
Spamming contact forms

     
8:36 am on Sep 13, 2005 (gmt 0)

New User

10+ Year Member

joined:Jan 16, 2004
posts:5
votes: 0


Has anybody noticed a HUGE increase in spam through online contact/quote forms?

I've got two unrelated sites (except they are listed in my portfolio) which are getting spammed daily.

It looks like it's from a variety of IP addresses, with no User-Agent in the HTTP header -- they must be running it from a script.

I can't see any real benefit or gain from spamming the form, it's just gibberish they are posting in every field. There's no visible code or exploit they are trying, and my only fix at the moment is to either implement some rate limiting (seems like overkill for a simple contact form) or ban the users without a valid 'User-Agent' in the HTTP Browser header.

9:56 am on Sept 13, 2005 (gmt 0)

Junior Member

10+ Year Member

joined:Mar 8, 2003
posts:89
votes: 0


Yes this has been going on since July but there has been a massive increase in the last week. It's a real PITA!

You need to be 100% sure that they are not succeeding, here are some links on this for your further reading:

http://www.anders.com/cms/75/Crack.Attempt/Spam.Relay

http://securephp.damonkohler.com/index.php/Email_Injection

Does your form processing script strip out illegal characters from any fields that will be used in the email headers, like the From, To, Subject etc? If not then you may have a vulnerable script. Check your mail logs if you are able to and see if there is any unusual activity in there, you might see attempts to send email to a certain group of (long since defunct) aol mail addresses like jrubin3546@aol.com

Regards,

Simon

[edited by: lorax at 12:38 pm (utc) on Sep. 13, 2005]
[edit reason] delinked [/edit]

2:58 pm on Sept 13, 2005 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Feb 28, 2004
posts:1786
votes: 0


Same here - I have noticed that it was usually on sites that are in my signature. So we just added an ASP image verification to stop it. Seems to have worked.

-Corey

3:24 pm on Sept 13, 2005 (gmt 0)

New User

10+ Year Member

joined:Jan 16, 2004
posts:5
votes: 0


Ah now I see what they are trying to accomplish. Clever little punks.

I have mine trying to report back to jrubin3546@aol.com.

Any other ideas to combat this?

I'd prefer not to have to ask potential customers to enter the 'text on an image' thing just to be able to use a contact form if possible.

5:26 pm on Sept 14, 2005 (gmt 0)

Full Member

10+ Year Member

joined:Dec 9, 2003
posts:210
votes: 0


Try googling PHP mail injection or header injection - it's what's going on.

>> ban the users without a valid 'User-Agent' in the HTTP Browser header

This is not very useful since the spammer's script runs off many different IPs.

11:02 am on Sept 15, 2005 (gmt 0)

New User

10+ Year Member

joined:Jan 16, 2004
posts:5
votes: 0


Thanks for the help, implementing fixes now.

Any ideas as to what to leave as a nasty 'error' message?
I was thinking something that would be the most bandwidth/CPU intensive for the spammer to process, but nothing came to mind that wouldn't also affect the webserver.

12:18 pm on Sept 15, 2005 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lorax is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Mar 31, 2002
posts:7575
votes: 0


>> Any ideas as to what to leave as a nasty 'error' message?

I redirect them to a nice graphic and popup laden porn site. The DN of the particular site I've used says it all.

jcjaxson

6:42 pm on Sept 15, 2005 (gmt 0)

Inactive Member
Account Expired

 
 


>> Any ideas as to what to leave as a nasty 'error' message?

>> I redirect them to a nice graphic and popup laden porn site. The DN of the particular site I've used says it all.

I doubt that a redirect makes any difference since these attacks are obviously being coordinated through a bot. For my end, I'm simply allowing the standard "Thanks for your contact" page to appear ... but on the server side of the mail script, I'm using an "if/then" statement to bypass the regular sendmail code. I then redirect a mail to a folder I've set up in exchange to capture all of these attacks. The mail contains all the standard information that would appear in a regular email being generated by the mail script, but with one addition - the IP address from which the attack was generated.
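An added Python sketch (not code from any poster in this thread) of the two server-side measures described above: refusing line breaks in fields that end up in mail headers, and quietly diverting flagged submissions to a separate mailbox along with the submitter's IP. The form field names, mailbox addresses and sample submissions are assumptions made for the example.

```python
import re
from email.message import EmailMessage

# Characters that end a header line; one of these in a header-bound field
# means the submitter is trying to append headers of their own (Bcc, To ...).
HEADER_BREAK = re.compile(r"[\r\n\x00]")
# Deliberately strict address shape for a contact form (assumption, not RFC 5322).
ADDRESS = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
HEADER_FIELDS = ("name", "email", "subject")  # hypothetical form field names

def injected_fields(form):
    """Return header-bound fields that carry a line break or a malformed address."""
    bad = [f for f in HEADER_FIELDS if HEADER_BREAK.search(form.get(f, ""))]
    if "email" not in bad and not ADDRESS.match(form.get("email", "")):
        bad.append("email")
    return bad

def handle_submission(form, remote_ip, owner="owner@example.com",
                      quarantine="formabuse@example.com"):
    """Build the outgoing mail; injection attempts go to the quarantine mailbox."""
    bad = injected_fields(form)
    msg = EmailMessage()
    msg["From"] = owner  # fixed sender, never taken from the form
    if bad:
        msg["To"] = quarantine
        msg["Subject"] = "Contact form abuse from " + remote_ip
        # repr() keeps any CR/LF visible as text in the report, not live.
        msg.set_content("\n".join(f"{k}: {v!r}" for k, v in sorted(form.items())))
        return "quarantine", msg
    msg["To"] = owner
    msg["Reply-To"] = form["email"]
    msg["Subject"] = "Contact form: " + form.get("subject", "(none)")
    msg.set_content(f"From {form.get('name', '')} ({remote_ip}):\n\n{form.get('body', '')}")
    return "send", msg

# Constructed sample submissions (not taken from the thread).
CLEAN = {"name": "Ann", "email": "ann@example.org", "subject": "Quote", "body": "Hi"}
PROBE = {"name": "qwkzj", "email": "x@example.org\r\nBcc: probe@example.invalid",
         "subject": "qwkzj", "body": "qwkzj"}

if __name__ == "__main__":
    for form in (CLEAN, PROBE):
        action, msg = handle_submission(form, "203.0.113.7")
        print(action, "->", msg["To"], "|", msg["Subject"])
```

Either way the visitor can be shown the same "Thanks for your contact" page, so the script on the other end learns nothing from the response.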

7:11 pm on Sept 15, 2005 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lorax is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Mar 31, 2002
posts:7575
votes: 0


>> redirect

In some cases it is just gibberish but I'm also seeing injection attacks and those are the ones I'm sending off. I realize the message isn't getting through to the intended target in some cases but it's still satisfying!

5:12 am on Sept 16, 2005 (gmt 0)

Junior Member

10+ Year Member

joined:June 6, 2003
posts:162
votes: 0


I was fed up with getting so many spam tests the other night that I threw in an if/then to disallow anyone with a "-" as the User Agent from actually sending the email through my site's form. I suppose there's a vague chance that a legitimate user may have a blank User Agent, but I've never gotten a feedback from one so I figured it was at least an acceptable temporary measure.

10:50 am on Sept 16, 2005 (gmt 0)

Junior Member

10+ Year Member

joined:Mar 8, 2003
posts:89
votes: 0


I've noticed that 60-70% of the IPs that the attacks are coming from are open anonymous web proxies.

Simon.

10:22 pm on Sept 21, 2005 (gmt 0)

New User

10+ Year Member

joined:Mar 11, 2004
posts:7
votes: 0


I'm using straight asp for my forms and need to add an image verification app to them. I'm getting emails (as they should be from my asp program) where every line has been filled in with a group of letters followed by @domain. I don't think they are going out anywhere else and it's occurring about once or twice a week.

I would appreciate any sources you could provide. Most of what I see is asp.net (I don't know the difference or if they could be combined) or PHP apps.

Thanks in advance

Mike