
Forum Moderators: phranque


Abuse of email form

Any countermeasures?

6:37 pm on Sep 20, 2006 (gmt 0)

Junior Member

5+ Year Member

joined:May 12, 2006
votes: 0

I hope I am in the right category for this query. It regards email scripts that pick up data from a form and mail it to a designated address by utilising sendmail that is installed on the server. I have been using one of these forms, which recently I had to remove as it seemed to have been hijacked by someone. All of a sudden I started getting emails from my own address containing the following in the message body:

<snip>Generic spam</snip>

The script was a very simplistic, freely available Perl script which is placed in the CGI folder and called from within the form - which was a big mistake as the form seemed to have become easy prey for malicious robots. Initially I kept getting an email every 2-3 days and more recently almost on a daily basis (it was the same message in all the cases so far). What worried me the most was that the log indicated that within those last few days there was a sudden increase of people accessing the site without a referring URL, which at least in my mind suggested the visitors in question pasted the address directly, rather than visiting the site 'naturally' via a link on another site or the search engines - probably investigating to see where the spam came from. I went to the advertised site's page, which looked a bit suspicious as it seemed to promote a large company through very few pages that didn't give too much information about it. There wasn't even a way to contact them online. The only thing I found regarding my case was a mailing list removal form. Although I never subscribed to any list in the past, I entered the address requesting for it to be removed, just in case someone else had 'subscribed' it without my consent. A few days later, nothing had happened; I still keep receiving the usual advertising messages. I emailed the domain owner of emailadvertisinginc telling them of the situation and that they should take action fast or else. The message bounced back 2 days later with a timeout error, which probably means that the owner didn't even supply a valid address for their Whois records. Right now I want to do two things: a) Stop spam being sent from my domain (or pretending to be my domain) and fix/enhance the form to be robust against common spamming techniques, b) Find the offender (yeah, right).

Regarding (a) I would preferably like to modify the existing form, if that is to be of any use. My time is limited, and so are my Perl programming skills, but I am sure there has got to be something out there that would allow me to have an anti-spam, robust form. Surely.

Regarding (b), are there any steps/actions that I can take for punishing the abuser? Any sort of reporting for blacklisting or any other action that will damage their intentions of abusing somebody else in the future. I am sure many of you may think that this is rather unrealistic - and I concur with you, so do I. The reason I am pressing this forward is that, if my guess about this whole situation is correct, someone is wasting my bandwidth and damaging the site's reputation by broadcasting advertising messages on my behalf. This is a serious issue and as such I would really appreciate any suggestions or thoughts that could help me solve it. The most shocking thing about the whole story is that even now, having removed the form itself as well as the Perl script, I still receive the advertising messages and the sender seems to be my domain! In the message header data I pasted above the X-ClientAddr seems to be changing with every new message, which is no surprise. Amazingly the Received from: is also changing; sometimes it is my domain's IP address and sometimes an unknown one. Given my limited knowledge, this is as far as I could go. Can someone with experience in the area shed some light on this?

Please note that the "#*$!.#*$!.#*$!.#*$!" is the IP address. I had already #*$!-ed it but it was scrambled anyway.

[edited by: trillianjedi at 7:22 am (utc) on Sep. 22, 2006]
[edit reason] No specifics or emails please as per TOS [/edit]
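The poster's script is not shown, but the failure mode described above (a form-to-mail CGI that builds the message from raw form fields and hands it to sendmail) is what makes such scripts easy prey: a bot that can put a line break into a field can append its own header lines, and a script that runs sendmail with `-t` then reads the bot's recipients from those headers. The following is an added example, not the script from the thread, of a hardened handler: the recipient is fixed in the code, header-bound fields are refused if they are not a single short line, and sendmail is invoked without `-t`. It assumes the `CGI` module is installed, that sendmail is at `/usr/sbin/sendmail`, and that the form has fields named `name`, `email` and `message`; all addresses are placeholders.

```perl
#!/usr/bin/perl
# Added example, not the poster's original script: a form-to-mail handler
# that refuses header injection. Assumes the CGI module is available and
# sendmail lives at /usr/sbin/sendmail; the addresses are placeholders.
use strict;
use warnings;
use CGI qw(param);

my $TO         = 'webmaster@example.com';   # fixed recipient, never read from the form
my $SUBJECT    = 'Website contact form';
my $SENDMAIL   = '/usr/sbin/sendmail';
my $MAX_HEADER = 100;                       # limit for values that end up in headers
my $MAX_BODY   = 5000;                      # limit for the free-text message

# A value that will be written into a mail header must be a single line.
# A CR/LF (raw, or still URL-encoded after decoding) is what lets a bot
# append its own To:/Cc:/Bcc: lines to the message a naive script builds.
sub is_header_safe {
    my ($value) = @_;
    return 0 unless defined $value;
    return 0 if length($value) > $MAX_HEADER;
    return 0 if $value =~ /[\r\n]/;
    return 0 if $value =~ /%0[AD]/i;
    return 0 if $value =~ /(?:^|\s)(?:to|cc|bcc|content-type)\s*:/i;
    return 1;
}

# Deliberately strict address syntax: an ordinary address matches it, and
# anything that looks like a header line or a list of addresses does not.
sub is_plain_address {
    my ($addr) = @_;
    return (defined $addr && $addr =~ /^[\w.+-]+@[\w-]+(?:\.[\w-]+)+$/) ? 1 : 0;
}

sub bail {
    my ($msg) = @_;
    print "Content-Type: text/plain\n\n$msg\n";
    exit;
}

# Read only the fields the form actually has; unknown parameters are ignored.
my %field;
for my $name (qw(name email message)) {
    my $v = scalar param($name);
    $field{$name} = defined $v ? $v : '';
}

bail('Rejected.')         unless is_header_safe($field{name});
bail('Invalid address.')  unless is_header_safe($field{email}) && is_plain_address($field{email});
bail('Message too long.') if length($field{message}) > $MAX_BODY;

# Give sendmail the recipient on its command line and do NOT pass -t, which
# would make it take recipients from the headers printed below. The list
# form of open() runs sendmail directly, with no shell in between.
open(my $mail, '|-', $SENDMAIL, '-oi', $TO)
    or bail('Mail is temporarily unavailable.');
print $mail "To: $TO\n";
print $mail "From: $TO\n";                   # our own address as sender
print $mail "Reply-To: $field{email}\n";     # validated single address
print $mail "Subject: $SUBJECT\n";
print $mail "\n";                            # blank line ends the headers
print $mail "Name: $field{name}\n\n$field{message}\n";
close($mail) or bail('Mail could not be delivered.');

print "Content-Type: text/plain\n\nThank you, your message has been sent.\n";
```

The two decisions that matter are that nothing from the form can add or change a recipient (fixed `$TO`, no `-t`), and that only single-line values reach a header at all. The body is free text and can say anything, which is fine: a bot that can only send one message to you is a nuisance, not a relay.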

7:17 am on Sept 22, 2006 (gmt 0)

Junior Member

5+ Year Member

joined:May 12, 2006
votes: 0

Just an update. Still getting the spam email where my domain is the 'sender', even though I completely removed the form and the Perl script 3 days ago. I really don't know what to do to stop it, as I read in several threads that other people could be BCC-ed in that mail and think that my domain spams them! I also noticed something rather strange in the logs. 2-3 daily occurrences within several minutes of an IP address from Singapore accessing the site without a referring link:


and so on.

Could that have something to do with it? Apologies for the long initial thread; I can now see this topic has been discussed to death over the last few years. At the moment I am more concerned with stopping the particular spammer by any means necessary and will worry about reinforcing the form later!


[edited by: trillianjedi at 7:23 am (utc) on Sep. 22, 2006]
[edit reason] See above, thanks. [/edit]

7:32 am on Sept 22, 2006 (gmt 0)

Preferred Member

10+ Year Member

joined:Jan 9, 2003
votes: 0

First thing you'll need to do is probably to look for your server's ip address in the content of the bounced mails.

Is the original spam mail sent from your server? If it is, you will need to secure the script on your site. You may also want to check various blacklists to see if your ip address is listed.

If the mail isn't coming from your server, there isn't much you can or need to do since most of the recipients of spam know that the sender info is forged and that it is not you.
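The check suggested in this reply, pulling the relay addresses out of a bounced message's Received: headers and seeing whether your own server is among them, is what decides between "secure the script" and "nothing to do". Below is an added example, not code from the thread, that does this over a constructed sample of headers and also builds the query name for a DNS-based blacklist lookup. The IP addresses are documentation placeholders; `$MY_SERVER_IP` and the blacklist zone are assumptions to replace with your own values.

```perl
#!/usr/bin/perl
# Added example, not from the thread: reads the Received: headers of a bounced
# message (a constructed sample below) and reports whether our own server
# appears in the relay chain. All addresses are placeholders from the
# documentation ranges; set $MY_SERVER_IP to your server's real address.
use strict;
use warnings;

my $MY_SERVER_IP = '192.0.2.10';   # assumption: our server's address
my $DO_LOOKUP    = 0;              # set to 1 to actually query the blacklist (needs network)

# Constructed sample headers of a returned message, newest hop first.
my $sample = <<'END';
Received: from mail.example.org (mail.example.org [198.51.100.5])
    by mx.example.net (Postfix) with ESMTP id 1A2B3C
    for <victim@example.net>; Wed, 20 Sep 2006 18:37:00 +0000
Received: from [203.0.113.77] (unknown [203.0.113.77])
    by mail.example.org with SMTP; Wed, 20 Sep 2006 18:36:40 +0000
From: <webmaster@example.com>
To: <victim@example.net>
Subject: constructed sample
END

# Return the address of the sending host recorded in each Received: header,
# in the order they appear (top = hop nearest the recipient).
sub relay_ips {
    my ($headers) = @_;
    $headers =~ s/\r?\n[ \t]+/ /g;          # unfold continuation lines
    my @ips;
    for my $line (split /\r?\n/, $headers) {
        next unless $line =~ /^Received:/i;
        # "from <claimed-name> (<reverse-name> [a.b.c.d])": the bracketed
        # address is what the receiving hop observed, not what the sender said.
        push @ips, $1
            if $line =~ /\bfrom\s+\S+\s*\([^)]*?\[(\d{1,3}(?:\.\d{1,3}){3})\]/i;
    }
    return @ips;
}

# Did the message pass through our server at any hop?
sub relayed_through {
    my ($ip, @chain) = @_;
    return scalar grep { $_ eq $ip } @chain;
}

# Query name for a DNS-based blacklist: octets reversed, zone appended.
# Any A record in the answer means the address is listed.
sub dnsbl_name {
    my ($ip, $zone) = @_;
    return join('.', reverse split /\./, $ip) . ".$zone";
}

my @chain = relay_ips($sample);
print "Relay chain (recipient side first): @chain\n";

if (relayed_through($MY_SERVER_IP, @chain)) {
    print "Our server is in the chain: the mail left through it, so the script or relay needs securing.\n";
} else {
    print "Our server is not in the chain: the From: address was forged elsewhere.\n";
}

# Only the Received: lines written by the recipient's own servers (the top of
# the chain) can be trusted; everything below was supplied by the sending side
# and may itself be forged. The topmost address is the one worth checking.
if (@chain) {
    my $name = dnsbl_name($chain[0], 'zen.spamhaus.org');   # assumption: zone of your choice
    print "Blacklist query name for $chain[0]: $name\n";
    if ($DO_LOOKUP) {
        print defined gethostbyname($name) ? "listed\n" : "not listed\n";
    }
}
```

Run against a real bounce, paste the bounced message's headers in place of `$sample`. If your server's address shows up in a Received: line written by the recipient's own mail system, the message really did leave through your host and the form script (or an open relay) is the problem; if it only appears in a lower line that the sender could have written, or not at all, the headers have been forged and the reply above applies.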