Gossamer Forum: General: Perl Programming: NMS Formmail

Jan 14, 2011, 1:19 AM

socrates

Enthusiast (832 posts)

Jan 14, 2011, 1:19 AM

Post #1 of 6

Shortcut

NMS Formmail

Is anyone familiar with NMS formmail http://nms-cgi.sourceforge.net/

It is widely used as a replacement for old matt's formmail (but not updated for a while). I have been using NMS formmail for a long time but lately I am getting someone filling in the form to send spam.
I want them not to be able to send email without disclosing their env_variable such as Remote Address (which most spammers hide).

1) Is there way to make sure that they can't fill the form/send it, if they are hiding/not disclosing their Remote Address (IP address).

2) Is there way to make sure they don't fill in any HTML in the form or alternatively I can just block certain strings via an additional sub.

Thanks in Advance

Last edited by:

socrates: Jan 14, 2011, 1:21 AM

Jan 14, 2011, 6:14 AM

Andy

Veteran / Moderator (18441 posts)

Jan 14, 2011, 6:14 AM

Post #2 of 6

Shortcut

Re: [socrates] NMS Formmail In reply to

Without going too in depth with that script, I see you have this in /lib/CGI/NMS/Validator.pm:

Code:
sub validate_email { 
  my ($self, $email) = @_; 

  $email =~ /^([a-z0-9_\-\.\*\+\=]{1,100})\@([^@]{2,100})$/i or return 0; 
  my ($user, $host) = ($1, $2); 

  return 0 if $host =~ m#^\.|\.$|\.\.#; 

  if ($host =~ m#^\[\d+\.\d+\.\d+\.\d+\]$# or $host =~ /^[a-z0-9\-\.]+$/i ) { 
     return "$user\@$host"; 
   } 
   else { 
     return 0; 
  } 
}

Simple thing would be to add this in:

Code:
sub validate_email { 
  my ($self, $email) = @_; 

if ($ENV{REMOTE_ADDR} !~ /\d+\.\d+\.\d+\.\d+/) { 
      return 0; 
  }

  $email =~ /^([a-z0-9_\-\.\*\+\=]{1,100})\@([^@]{2,100})$/i or return 0; 
  my ($user, $host) = ($1, $2); 

  return 0 if $host =~ m#^\.|\.$|\.\.#; 

  if ($host =~ m#^\[\d+\.\d+\.\d+\.\d+\]$# or $host =~ /^[a-z0-9\-\.]+$/i ) { 
     return "$user\@$host"; 
   } 
   else { 
     return 0; 
  } 
}

Cheers

Jan 17, 2011, 11:25 PM

socrates

Enthusiast (832 posts)

Jan 17, 2011, 11:25 PM

Post #3 of 6

Shortcut

Re: [Andy] NMS Formmail In reply to

Thanks Andy, will try that. I was able to stop users via .htaccess, who don't disclose their IP address and I think it is working (I haven't received the spam from that a****** for the last 3-4 days).

Jan 18, 2011, 12:15 AM

Andy

Veteran / Moderator (18441 posts)

Jan 18, 2011, 12:15 AM

Post #4 of 6

Shortcut

Re: [socrates] NMS Formmail In reply to

Hi

NP =)

Mind sharing how you did it in the htaccess rules? Be interesting to see, in case I need to do it (or anyone else Wink

) in the future

Cheers

Andy (mod)
andy@ultranerds.co.uk

Jan 20, 2011, 3:06 AM

socrates

Enthusiast (832 posts)

Jan 20, 2011, 3:06 AM

Post #5 of 6

Shortcut

Re: [Andy] NMS Formmail In reply to

Simple - just added this after rewrite rules - don't know what the downside to it is. Also, eariler I was not making users to fill in the email field in the NMS form but made that required. After doing both no spam so far from that spammer - so, either or seems to be working.

#block if they don't disclose env variables
#RewriteCond %{HTTP_USER_AGENT} ^$ [NC]
RewriteCond %{HTTP_REFERER} ^$ [NC]
RewriteCond %{REMOTE_ADDR} ^$ [NC]
RewriteRule .* - [F]

Jan 20, 2011, 3:46 AM

Andy

Veteran / Moderator (18441 posts)

Jan 20, 2011, 3:46 AM

Post #6 of 6

Shortcut

Re: [socrates] NMS Formmail In reply to

Ah ok cool =) Will save this, as I'm sure I'll have a need for similar stuff at some point too. Its amazing how much spam you get on blogs/forums now :(

Cheers

Andy (mod)
andy@ultranerds.co.uk