<%@LANGUAGE="VBSCRIPT" CODEPAGE="1252"%>
<%
'ASP Contact Form sender
'Version 2008.03.04
'Copyright 2008 by Christopher Congdon and Congdon Web, LLC
'Usage of this form on websites not hosted by Congdon Web LLC requires a licensing fee.
'Removal of this copyright notice is a violation of our copyright and will result in legal action.
'This form is what we call our 'armored' contact form. It has built-in defenses against remote scripting used by spammers.
'The following measures are in place:
'1) Check for typical spam payload such as HTML fragments. Normal people don't send true HTML through a contact form.
'2) Check for header insertion. Scripts sometimes attempt to insert additional headers to send the mail to more e-mail addresses.
'3) Check to see if the form was filled out EXTREMELY fast. A user probably can't get pertinent info filled in within 2 seconds.
'4) Check to see if the form took a LONG time to fill out. Sometimes spammers cache a copy of the form on their box to use later.
'5) Check to see if the form is blank. If there is nothing in the form, why send it? The submit button should be called submit
'   or else this check won't work properly. This check has a high risk of false negatives which is acceptable.
'6) Check to see if the contact form was sent by the same web site that is sending the request. This is another check to help
'   defeat copies of this form cached elsewhere.
'7) Check the IP address against the current server. Yet another cached copy defeater. This form is currently set to ONLY be
'   sent by and to the exact same server. There is a flag in the configuration to disable this behavior.
'8) Invisible field check. Another scripting defense. There is a field called 'CCEmail'. If you looked at the names of the fields
'   in the form without seeing the HTML output of what the form looks like, this field might innocently suggest an additional
'   e-mail address to send to. Surprise! If this field is filled out, the contact form won't function. CSS is used to prevent
'   the field from displaying in modern browsers. In case CSS is disabled, there is a visual warning stating that the field
'   shouldn't be used.
'9) E-mail address injection protection. Prevents the use of multiple e-mail addresses in the e-mail field. This is sometimes
'   used to inject multiple e-mail addresses for the mail server to send to.
'10) Same domain source prevention. This is a check that may or may not be appropriate. It ensures that the from e-mail address
'   is NOT the same domain as the customer whose site uses the form. Normally there isn't a good reason for one of their users
'   to fill out their own contact form. There is a flag in the configuration to disable this behavior.
'Proper operation of the contact form using this code requires the following hidden fields to appear on the contact form:
'Name: refID      Value: ASP variable `hash`
'Name: checkRef   Value: Text "http://" and the ASP Server Variables SERVER_NAME and URL
'Name: action     Value: Text "contact"
'The following optional fields may be included in the contact form to interact with this program:
'Name: Subject    Value: anything - This passes a subject line to the program. May or may not be a hidden field
'Name: CCEMail    Value: NONE - See check #8 above.
'IMPORTANT NOTE: Certain domain names should not be used in the To, BCC, and Dev addresses. They will most likely be blocked.
'   aol.com       : VERIFIED: Sending to AOL with a script is generally a bad idea since it usually doesn't get through.
'   sbcglobal.net : not fully verified: Hit or miss. Sometimes goes, sometimes doesn't
'   cox.net       : not fully verified: Hit or miss. Sometimes goes, sometimes doesn't
'   insightbb.com : not fully verified: It appears they may contact our server to see if the from address is legit
'   verizon.net   : unverified: Had some reports of problems but nothing definite.

'Convert one two-character hex element of the refID token back to an integer
Function unHex(data)
    unHex = "&H" & data
    unHex = CInt(unHex)
End Function

If ((LCase(Request.Form("Action")) = "contact") AND (Request.Form("checkRef") = Request.ServerVariables("HTTP_REFERER"))) Then
    '*******************************************************************************************************************************
    'Change these variables for the customer's information
    '*******************************************************************************************************************************
    Dim CustDomain : CustDomain = "nelsonalarm.com"                         'Domain name of the customer for this site.
    Dim CustName : CustName = "Nelson Alarm"                                'This is the name of the customer
    Dim ToAddr : ToAddr = "nelsonalarm@nelsonalarm.com"                     'Recipient e-mail address - NO AOL ADDRESSES!
    Dim BCCAddr : BCCAddr = ""                                              'This is the Blind Carbon Copy for all messages. Set equal to "" for none
    Dim DevAddr : DevAddr = "ccongdon@congdonweb.com"                       'This is the e-mail address to send to when on the DEV server
    Dim MSGLine : MSGLine = "Nelson Alarm website information request."     'This is the first line of the message body
    Dim Sent : Sent = "default.htm"                                         'Name of the page to redirect to after the mail is sent
    Dim defSubject : defSubject = "Information Request"                     'Default subject line if none is sent with the form.
    Dim noCustFill : noCustFill = True                                      'Set this to False to allow the customer's domain to fill out the contact form.
    Dim SameServer : SameServer = True                                      'The server sending the data must have the same IP as the server hosting this program.
    Dim devIP : devIP = "10.0.0.64"                                         'IP Address of the development server.
    Dim nonStd : nonStd = False                                             'Turn on to send a simple listing of non-standard fields that might exist in the contact form
    '*******************************************************************************************************************************

    'The following code makes checks on the data entered into the form
    'We are checking for data that might possibly be entered by a spammer
    Dim badForm : badForm = False       'Flag to catch spammer garbage in the form fields
    Dim blankForm : blankForm = True    'Flag to see if the form has been submitted and is empty. Buttons mess with this.
    For Each frmField in Request.Form
        If (InStr(LCase(Request.Form(frmField)),"bcc:") > 0) Then badForm = True
        If (InStr(LCase(Request.Form(frmField)),"cc:") > 0) Then badForm = True
        If (InStr(LCase(Request.Form(frmField)),"content-type") > 0) Then badForm = True
        If (InStr(LCase(Request.Form(frmField)),"mime-version") > 0) Then badForm = True
        If (InStr(LCase(Request.Form(frmField)),"content-transfer-encoding") > 0) Then badForm = True
        'The HTML-fragment pattern for check #1 did not survive in this copy of the file. Note that InStr returns 1 for an
        'empty search string, so as written this line marks every non-empty field bad.
        If (InStr(LCase(Request.Form(frmField)),"") > 0) Then badForm = True
        If (InStr(LCase(Request.Form(frmField)),"[url=") > 0) Then badForm = True
        If ((Request.Form(frmField) <> "") AND (InStr("refid,checkref,action,submit,ccemail",LCase(frmField)) < 1)) Then blankForm = False
        If badForm Then Exit For    'No reason to continue processing if it has been marked bad
    Next
    If (InStr(Request.Form("EMail"),">") > 0) Then badForm = True
    If (InStr(Request.Form("EMail"),"<") > 0) Then badForm = True
    If (InStr(Request.Form("EMail"),",") > 0) Then badForm = True
    If (InStr(Request.Form("EMail"),";") > 0) Then badForm = True
    If ((InStr(Request.Form("EMail"),CustDomain) > 0) AND (noCustFill)) Then badForm = True    'The site's domain can't 'send' this form
    If (Request.Form("CCEMail") <> "") Then badForm = True    'Someone filled out an invisible field!!!

    'refID is built by the authentication code at the bottom of this file: day, century, two-digit year and month,
    'each followed by one octet of the server's IP address (all in hex), then the Timer value, separated by "-".
    refID = Split(Request.Form("refID"),"-")
    If (UBound(refID) <> 8) Then badForm = True    'The token must have exactly nine parts
    If Not badForm Then    'Only index into the token once its shape has been verified
        ServerIP = unHex(refID(1)) & "." & unHex(refID(3)) & "." & unHex(refID(5)) & "." & unHex(refID(7))
        If ((ServerIP <> Request.ServerVariables("LOCAL_ADDR")) AND (SameServer)) Then badForm = True
        yr = unHex(refID(4))
        If Len(yr) = 1 Then yr = "0" & yr
        yr = unHex(refID(2)) & yr
        subDate = DateSerial(yr, unHex(refID(6)), unHex(refID(0)))
        'Work with the timer to see the number of seconds it took to complete the form.
        exTime = Timer - refID(8)
        exDays = DateDiff("D",subDate,Date)
        If (exDays = 1) Then exTime = exTime + 86399    'Form was started before midnight and submitted after
        If ((exTime < 2) OR (exTime > 3600) OR (exDays > 1) OR (exDays < 0)) Then badForm = True    'Less than 2 seconds or more than 1 hour
    End If
    If ((badForm) OR (blankForm)) Then Response.Redirect(Sent & "?Sent=True")

    'Configure Mail object
    Dim CDO : Set CDO = Server.CreateObject("CDO.Message")
    Dim CDOConfig : Set CDOConfig = Server.CreateObject("CDO.Configuration")
    Dim urn : urn = "http://schemas.microsoft.com/cdo/configuration/"
    With CDOConfig
        .Fields(urn & "sendusing") = 2
        .Fields(urn & "smtpserver") = "127.0.0.1"
        .Fields(urn & "smtpserverport") = 25
        .Fields(urn & "smtpconnectiontimeout") = 60
        .Fields.Update
    End With
    Set CDO.Configuration = CDOConfig    'Attach the SMTP settings to the message; without this line the configuration object is never used

    'This basic version of the program supports the following fields:
    'Company Name, First Name, Last Name, Address, Address2, City, State, ZIP, EMail
    'DayPhone, Phone, FAX, Body, and a checkbox called ccSelf to indicate a CC: address to field "EMail"
    'PrefContact, ContactTime
    'This configures the list of standard fields as shown in the segment that builds the body of the message
    'along with some of the fields required to drive the code. If the nonStd flag is True, any form object with a name
    'that doesn't appear in the following variable will have its name and value appended to the body of the message.
    Dim stdFields : stdFields = "submit, refid, checkref, action, ccemail, subject, companyname, firstname, lastname, address, address2, city, state, zip, email, dayphone, phone, fax, body, ccself, prefcontact, contacttime"

    MSG = MSGLine & vbCrLf & vbCrLf
    If (Request.Form("CompanyName") <> "") Then MSG = MSG & Request.Form("CompanyName") & vbCrLf
    If (Request.Form("FirstName") <> "") Then MSG = MSG & Request.Form("FirstName")
    If (Request.Form("LastName") <> "") Then MSG = MSG & " " & Request.Form("LastName")
    If ((Request.Form("FirstName") <> "") OR (Request.Form("LastName") <> "")) Then MSG = MSG & vbCrLf
    If (Request.Form("Address") <> "") Then MSG = MSG & Request.Form("Address") & vbCrLf
    If (Request.Form("Address2") <> "") Then MSG = MSG & Request.Form("Address2") & vbCrLf
    If (Request.Form("City") <> "") Then MSG = MSG & Request.Form("City")
    If ((Request.Form("City") <> "") AND (Request.Form("State") <> "")) Then MSG = MSG & ", "
    If (Request.Form("State") <> "") Then MSG = MSG & Request.Form("State")
    If (Request.Form("ZIP") <> "") Then MSG = MSG & " " & Request.Form("ZIP")
    MSG = MSG & vbCrLf & vbCrLf
    MSG = MSG & "My E-Mail Address is: " & Request.Form("EMail") & vbCrLf    'EMail should always be a required field
    If (Request.Form("DayPhone") <> "") Then MSG = MSG & "My Daytime Phone Number is: " & Request.Form("DayPhone") & vbCrLf
    If (Request.Form("Phone") <> "") Then MSG = MSG & "My Phone Number is: " & Request.Form("Phone") & vbCrLf
    If (Request.Form("FAX") <> "") Then MSG = MSG & "My FAX Number is: " & Request.Form("FAX") & vbCrLf
    If (Request.Form("PrefContact") <> "") Then MSG = MSG & "I would prefer to be contacted by: " & Request.Form("PrefContact") & vbCrLf
    If (Request.Form("ContactTime") <> "") Then MSG = MSG & "The best time to contact me is: " & Request.Form("ContactTime") & vbCrLf
    MSG = MSG & vbCrLf
    MSG = MSG & Request.Form("Body")    'Sender's message

    'Scan for additional non-standard fields if this flag has been turned on
    If nonStd Then
        MSG = MSG & vbCrLf & vbCrLf
        For Each frmField in Request.Form
            If (InStr(stdFields,LCase(frmField)) < 1) Then
                If Request.Form(frmField) <> "" Then MSG = MSG & frmField & ": " & Request.Form(frmField) & vbCrLf
            End If
        Next
    End If

    'Configure Message to be Sent
    With CDO
        Set Header = .Fields
        With Header
            'Add some fields to assist in IDing the system that filled out the contact form
            .Item("urn:schemas:mailheader:X-Mailer") = Request.ServerVariables("SERVER_SOFTWARE") & " CDO"
            .Item("urn:schemas:mailheader:X-Originating-IP") = Request.ServerVariables("REMOTE_ADDR")
            .Item("urn:schemas:mailheader:X-Originating-Email") = Request.Form("EMail")
            .Item("urn:schemas:mailheader:X-Originating-Page") = Request.ServerVariables("SERVER_NAME") & Request.ServerVariables("URL")
            .Item("urn:schemas:mailheader:X-Abuse-Contact") = "abuse@congdonweb.com"
            .Update
        End With
        .To = CustName & "<" & ToAddr & ">"    'Set the recipient
        If (Request.ServerVariables("LOCAL_ADDR") = devIP) Then .To = DevAddr    'Set the recipient
        .From = CustName & ""    'Set the sender (the address part did not survive in this copy; CDO expects "Name <address>")
        .ReplyTo = Request.Form("EMail")
        If ((Request.Form("ccSelf") <> "") AND (InStr(Request.Form("EMail"),"aol.com") < 1)) Then .CC = Request.Form("EMail")
        If (BCCAddr <> "") Then .Bcc = BCCAddr    'Set the Blind Carbon Copy
        .Subject = CustName & ": " & Request.Form("Subject")
        If Request.Form("Subject") = "" Then .Subject = CustName & ": " & defSubject
        .TextBody = MSG    'Send the above formatted body
        .Send()            'Send the message
    End With
    Set CDO = Nothing
    Set CDOConfig = Nothing
    Response.Redirect(Sent)
End If
'End contact form sender

'Start contact form authentication code
'This code section is required to be in any page that sends to the e-mail generation program.
'Proper operation of the contact form using this code requires the following hidden fields to appear on the contact form:
'Name: refID      Value: ASP variable `hash`
'Name: checkRef   Value: Text "http://" and the ASP Server Variables SERVER_NAME and URL
'Name: action     Value: Text "contact"
'Render one value as two hex digits, followed by the "-" separator unless it is the last element
Function hexFill(data,last)
    hexFill = Hex(data)
    If Len(hexFill) = 1 Then hexFill = "0" & hexFill
    If NOT(last) Then hexFill = hexFill & "-"
End Function
Dim info(3)
Dim hash
info(0) = Day(Now)
info(1) = Left(Year(Now),2)     'Century
info(2) = Right(Year(Now),2)    'Two-digit year
info(3) = Month(Now)
ip = Split(Request.ServerVariables("LOCAL_ADDR"),".")
hash = ""
For X = 0 to 3
    hash = hash & hexFill(info(X),False)
    hash = hash & hexFill(ip(X),False)
Next
hash = hash & Timer    'Seconds since midnight; the sender compares this against its own Timer to get the fill-out time
'End contact form authentication code
%>

Nelson Alarm
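The per-field checks above (numbers 1, 2, 5, 8, 9 and 10), re-implemented in Python as an added example that is not part of the original file. The field names and the control-field list are the page's; the sample submissions are constructed. It goes one step beyond the page in one place: a CR or LF inside EMail is rejected as well, since that field is copied into Reply-To and CC, where a line break is what turns a value into an extra header.

```python
import re

# Header names the page refuses in any posted value (checks 1 and 2, plus the [url= marker).
HEADER_FRAGMENTS = ("bcc:", "cc:", "content-type", "mime-version",
                    "content-transfer-encoding", "[url=")
# Fields that drive the script and do not count as content for the blank-form check (5).
CONTROL_FIELDS = {"refid", "checkref", "action", "submit", "ccemail"}


def scan_form(form, cust_domain="nelsonalarm.com", no_cust_fill=True):
    """Apply the page's field rules to a dict of posted fields.

    Returns (bad_form, blank_form, reasons). The loop stops at the first bad
    field, as the ASP does; the EMail and honeypot checks run afterwards.
    """
    reasons = []
    blank = True
    for name, value in form.items():
        low = value.lower()
        hit = next((f for f in HEADER_FRAGMENTS if f in low), None)
        if hit:
            reasons.append(f"{name}: contains {hit!r}")
            break
        if value and name.lower() not in CONTROL_FIELDS:
            blank = False
    email = form.get("EMail", "")
    if re.search(r"[<>,;]", email):
        reasons.append("EMail: address list or tag characters (check 9)")
    if re.search(r"[\r\n]", email):          # beyond the page: the real injection vector
        reasons.append("EMail: line break (header injection)")
    if no_cust_fill and cust_domain in email.lower():
        reasons.append("EMail: customer's own domain (check 10)")
    if form.get("CCEMail", ""):
        reasons.append("CCEMail: invisible field was filled (check 8)")
    return bool(reasons), blank, reasons


# Constructed sample submissions, not captured traffic.
LEGIT = {"action": "contact", "FirstName": "Pat", "EMail": "pat@example.org",
         "Body": "Please call me about a quote.", "CCEMail": ""}
INJECT = dict(LEGIT, EMail="pat@example.org\r\nX-Priority: 1")
HONEYPOT = dict(LEGIT, CCEMail="x@example.net")
EMPTY = {"action": "contact", "submit": "Send", "EMail": "", "Body": ""}
```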
CONTACT INFORMATION 
First Name
Last Name
E-Mail
Home Phone
Day Phone
Fax
Preferred Contact
Address
City
State
Zip Code
MESSAGE
Subject
Message Text
Please uncheck if you do not want a copy of this message sent to yourself.
Filling out this field will result in your form being rejected.
2602 East 55th Street Indianapolis, IN 46220 Phone 317.255.2125
©2011 by Nelson Alarm. This website was designed by and is hosted by Congdon Web
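The refID token that the authentication block builds and the sender parses, as an added Python example (not the original ASP): make_ref_id mirrors hexFill and Timer, and check_ref_id applies the sender's rules (nine parts, same server IP, started today or yesterday, between 2 s and 3600 s from start to submit, with the midnight rollover). The server IP and timestamps are constructed.

```python
from datetime import date, datetime


def hex_fill(n):
    """Two uppercase hex digits, as the page's hexFill produces."""
    return f"{n:02X}"


def seconds_since_midnight(now):
    """Equivalent of the VBScript Timer value carried in the token."""
    return (now - now.replace(hour=0, minute=0, second=0, microsecond=0)).total_seconds()


def make_ref_id(server_ip, now):
    """Day, century, two-digit year and month, each followed by one server-IP octet, then Timer."""
    info = [now.day, now.year // 100, now.year % 100, now.month]
    octets = [int(o) for o in server_ip.split(".")]
    parts = []
    for i in range(4):
        parts += [hex_fill(info[i]), hex_fill(octets[i])]
    return "-".join(parts) + f"-{seconds_since_midnight(now):.2f}"


def check_ref_id(ref_id, local_addr, now, same_server=True):
    """Return None when the token passes the sender's rules, else the reason."""
    parts = ref_id.split("-")
    if len(parts) != 9:
        return "malformed"            # the page flags this, then indexes the parts anyway
    try:
        day, century, yy, month = (int(parts[i], 16) for i in (0, 2, 4, 6))
        octets = [int(parts[i], 16) for i in (1, 3, 5, 7)]
        started = float(parts[8])
        sub_date = date(century * 100 + yy, month, day)
    except ValueError:
        return "malformed"
    if same_server and ".".join(str(o) for o in octets) != local_addr:
        return "wrong-server"
    ex_days = (now.date() - sub_date).days
    if ex_days < 0 or ex_days > 1:
        return "stale"
    elapsed = seconds_since_midnight(now) - started
    if ex_days == 1:
        elapsed += 86400              # started before midnight (the page adds 86399)
    if elapsed < 2:
        return "too-fast"
    if elapsed > 3600:
        return "too-slow"
    return None
```

Nothing in the token is secret, so these rules deter replay of a cached copy and very fast scripted posts rather than prove origin; keying the same fields with a server-side HMAC would make the value unforgeable.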