I have a contact form which when used, sends me
an email OK, but doesn't send confirmation that it
has been sent.

It is supposed to be set up to Cc. the original
message back to the sender and also Bcc. it to
my secondary email address.

This is the relevant snippet of code,

ObjNewMail.From = strFromName & " <" & strFromEmail & ">"
ObjNewMail.To = "my main email address"
ObjNewMail. Cc = strFromName & " <" & strFromEmail & ">"
ObjNewMail.Bcc="my secondary email address"
ObjNewMail.Subject = "Title of email"
ObjNewMail.MailFormat = (0)
ObjNewMail.Body = strMsg
ObjNewMail.Importance =(2)
ObjNewMail.Send
Set ObjNewMail = Nothing

Is there anything obviously wrong or should I be
looking elsewhere for the problem?

TIA.

--
T.J.
http://www.uksmallbusinessdirectory.co.uk

"T.J." <no1@home.invalid> wrote in message
news:T7Sdnfc70q-3VGzZRVnyjA@bt.com...
> I have a contact form which when used, sends me
> an email OK, but doesn't send confirmation that it
> has been sent.
>
> It is supposed to be set up to Cc. the original
> message back to the sender and also Bcc. it to
> my secondary email address.
>
> This is the relevant snippet of code,
>
> ObjNewMail.From = strFromName & " <" & strFromEmail & ">"
> ObjNewMail.To = "my main email address"
> ObjNewMail. Cc = strFromName & " <" & strFromEmail & ">"

Instead of the above, use:
ObjNewMail. Cc = strFromName

Its a :CC so there is no added tagging to the email address/name.

T.J. wrote:

> It is supposed to be set up to Cc. the original message back to the
> sender ...

Additionally, let's hope the spammers don't find your form and use it to
spam the millions of addresses on their list. Unless you have some kind
of testing built-in, expect this to happen soon.

--
-bts
-Motorcycles defy gravity; cars just suck.

"Beauregard T. Shagnasty" <a.nony.mous@example.invalid> wrote in message
news:HVkIg.708227$Fs1.489461@bgtnsc05-news.ops.worldnet.att.net...
> T.J. wrote:
> 
>
> Additionally, let's hope the spammers don't find your form and use it to
> spam the millions of addresses on their list. Unless you have some kind
> of testing built-in, expect this to happen soon.
>


Thanks for the reply,
How would they do this, what have I done wrong
and what do I need to do to correct it?

T.J. wrote:

> "Beauregard T. Shagnasty" <a.nony.mous@example.invalid> wrote: 
>
> Thanks for the reply,
> How would they do this, what have I done wrong and what do I need to
> do to correct it?

How?  By entering a victim's address in the "From" place, to which you
then send a "confirmation" message. Does this confirmation include
whatever the visitor typed in a comment field? If so, that is where the
spammer enters his spam message. Then, you send it to the victim's
address. And, the victim sees it as coming FROM: you, so you get
reported for spamming.

--
-bts
-Motorcycles defy gravity; cars just suck.

"Beauregard T. Shagnasty" <a.nony.mous@example.invalid> wrote in message
news:8SoIg.708557$Fs1.707657@bgtnsc05-news.ops.worldnet.att.net...
> T.J. wrote:
> 
>
> How?  By entering a victim's address in the "From" place, to which you
> then send a "confirmation" message. Does this confirmation include
> whatever the visitor typed in a comment field? If so, that is where the
> spammer enters his spam message. Then, you send it to the victim's
> address. And, the victim sees it as coming FROM: you, so you get
> reported for spamming.
>

Thanks,
I thought that is what you meant.
So I'm better off removing the CC. altogether
and setting up a re-direct to a "Thank you for your
email page"?
Out of interest, how could spammers know it is
set up to CC (it didn't work anyway)?

T.J. wrote:

> Out of interest, how could spammers know it is
> set up to CC (it didn't work anyway)?

Spammers find these forms by searching. Then they test them. If they get
a response to their own test address, they know they found a live one
and will write a script to exploit it.

Several weeks ago, one was trying (desperately) to use one of my site's
contact form. I would get trials in groups of three about every twenty
minutes for several hours, repeat next day. Finally, he gave up because
he couldn't make it send any spam.

--
-bts
-Motorcycles defy gravity; cars just suck.

Make sure you are "injection clean". From a previous post of mine:

I'm not sure I understood you, but if you are getting a lot of spam in
your mail form (especially spam seemingly addressed to others) then your
form might be exploitable.

