enter the contents of the fuzzy image into their email since there would be no way of forcing them to do so.
Since the email address in a mailto: link is plain text, using a mailto: is a sure way to publish that email address to all the world. Even if you ignore all emails to that address, you've notified all the world of a domain through which new email addresses might be guessed. At the least, I'd only use a throw-away address and domain in a mailto: link.
What do web authors/developers commonly do in this situation? Thanks.
The best method in this day and age is to have visitors fill out a form for sending an email. You can then process the form on the server to pass spam tests, and clean it of dangerous hack attempts. It's also effective to have your fuzzy image (commonly known as a CAPTCHA) on the page with the form, and the form is not submitted if the CAPTCHA is answered incorrectly.
thnx, one more question
Thanks for this tip. I think I can work it out given a bit of time. Will this require server side programming, or could it be done in javascript?
In the meantime, what are your thoughts about simply making an image with my e-mail address... such that an interested person could manually jot/type it? Thnx sincerely.
It would be done with server
It would be done with server side programming. PHP's send mail has always worked well for me. You should investigate what options your host provides. I don't know of a way it could be done with JavaScript.
contact form
Hi rbfree,
Katie's suggestion to use a contact form is a good one. It will require server side scripting such as PHP. You should be able to get a free script somewhere to meet your requirements.
Using an image will be inaccessible to visually impaired users, unless you add your email address to the alt attribute, which could then be picked up by the email harvesting bots.
Stick with a form; then, once you reply to their initial question, they will have your email address if they need it.
Katie wrote:It would be done
It would be done with server side programming. PHP's send mail has always worked well for me. You should investigate what options your host provides. I don't know of a way it could be done with JavaScript.
I am using an HTML form page that actions to a PHP page that contains the code
mail("[email protected]", $subject, $message, $from);
Is this enough/what you are referring to? I was curious as it is still code on the page.
dugal wrote: I am using a
I am using an HTML form page that actions to a PHP page that contains the code
mail("[email protected]", $subject, $message, $from);
If that's all the code, you are courting utter disaster. The PHP "mail" function by itself provides no security at all. Might as well use a "mailto" link for all it helps.
Dugal, Yeah, that's the
Dugal,
Yeah, that's the basic form. Remember that PHP code isn't exposed to the browser. I do run each of the variables through a "cleaner" function.
There are not any hacks that
There are not any hacks that I am aware of that could be used against the mail command; PHP can never be seen by the end user (there is a function that you can use, but only if needed - e.g. for a hitcounter service). Your email will never be seen.
benracer wrote:There are not
There are not any hacks that I am aware of that could be used against the mail command; PHP can never be seen by the end user (there is a function that you can use, but only if needed - e.g. for a hitcounter service). Your email will never be seen.
This is a problem. You're quite possibly assuming your knowledge in this area is better than it is.
The PHP mail() function performs no parameter checking and it conforms closely to the SMTP specification. It is possible to pass multiple SMTP header fields in the fourth parameter field. This is by design. However it can allow a malicious user to take advantage of poor input filtering to send the contact email to thousands of recipients when the fourth parameter is used for a "From:" field. If you do intend to pass the user submitted email address as the "From:" you must filter the input to ensure you have a single, conforming email address.
There are at least two threads on this forum which discuss contact form mailers in some detail. There is also plenty of information on the internet of PHP vulnerabilities including what can happen when using the mail() function.
stop gap
Thanks for the above. I'll have to break my solution into short and medium-term.
For the short term, I'll use the image approach. In general, as my telephone number will be on the page, I will be somewhat accessible to visually impaired readers. I hope to get the page up by February (looks feasible).
In the medium term, I plan to start learning about PHP in February. I have a task in the interim that will require some javascript and then I'll dive into PHP, which I need to do for other reasons. Eventually, most of my applications will be server side, as that's the nature of what I want to get done. With a basic understanding of PHP, I can implement the above and know about what I'm doing.
Thanks again for helping me learn this stuff -- rbfree
benracer wrote:There are not
There are not any hacks that I am aware of that could be used against the mail command; PHP can never be seen by the end user (there is a function that you can use, but only if needed - e.g. for a hitcounter service). Your email will never be seen.
That you are not aware of the problems doesn't make them go away or cease to exist. It does make you somewhat more likely to get gulled into a big security breach, though.
Every book I have read on PHP that mentions the "mail" function warns against its insecurity.
benracer wrote:There are not
There are not any hacks that I am aware of that could be used against the mail command; PHP can never be seen by the end user (there is a function that you can use, but only if needed - e.g. for a hitcounter service). Your email will never be seen.
In case you're interested, see email injection - secure php.
cheers,
gary
Benracer you clearly do not
Benracer, you clearly do not do enough googling and studying; never assume that 'as far as I'm aware' is a safe bet for proceeding on. If you're going to use server side scripting, be damned sure you know what you're doing, and the absolute first port of call is security and vulnerabilities, before you go about uploading unsafe scripts to the net. This is an issue of responsibility. Scripting/programming has many dangers, especially if you are uploading to shared hosting, where you could stand to put everyone at risk; with the mail function you stand to add to the general problems that beset email across the internet.
Yes, There are problems with
Yes, there are problems with the headers being passed, and you can even put it in a loop to send spam, but can anyone confirm if the SMTP server can be hacked - like in MySQL, where an escape is needed to prevent user access?
The MySQL problem is the
The MySQL problem is the same as the mail() problem. A user being able to specifically craft the data submitted by a form to subvert the server script. In MySQL you need to process the user input to ensure it can be safely added as data in your SQL statements, this normally means escaping any single quotes. In contact forms it normally means rejecting any data for the from & subject fields that include new lines. And while you're at it any user data echoed back to the browser needs to be filtered for <, > and possibly quotes to prevent cross-site scripting.
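A contact-form mailer that applies the advice in the two posts above (filter the "From:" to a single conforming address, reject newlines in the from and subject fields), as an added example that is not code posted in this thread. The function names and the example.com addresses are placeholders of my own, and it assumes PHP 7.1 or later.

```php
<?php
// Added example, not code from the thread: a mailer that refuses the header
// injection discussed above. Function names are my own.

// Reject any header-bound value that could start a new header line.
function clean_header_value(string $value, int $maxLen = 100): ?string
{
    $value = trim($value);
    if ($value === '' || strlen($value) > $maxLen) {
        return null;
    }
    // CR, LF and NUL are the characters that let user input add headers
    // (e.g. extra "Bcc:" lines) to the message.
    if (preg_match('/[\r\n\0]/', $value)) {
        return null;
    }
    return $value;
}

// Accept exactly one syntactically valid address and nothing else.
function clean_email(string $value): ?string
{
    $value = trim($value);
    if (filter_var($value, FILTER_VALIDATE_EMAIL) === false
        || preg_match('/[\r\n\0,;<>]/', $value)) {
        return null;
    }
    return $value;
}

$name    = clean_header_value($_POST['name'] ?? '');
$subject = clean_header_value($_POST['subject'] ?? '');
$from    = clean_email($_POST['email'] ?? '');
$message = (string) ($_POST['message'] ?? '');

if ($name === null || $subject === null || $from === null || trim($message) === '') {
    http_response_code(400);
    echo 'Please fill in every field, with a single valid e-mail address and no line breaks.';
    exit;
}

// The body is not parsed as headers, but normalising its line endings keeps
// the message well-formed for mail().
$body = "This message is from {$name} <{$from}>.\n\n"
      . str_replace(["\r\n", "\r"], "\n", $message);

// From: is our own address (placeholder); the visitor's validated address goes
// in Reply-To, so replying still works and the message passes SPF/DMARC checks.
$headers = "From: contact@example.com\r\n"
         . "Reply-To: {$from}\r\n"
         . "Content-Type: text/plain; charset=UTF-8\r\n";

if (!mail('you@example.com', $subject, $body, $headers)) {  // placeholder recipient
    http_response_code(500);
    echo 'Sorry, the message could not be sent.';
    exit;
}

// header() must run before any output: no echo, and no whitespace or text
// before the opening <?php tag, or PHP reports "headers already sent".
header('Location: thanks.php');
exit;
```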
csscr wrote:Hi
Hi rbfree,
Katie's suggestion to use a contact form is a good one. It will require server side scripting such as PHP. You should be able to get a free script somewhere to meet your requirements.
Using an image will be inaccessible to visually impaired users, unless you add your email address to the alt attribute, which could then be picked up by the email harvesting bots.
Stick with a form; then, once you reply to their initial question, they will have your email address if they need it.
Regarding using a contact form I've been using this contact form for a while now. It's been around for a long time, has several advanced features, and is constantly updated.
thanks dhaynes and all
Thanks for the contributions!
is this mailto encrypter beneficial?
Again, thanks for the above. I looked through DHaynes' suggestion but realize that I need to have php under my belt before I work with that solution. (Learning some php is definitely a priority for me ASAP.)
So, I've been looking at some other stop-gap options. I've found a utility on-line that merely scrambles the (my) e-mail address to hex code.
In the context of what I'm doing (a simple web site will have no forms -- merely a simple informational description of a small-business) does this seem like a reasonable approach? If not reasonable, tolerable?
EDIT: Also, would the above approach work if I included subject box content and filtered out all messages without that content in the subject box?
For the moment then you
For the moment, then, you could try this jQuery plugin, which gets you to write an address in the form 'me at example.com'; the script then reads this and defuscates it into a clickable link. It's not foolproof, but then none of these techniques are.
disregard, edited wrong message
Thanks again, Hugo. The more I look into this whole spam issue the more complex and developed I realize it is. I would guess that, on the whole, all this spam erodes efficiency in the larger internet. It's ubiquitous and uses resources.
The encode is needed as
The encode is needed as people can build bots that crawl your site for the mailto tag, your email is usually sold on to a 3rd party and you receive endless spam. You could use this...
Where the contact form would go...
Name:
Subject:
Message:
Create a page called email.php
<?php
$name = $_POST['name'];
$subject = $_POST['subject'];
$message = $_POST['message'];
$message = "This message is from {$name}. " . $message;
mail("[email protected]",$subject,$message);
header("location:index.php");
?>
mail options
There are 2 options for mail from an unknown user.
1) contact form - user fills in a HTML page, your server cleans it of injection attacks, your server sends it to you
2) any form of mailto. You pass your email address to the user and their email system sends whatever they type direct to you.
Under option 1), you have no idea of the validity of their email address because, to the browser and your server, it's just another HTML field.
Under option 2) you have an idea as to their email address (they may lie to you!) but at the cost of exposing your own email address.
At the cost of losing your non-javascript users, you can document.write the mailto: tag. Most web crawlers don't activate javascript and will not see it.
Putting your 'contact us' page under a no-follow link will also cut down on spam.
Only permitting registered users to contact you is the best way IMHO. "We have sent an email to your yahoo account, please reply to that message..."
thanks again
Thanks Tony and benracer. Much to mull over on this thread.
would this work with a contact me link instead of my e-mail
Could I somehow incorporate this script to use a link that merely says "E-mail us" (or something) rather than my e-mail address? What would my strategy be?
EDIT
EDIT - Duplicate post
I would recommend phpbuilder
I would recommend the phpbuilder forum for any help with server side languages.
this php form will not validate
EDIT: My misunderstanding. With some p elements added, no problem.
BenRacer,
This form seems to drive my xhtml validator crazy. Have you tried to validate this?
last clarification
Hugo or others, can you help me understand this instruction from the
http://plugins.jquery.com/project/defuscator
page? How do I "run" the defuscate(_) function? Does "elements containing obfuscated email addresses" refer to the anchor tag that contains my mail-to href? Do I surround the element with script tags? Embed them?
Include the plugin and run the .defuscate() function on the elements containing obfuscated email addresses:
$('p').defuscate();
Thanks yet again. If I can get this last little step, I'm done with this site and I can go back to the learning trenches and start getting a handle on scripting.
Here's the preceding passage.
Obfuscate
For this plugin to defuscate email addresses, you first have to obfuscate them. This is very easy. Instead of writing , you write:
name(put the 'at' sign here)example.com
What goes into the parentheses is up to you. You can even do:
name(replace this paranthese with the 'at' sign to get my email address)example.com
The Defuscator will recognize the obfuscated email address and defuscate it. This also works on mailto links such as:
Email me
Defuscate
Include the plugin and run the .defuscate() function on the elements containing obfuscated email addresses:
$('p').defuscate();
You can create the form any
You can create the form any way; all that's needed is to name the inputs message, name, subject. It needs to post, and the action must direct to email.php. What is the URL of where you have this?
thanks
Thanks for the follow-up BenRacer. How could I test this approach if my site is off-line (merely on my computer, no server)? Don't I need to have the webpage served on-line?
ideally yes but php can be
Ideally yes, but PHP can be installed on your local machine.
this yields a strange result
When I insert a script within the anchor element, I get a strange result -- an email with this text in the "to" box (with my e-mail name ):
put the 'at' sign here
and this is followed by a space and then
So, the script apparently inserts the text within the parens and also the email address... but without the at symbol.
That seems rather strange. What am I doing wrong?
:?
what exactly do you need? is
what exactly do you need? is this site ever going to be live?
yes
I'm trying to test your solution on my page to see if I have it right. However, I realized that since it's not online yet then there is no php server. I'd prefer to have it working before it goes on-line
As soon as I have this task done, I'll go on-line with it. Yahoo.
In my opinion it would be
In my opinion it would be worth paying the little price to get your site properly hosted. Then if you ever expand to a shopping cart/ecommerce or the need for serverside languages, this may be difficult otherwise. I would recommend servage as I have been with them for a long time. http://www.servage.net/?coupon=CUST32535
Start by getting the *MP
Start by getting the *MP stack for your machine. It's available for Windows (WAMP, WAMPP or WIMP), Linux (LAMP) or OSX (MAMP). Search about a bit to make sure the package comes with an installation routine that matches your level of tinkering. I don't think they are all click and go, but some are.
As benracer says, hosting is cheap. There are plenty of hosts that provide PHP, MYSQL and plenty of other extras in hosting packages of less than $5/month.
yes
Yes, I think that would be wise (the web hosting) and I'll do some research on the *MP stack, of which I'm ignorant. I'm just getting into some reading right now on web hosting beyond the little I've already read. I hope to get a hosting service in the next couple of days. (Monday is my target.)
I'd like to get the javascript jquery solution first, however, so I know that I'm somewhat protected before I actually go on-line. Can anyone guide me through that? I just need to know how to connect the contact me link on my page with the javascript function in the .js file. (Ack.)
BTW, "yahoo" above didn't refer to the search engine but to the state of elation I'll experience when I finally have this site on-line, the maiden voyage.
The only problem with js is
The only problem with js is that many users have it disabled, most do not know it as their anti virus/spyware blocker disables it.
that is a problem
Yes, I've been reading that js can be a problem in that regard. How big of a problem do you suppose that is (in terms of proportion)? Though I'd like to have something there at least long enough to get the php script correctly installed I don't insist. If I can't get it handled by Monday, then I suppose I'll either disable contact mail or leave it mail:to and get on the php approach. Any opinion on which way would be best in that regard? In any case, many thanks.
try these
(quote from website)
No Special Server Requirements: Your web hosting server does not need to be able to run scripts; our powerful server processes the form submission, sends you an email with the information and then redirects the visitor to your thank you web page, without the visitor knowing he left your web site. Because of this, our forms work on any kind of web hosting account.
and
http://www.contactify.com/
(quote from website)
People click on it, they can send you a message. And YOU, never reveal your email address. Reduces spam. Guards your privacy. Keeps you contactable.
and, a bit of advice:
When setting up the form (either place) keep this in mind: you can set up a 'disposable' email contact address. In this manner: set up the contact form, the email, then put an automatic forward on THAT email (at your webhost email location) to another address which you will use in making your reply to whomever contacts you. This address can be same domain .... most webhosts allow more than one email address.
That way, if you ever have to change the email address on your website contact form, you can do so quite invisibly without disturbing anyone .... they'll never know, and what they have for you in their address book doesn't change. Just don't forget about the forwarding to an address you actually use.
I also recommend that people do not use the same email contact address in their advertising, business cards, letterheads, etc. as they have on their website. Website email contact addresses can be changed so much more easily ... especially when used with the forwarding technique.
reprieve
thanks (for the) reprieve
Thanks so much. I'll give these a try. As noted, once I get this baby site on-line, I'll get back to reading and grasping. (I seem to be learning slower than I figured... but still learning, nonetheless.) Again, thanks. rbfree
will this script work if
Benracer or others, will the above php script work if I change the form so that "name:", "subject:", and "message:" are the text values for label elements (so I can apply style rules)?
Likewise, will it be a problem using a text area element instead of an input element?
with all php text (strings)
With PHP, all text (strings) must be in quotes; most of the time using double quotes will work. When a variable/input is used, no quotes are needed. So where there is this ...
$_POST['message'];
change it to ...
"my hard code text";
could you clarify?
BenRacer, thanks again. Could you tell me if I understand you correctly? Am I replacing this entire clause?
$subject = $_POST['subject'];
And, what is "my hard code text"? Am I right in thinking that it's the all the text and coding in the (label) element, including the text value between beginning and end tags? So this code in the html doc...
Subject:
would translate to this line in the php doc
$subject = "
Subject:";
?
Another question. Since most of what I plan to do will relate to serving data (in the medium term future), would you recommend spending time with php and skipping javascript?
do I need single quotes for nested text?
In cases like below, using php, do I need to have "yoursubject" and "fixedwidth" in single quotation marks?
$subject = "Subject:";
Ok, The subject that would
Ok,
The subject that would be provided in the form would appear in the header of the message. The PHP mail() function does that for you. The variable $subject contains the text that was inserted into the text box. If you post exactly what you want the email to look like and contain, I will write and annotate the script for you.
thanks and I'd be happy to help with
Thanks for the generous help, BenRacer. I'd be happy to offer service in return, also. If you need proofreading or galley editing, I'd be happy to help you out... whether sentence level (grammar, punctuation, whatever) or structural/organizational editing.
I have lots of experience writing reader-based documents... and lots more tutoring and teaching technical writing and basic comp to undergrad and grad students and business people (usually working on business plans).
As far as the php is concerned, I'd like to fill the subject heading with a simple message, like:
"A comment or request for information"
The message could be blank, but for the purposes of my figuring this stuff out, I'd like to include something like,
"Dear Comprehensive Forestry,
Can you please send me more information?"
BTW, I've put up my index page and about us page to test out the php as currently written. The url is
http://comprehensiveforestry.com/
- This would work,
- This would work,
<?php
$name = $_POST['yourname'];
$subject = $_POST['yoursubject'];
$message = $_POST['yourmessage'];
$message = "This Message Is From {$name}. \r\n" . $message;
mail("[email protected]",$subject,$message);
header("location:index.php");
?>
.. for the contact us form on your site.
got this error
Thanks for the script.
I got this error:
Warning: Cannot modify header information - headers already sent by (output started at /home/compreh1/public_html/phpscripts/email.php:3) in /home/compreh1/public_html/phpscripts/email.php on line 12
Can you help me translate this statement? What's HAL saying here?
In any case, this little temporary obstacle (elevated to minor headache) has helped me to realize how much I need to get the basics of scripting. (It'll take months, but way back when I had fun learning elementary FORTRAN and BASIC.)
For now, the various responses on this thread and those on some other threads but dealing with the same matter all have me convinced that the form approach is preferable and it has me yet more curious. I need to go poke around some more.
In any case, the web site is up, minus the contact functionality, and it seems to be working. Thanks so far.
We will get it working, this
We will get it working; this error usually means that you are trying to redirect but content has already been sent to the browser. Have email.php contain just the script I provided. Then, where it says header("location:index.php"); change index.php to a page that says "email sent" etc.