
Ecommerce Forum

    
Spamming contact forms
heist

10+ Year Member



 
Msg#: 4268 posted 8:36 am on Sep 13, 2005 (gmt 0)

Has anybody noticed a HUGE increase in spam through online contact/quote forms?

I've got two unrelated sites (except they are listed in my portfolio) which are getting spammed daily.

It looks like it's from a variety of IP addresses, with no User-Agent in the HTTP header -- they must be running it from a script.

I can't see any real benefit or gain from spamming the form, it's just gibberish they are posting in every field. There's no visible code or exploit they are trying, and my only fix at the moment is to either implement some rate limiting (seems like overkill for a simple contact form) or ban the users without a valid 'User-Agent' in the HTTP Browser header.

 

swones

10+ Year Member



 
Msg#: 4268 posted 9:56 am on Sep 13, 2005 (gmt 0)

Yes this has been going on since July but there has been a massive increase in the last week. It's a real PITA!

You need to be 100% sure that they are not succeeding, here are some links on this for your further reading:

http://www.anders.com/cms/75/Crack.Attempt/Spam.Relay

http://securephp.damonkohler.com/index.php/Email_Injection

Does your form processing script strip out illegal characters from any fields that will be used in the email headers, like the From, To, Subject etc? If not then you may have a vulnerable script. Check your mail logs if you are able to and see if there is any unusual activity in there, you might see attempts to send email to a certain group of (long since defunct) aol mail addresses like jrubin3546@aol.com

Regards,

Simon

[edited by: lorax at 12:38 pm (utc) on Sep. 13, 2005]
[edit reason] delinked [/edit]

Corey Bryant

WebmasterWorld Senior Member 10+ Year Member



 
Msg#: 4268 posted 2:58 pm on Sep 13, 2005 (gmt 0)

Same here - I have noticed that it was usually on sites that are in my signature. So we just added an ASP image verification to stop it. Seems it has worked

-Corey

heist

10+ Year Member



 
Msg#: 4268 posted 3:24 pm on Sep 13, 2005 (gmt 0)

Ah now I see what they are trying to accomplish. Clever little punks.

I have mine trying to report back to jrubin3546@aol.com.

Any other ideas to combat this?

I'd prefer not to have to ask potential customers to enter the 'text on an image' thing just to be able to use a contact form if possible.

hfwd

10+ Year Member



 
Msg#: 4268 posted 5:26 pm on Sep 14, 2005 (gmt 0)

Try googling PHP mail injection or header injection - it's what's going on.

>> ban the users without a valid 'User-Agent' in the HTTP Browser header

This is not very useful since the spammer's script runs off many different IPs.

heist

10+ Year Member



 
Msg#: 4268 posted 11:02 am on Sep 15, 2005 (gmt 0)

Thanks for the help, implementing fixes now.

Any ideas as to what to leave as a nasty 'error' message?
I was thinking something that would be the most bandwidth/CPU intensive for the spammer to process, but nothing came to mind that wouldn't also affect the webserver.

lorax

WebmasterWorld Administrator lorax is a WebmasterWorld Top Contributor of All Time 10+ Year Member



 
Msg#: 4268 posted 12:18 pm on Sep 15, 2005 (gmt 0)

>> Any ideas as to what to leave as a nasty 'error' message?

I redirect them to a nice graphic and popup laden porn site. The DN of the particular site I've used says it all.

jcjaxson

10+ Year Member



 
Msg#: 4268 posted 6:42 pm on Sep 15, 2005 (gmt 0)

>> Any ideas as to what to leave as a nasty 'error' message?

>> I redirect them to a nice graphic and popup laden porn site. The DN of the particular site I've used says it all.

I doubt that a redirect makes any difference since these attacks are obviously being coordinated through a bot. For my end, I'm simply allowing the standard "Thanks for your contact" page to appear ... but on the server side of the mail script, I'm using an "if/then" statement to bypass the regular sendmail code. I then redirect a mail to a folder I've set up in exchange to capture all of these attacks. The mail contains all the standard information that would appear in a regular email being generated by the mail script, but with one addition - the IP address from which the attack was generated.
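An added example, not code from any poster in this thread, combining two measures discussed above: refusing CR/LF in fields that end up in mail headers, and diverting flagged submissions to a quarantine mailbox with the client IP recorded. The field names, addresses and sample submissions are constructed assumptions.

```python
import re
from email.message import EmailMessage

# Assumed form layout: these fields are the ones copied into mail headers.
HEADER_FIELDS = ("name", "email", "subject")
SITE_INBOX = "sales@example.com"        # placeholder addresses
QUARANTINE = "form-abuse@example.com"

# A raw or still-URL-encoded CR/LF lets a value start a new header line.
NEWLINE = re.compile(r"[\r\n]|%0[ad]", re.I)
# Header names that have no business starting a line of a contact message.
INJECTED = re.compile(r"^\s*(bcc|cc|to|content-type|mime-version)\s*:", re.I | re.M)

def inspect(form):
    """Return the reasons this submission looks like header injection."""
    reasons = []
    for field in HEADER_FIELDS:
        if NEWLINE.search(form.get(field, "")):
            reasons.append(f"newline in header field '{field}'")
    if INJECTED.search(form.get("message", "")):
        reasons.append("mail header line inside message body")
    return reasons

def build_mail(form, client_ip):
    """Build the outgoing message; flagged submissions go to quarantine."""
    reasons = inspect(form)
    msg = EmailMessage()
    msg["From"] = SITE_INBOX            # never the visitor-supplied address
    if reasons:
        msg["To"] = QUARANTINE
        msg["Subject"] = "Contact form: flagged submission"
        # repr() escapes control characters, so the raw input is shown inertly.
        body = f"Client IP: {client_ip}\nReasons: {'; '.join(reasons)}\n\n{form!r}"
    else:
        msg["To"] = SITE_INBOX
        msg["Reply-To"] = form["email"]
        msg["Subject"] = "Contact form: " + form["subject"]
        body = f"From: {form['name']}\n\n{form['message']}"
    msg.set_content(body)
    return msg, reasons

# Constructed sample submissions.
CLEAN = {"name": "A. Buyer", "email": "buyer@example.org",
         "subject": "Quote request", "message": "Please send a quote."}
INJECT = {"name": "x", "email": "x@example.org\r\nBcc: victim@example.net",
          "subject": "hi", "message": "Content-Type: multipart/mixed\nspam"}
```

The visitor sees the same response in both cases; only the recipient of the generated mail differs.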

lorax

WebmasterWorld Administrator lorax is a WebmasterWorld Top Contributor of All Time 10+ Year Member



 
Msg#: 4268 posted 7:11 pm on Sep 15, 2005 (gmt 0)

>> redirect

In some cases it is just gibberish but I'm also seeing injection attacks and those are the ones I'm sending off. I realize the message isn't getting through to the intended target in some cases but it's still satisfying!

Sunshyn

10+ Year Member



 
Msg#: 4268 posted 5:12 am on Sep 16, 2005 (gmt 0)

I was fed up with getting so many spam tests the other night that I threw in an if/then to disallow anyone with a "-" as the User Agent from actually sending the email through my site's form. I suppose there's a vague chance that a legitimate user may have a blank User Agent, but I've never gotten a feedback from one so I figured it was at least an acceptable temporary measure.

swones

10+ Year Member



 
Msg#: 4268 posted 10:50 am on Sep 16, 2005 (gmt 0)

I've noticed that 60-70% of the IPs that the attacks are coming from are open anonymous web proxies.

Simon.

mikeytj

10+ Year Member



 
Msg#: 4268 posted 10:22 pm on Sep 21, 2005 (gmt 0)

I'm using straight asp for my forms and need to add an image verification app to them. I'm getting emails (as they should be from my asp program) where every line has been filled in with a group of letters followed by @domain . I don't think they are going out anywhere else and it's occurring about once or twice a week.

I would appreciate any sources you could provide. Most of what I see is asp.net (I don't know the difference or if they could be combined) or PHP apps.

Thanks in advance

Mike
