PXS Mail Form - WP Plugin
This is the archive of comments left for the PXSmail plugin. They were moved here to help the page load speeds.
Return to the current page for comments and info here.

#150
OK, that's fine. So just to confirm, for the ‘referrer checking’, the script should check that the POST data originated on the server itself, and if there are any red flags raised anywhere, the script should just stop and not bother to send the junk?
Comment by Phrixus — 14/9/2005 @ 7:59 am
#149
No, I don’t think logging is that important, at least not for me and the clients I have set up with WP and this great plugin.
Comment by Justin Perkins — 14/9/2005 @ 3:06 am
#148
Good points Justin, would it also be useful to maintain a basic log perhaps that could be viewed in the control panel? Something along the lines of registering the number of mails sent, the number that were red flagged and the number of mails that didn’t pass the referrer check? If so, would just a basic count be preferable or a more detailed output?
Comment by Phrixus — 13/9/2005 @ 10:12 pm
#147
Just checking the HTTP_REFERER server variable is all that is needed, maybe comparing it against some other server variables like SERVER_NAME and/or SCRIPT_NAME would be a good comparison that doesn’t require hardcoding the expected referring URL.
I would even go so far as to raise a red flag not to send the email at all if any fields have a carriage return in them (except the message field). Maybe that’s a better approach since just stripping unwanted characters doesn’t stop the spam from arriving in my inbox.
Comment by Justin P — 13/9/2005 @ 8:54 pm
#146
Hi Justin, the post does not do any referrer checking. If you have any ideas for implementing this, I would be happy to look into it.
Comment by Phrixus — 12/9/2005 @ 10:12 pm
#145
Thanks for the quick response Phrixus, I’m curious if your update does any referrer checking on the post?
I’ve fixed the carriage return vulnerability, but am still getting flooded with junk mail from kiddies attempting to exploit this issue.
Comment by Justin P — 12/9/2005 @ 9:30 pm
#144
PXS Mail Form
Phrixus has updated their email contact form plugin, built off of Ryan Duff’s excellent wp-contactform plugin. PXS includes additional checks over the original plugin, as well as the option to turn off the embedded CSS, and use your own.
…
Trackback by WordPress Station — 12/9/2005 @ 7:04 pm
#143
PLUGIN UPDATED
See the main post above for details of changes and the option to download the new version.
Comment by Phrixus — 12/9/2005 @ 6:50 pm
#142
This contact form is vulnerable to form hacking, explained better here:
http://www.anders.com/cms/75/Crack.Attempt/Spam.Relay
A new version should be released ASAP to correct this gaping vulnerability.
Comment by Justin Perkins — 12/9/2005 @ 3:27 am
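A worked illustration of the two checks Justin proposes in #147 (comparing the referrer host against SERVER_NAME rather than a hardcoded URL, and refusing to send at all when any header-bound field contains a carriage return), applied to the carriage-return problem reported in #142 and #145. This is an added example, not the PXS Mail Form plugin's own code; the function names, the layout of the `$fields` array and the sample `$server`/`$_POST` values are constructed for the illustration.

```php
<?php
// Added example, not PXS Mail Form code. Function names, the $fields layout
// and the sample submissions below are constructed for illustration.

// Referrer check from comment #147: the Referer host must match this server.
// SERVER_NAME is the primary comparison; HTTP_HOST (minus any :port suffix)
// is also accepted because virtual-host setups can make the two differ.
function pxs_referer_ok(array $server): bool
{
    if (empty($server['HTTP_REFERER'])) {
        return false; // a missing referrer counts as a red flag
    }
    $host = parse_url($server['HTTP_REFERER'], PHP_URL_HOST);
    if (!is_string($host) || $host === '') {
        return false; // unparseable referrer
    }
    $allowed = [];
    foreach (['SERVER_NAME', 'HTTP_HOST'] as $key) {
        if (!empty($server[$key])) {
            $allowed[] = strtolower(preg_replace('/:\d+$/', '', $server[$key]));
        }
    }
    return in_array(strtolower($host), $allowed, true);
}

// Carriage-return check from comment #147: every field except the message
// body ends up inside a mail header, so a CR, LF or NUL there is a red flag.
function pxs_red_flags(array $fields, string $body_field = 'message'): array
{
    $flags = [];
    foreach ($fields as $name => $value) {
        if ($name === $body_field) {
            continue;
        }
        if (preg_match('/[\r\n\0]/', (string) $value)) {
            $flags[] = "line break in field '$name'";
        }
    }
    return $flags;
}

// Decide whether to send. Returns ['send' => true, 'headers' => ...] only when
// both checks pass; otherwise the reasons, so the caller can simply stop.
function pxs_check_submission(array $server, array $fields): array
{
    $reasons = pxs_red_flags($fields);
    if (!pxs_referer_ok($server)) {
        $reasons[] = 'referrer does not match this server';
    }
    if ($reasons) {
        return ['send' => false, 'reasons' => $reasons];
    }
    // Headers are built only from fields already known to be single-line.
    $headers = 'From: ' . $fields['name'] . ' <' . $fields['email'] . ">\r\n"
             . 'Reply-To: ' . $fields['email'] . "\r\n";
    return ['send' => true, 'headers' => $headers];
}

// Constructed sample data standing in for $_SERVER and $_POST.
$server = [
    'SERVER_NAME'  => 'blog.example',
    'HTTP_HOST'    => 'blog.example:8080',
    'HTTP_REFERER' => 'http://blog.example/contact/',
];
$good = ['name' => 'Bob', 'email' => 'bob@example.invalid',
         'message' => "Hi,\nline two is fine in the body."];
$bad  = ['name' => "Bob\r\nX-Constructed: header", 'email' => 'bob@example.invalid',
         'message' => 'hello'];

print_r(pxs_check_submission($server, $good)); // send => true
print_r(pxs_check_submission($server, $bad));  // send => false, one red flag
$server['HTTP_REFERER'] = 'http://elsewhere.example/';
print_r(pxs_check_submission($server, $good)); // send => false, referrer mismatch
```

The line-break rejection is the part that actually closes the header-injection hole: a single-line field cannot introduce extra mail headers no matter what else it contains. The referrer comparison is only a nuisance filter, since a script can send any Referer value it likes (or none), so it should be layered on top of the field check rather than relied on alone.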
#141
Phrixus, I feel like an idiot but I figured out the problem. I had copied the options-pxsmail.php into the /wp-content/plugins/ directory and not the /wp-admin/ directory. So should anyone else do a bonehead install of this plugin, the fix would be to follow the instructions more carefully. Works great now, Thanks.
Comment by Jason — 12/9/2005 @ 1:35 am