Spamming contact forms

   
8:36 am on Sep 13, 2005 (gmt 0)

10+ Year Member



Has anybody noticed a HUGE increase in spam through online contact/quote forms?

I've got two unrelated sites (except they are listed in my portfolio) which are getting spammed daily.

It looks like it's from a variety of IP addresses, with no User-Agent in the HTTP header -- they must be running it from a script.

I can't see any real benefit or gain from spamming the form, it's just gibberish they are posting in every field. There's no visible code or exploit they are trying, and my only fix at the moment is to either implement some rate limiting (seems like overkill for a simple contact form) or ban the users without a valid 'User-Agent' in the HTTP Browser header.

9:56 am on Sep 13, 2005 (gmt 0)

10+ Year Member



Yes this has been going on since July but there has been a massive increase in the last week. It's a real PITA!

You need to be 100% sure that they are not succeeding, here are some links on this for your further reading:

http://www.anders.com/cms/75/Crack.Attempt/Spam.Relay

http://securephp.damonkohler.com/index.php/Email_Injection

Does your form processing script strip out illegal characters from any fields that will be used in the email headers, like the From, To, Subject etc? If not then you may have a vulnerable script. Check your mail logs if you are able to and see if there is any unusual activity in there, you might see attempts to send email to a certain group of (long since defunct) aol mail addresses like jrubin3546@aol.com

Regards,

Simon

[edited by: lorax at 12:38 pm (utc) on Sep. 13, 2005]
[edit reason] delinked [/edit]

2:58 pm on Sep 13, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Same here - I have noticed that it was usually on sites that are in my signature. So we just added an ASP image verification to stop it. Seems to have worked.

-Corey

3:24 pm on Sep 13, 2005 (gmt 0)

10+ Year Member



Ah now I see what they are trying to accomplish. Clever little punks.

I have mine trying to report back to jrubin3546@aol.com.

Any other ideas to combat this?

I'd prefer not to have to ask potential customers to enter the 'text on an image' thing just to be able to use a contact form if possible.

5:26 pm on Sep 14, 2005 (gmt 0)

10+ Year Member



Try googling PHP mail injection or header injection - it's what's going on.

>> ban the users without a valid 'User-Agent' in the HTTP Browser header

This is not very useful since the spammer's script runs off many different IPs.

11:02 am on Sep 15, 2005 (gmt 0)

10+ Year Member



Thanks for the help, implementing fixes now.

Any ideas as to what to leave as a nasty 'error' message?
I was thinking something that would be the most bandwidth/CPU intensive for the spammer to process, but nothing came to mind that wouldn't also affect the webserver.

12:18 pm on Sep 15, 2005 (gmt 0)

WebmasterWorld Senior Member lorax is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



>> Any ideas as to what to leave as a nasty 'error' message?

I redirect them to a nice graphic and popup laden porn site. The DN of the particular site I've used says it all.

6:42 pm on Sep 15, 2005 (gmt 0)

10+ Year Member



>> Any ideas as to what to leave as a nasty 'error' message?

<<I redirect them to a nice graphic and popup laden porn site. The DN of the particular site I've used says it all.

I doubt that a redirect makes any difference since these attacks are obviously being coordinated through a bot. For my end, I'm simply allowing the standard "Thanks for your contact" page to appear ... but on the server side of the mail script, I'm using an "if/then" statement to bypass the regular sendmail code. I then redirect a mail to a folder I've set up in exchange to capture all of these attacks. The mail contains all the standard information that would appear in a regular email being generated by the mail script, but with one addition - the IP address from which the attack was generated.
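
The header check asked about earlier in the thread and the quarantine-instead-of-send approach described in the post above, sketched in PHP as an added example (not code from any poster). The field names, the example.com addresses and the log path are assumptions.

```php
<?php
// Added example. Field names, addresses and log path are assumptions.

// True when a value destined for a mail header contains CR, LF or NUL,
// the characters that let a submitted field start a new header line.
function has_header_injection(string $value): bool
{
    return preg_match('/[\r\n\0]/', $value) === 1;
}

// Validate a submitted form. Returns ['ok' => bool, 'reason' => string].
function check_contact_form(array $post): array
{
    foreach (['name', 'email', 'subject'] as $field) {
        if (has_header_injection((string)($post[$field] ?? ''))) {
            return ['ok' => false, 'reason' => "line break in $field"];
        }
    }
    if (filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL) === false) {
        return ['ok' => false, 'reason' => 'invalid email address'];
    }
    return ['ok' => true, 'reason' => ''];
}

function handle_contact_form(array $post, array $server): void
{
    $result = check_contact_form($post);
    if (!$result['ok']) {
        // Quarantine instead of sending: keep time, source IP, reason and
        // the payload. json_encode escapes line breaks, so one entry = one line.
        $entry = sprintf("%s %s %s %s\n", date('c'),
            $server['REMOTE_ADDR'] ?? '-', $result['reason'], json_encode($post));
        error_log($entry, 3, '/var/log/contact-form-rejected.log');
        return; // the caller still renders the normal thank-you page
    }
    // From is a fixed address; validated user input appears only in
    // Reply-To, the subject and the body.
    $headers = "From: webform@example.com\r\nReply-To: " . $post['email'];
    $body = "From: {$post['name']}\n\n" . ($post['message'] ?? '');
    mail('owner@example.com', 'Contact form: ' . $post['subject'], $body, $headers);
}

// Constructed sample submission with a line break in the email field.
if (PHP_SAPI === 'cli') {
    var_dump(check_contact_form(['name' => 'A', 'subject' => 'Hi',
        'email' => "a@example.com\r\nBcc: someone@example.com"]));
}
```

Rejecting the submission outright is safer than stripping the characters and sending anyway, since a stripped payload still reaches the inbox as junk.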

7:11 pm on Sep 15, 2005 (gmt 0)

WebmasterWorld Senior Member lorax is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



>> redirect

In some cases it is just gibberish but I'm also seeing injection attacks and those are the ones I'm sending off. I realize the message isn't getting through to the intended target in some cases but it's still satisfying!

5:12 am on Sep 16, 2005 (gmt 0)

10+ Year Member



I was fed up with getting so many spam tests the other night that I threw in an if/then to disallow anyone with a "-" as the User Agent from actually sending the email through my site's form. I suppose there's a vague chance that a legitimate user may have a blank User Agent, but I've never gotten feedback from one so I figured it was at least an acceptable temporary measure.

10:50 am on Sep 16, 2005 (gmt 0)

10+ Year Member



I've noticed that 60-70% of the IPs that the attacks are coming from are open anonymous web proxies.

Simon.

10:22 pm on Sep 21, 2005 (gmt 0)

10+ Year Member



I'm using straight asp for my forms and need to add an image verification app to them. I'm getting emails (as they should be from my asp program) where every line has been filled in with a group of letters followed by @domain . I don't think they are going out anywhere else and it's occurring about once or twice a week.

I would appreciate any sources you could provide. Most of what I see is asp.net (I don't know the difference or if they could be combined) or PHP apps.

Thanks in advance

Mike
