I hope I am in the right category for this query. It regards email scripts that pick up data from a form and mail it to a designated address by utilising sendmail that is installed on the server. I have been using one of these forms, which recently I had to remove as it seemed to have been hijacked by someone. All of a sudden I started getting emails from my own address containing the following in the message body:
The script was a very simplistic, freely available Perl script which is placed in the CGI folder and called from within the form - which was a big mistake, as the form seemed to have become easy prey for malicious robots. Initially I kept getting an email every 2-3 days and more recently almost on a daily basis (it was the same message in all the cases so far). What worried me the most was that the log indicated that within those last few days there was a sudden increase of people accessing the site without a referring URL, which at least in my mind suggested the visitors in question pasted the address directly, rather than visiting the site 'naturally' via a link on another site or the search engines - probably investigating to see where the spam came from. I went to the advertised site's page, which looked a bit suspicious as it seemed to promote a large company through very few pages that didn't give too much information about it. There wasn't even a way to contact them online. The only thing I found regarding my case was a mailing list removal form. Although I never subscribed to any list in the past, I entered the address requesting for it to be removed, just in case someone else had 'subscribed' it without my consent. A few days later, nothing had happened; I still keep receiving the usual advertising messages. I emailed the domain owner of emailadvertisinginc telling them of the situation and that they should take action fast or else. The message bounced back 2 days later with a timeout error, which probably means that the owner didn't even supply a valid address for their Whois records. Right now I want to do two things: a) Stop spam being sent from my domain (or pretending to be my domain) and fix/enhance the form to be robust against common spamming techniques, b) Find the offender (yeah, right).
Regarding (a), I would preferably like to modify the existing form, if that is to be of any use. My time is limited, and so are my Perl programming skills, but I am sure there has got to be something out there that would allow me to have an anti-spam, robust form. Surely.
Regarding (b), are there any steps/actions that I can take for punishing the abuser? Any sort of reporting for blacklisting, or any other action that will damage their intentions of abusing somebody else in the future. I am sure many of you may think that this is rather unrealistic - and I concur with you, so do I. The reason I am pressing this forward is that, if my guess about this whole situation is correct, someone is wasting my bandwidth and damaging the site's reputation by broadcasting advertising messages on my behalf. This is a serious issue and as such I would really appreciate any suggestions or thoughts that could help me solve it. The most shocking thing about the whole story is that even now, having removed the form itself as well as the Perl script, I still receive the advertising messages and the sender seems to be my domain! In the message header data I pasted above, the X-ClientAddr seems to be changing with every new message, which is no surprise. Amazingly, the Received from: is also changing; sometimes it is my domain's IP address and sometimes an unknown one. Given my limited knowledge, this is as far as I could go. Can someone with experience in the area shed some light on this?
Please note that the "#*$!.#*$!.#*$!.#*$!" is the IP address. I had already #*$!-ed it but it was scrambled anyway.
[edited by: trillianjedi at 7:22 am (utc) on Sep. 22, 2006]
[edit reason] No specifics or emails please as per TOS [/edit]
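The usual way a sendmail-based formmail script gets hijacked is that a bot submits form fields containing CR/LF so that extra headers (additional recipients, a forged From:) are injected into the outgoing mail. The following is an added example of a minimal hardened handler, not the script from the post; the recipient address, the sendmail path, the field names and the honeypot field name are assumptions.

```perl
#!/usr/bin/perl
# Added example (not the original formmail script): a minimal form-to-mail CGI
# handler that cannot be turned into an open relay. The recipient is hard-coded,
# every value that lands in a header is rejected if it contains CR/LF (header
# injection), and sendmail is started with a list-form open so that no form
# input ever passes through a shell.
use strict;
use warnings;
use CGI;

my $RECIPIENT = 'webmaster@example.com';   # assumed address, never taken from the form
my $SENDMAIL  = '/usr/sbin/sendmail';      # assumed path
my $MAX_BODY  = 4000;                      # assumed size limit for the message body

# Returns a reason string if $value is unsafe inside a single header line, else undef.
sub header_problem {
    my ($value) = @_;
    return 'contains a line break' if $value =~ /[\r\n]/;
    return 'contains a NUL byte'   if $value =~ /\0/;
    return 'is too long'           if length($value) > 200;
    return undef;
}

sub reject {
    my ($q, $why) = @_;
    print $q->header(-status => '400 Bad Request', -type => 'text/plain'), "Rejected: $why\n";
    exit;
}

my $q = CGI->new;
reject($q, 'wrong method') unless $q->request_method eq 'POST';
# Honeypot: a field hidden from humans by CSS; bots that fill every input trip it.
reject($q, 'honeypot filled') if ($q->param('website') // '') ne '';

my %field = map { $_ => ($q->param($_) // '') } qw(name email subject);
for my $f (sort keys %field) {
    my $why = header_problem($field{$f});
    reject($q, "field '$f' $why") if $why;
}
reject($q, 'bad email address') unless $field{email} =~ /^[\w.+-]+@[\w-]+(\.[\w-]+)+$/;

my $body = substr($q->param('message') // '', 0, $MAX_BODY);
$body =~ s/\r\n?/\n/g;   # line breaks are fine in the body, only headers are sensitive

# Recipient is passed as an argument, so sendmail never reads addresses from the message.
open(my $mail, '|-', $SENDMAIL, '-oi', $RECIPIENT) or die "cannot run sendmail: $!";
print $mail "To: $RECIPIENT\n";
print $mail "From: Web form <noreply\@example.com>\n";   # assumed fixed sender
print $mail "Reply-To: $field{email}\n";
print $mail "Subject: [Contact form] $field{subject}\n";
print $mail "X-Form-Client: ", $q->remote_addr, "\n\n";   # keeps the submitter's IP for the log
print $mail "From: $field{name} <$field{email}>\n\n$body\n";
close($mail) or die "sendmail failed: $?";
print $q->header(-type => 'text/plain'), "Thank you, your message was sent.\n";
```

The `-oi` flag stops sendmail from treating a lone `.` line in the body as end of input, and because the recipient is given on the command line rather than read from headers, an injected `Bcc:` line could not add recipients even if a check were missed.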