The spider creates a push to the send button of the form.
Reports as
[ HTTP_USER_AGENT ]=[ mozilla/5.0 (compatible; heritrix/1.0.4 +http://example.com) ]
[edited by: Receptional at 9:24 am (utc) on Sep. 14, 2005]
[edit reason] examplified domain [/edit]
To prevent it you need a better form handling script that first checks the input values and where they come from ($GET, $POST, ...) and only sends an email if they are valid.
[webmasterworld.com...]
[webmasterworld.com...]
[webmasterworld.com...]
I THINK (I'm no techie) that the game is, fill in a form with the form owner's email, then CC thousands of other email addresses on the back of it, using the form fields to peddle your wares. Correct me if I am wrong guys?
The method used is to attack insecure forms using 'email injection' by adding new lines or mime type headers into posted data, in order to add CC or BCC recipients. This seems to work pretty well with a large number of PHP scripts (due to the mail() function, don't think it affects other languages).
I've dealt with it by checking if posted data contains stuff like "\r", "\n", "Content-Type:" or "MIME-Version:" and delivering a custom 403 message if so.
Part of the problem is that even if a form is secure, the spammers keep trying attempt after attempt (from a seemingly endless supply of zombie PCs) which causes a lot of junk to be sent through forms if they aren't filtered.
Spiders don't/can't "press buttons". They only request URLs based on the HTML/JavaScript code on your site.
While that's true, you don't need to push a button to post a form. You just need to scan web pages for "form action=" and POST data to the form handler.
Each field
$text=~ s/to\:/to\ \:/gi;
$text=~ s/cc\:/cc\ \:/gi;
$text=~ s/bcc\:/bcc\ \:/gi;
$text=~ s/from\:/from\ \:/gi;
$visitor::username =~ s/\n|\r|\:|\%|\ //g;
#stop trick with multi line username
This stops the spammers' trick
While that's true, you don't need to push a button to post a form. You just need to scan web pages for "form action=" and POST data to the form handler.
Isn't that what I said? ;)
AFAIK there's nothing about the PHP mail() function that makes it more vulnerable than other languages. It just happens that there are more PHP scripts that are vulnerable. A few years ago it was Perl formmail scripts that were getting hammered.
The problem IMHO is people using 'generic' form-handling scripts that offer more functionality than the site needs. If you're never going to use Cc or Bcc then the script shouldn't even be capable of doing so.
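An added example, not part of any post in this thread: a PHP form handler that combines the line-break and header-marker check described above with a fixed recipient and no Cc/Bcc capability. The address `OWNER_ADDRESS`, the field names and the function names are assumptions made for illustration, and the sample submissions are constructed.

```php
<?php
// Added example; OWNER_ADDRESS and the field names are assumptions, not from the thread.
const OWNER_ADDRESS = 'owner@example.com';   // fixed recipient, never read from the request

// Returns null when the value is safe to place in a mail header, else a reason.
function header_field_problem(string $value): ?string
{
    // A raw CR or LF ends the current header line and lets the sender start a new one.
    if (preg_match('/[\r\n]/', $value)) {
        return 'line break in single-line field';
    }
    // The markers named in the thread; alone they add no header, but they flag an attempt.
    if (preg_match('/(content-type|mime-version)\s*:/i', $value)) {
        return 'mail header name in field';
    }
    return null;
}

// Validates one POST-style array and returns [status, detail]:
// 403 with a reason, or 200 with the arguments that would be handed to mail().
function handle_contact_form(array $post): array
{
    $name    = trim((string)($post['name'] ?? ''));
    $email   = trim((string)($post['email'] ?? ''));
    $subject = trim((string)($post['subject'] ?? ''));
    $message = (string)($post['message'] ?? '');

    foreach (['name' => $name, 'email' => $email, 'subject' => $subject] as $field => $value) {
        $problem = header_field_problem($value);
        if ($problem !== null) {
            return [403, "$field: $problem"];
        }
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return [403, 'email: not a valid address'];
    }
    // Only the body may span lines; the handler has no code path that emits Cc or Bcc.
    $headers = 'From: ' . OWNER_ADDRESS . "\r\nReply-To: $email";
    return [200, [OWNER_ADDRESS, "Contact form: $subject", "From $name\n\n$message", $headers]];
}

// Constructed sample submissions: one ordinary, one carrying an injected Bcc header.
$samples = [
    ['name' => 'Ann', 'email' => 'ann@example.org', 'subject' => 'Hello', 'message' => "Line 1\nLine 2"],
    ['name' => 'x', 'email' => "a@example.org\r\nBcc: list@example.net", 'subject' => 's', 'message' => 'm'],
];
foreach ($samples as $post) {
    [$status, $detail] = handle_contact_form($post);
    echo $status, ' ', is_array($detail) ? 'would send to ' . $detail[0] : $detail, "\n";
}
```

In a live handler the 200 branch would pass the four returned values to `mail()` and the 403 branch would set the response code before printing the custom message.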