
Forum Moderators: Ocean10000 & phranque


Website contact forms being spammed?

Strange emails from website contact forms

     
4:42 pm on Sep 6, 2005 (gmt 0)

Junior Member

10+ Year Member

joined:June 19, 2004
posts:152
votes: 0


The last couple of days, 2 of the websites I look after have had strange emails forwarded from their contact forms. In each case the emails look something like the extract below.

I'm guessing that what's happening is someone is trying to paste something into the contact form and it's coming up like this. But it doesn't really look like spam because there are no links or anything. Any ideas what's going on?

On one of the websites the form is powered by PHP which just uses the 'mail' function. The other one uses the traditional SendMail CGI method.

Content-Type: multipart/mixed; boundary=\"===============0777806587==\"
MIME-Version: 1.0
Subject: a13cac1
To: qpoltpszm@websitename.com
bcc: bergkoch8@aol.com
From: qpoltpszm@websitename.com

This is a multi-part message in MIME format.

--===============0777806587==
Content-Type: text/plain; charset=\"us-ascii\"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

ltof
--===============0777806587==--

8:39 pm on Sept 6, 2005 (gmt 0)

Junior Member

10+ Year Member

joined:July 18, 2005
posts:82
votes: 0


I've been getting these for about a month -- mostly from Windows computers in China and India. I think it's a new virus that pastes random words and phrases into web forms. I'm not sure to what end. It's something of a nuisance. Some days I'll get 500 of these messages, and it's really hurting my bandwidth.

At first I was blocking ISPs in China to control the flood. Now it's spread to Cox customers in New Jersey.

9:03 pm on Sept 6, 2005 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Sept 7, 2003
posts:1408
votes: 0


Question:

Are you sure it's coming from a form on your sites? Or could it be that someone is just using your mail? If it's the latter, there are ways to deal with that. With a combination of a few lines in your .htaccess and a trap.pl script they can be stopped cold.

This is what I have in my .htaccess:

RewriteCond %{REQUEST_URI} ^/FormMail [NC,OR]
RewriteCond %{REQUEST_URI} ^/FormMail\.(cgi|pl|php) [NC,OR]
RewriteCond %{REQUEST_URI} ^/cgi(\-local|\-bin)/FormMail [NC,OR]
RewriteCond %{REQUEST_URI} ^/cgi(\-local|\-bin)/FormMail\.(cgi|pl|php) [NC,OR]
RewriteCond %{REQUEST_URI} (mail.?form|form|form.?mail|mail|mailto)\.(cgi|exe|pl)$ [NC]
RewriteRule .* /cgi-bin/trap.pl [L]

Then in cgi-bin, trap.pl rewrites my .htaccess to include the offenders in the ban list. As far as I can tell, using this setup, I'm the only person that can use my mail function. A search for trap.pl should give you all the details you need. If the mail truly is coming from a form on your site then this won't work.

12:22 am on Sept 7, 2005 (gmt 0)

Junior Member

10+ Year Member

joined:July 18, 2005
posts:82
votes: 0


It's coming from one of my forms. I wish there was a way to stop it. Form validation doesn't work because it bypasses Javascript.

1:23 am on Sept 8, 2005 (gmt 0)

New User

10+ Year Member

joined:Sept 8, 2005
posts:2
votes: 0


The exact situation is happening on our setup.

Not only is our contact.cgi being hit on multiple sites on the server, a different contact page that adds the person's data to the database is also being hit. The form pulls the IP, and so we know that many of the spams that hit that page are off of proxies. No real surprise, I guess. I just don't understand the motivation.

4:29 am on Sept 8, 2005 (gmt 0)

Senior Member

WebmasterWorld Senior Member jdmorgan is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Mar 31, 2002
posts:25430
votes: 0


> Form validation doesn't work because it bypasses Javascript.

If it's a 'bot that won't run JavaScript, how about coding the
<form METHOD="POST" ACTION="yourmailer.cgi">
line as a JavaScript document.write. You could also make a <noscript> section that posts to a different --even fake-- script. Or it could omit the form action completely.

You'd need to sniff for JS at the top of the form and warn human visitors that it requires JS, though.

If they are simply lifting the Action URL from your page, then you could again use JS to break up that URL into pieces and document.write it a piece at a time.

The best solution is to switch to a mailer that restricts access, but maybe some of these simple ideas will help short-term.

Jim

7:15 am on Sept 8, 2005 (gmt 0)

New User

10+ Year Member

joined:Dec 3, 2004
posts:9
votes: 0


I had the same problem. I ended up making a random user validation jpg where the user has to type the alphanumeric in the jpg in an input field. I found the code to randomly generate the jpg with a background on the web and it seems to have stopped them. Without the right code, it just returns and does nothing.

3 of my clients got hit by the same thing and one kind of complained about the user auth jpg solution but he is happy now that it's done.

9:10 am on Sept 8, 2005 (gmt 0)

Preferred Member

10+ Year Member

joined:Jan 26, 2003
posts:371
votes: 0


I'm having the same problem these last few days...

Mikeyr: I like your solution; I'll try that!

9:34 am on Sept 8, 2005 (gmt 0)

Junior Member

10+ Year Member

joined:June 19, 2004
posts:152
votes: 0


Well at least I'm not alone!

As I mentioned, one of my sites uses the PHP mail function so I'm assuming that blocking things with .htaccess wouldn't have any effect on that anyway?

Guess I should consider the javascript or random JPG options. Seems a shame to add this complication.

As to motivation: I've noticed that all the mails I've received seem to have a legitimate AOL address as the BCC recipient. I'm wondering whether the motivation is that the sender hopes that confused webmasters may eventually email that address, thus getting added to a spam list?

10:15 am on Sept 8, 2005 (gmt 0)

Preferred Member

10+ Year Member

joined:Apr 4, 2004
posts:388
votes: 0


[en.wikipedia.org...]

:-)

2:10 pm on Sept 8, 2005 (gmt 0)

Junior Member

10+ Year Member

joined:July 18, 2005
posts:82
votes: 0


The Javascript method sounds promising.
The captcha doesn't.

The problem is that this bot is looking for forms to fill. It doesn't care what the forms are and it doesn't know or care if the submission works or not.

I looked at a few of the captcha methods mentioned on the Wikipedia article and they all verify the captcha after the form is submitted. That's exactly what this bot is looking for -- forms to submit. This doesn't solve the problem, it creates a playground and a target for the bot to happily play in sucking up bandwidth.

I think the only way to fight this bot is to have something it can't submit, or can't figure out how to submit.

Does anyone know of a script or code sample where the "submit" function doesn't become available or functional until a valid captcha is entered in the form?

8:04 pm on Sept 9, 2005 (gmt 0)

New User

10+ Year Member

joined:Dec 3, 2004
posts:9
votes: 0


Well I am happy with my solution, they may be attacking my form or not but I don't know about it (unless I look in the logs and for now they are not). While looking for a solution I did find some perl code that checks to see if a form was submitted by a robot or a real person, you may be able to call it using server side includes and put up the submit button based on its results but I was not sure it would work and I knew this would, so I went this way.

Not sure where I found that code, if you want it and can't find it, let me know and I will try and research how I found it.

4:47 am on Sept 11, 2005 (gmt 0)

Junior Member

10+ Year Member

joined:July 18, 2005
posts:82
votes: 0


I've managed to obscure my forms from the bots with a little Javascript.
Now I have to get my .htaccess working properly so I can ban known botnets from scanning my sites looking for forms.

7:11 am on Sept 11, 2005 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Apr 9, 2005
posts:1509
votes: 0


Posted some php stuff on this topic here:

[webmasterworld.com...]

See Msg #11 -- might help someone out.

Justin

6:51 pm on Sept 11, 2005 (gmt 0)

Full Member

10+ Year Member

joined:Mar 22, 2005
posts:243
votes: 0


I have the same problem; however, I have used simple JavaScript validation and the problem seems (so far) to have been eliminated.

dfogels

7:35 am on Sept 15, 2005 (gmt 0)

Inactive Member
Account Expired

 
 


Hi guys,

I too have had this problem a lot recently. All messages that have come through to me so far have been with a random email address as the contents of every single form field. Example:

Server Date / Time: jzz@mydomain.com.au
This is a contact from: jzz@mydomain.com.au
Name: jzz@mydomain.com.au
Phone: jzz@mydomain.com.au
Email: jzz@mydomain.com.au
Comments:
jzz@mydomain.com.au

So all I have done is some simple checking on the DateTime variable like so:

----------
'check for automated form spammer bots.
if instr(DateTime, "@") then
    Response.Redirect "thankyou.asp"
else
    'carry on.
end if
----------

As the DateTime variable could never really have the @ character in it, if I find it there I just redirect the bot to the thankyou page.

Obviously this is using ASP, but the same principle should apply to PHP.

This seems to be working well for now.

Cheers,
Damian
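
Added example, not part of the thread or any poster's code: the same server-side idea in PHP, run before mail() is called, extended to reject line breaks and mail-header text (Content-Type:, bcc:) in form fields like those in the first post's sample. The field names and the sample submissions are constructed for illustration.

```php
<?php
// Added example: screen a contact-form POST on the server before calling mail().
// Field names (name, email, phone, comments) are assumptions for illustration.

const SINGLE_LINE_FIELDS = ['name', 'email', 'phone'];
// Header names at the start of a line; a legitimate comment that begins a line
// with one of these would also be rejected, so keep the list short.
const HEADER_PATTERN = '/^\s*(content-type|mime-version|content-transfer-encoding|bcc|cc)\s*:/mi';

function screen_submission(array $fields): array
{
    $reasons = [];
    foreach ($fields as $key => $value) {
        $value = (string) $value;
        // A name, address or phone number never contains a line break; in a value
        // that is copied into a mail header, a line break starts a new header.
        if (in_array($key, SINGLE_LINE_FIELDS, true) && preg_match('/[\r\n]/', $value)) {
            $reasons[] = "$key: line break in single-line field";
        }
        // Mail header text inside a field, as in the sample in the first post.
        if (preg_match(HEADER_PATTERN, $value)) {
            $reasons[] = "$key: looks like injected mail headers";
        }
    }
    if (filter_var($fields['email'] ?? '', FILTER_VALIDATE_EMAIL) === false) {
        $reasons[] = 'email: not a valid address';
    }
    // The probe pattern from the post above: one address pasted into every field.
    $distinct = array_values(array_unique(array_map('trim', array_map('strval', $fields))));
    if (count($fields) > 1 && count($distinct) === 1 && strpos($distinct[0], '@') !== false) {
        $reasons[] = 'all fields hold the same e-mail address';
    }
    return $reasons;
}

// Constructed sample submissions (not real traffic).
$samples = [
    'legitimate' => ['name' => 'Pat Example', 'email' => 'pat@example.org',
                     'phone' => '555 0100', 'comments' => "Hello,\nplease call me back."],
    'probe'      => ['name' => 'jzz@example.com', 'email' => 'jzz@example.com',
                     'phone' => 'jzz@example.com', 'comments' => 'jzz@example.com'],
    'injection'  => ['name' => 'x', 'phone' => '',
                     'email' => "x@example.com\r\nbcc: someone@example.net",
                     'comments' => "Content-Type: multipart/mixed; boundary=\"b\"\nMIME-Version: 1.0"],
];
foreach ($samples as $label => $fields) {
    $reasons = screen_submission($fields);
    echo $label, ': ', $reasons ? 'REJECT (' . implode('; ', $reasons) . ')' : 'accept', "\n";
}
```

A check like this belongs in the PHP script that receives the POST, not in the form's HTML, so it still runs when the client skips JavaScript.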

1:01 pm on Sept 15, 2005 (gmt 0)

Full Member

10+ Year Member

joined:Mar 22, 2005
posts:243
votes: 0


Recently, I did post that JavaScript was helping me with this situation too! However, I was wrong.

We have back traced the IP address and it's coming from a company in the NL. The company's name is RIPE Network Coordination Centre. Also, there is an IP address coming from Poland!

Yesterday, I made a new contact and shortened the character width for each field. E.g. email, 40 characters allowed. name, 30 characters allowed, phone 10 characters allowed etc! Also, address must contain a number with only 6 characters allowed. I have my fingers crossed.

1:20 pm on Sept 15, 2005 (gmt 0)

Full Member

10+ Year Member

joined:Mar 22, 2005
posts:243
votes: 0


dfogels, where do I insert the code? I'm using a PHP mailer. Do I insert the code in my form or in the PHP?

2:36 pm on Sept 15, 2005 (gmt 0)

Senior Member

WebmasterWorld Senior Member jdmorgan is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Mar 31, 2002
posts:25430
votes: 0


bartainer,

"RIPE Network Coordination Centre" is the WHOIS database administrator for IP addresses assigned to the European/Middle East region. You need to go to RIPE at [ripe.net...] and type in the IP address, and they will display the ISP that that IP address is assigned to. If RIPE itself was spamming the 'net, it would be front-page news.

WHOIS info for the world is split up between ARIN, RIPE, APNIC, JPNIC, KRNIC, LACNIC, AfrNIC, and several others. When you see them come up as the result of a WHOIS search, you need to 'follow the trail' to them, and then re-enter the IP address you want to look up.

Jim