Using a contact form on your website is very useful as it helps your web site visitors to communicate with you in an easy and simple way. But, there are spammers and hackers who are looking for exploitable web forms. It is essential to secure your form against all ‘holes’ that those hackers are searching for.

How does the spammers/hackers exploit HTML forms?

sender@theirdomain.com%0ABcc:NewRecipient@anotherdomain.com

Adding Captcha to the form

The contact form with CAPTCHA

<form method="POST" name="contact_form"
action="<?php echo htmlentities($_SERVER['PHP_SELF']); ?>"> 

<label for="name">Name: </label>
<input type="text" name="name"
value="<?php echo htmlentities($name) ?>">

<label for="email">Email: </label>
<input type="text" name="email"
value="<?php echo htmlentities($visitor_email) ?>">

<label for="message">Message:</label>
<textarea name="message" rows=8 cols=30>
<?php echo htmlentities($user_message) ?></textarea>

<img src="captcha_code_file.php?rand=<?php echo rand(); ?>"
id="captchaimg" >
<label for="message">Enter the code above here :</label>
<input id="6_letters_code" name="6_letters_code" type="text">

<input type="submit" value="Submit" name="submit">
</form>

Validating the CAPTCHA

When the form is submitted, we compare the value in the session variable(6_letters_code) with the submitted CAPTCHA code( the value in the text field 6_letters_code). If the codes match, then we proceed with emailing the form submission. Else we display an error.

if(isset($_POST['submit']))
{
  if(empty($_SESSION['6_letters_code'] ) ||
    strcasecmp($_SESSION['6_letters_code'], $_POST['6_letters_code'])
      != 0)
  {
      //Note: the captcha code is compared case insensitively.
      //if you want case sensitive match, update the check above to
      // strcmp()
    $errors .= "\n The captcha code does not match!";
  }

  if(empty($errors))
  {
    //send the email
    $to = $your_email;
    $subject="New form submission";
    $from = $your_email;
    $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] 
          : '';

    $body = "A user  $name submitted the contact form:\n".
    "Name: $name\n".
    "Email: $visitor_email \n".
    "Message: \n ".
    "$user_message\n".
    "IP: $ip\n";  

    $headers = "From: $from \r\n";
    $headers .= "Reply-To: $visitor_email \r\n";

    mail($to, $subject, $body,$headers);

    header('Location: thank-you.html');
  }
}

Customizing the CAPTCHA

$image_width = 120;
$image_height = 40;
$characters_on_image = 6;
$font = './monofont.ttf';

//The characters that can be used in the CAPTCHA code.
//avoid confusing characters (l 1 and i for example)
$possible_letters = '23456789bcdfghjkmnpqrstvwxyz';
$random_dots = 0;
$random_lines = 20;
$captcha_text_color="0x142864";
$captcha_noise_color = "0x142864";

Download the code

[Source: http://www.html-form-guide.com/contact-form/html-contact-form-captcha.html]

What is Phishing?

Phishing is a scam initiated via e-mail. Messages are “fishing” for personal and financial information. Most often, e-mails appear to be from reputable companies (internet service providers, telephone companies, etc), banks, and other financial organizations. The e-mail message often gives a story of the bank needing to update its personal information database or a financial institution claiming your personal data had been lost.

Who Phishes?

Hackers and Scammers looking for personal and financial information use phishing as an effective method of gathering information. Phishers imitate legitimate companies in e-mails to entice people to share passwords or credit-card numbers. Recent victims include:

• Bank of America
• Best Buy
• America Online
• eBay
• PayPal
• Washington Mutual
• MSN (Microsoft Network)

History of Phishing

The term phishing comes from the fact that Internet scammers are using increasingly sophisticated lures as they “fish” for users’ financial information and password data. The most common ploy is to copy the Web page code from a major site – such as AOL – and use that code to set up a replica page that appears to be part of the company’s site. (This is why phishing is also called spoofing.) A fake e-mail is sent out with a link to this page, which solicits the user’s credit card data or password. When the form is submitted, it sends the data to the scammer while leaving the user on the company’s site so they don’t suspect a thing.

Avoid Phishing

Fortunately, common sense can save you from giving away your personal information. For example, be aware for the company requesting information. I have received e-mails from banks I have never had business with. Know that your bank or ISP will never ask for your information out of the blue. Banks do not update their databases and misplace information.

Tips To Avoid Phishing

• If you receive an unexpected e-mail saying your account will be shut down unless you confirm your billing information, do not reply or click any links in the e-mail body.
• Look for words misspelled or other grammatical mistakes.
• Before submitting financial information through a Web site, look for the “lock” icon on the browser’s status bar. It means your information is secure during transmission.
• If you are uncertain about the information, contact the company through an address or telephone number you know to be genuine.
• If you unknowingly supplied personal or financial information, contact your bank and credit card company immediately.

Suspicious e-mail can be forwarded to uce@ftc.gov, and complaints should be filed with the state attorney general’s office or through the FTC at www.ftc.gov.

[Reference: StormFront Development]

1. Inadvertent domain expiration: The owner does not renew the name in time and it is snatched up by a domain speculator. This is often caused by failure to receive renewal notices because of out of date contact information.

2. Domain hijacking or theft: A domain hijacker effectively ‘steals’ the domain by submitting a fraudulent registrar transfer request and tricking an unsophisticated domain owner or registrar into giving them control of the name. More sophisticated hijackers can also hack your email address account and, in such way, take control of your account at registrar.

