Send Form Action

As Walter said, the email address is stored in the PHP script used to generate the email from the form contents and send it. This all happens on the server; the visitor’s browser sends the form to the script and then just waits (a very, very small amount of time) for it to finish and respond, which in this case just tells it to “go to the error page” or “go to the success page”.

We had another one this evening, ~30 hrs later.

Does this mean that someone, or a bot, is filling in the form and sending … and if they get an error (CAPTCHA) it doesn’t matter, because they’ve had a split-second to grab the email address via the PHP script?

It means that someone cares enough to deploy the “room full of underpaid bored people” attack against you. The PHP script won’t leak anything. Even if you request it by name, the only thing you should get is a blank page or a cryptic error that doesn’t include the address.

Walter

That’s amazing really. Specifically because my wife’s site is really just a business-card. She doesn’t actually get any work through it. So the only emails she gets really, are the spams. Just a handful of legits over the years.

Do the underpaid bored people get an auto-alert if the email changes? Or if the site changes? How do they know it’s changed? Or was it just a fluke?

I imagine that the bored people are following a script. Once they find a site with a form on it, they come back to it on a regular basis. My own site’s traffic seems to follow this pattern. My contact form has a lot of validation on it that screens out the worst of it, but I still get some very similar messages over and over, week in and week out.

I had a double-check of your wife’s site, and I tried getting the form handler to expose any of its secrets, without any success. It just works as it should, and keeps the address hidden.

PS: I did see something you could fix on your site – the Google Fonts link in the head of the page is to http rather than https, and you’re getting a mixed-security warning (and the fonts don’t load). If you added that manually, then it’s easy to fix (hopefully you did this on a master page). If it’s coming in courtesy of an Action, you might look to see if there is an updated version of that Action that uses the secure url. If neither is true, then I have an Action you can apply to the pages that will rewrite all links that have http prefixes to https. HTTPS Helper - ActionsForge

Walter

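Added example, not part of the thread and not the Action's own script: a minimal PHP handler of the kind described earlier in the thread, where the recipient address exists only in server-side source and the browser only ever receives a redirect to the success or error page. The address, page paths and field names are hypothetical placeholders.

```php
<?php
// Illustrative handler (hypothetical; not the script the Action generates).
declare(strict_types=1);

// The recipient lives only in this server-side file and is never echoed back.
const RECIPIENT    = 'owner@example.com'; // constructed placeholder
const SUCCESS_PAGE = '/thanks.html';      // hypothetical path
const ERROR_PAGE   = '/error.html';       // hypothetical path

function redirect(string $page): void
{
    // The only thing the browser learns is which page to load next.
    header('Location: ' . $page, true, 303);
    exit;
}

function field(string $key): string
{
    // Ignore array-valued parameters such as name[]=x.
    $value = $_POST[$key] ?? '';
    return is_string($value) ? trim($value) : '';
}

// Requesting the script by name (a plain GET) returns an empty response.
if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST') {
    http_response_code(405);
    exit;
}

$name    = field('name');
$email   = field('email');
$message = field('message');

// CR/LF in values that reach mail headers would allow header injection.
$hasCrlf    = preg_match('/[\r\n]/', $name . $email) === 1;
$validEmail = filter_var($email, FILTER_VALIDATE_EMAIL) !== false;

if ($hasCrlf || !$validEmail || $name === '' || $message === '') {
    redirect(ERROR_PAGE);
}

$headers = [
    'From'         => 'webform@example.com', // constructed placeholder
    'Reply-To'     => $email,
    'Content-Type' => 'text/plain; charset=UTF-8',
];
$body = "From: $name <$email>\n\n$message";
$sent = mail(RECIPIENT, 'Website contact form', $body, $headers);
redirect($sent ? SUCCESS_PAGE : ERROR_PAGE);
```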