It would seem to me that it is VERY OBVIOUS this is not a comment submission area, and that it is heavily moderated in that I take the submission, and if I deem it appropriate, I work it into my Blue Widget page in my words or ways, I NEVER quote a submission.
So why do I get submissions that make no sense? Some forms are fully filled out (name, e-mail, comment), some have a name only. For the comment, I get the "page title". Or sometimes the page URL (that would be MY PAGE Url, not a spammer url). And that is it- title and/or URL. WTH?
It happens so regularly, I know they are trying to do something. But what? I am mystified! I even added a captcha, they still keep coming in!
I also do have page comments (which are also moderated)- they NEVER try to add there... just my "Add Additional Info" or "Add Youtube link" pages....
There's no complete solution, because this is an arms race between spammers and regular webmasters. But you can get ahead by getting as far away as possible from using standard form elements. Try replacing your captcha with a trivia question about Blue Widgets, or putting in hidden form fields that should not be filled, and so on.
So why do I get submissions that make no sense?
They are "tasting." Seeing what they can do with it. Their "bots" are testing the form fields, seeing which ones are required, seeing if they receive an email from it, seeing if they can inject directly into mail headers . . . . which may also mean, what you are seeing is not the whole story. Because they keep at it, I tend to believe this might be the case.
One question: do you receive an email notification when these are submitted?
If you do, you **definitely** are not seeing the whole story. What if I can somehow submit the following into an email address field?
firstname.lastname@example.org\n bcc:email@example.com,firstname.lastname@example.org . . . (thousands here)
The \n is a newline. So if this works, I've just created my OWN BCC field in your mail headers, and sent thousands of emails using your server. And being a BCC, you'll never know it.
Another example is to inject a multipart header and multipart email in the "message body". Same thing, you only see the "main" part, which may have nothing at all in it. The real meat is in the multipart, and it's already been done and sent by the time you get that, they don't care what you receive. The confusion, I imagine, is just a "bonus."
Also know that they don't need to be "on your form" to do it. If I know the URI of the form, I can post to it from command line, from anywhere, which is what bots do.
If you have coded this up, or had someone do it for you, I suggest you start doing one thing, immediately. Add a bit to your script that logs the raw data input from these forms. Open a file somewhere, every time something is submitted, dump the raw input into it, put a time stamp and IP address on it. Review it often. You'll be surprised . . . but this is where you start. Next is figuring out why, and most likely it's related to poor input filtering of data, which is what has made you a target. This is extremely different from the data you will get from your server logs.
CAPTCHA is totally hackable, I've seen it happen. I've no clue how they do it, I just know they do. In-form tricks - a hidden field that is supposed to stay empty, changing form field names, the trivia question challenge, other front end fixes - these will give temporary or maybe even permanent relief, but they won't deter the truly determined.
For that there is really only one solution, and it's STILL not "hack - proof". Filter your data well enough to make it as much a pain for them to abuse your site as they are a pain to you. If you can make them go off to greener pastures, it's all good.
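The two measures rocknbill's post describes, rejecting header-bound fields that carry a line break and logging every raw submission with a timestamp and source IP, as an added Python example; this is not code from the thread, and the field names and the simplified address pattern are assumptions.

```python
import datetime
import json
import re

# Fields that end up in mail headers (From/Reply-To/Subject). A CR or LF in
# any of them lets the sender append their own Bcc: line, as the post shows.
HEADER_FIELDS = ("name", "email", "subject")
CRLF = re.compile(r"[\r\n]")
# One plain address, no whitespace or separators (assumption: good enough for
# a contact form; deliberately far stricter than RFC 5322).
SIMPLE_EMAIL = re.compile(r"^[^\s@<>,;]+@[^\s@<>,;]+\.[A-Za-z0-9-]+$")


def validate_submission(fields):
    """Return the reasons a submission must be rejected (empty list = accept)."""
    problems = []
    for name in HEADER_FIELDS:
        value = str(fields.get(name, ""))
        if CRLF.search(value):
            problems.append(f"{name}: contains newline (header injection attempt)")
    email = str(fields.get("email", ""))
    if email and not SIMPLE_EMAIL.match(email):
        problems.append("email: not a single plain address")
    return problems


def log_raw_submission(fields, remote_ip, logfile):
    """Append the untouched input, with a UTC timestamp and the source IP, to logfile."""
    record = {
        "time": datetime.datetime.now(datetime.timezone.utc).isoformat(),
        "ip": remote_ip,
        "fields": fields,  # stored verbatim; json.dumps escapes the newlines
        "rejected": validate_submission(fields),
    }
    with open(logfile, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(record) + "\n")  # one record per line, easy to grep
    return record


if __name__ == "__main__":
    # Constructed sample: the Bcc trick from the post, placed in the e-mail field.
    bad = {"name": "Bob",
           "email": "firstname.lastname@example.org\nbcc:email@example.com",
           "comment": "Blue Widget page"}
    print(validate_submission(bad))
```

Reviewing the log file regularly, as the post suggests, shows the probing attempts long before the mailer is actually abused.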
I have some rather over-engineered forms on my websites. All submissions are recorded, failures record *all* details. I have persistent "tastings" that haven't even worked out which field is which (it changes ;) ) let alone having "broken the (custom) captcha". There are bots out there whose owners don't seem to mind if they keep banging their heads against the wall. I'm not seeing these attempts evolve closer to a solution at all.
But it's good to keep your fingers on the pulse . . . knowing is better than just assuming everything is OK until there's a problem.
There are bots out there whose owners don't seem to mind if they keep banging their heads against the wall.
at which point they may move on ..
like rocknbill says ..if you make it harder ..they may be switched to something else ..eventually ..before they can cause you grief ..