Yes this has been going on since July but there has been a massive increase in the last week. It's a real PITA!

You need to be 100% sure that they are not succeeding, here are some links on this for your further reading:

http://www.anders.com/cms/75/Crack.Attempt/Spam.Relay

http://securephp.damonkohler.com/index.php/Email_Injection

Does you form processing script strip out illegal characters from any fields that will be used in the email headers, like the From, To, Subject etc? If not then you may have a vulnerable script. Check your mail logs if you are able to and see if there is any unusual activity in there, you might see attempts to send email to a certain group of (long since defunct) aol mail addresses like jrubin3546@aol.com

Regards,

Simon

[edited by: lorax at 12:38 pm (utc) on Sep. 13, 2005]
[edit reason] delinked [/edit]

Same here - I have noticed that it was usually on sites that are in my signature. So we just added an ASP image verification to stop it. Seems it have worked

-Corey

Ah now I see what they are trying to accomplish. Clever little punks.

I have mine trying to report back to jrubin3546@aol.com.

Any other ideas to combat this?

I'd prefer not to have to ask potential customers to enter the 'text on an image' thing just to be able to use a contact form if possible.

Try googling PHP mail injection or header injection - it's what's going on.

ban the users without a valid 'User-Agent' in the HTTP Browser header

This is not very useful since the spammer's script runs off many different IPs.

Thanks for the help, implementing fixes now.

Any ideas as to what to leave as an nasy 'error' message?
I was thinking something that would be the most bandwidth/CPU intensive for the spammer to process, but nothing came to mind that wouldn't also affect the webserver.

>> Any ideas as to what to leave as an nasy 'error' message?

I redirect them to a nice graphic and popup laden porn site. The DN of the particular site I've used says it all.

>> Any ideas as to what to leave as an nasy 'error' message?

<<I redirect them to a nice graphic and popup laden porn site. The DN of the particular site I've used says it all.

I doubt that a redirect makes any difference since these attacks are obviously being coordinated through a bot. For my end, I'm simply allowing the standard "Thanks for your contact" page to appear ... but on the server side of the mail script, I'm using an "if/then" statement to bypass the regular sendmail code. I then redirect a mail to a folder I've set up in exchange to capture all of these attacks. The mail contains all the standard information that would appear in a regular email being generated by the mail script, but with one addition - the IP address from which the attack was generated.

>> redirect

In some cases it is just gibberish but I'm also seeing injection attacks and those are the ones I'm sending off. I realize the message isnt' getting through to the intended target in some cases but it's still satisfying!

I was fed up with getting so many spam tests the other night that I threw in an if/then to disallow anyone with a "-" as the User Agent from actually sending the email through my site's form. I suppose there's a vague chance that a legitmate user may have a blank User Agent, but I've never gotten a feedback from one so I figured it was at least an acceptable temporary measure.

I've noticed that 60-70% of the IP's that the attacks are coming from are open anonymous web proxies.

Simon.

I'm using straight asp for my forms and need to add an image verification app to them. I'm getting emails (as they should be from my asp program) where every line has been filled in with a group of letters followed by @domain . I don't think they are going out anywhere else and it's occuring about once or twice a week.

I would appreciate any sources you could provide. Most of what I see is asp.net (I don't know the difference or if they could be combined) or PHP apps.

Thanks in advance

Mike