Attempted abuse via a contact form, have you seen this before?

Forum Moderators: phranque

Message Too Old, No Replies

Attempted abuse via a contact form, have you seen this before?

4 attempts in several waves, last attempts a BCC to get my email addy...

JAB Creations

5:06 am on Sep 11, 2005 (gmt 0)

Has anyone seen this before? I'm sure someone has, they come in waves of 4 at a time and I keep getting a wave or two every day or other day. They are hitting a contact form on my site that you can only access if your UA is disabled/non-existant (hence the blank field at the bottom that is autofilled if you use the contact form). I'll post more but I'm going to bed.

Comments: @
Content-Type: multipart/mixed; boundary="===============1792506598=="
MIME-Version: 1.0
Subject: 47618f9b
To: @
bcc: @
From: @
This is a multi-part message in MIME format.
--===============1792506598==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
jxueqrwzn
--===============1792506598==--
User Agent:

thewebboy

5:18 am on Sep 11, 2005 (gmt 0)

Yeah I got that too about a day ago. Was the BCC an @aol.com address?

bumpaw

5:50 am on Sep 11, 2005 (gmt 0)

They are reporting the same sort of attack on the phplists forum. It is going for the subscribe form.

DoppyNL

6:52 am on Sep 11, 2005 (gmt 0)

Exact same here.
Although it hits my login page mostly; with an `accidental` hit on the contact page.

Also, no useragent is set (it's non-existant).

I figure it is attempting to find faulty contact pages that it can use to send spam.

the bcc-adress is an aol-adres. I've seen 3 different aol-adresses so far.
The to field is set to something from the domain it's hitting, alltough the user-part is garbage.

Eltiti

8:53 am on Sep 11, 2005 (gmt 0)

[webmasterworld.com...]

JAB Creations

4:39 pm on Sep 11, 2005 (gmt 0)

Anyone have any suggestions on how I could use the current spam ip-list to mass block these pricks via apache for example?