I've been getting these for about a month -- mostly from Windows computers in China and India. I think it's a new virus that pastes random words and phrases into web forms. I'm not sure to what end. It's something of a nuisance. Some days I'll get 500 of these messages, and it's really hurting my bandwidth.

At first I was blocking ISPs in China to control the flood. Now it's spread to Cox customers in New Jersey.

Question:

Are you sure it's coming from a form on your sites? Or could it be that someone is just using your mail. If it's the latter there are ways to deal with that. With a combination of a few lines in your .htaccess and a trap.pl script they can be stopped cold.

This is what I have in my .htaccess:

RewriteCond %{REQUEST_URI} ^/FormMail [NC,OR]
RewriteCond %{REQUEST_URI} ^/FormMail\.(cgi如l如hp) [NC,OR]
RewriteCond %{REQUEST_URI} ^/cgi(\-local吒-bin)/FormMail [NC,OR]
RewriteCond %{REQUEST_URI} ^/cgi(\-local吒-bin)/FormMail\.(cgi如l如hp) [NC,OR]
RewriteCond %{REQUEST_URI} (mail.?form圩orm圩orm.?mail妃ail妃ailto)\.(cgi圯xe如l)$ [NC]
RewriteRule .* /cgi-bin/trap.pl [L]

Then in cgi-bin, trap.pl rewrites my .htaccess to include the offenders in the ban list. As far as I can tell, using this setup, I'm the only person that can use my mail function. A search for trap.pl should give you all the details you need. If the mail truly is coming from a form on your site then this won't work.

It's coming from one of my forms. I wish there was a way to stop it. Form validation doesn't work because it bypasses Javascript.

The exact situation is happening on our setup.

Not only is our contact.cgi being hit on multiple sites on the server, a different contact page that adds the person's data to the database is also being hit. The form pulls the IP, and so we know that many of the spams that hit that page are off of proxies. No real surprise, I guess. I just don't understand the motivation.

> Form validation doesn't work because it bypasses Javascript.

If it's a 'bot that won't run JavaScript, how about coding the
<form METHOD="POST" ACTION="yourmailer.cgi">
line as a JavaScript document.write. You could also make a <noscript> section that posts to a different --even fake-- script. Or it could omit the form action completely.

You'd need to sniff for JS at the top of the form and warn human visitors that it requires JS, though.

If they are simply lifting the Action URL from your page, then you could again use JS to break up that URL into pieces and document.write it a piece at a time.

The best solution is to switch to a mailer that restricts access, but maybe some of these simple ideas will help short-term.

Jim

I had the same problem, I ended up making a random user validation jpg where the user has to type the alphanumeric in the jpg in a input field. I found the code to randomly generate the jpg with a background on the web and it seems to have stopped them. Without the right code, it just returns and does nothing.

3 of my clients got hit the same thing and one kind of complained about the user auth jpg solution but he is happy now that its done.

I'm having the same problem these last few days...

Mikeyr: I like your solution; I'll try that!

Well at least I'm not alone!

As I mentioned, one of my sites uses the PHP mail function so I'm assuming that blocking things with .htaccess wouldn't have any affect on that anyway?

Guess I should consider the javascript or random JPG options. Seems a shame to add this complication.

As to motivation: I've noticed that all the mails I've received seem to have a legitimate AOL address as the BCC recipient. I'm wondering whether the motivation is that the sender hopes that confused webmasters may eventually email that address, thus getting added to a spam list?

[en.wikipedia.org...]

:-)

The Javascript method sounds promising.
The captcha doesn't.

The problem is that this bot is looking for forms to fill. It doens't care what the forms are and it doesn't know or care if the submission works or not.

I looked at a few of the captcha methods mentioned on the Wikipedia article and they all verify the captcha after the form is submitted. That's exactly what this bot is looking for -- forms to submit. This doesn't solve the problem, it creates a playground and a target for the bot to happily play in sucking up bandwidth.

I think the only way to fight this bot is to have something it can't submit, or can't figure out how to submit.

Does anyone know of a script or code sample where the "submit" function doesn't become available or functional until a valid captcha is entered in the form?

Well I am happy with my solution, they may be attacking my form or not but I don't know about it (unless I look in the logs and for now they are not). While looking for a solution I did find some perl code that checks to see if a form was submitted by a robot or a real person, you may be able to call it using server side includes and put up the submit button based on its results but I was not sure it would work and I knew this would, so I went this way.

Not sure where I found that code, if you want it and can't find it, let me know and I will try and research how I found it.

I've managed to obscure my forms from the bots with a little Javascipt.
Now I have to get my .htaccess working properly so I can ban known botnets from scanning my sites looking for forms.

Posted some php stuff on this topic here:

[webmasterworld.com...]

See Msg #11 -- might help someone out.

Justin

I have the same problem, however. I have used simple JavaScript validation and the problem seemed (so far) has been eliminated.

Hi guys,

I too have had this problem a lot recently. All messages that have come through to me so far have been with a random email address as the contents of every single form field. Example:

Server Date / Time: jzz@mydomain.com.au
This is a contact from: jzz@mydomain.com.au
Name: jzz@mydomain.com.au
Phone: jzz@mydomain.com.au
Email: jzz@mydomain.com.au
Comments:
jzz@mydomain.com.au

So all I have done is some simple checking on the DateTime variable like so:

----------
'check for automated form spammer bots.
if instr(DateTime, "@") then
Response.Redirect "thankyou.asp"
else
'carry on.
end if
----------

As the DateTime variable could never really have the @ character in it, if I find it there I just redirect the bot to the thankyou page.

Obviously this is using ASP, but the same principle should apply to PHP.

This seems to be working well for now.

Cheers,
Damian

Recently, I did post that Java Script was helping me with this situation too! However, I was wrong.

We have back traced the IP address and it's coming from a company in the NL. The company's name is RIPE Network Coordination Centre. Also, there is an IP address coming from Poland!

Yesterday, I made a new contact and shortened the character width for each field. E.g. email, 40 characters allowed. name, 30 characters allowed, phone 10 characters allowed etc! Also, address must contact a number with only 6 characters allowed. I have my finers crossed.

dfogels, where do I insert the code? I'm using a PHP mailer. Do I insert the code in my form or in the PHP?

bartainer,

"RIPE Network Coordination Centre" is the WHOIS database administrator for IP addresses assigned to the European/Middle East region. You need to go to RIPE at [ripe.net...] and type in the IP address, and they will display the ISP that that IP address is assigned to. If RIPE itself was spamming the 'net, it would be front-page news.

WHOIS info for the world is split up between ARIN, RIPE, APNIC, JPNIC, KRNIC, LACNIC, AfrNIC, and several others. When you see them come as as the result of a WHOIS search, you need to 'follow the trail' to them, and then re-enter the IP address you want to look up.

Jim