
hijacked forms sending spam

spam from forms


solarider

4:23 pm on Dec 23, 2003 (gmt 0)

I host several web sites with "Comments" forms where typically there are several fields for sending information to me. I have detected that a few of these forms are being hijacked and used to send spam. I noticed this when I started receiving returned emails that couldn't be delivered due to incorrect addresses. In the bcc field of these returned email messages are several hundred aol.com email addresses. The email seems to contain some sort of style sheet information regarding Adobe Pagemaker. I did find a company name entry containing Interstallar Alliance, but that is probably not correct.

The form submit button activates a dll in my scripts directory that controls the specifics of sending the message. I have renamed that file, yet the spam still continues. I have read several posts regarding how to make forms pages more difficult to hijack, but I haven't seen any suggestions as to how to stop the current attack. The dll is a homegrown file created by our developers. It seems to me that if the spammer got a copy of the dll file he could use it at will regardless of what I do at my site. Is this possible? I am fairly experienced with using web servers, email servers etc., but this is my first experience with being attacked like this. Not sure where to start troubleshooting this kind of a problem. The web server is IIS 5.0 and my email server is Communigate Pro.

Any ideas?

TIA,
Ken
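The post above does not say how the form fields were abused, but the usual way a form-to-mail script ends up carrying hundreds of Bcc recipients is email header injection: a submitted field containing a line break terminates the header the script was writing and starts a new one, so the attacker supplies their own Bcc list. The following is an added example, not the poster's dll and not code from the thread; it models a naive form mailer beside a hardened one in Python and uses constructed sample submissions. Field names (name, email, comments), the recipient address and the "Guestbook" body text are assumptions for illustration.

```python
import re
from email import message_from_string
from email.message import EmailMessage

# Constructed sample submissions (not taken from the thread).
LEGIT = {
    "name": "Jane Doe",
    "email": "jane@example.org",
    "comments": "Nice site, thanks.",
}
# The "email" field carries a CRLF followed by a forged Bcc header.
INJECTED = {
    "name": "A. Spammer",
    "email": "x@example.org\r\nBcc: victim1@example.net, victim2@example.net",
    "comments": "unsolicited text",
}

RECIPIENT = "webmaster@example.com"  # assumed destination of the comments form
BODY_TAG = "Guestbook submission from your web site!"


def naive_build(form, to_addr=RECIPIENT):
    """Vulnerable: submitted fields are spliced straight into the header block.

    A CRLF inside a field ends the current header line, so whatever follows
    it is parsed by the MTA as an additional header (here a Bcc list).
    """
    headers = [
        f"From: {form['email']}",
        f"To: {to_addr}",
        f"Subject: Comments from {form['name']}",
    ]
    return "\r\n".join(headers) + "\r\n\r\n" + BODY_TAG + "\r\n\r\n" + form["comments"] + "\r\n"


_LINEBREAK = re.compile(r"[\r\n]")
_ADDR = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
_HEADER_FIELDS = ("name", "email")  # fields that end up in a header


def hardened_build(form, to_addr=RECIPIENT):
    """Hardened: reject line breaks in header-bound fields, validate the
    address, and keep submitter data out of the From header entirely."""
    for field in _HEADER_FIELDS:
        if _LINEBREAK.search(form[field]):
            raise ValueError(f"field {field!r} contains a line break")
    if not _ADDR.match(form["email"]):
        raise ValueError("sender address is not a single valid mailbox")

    msg = EmailMessage()
    msg["From"] = "webform@example.com"      # fixed sender owned by the site
    msg["Reply-To"] = form["email"]          # validated single address only
    msg["To"] = to_addr                      # fixed recipient; never user-supplied
    msg["Subject"] = f"Comments from {form['name']}"
    msg.set_content(
        f"{BODY_TAG}\n\nName: {form['name']}\nEmail: {form['email']}\n\n{form['comments']}\n"
    )
    return msg.as_string()


def injected_bcc(raw_message):
    """Return the Bcc header an MTA would see in a raw message, or None."""
    return message_from_string(raw_message)["Bcc"]


if __name__ == "__main__":
    print("naive/injected Bcc:", injected_bcc(naive_build(INJECTED)))
    print("naive/legit   Bcc:", injected_bcc(naive_build(LEGIT)))
    try:
        hardened_build(INJECTED)
    except ValueError as exc:
        print("hardened/injected rejected:", exc)
    print("hardened/legit Bcc:", injected_bcc(hardened_build(LEGIT)))
```

Renaming or hiding the script does not help against this class of abuse as long as any copy of it still splices raw fields into headers; the fix is in the script itself (and a fixed To address means the script can only ever mail the site owner, whoever submits the form).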

jimbeetle

4:40 pm on Dec 23, 2003 (gmt 0)

Hi solarider,

Welcome to Webmaster World.

Are you absolutely sure the spam e-mail is originating with the forms? I have a similar situation, many bounce backs from AOL, but it's because the spammer spoofed one of my domains in the e-mail addy (fdhjds@mydomain.com).

Haven't been able to trace anything back because it seems like everything else in the headers is also spoofed.

Yidaki

4:41 pm on Dec 23, 2003 (gmt 0)

Disable relay mail at your mailserver. I use the SIMS mail server (same company as Communigate) and I only let authorized accounts send mail. I'm sure Communigate Pro provides the same features. It's called pop before smtp. This means, before you can send an email through the server, you first have to login / do a pop3 session. You can then specify a period how long the client is "known" to your web server and authorized to send mail.

solarider

5:30 pm on Dec 23, 2003 (gmt 0)

Thanks for the responses Kim and Yidaki,

I'm convinced either the forms are being used or the dll has been grabbed and is being used from the spammer's computer (if that's possible. Have to check with the developer to determine if the dll can run standalone). The reason is that the dll contains some text that is placed in the message body that is showing up in the returned email ("Guestbook submissions form your web site!").

We have the relay turned off like you mentioned, Yidaki. Currently I have a computer checking some utility accounts 24x7. It is one of these accounts that has been used. I changed the password on the account several days ago, but that didn't stop it. What I am doing now is setting the computer to check the accounts less frequently than the pop-before-smtp setting. This way the pop will require password authentication each time. As long as the spammer doesn't have the account password, then that should cut down on the available window that the account can be used without password authentication. Is that what you were talking about?

Thanks for the quick replies!

Ken

Yidaki

5:38 pm on Dec 23, 2003 (gmt 0)

Hm, I guess you did set up an allow entry within Communigate for the machine that sends out emails. You have it in the allowed clients (ip) list, right!? What about temporarily changing the sendmail form action to another server? If you then change the client list within Communigate you should be able to cut down *all* mail from the hijacked server ...

solarider

8:59 pm on Dec 23, 2003 (gmt 0)

It seems that I left my own back door open!

I found that the default Enabled Settings for all accounts in Communigate were to allow the Mobile option. What this setting does is to allow an authenticated account to continue to send and receive for 15 minutes (configurable) after the account has been authenticated and to recognize any ip address from such an authenticated client as an allowed client ip. Since I have a machine running 24x7 to continually check that account every 5 minutes, the email server has not required authentication for that account in who knows how long. The spammer has been able to use this account and not have to worry about authentication or the ip address it was sending from.

I am in the process of correcting this for all accounts that don't need the Mobile option configured.

Thanks for pointing me in the right direction.

Ken
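The pop-before-smtp mechanism described by Yidaki, the "poll less often" workaround solarider tried, and the "Mobile" behaviour he found in the last post can be put side by side in a small model. This is an added example and not CommuniGate Pro's code; it models the behaviour exactly as the thread describes it (an authenticated account may relay for a window, 15 minutes by default, and with the Mobile option any client IP is accepted during that window), with a poller that authenticates on a fixed interval and a spammer that attempts one relay per minute for a day. Account name, IP addresses and the one-attempt-per-minute schedule are constructed for the illustration.

```python
from dataclasses import dataclass, field

WINDOW = 15 * 60          # relay window in seconds; the thread's (configurable) default
ACCOUNT = "utility"       # assumed name of the 24x7 polled utility account
POLLER_IP = "10.0.0.5"    # assumed IP of the machine that polls the account
SPAMMER_IP = "203.0.113.9"  # assumed IP of the abuser


@dataclass
class RelayGate:
    """pop-before-smtp relay authorization as the thread describes it."""
    window: int = WINDOW
    mobile: bool = True  # the "Mobile" option: accept any IP inside the window
    # account -> (time of last successful POP login, IP that logged in)
    last_auth: dict = field(default_factory=dict)

    def pop_login(self, account, ip, now, password_ok=True):
        """A POP3 session; only a successful login opens the window."""
        if password_ok:
            self.last_auth[account] = (now, ip)

    def relay_allowed(self, account, client_ip, now):
        """Would an SMTP client be allowed to relay for this account now?"""
        auth = self.last_auth.get(account)
        if auth is None:
            return False
        auth_time, auth_ip = auth
        if now - auth_time >= self.window:
            return False
        # Without Mobile the window is bound to the IP that authenticated.
        return self.mobile or client_ip == auth_ip


def simulate(poll_interval, mobile, window=WINDOW, day=24 * 3600, step=60):
    """Fraction of the spammer's relay attempts (one per `step` seconds over
    `day` seconds) that succeed when the poller authenticates every
    `poll_interval` seconds."""
    gate = RelayGate(window=window, mobile=mobile)
    hits = attempts = 0
    for now in range(0, day, step):
        if now % poll_interval == 0:
            gate.pop_login(ACCOUNT, POLLER_IP, now)
        attempts += 1
        if gate.relay_allowed(ACCOUNT, SPAMMER_IP, now):
            hits += 1
    return hits / attempts


if __name__ == "__main__":
    for poll, mobile in ((300, True), (1200, True), (300, False), (1200, False)):
        print(f"poll every {poll // 60:2d} min, mobile={mobile!s:5}: "
              f"{simulate(poll, mobile):.0%} of relay attempts succeed")
```

With the poller hitting the account every 5 minutes and Mobile on, the 15-minute window never closes, so every attempt from the spammer's IP succeeds; polling every 20 minutes (the "less frequently than the window" idea) only shrinks that to three quarters of the day, because the window still reopens after each login. Turning Mobile off binds the window to the IP that actually authenticated, and the spammer's attempts fail regardless of the polling interval, which is the fix the thread ends on.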