The spammer injects the characters '\n' and '\r'_(end of line and
carriage return) in an explotiable web form_ and then adds "bcc:"
followed by a long list of spamees. (If you start getting "bounces" then
that is what has happened). If he is allowed to do this several times,
you end up on a set of email blocklists from which removal is damn near
impossible. At that point your provider either disconnects you or puts a
contract out on you (depending on where you live) or both.

Spammers aren't usually the brightest bulbs in the box, so they like this
technique because it requires virtually no talent and can be run from a
script. Also, about a 10-15% of the forms I see are exploitable, despite
the stellar credentials of some of the webmasters owning then. It's just
that easy to overlook.

Verify that there is a control character filter on you web form or that
the mail handler you use does not accept the "bcc" statement._Either one
will foil his attempts._
To filter:
with php use
"if(egregi("\r",[field]) || egregi("\n",[field])) die("No Spam From
Me!") __
with perl use regular expression matching
with C and C++ use regexec and regcomp.
to trap these characters.

I Hate Stock Spams wrote:
> Make sure you are "injection clean". From a previous post of mine:
>
> I'm not sure I understood you, but if you are getting a lot of spam in
> your mail form (especially spam seemingly addressed to others) then your
> form might be exploitable.
>
> The spammer injects the characters '\n' and '\r' (end of line and
> carriage return) in an explotiable web form  and then adds "bcc:"
> followed by a long list of spamees. (If you start getting "bounces" then
> that is what has happened). If he is allowed to do this several times,
> you end up on a set of email blocklists from which removal is damn near
> impossible. At that point your provider either disconnects you or puts a
> contract out on you (depending on where you live) or both.
>
> Spammers aren't usually the brightest bulbs in the box, so they like this
> technique because it requires virtually no talent and can be run from a
> script. Also, about a 10-15% of the forms I see are exploitable, despite
> the stellar credentials of some of the webmasters owning then. It's just
> that easy to overlook.
>
> Verify that there is a control character filter on you web form or that
> the mail handler you use does not accept the "bcc" statement. Either one
> will foil his attempts.
> To filter:
> with php use
> 	"if(egregi("\r",[field]) || egregi("\n",[field])) die("No Spam Fr
om
> Me!")
> 	with perl use regular expression matching
> 	with C and C++ use regexec and regcomp.
> to trap these characters.
>
>
I have a site that does a fair amount of traffic.  There are a couple of
mail forms that someone has been trying to use to send spam from.  So
far (as far as I know), the only person receiving any mail is the
intended recipient of the form.  He is not happy about it (about a dozen
emails over a week), but he needs a way for members to contact him.

I recently switched to a CMS program that requires users to logon and
receive a password at an email address before they can access a mail
form.  I reason that if someone attempts to send spam I can cut them off
from the site.

Is it reasonable to believe this is more effective than trying to keep
spammers from hacking the form?


--
Wayne
http://www.glenmeadows.us
With or without religion, you would have good people doing good things
and evil people doing evil things. But for good people to do evil
things, that takes religion.
—Steven Weinberg

> I have a site that does a fair amount of traffic.  There are a couple of
> mail forms that someone has been trying to use to send spam from.  So
> far (as far as I know), the only person receiving any mail is the
> intended recipient of the form.  He is not happy about it (about a dozen
> emails over a week), but he needs a way for members to contact him.
Some form mails  will hide the "bcc:" list, some won't. A tell tale sign
in the mail the form recipient gets is the phrase "cc:" or "bcc:" anywhere
in the headers. ONLY your mail logs provide the answer of whether or not
spam is coming out of the server. If you use a hosting service, insist that
they keep accessible maillogs.

> I recently switched to a CMS program that requires users to logon and
> receive a password at an email address before they can access a mail
> form.  I reason that if someone attempts to send spam I can cut them off
> from the site.
That will protect you if the CMS is secure. That makes you a more
difficult target for the spammers and that is a good thing for you because
they will go elsewhere to get results with much less effort.

> Is it reasonable to believe this is more effective than trying to keep
> spammers from hacking the form?
Fixing the form is not normally difficult and should have top priority.
As I said, you no longer provide low hanging fruit for the spammers and
that is good. However, in the unlikely event that one of your users ends up
with a back door/keylogger, all  bets are off unless the form is secured.
~