How to ban IP that use my forms to submit spam

         

Ultimatesources

1:38 pm on Aug 7, 2006 (gmt 0)

10+ Year Member



I am losing my mind. I started with 1000 forms and I have some rogue spammer that fills in the contact as BOSS and submits spam on all of the forms on my website. My website is a service site and I need to be able to receive my forms from real and actual professionals but this spammer is clogging my inbox with bogus spam form submissions. Is there an HTML code or any code for that matter that I can ban his IP addresses from (Yes, he does it from multiple IP addresses)? I don't know what to do anymore. The spammer is taking over my form submissions.

[edited by: encyclo at 2:01 pm (utc) on Aug. 7, 2006]
[edit reason] no personal URLs please, see forum charter [/edit]

encyclo

2:03 pm on Aug 7, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Welcome to WebmasterWorld Ultimatesources. What technology are you using for processing your forms, and what kind of server are you running (Apache or IIS)?

There is little that you can do with HTML, but you can use Apache mod_rewrite or server-side scripting to control access to your scripts.

ScottM

2:18 pm on Aug 7, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



A similar thing just started on one of my sites. Using a FrontPage form, shared hosting on a LAMP box. Unless this is an exploit by some hole in Front Page, just changing the form a bit should rule out most automated stuff. If it's a 'hand job', it should be a little easier to stop them I would think.

Multiple IP's, I've just disabled the form results right now and I'm collecting IP addresses and will use .htaccess to deny them once I see they've gone through their whole list.

The sites being listed are all .de sites, so that gives me a little bit of a clue where it's coming from.

Ultimatesources

4:19 pm on Aug 7, 2006 (gmt 0)

10+ Year Member



I am hosting my site on Freewebs and the forms are also through them. I am a novice and the codes that I have been able to find only work for a day, if that, before the spammer starts over again. Over 40 IP Addresses already and when I check them they are all working off of APNIC, all from China, Philippines, AU and so on. I feel like throwing myself off of the sidewalk already. I can't get this guy off of my forms. I'd like to ban all of those countries because it's obvious that I am only doing business in the US, mainly in NY at that.

Thanks

Tourz

5:36 pm on Aug 7, 2006 (gmt 0)

10+ Year Member



I have found that making forms secure keeps the bots from filling them out. Used a GeoTrust certificate. A downfall is that the pages become slower loading.

rocknbil

3:53 pm on Aug 8, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



A very related topic is also under discussion here [webmasterworld.com].

First as has been mentioned they are not attacking the form. Once they figure out where the form posts to, they are only attacking that processor, so anything you do to the form will not help.

Chasing IP's won't help a lot, as those are likely compromised computers or servers. What you want to be sure of is that this type of attack is not one as described in the above link. If it is, the email you actually receive is the least of your worries.

Once you insure against the possibility your processor is being abused as in the above link, you can use whatever language it's in to loop through IP addresses and die immediately if any are in your "ban list." I usually do the ban list as a set of wildcard lists, because it's usually a range of IP addresses and as you say, they change frequently. I'm sure these guys have a list of available "zombies."

After a while they give up and don't return, they'll only keep hitting you if you can be exploited. Then you can remove the IP's from the ban list, and allow any legitimate emails from that set of IP's to come through. I know this requires diligent maintenance but at this point I think it's necessary as the IP is the only identifying factor.
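
Added example (not part of rocknbil's post or any poster's code): a wildcard ban list checked at the very top of a PHP form processor, with an expiry date per entry so that ranges drop off the list again as described above. The patterns, dates and the `isBanned` name are assumptions made for illustration.

```php
<?php
// Added example, not from the thread. Patterns and dates are constructed
// (documentation address ranges); '*' stands for any value in that octet.
$banList = [
    '203.0.113.*'  => '2006-09-30',   // pattern => last day the ban applies
    '198.51.100.*' => '2006-09-15',
    '192.0.2.44'   => '2006-08-31',
];

/** True when $ip matches an unexpired pattern in $banList. */
function isBanned(string $ip, array $banList, string $today): bool
{
    // Only literal IPv4 addresses are matched; anything else is not banned here.
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        return false;
    }
    $ipOctets = explode('.', $ip);
    foreach ($banList as $pattern => $expires) {
        if ($today > $expires) {
            continue;   // ban has aged out, mail from this range flows again
        }
        $patOctets = explode('.', $pattern);
        if (count($patOctets) !== 4) {
            continue;   // malformed pattern
        }
        $match = true;
        foreach ($patOctets as $i => $p) {
            if ($p !== '*' && $p !== $ipOctets[$i]) {
                $match = false;
                break;
            }
        }
        if ($match) {
            return true;
        }
    }
    return false;
}

// First lines of the form processor, before any mail is built.
// REMOTE_ADDR is the TCP peer; X-Forwarded-For is client-supplied, so not used.
$clientIp = $_SERVER['REMOTE_ADDR'] ?? '';
if (isBanned($clientIp, $banList, date('Y-m-d'))) {
    http_response_code(403);
    exit;
}
```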

MatthewHSE

8:43 pm on Aug 8, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



There's a post somewhere here at WW that describes a great method to help prevent this kind of thing. Basically you start a PHP session on your form page, and set the session ID as a hidden form field. Then, in your processing script, you check the session ID (stored on the server) against the submitted value of the hidden form field. If it doesn't match, the form submission isn't legitimate and you can just exit processing before sending any mail. If it does match, there's a much better chance that the submission is legitimate.
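
Added example (not part of MatthewHSE's post and not the code from the post he refers to): the hidden-field check in a single PHP file that both renders and processes the form. It stores a random token in the session and compares that, rather than exposing the session ID itself in the page; the `form_token` field name, the one-hour limit and the single-use behaviour are assumptions.

```php
<?php
// Added example, not from the thread. Field and session key names are assumptions.
session_start();

/** Form page: create the token once per session and return the hidden field. */
function formTokenField(): string
{
    if (empty($_SESSION['form_token'])) {
        $_SESSION['form_token']  = bin2hex(random_bytes(32));
        $_SESSION['form_issued'] = time();
    }
    return '<input type="hidden" name="form_token" value="'
         . htmlspecialchars($_SESSION['form_token'], ENT_QUOTES) . '">';
}

/** Processor: true only if the posted token is the one stored server-side. */
function formTokenValid(array $post, int $maxAge = 3600): bool
{
    $expected = $_SESSION['form_token'] ?? '';
    $issued   = $_SESSION['form_issued'] ?? 0;
    $given    = $post['form_token'] ?? '';
    // Single use: a replayed POST finds no token left in the session.
    unset($_SESSION['form_token'], $_SESSION['form_issued']);

    if ($expected === '' || !is_string($given)) {
        return false;   // POST sent straight to the processor, form never loaded
    }
    return hash_equals($expected, $given) && (time() - $issued) <= $maxAge;
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    if (!formTokenValid($_POST)) {
        http_response_code(400);
        exit;           // stop before any mail is built
    }
    echo 'Thank you, your message was received.';
} else {
    echo '<form method="post">', formTokenField(),
         '<input name="email"><textarea name="message"></textarea>',
         '<button>Send</button></form>';
}
```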

penders

9:51 am on Aug 9, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Just to add my pennies worth... Yeah, I think chasing the IP address is a lost cause, as like you say, it changes all the time. I have found, however, that in rogue form submissions the User-Agent of the submitting person/robot is often fake, i.e.:


User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)

Yes, that really does say 'User-Agent' inside the user agent! And is googlebot really trying to submit my forms? Admittedly this is from a guestbook script, but similar idea.

Also, the way the form has been filled in, i.e. entering exactly the same text in 2 or more fields, where it really wouldn't make sense, is a sure sign of a robot. Also checking for URLs having been entered in fields, if not allowed.

Are you using POST or GET for your forms?
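
Added example (not part of penders's post): the checks described above collected into one PHP function that returns the reasons a submission looks automated. The function name, field names and the sample submission are constructed for illustration; the eight-character minimum for the duplicate-text check is an assumption to avoid flagging short answers.

```php
<?php
// Added example, not from the thread. Field names and sample data are constructed.

/** Returns the reasons a submission looks automated; an empty array means none. */
function spamSignals(string $userAgent, array $fields, array $noUrlFields): array
{
    $reasons = [];
    // The header name appearing inside the header value.
    if (stripos($userAgent, 'User-Agent:') !== false) {
        $reasons[] = 'header name inside User-Agent value';
    }
    // A crawler User-Agent on a form POST.
    if (stripos($userAgent, 'Googlebot') !== false) {
        $reasons[] = 'Googlebot User-Agent on a form submission';
    }
    // Same text in two or more fields; short values ("yes", "NY") are ignored.
    $texts = [];
    foreach ($fields as $value) {
        if (is_string($value) && strlen(trim($value)) >= 8) {
            $texts[] = strtolower(trim($value));
        }
    }
    if (count($texts) !== count(array_unique($texts))) {
        $reasons[] = 'identical text in two or more fields';
    }
    // URLs in fields where none are allowed.
    foreach ($noUrlFields as $name) {
        $value = $fields[$name] ?? '';
        if (is_string($value) && preg_match('~https?://|www\.~i', $value)) {
            $reasons[] = "URL in field '$name'";
        }
    }
    return $reasons;
}

// Constructed submission, using the first User-Agent string quoted above.
$ua   = 'User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)';
$post = [
    'name'    => 'BOSS',
    'company' => 'cheap offers http://spam.example/',
    'message' => 'cheap offers http://spam.example/',
];
foreach (spamSignals($ua, $post, ['name', 'company']) as $reason) {
    echo $reason, PHP_EOL;
}
```

In a live processor the arguments would be `$_SERVER['HTTP_USER_AGENT'] ?? ''` and `$_POST`, and a non-empty result would stop processing before any mail is sent.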

Marz5

7:24 pm on Aug 9, 2006 (gmt 0)

10+ Year Member



I have 2 solutions for you, but 1 might not work

1) If you have some sort of Cpanel in your webhost package, there should be an option to IP Deny (or ban) a particular IP from accessing the whole site. That is, not only the form but your whole site is blocked for this fellow.

2) Alternatively, edit the file .htaccess (if you don't have it, create it with a text editor). This is found in the root folder of your website. Most websites have it, but if you don't see it you have to create it. Then this is a special command to deny the IP from your whole website.

I can't remember exactly the code/command you have to write but I am sure you find your reply if you google it (e.g. search ".htaccess deny IP")

hope it helps