At this point, legal options can be expensive and time consuming. Since the domain has been transferred away from the domain owner’s original registrar, this registrar is often powerless in assisting. Domain hijackers are aware of this and commonly transfer domains to countries far away from the original owner – making legal recourse cost prohibitive.

3. Inaccurate contact information: your name can be cancelled if your domain information is not accurate and you fail to respond to a registrar’s inquiries within fifteen days!!! (Section 3.7.7.2 of ICANN’s Registrar Accreditation Agreement). In the past, this section was seldom enforced, however as of October 2003, ICANN is requiring all registrars to contact their customers on a yearly basis to verify domain information.

Now let’s see how you can protect yourself from these common mistakes.

1. Keep track of your domain names’ expiration dates and keep your contact information up to date: remember that the most of inadvertent domain expirations and many fraudulent transfers are due to out of date contact information.

2. Be careful who is listed in your contact information. You or your organization should always be listed as the organization and administrative contact.

When registering corporate domain names, make sure that the company name is listed as the owner of the domain. Do not allow an outside web site designer or host to be listed as either the domain owner or administrative contact. If possible, the business owner or a senior executive should be listed as administrative contact since this person will be authorized to modify or change ownership of company domain names.

3. Be careful when using free e-mail addresses from services like Hotmail. Many free e-mail services will automatically suspend or delete your e-mail account if you do not log in frequently enough. Once your e-mail account is deleted, a domain hijacker can sign up for your same e-mail address and use it to give permission to transfer your domains away from you.

If possible, avoid using a free e-mail address on your domain records. If you are using a Hotmail account, you may want to consider paying to upgrade your account to exempt you from their 30 day inactivity policy.

As an additional security measure change often your email account and registrar account passwords to avoid hacking.

4. Place a registrar lock on your domain. This will lock your domain record at the registry level and prevent it from being transferred, modified or deleted by a third party. This feature is very helpful in protecting your name against unauthorized transfers and hijacking.

5. Do not reply (or click on any links) in any domain related e-mail correspondence you do not recognize. Also be careful not to reply to any ‘official looking’ renewal notices you receive in the mail from companies you do not recognize. Domain hijackers and unscrupulous registrars have been known to submit mass amounts of transfers hoping that a small percentage of confused registrants will accidentally confirm the transfers. When in doubt, contact your original registrar to verify any suspicious messages.

6. Add your registrar’s domain name to your spam filter’s approved sender list. If you (or your ISP) are using a spam blocking service, you run the risk of not receiving domain renewal notices from your registrar if they are incorrectly categorized. You can prevent this from occuring by adding your registrar to your list of ‘approved senders’. This will automatically bypass any filtering and ensure that all renewal notices make it straight to your inbox.

7. Consider renewing your domain name early and for a longer amount of time. If your domain name is critical to your business and is one you will want for years to come, consider renewing your domain registration in five year increments. This will avoid yearly registration hassles and prevent your domain from accidentally expiring.

[Reference betterwhois.com]

So how to defend your website from spies and hackers?

The first thing to do is pursuing the best programming practice. If your website, like the vast majority nowadays, is developed using php language you can follow these easy steps:

1. Set register_globals to OFF
2. Turn off Display Error/Warning Messages. Set display_error to ZERO.
3. Never run unescaped queries
4. Validate all user inputs. Items on Forms, in URLs and so on
5. Move config.php and files containing Passwords to MySQL to a secure directory outside of the public_html folder
6. Change permissions on any configuration files containing private information such as database passwords or email accounts to 440 so they cannot be written to and so there is no world permissions. If you need to edit them at a later time you will need to change it back to 640.
7. Access Control: You don’t want the user to have access to any Admin function or Clean up scripts
8. The .htaccess file is your friend. Use it to deny access to your site or files. (We also have an easy IP Deny Manager tool in the cpanel)
9. PHP can parse any valid script, whether it is called foo.php, very_long_name.php.php.php, or even deleteme.bat.
* Using the default extension of “.php” means that before your hackers start you have already told them you are using PHP.
* As mentioned, you can use any filename for your scripts – if you are using PHP for every script on your server, consider using the “.html” extension for your scripts and making PHP parse HTML files.
* You can change your file extension by adding this line to the .htaccess or turn it on via the Apache Handlers in the cPanel (AddHandler application/x-httpd-php5 .html)
* To protect against SQL injection attacks Sometimes hackers will try to screw up your database by inserting SQL code into your form input fields. They can for example, insert code that could delete all the data in your database!
* To protect against this, you need to use this PHP function:
* mysql_real_escape_string()
* This function escapes (makes safe) any special characters in a string (programmers call text a ’string’) for MySQL.
10. Example: $name = $_REQUEST['name']; $safe_name = mysql_real_escape_string($name); Now you know the variable $safe_name, is safe to use with your SQL code.
11. Keep the PHP code to yourself. If anyone can see it they can exploit vulnerabilities.
* You should take care to store your PHP files and the necessary passwords to access your MySQL databases in protected files or folders.
* The easy way to do this is to put the database access passwords in a file with a .inc.php extension (such as config.inc.php), and then place this file in a directory which is above the server’s document root (and thus not accessible to surfers of your site).
* Then, refer to the file in your PHP code with a require_once command.
* By doing things this way, your PHP code can read the included file easily but hackers will find it almost impossible to hack your site.

You can find more information about hardening your PHP scripts at: PHPsec.org

Also, for security purposes, you can refer to these two websites:

PHPIDS – Web Application Security 2.0 – Index

BlogSecurity