Countering misuse of mail forms on websites
Posted by David M on February 26th, 2006


I hate spammers. I really hate spammers. Worthless scum attempting to
sell worthless shite to gullible fools. But even worse than the
spammers themselves are the people who actually have the skills to write
good code but who instead use their knowledge to write ever-more-complicated
programs to get around our spam defences rather than coding for some
useful purpose..


I've just received a dollop of spam via the contact form on one of my
websites. The mails in question are basically random phrases rather than
coherent messages (presumably to get around the likes of spamassassin).

The contact form is a little script I wrote myself, and while it was
simple, I had thought it was reasonably robust. The recipient address
was hardcoded (and hidden) in the script, meaning that the only person
who could receive mails from the form should (unfortunately) be me,
although the spammer has attempted to add additional recipient headers,
which appear in the body of the message. To make things worse, the scum
in question had the cheek to use random alphanumerics@mydomain as
their From address, very fucking amusing..

What perhaps worries me most of all is that somehow a spammer managed to
*find* the form at all and chose to write something to target it (given
that it's a custom script, and not a well-known target such as FormMail).
It's only been online for a few months, and by my own admission, it's
not exactly on a major website..

I guess I'll have to take down my contact form for some modification.
I'm wondering whether I should look into adding a Captcha to try to
deflect automated submissions. Does anybody have any other ideas to
counter misuse?

The only useful information that I have from the script (I did think to
include some level of logging in case this situation ever arose, not that
I ever expected it to) is the IP address of the abuser: 208.44.246.70,
although I'm not actually very sure what use I can make of that
information.. (I'm wary of looking up the address in case that marks me
as a person worthy of further cracking attempts, I'm presuming it
belongs to a darkside network rather than a conventional ISP with an
'innocently'-trojaned customer..)


Bah, and grumble,


David.

--
David M. -- Edinburgh, Scotland.--[en, fr, (de)]--[reply-to valid <365d]
» Please trim quotes & interleave reply for readability, don't be lazy «
» Please feel free to help me by correcting my foreign language errors «

Posted by David Dorward on February 27th, 2006

David M wrote:

It isn't hard to find contact forms.
http://www.google.com/search?q=contact%20us%20form

If I were the type of person who wanted to use forms to spam people, I'd
write up a standard set of tests that could get through common security
flaws and have a script punch those into forms it finds (noting the names
of the available inputs). I doubt it's anything written to target you
directly.

You said that they failed to send spam to third parties through the form, so
only you were targeted. I wouldn't bother removing it in that case.

There are two main problems with CAPTCHA:

1. They work by being hard for computers to decipher. The problem is that
they are not impossible for computers to decipher, and the harder it is for
a computer to decipher, the harder it is for a human to decipher.

2. Users who can't see the image (including, but not limited to, the blind)
are rather stuck.

Run a good spam filter on your incoming email.

Look up the ip submitting the form on black lists and score submissions from
there as more likely to be spam.

Edit your script to recognise the common ways people try to break through
security and consider automatically blocking requests from ip addresses
that start such attacks (or increasing the spam score).

--
David Dorward <http://blog.dorward.me.uk/> <http://dorward.me.uk/>
Home is where the ~/.bashrc is

Posted by Nick Kew on February 27th, 2006

David M wrote:

No, it's just a 'bot probing you for common vulnerabilities.
If your script can be hijacked to send spam, it'll send a single
message to some throwaway address. It contains garbage, but what
matters to the probe is whether *anything* is received.

If something is received, they've found a form they can use to send
the real spam. That's when you start getting them for real, sending
"hot stocks" or somesuch to 500 bcc: addresses, repeat with new
address list every few minutes.

Let us hope you're right.

The recipient address
Then you're probably OK. But check your mail logs, and if anything was
sent from the script to another address, take the script down
immediately and fix it!

Oh for such innocence :-)

I'd think a trojanned customer is the more likely. But ICBW.
This isn't a newsgroup where you're likely to find expertise,
unless by coincidence.

Indeedie.

--
Nick Kew

Posted by Mark Goodge on February 27th, 2006

On Sun, 26 Feb 2006 23:22:54 +0000, David M put finger to keyboard and
typed:

The additional headers are the primary point. The aim is to use header
injection in order to use your form to spam other people, not you. If
the form itself is well-written, that won't happen and you're OK -
this particular spammer will give up when it doesn't achieve what they
want. But you will get another one along later, to try the same trick,
so it's still a pain for you.

They search for anything which looks like a contact form.

The simplest, and one which will deal with spammers but have no effect
on legitimate users, is to check form submissions for the presence of
a newline character in a field which shouldn't contain one - the "your
name" or "your email" fields are the best for this. Anything with a
newline in there causes the script to exit without actually sending
the mail - or, if you're feeling a little more mischievous, goes to
sleep() for a while causing the spambot to hang until it times out.

Another good defence against this type of automated attack is to use
non-obvious field names on your forms. Instead of <input
name="email">, for example, have <input name="athd"> or something
equally random. It makes no difference to the script - you can still
match that up to the email address when you process the submission -
but it will deter spambots which look for common form field names in
the HTML of the target sites.

It's in the US, so probably a trojanned end-user rather than part of a
black hat network.

Mark
--
Visit: http://names.orangehedgehog.com - British surname distribution profiles
Listen: http://www.goodge.co.uk/files/dweeb.mp3 - you'll love it!

Posted by Geoff Berrow on February 27th, 2006

Message-ID: <hab502951nq61ca46nnb8d83lb2s2s9l7d@news.markshouse.net>
from Mark Goodge contained the following:

I'm a little worried about a script I am working on. I'm running the
following function on all input:

function clean($input) {
    // Denylist: strip the header names a spammer might inject into a field.
    $find = array("/bcc\:/i", "/Content\-Type\:/i", "/cc\:/i", "/to\:/i",
                  "/MIME\-Version\:/i");
    $input = preg_replace($find, "", $input);
    return $input;
}

However, a key feature of the script is that it sends a confirmation
back to the person who fills it in.

Several of the fields in the form are required and so all would have to
be filled with something to get any output from the script.

Am I doing all I can?

--
Geoff Berrow 0110001001101100010000000110
001101101011011001000110111101100111001011
100110001101101111001011100111010101101011

Posted by Jon Ribbens on February 27th, 2006

In article <nnc502l5gmbudi60ttqqjcblpp9su87fqp@4ax.com>, Geoff Berrow wrote:
Yeuch. If you're relying on that to prevent emails being sent to places
you don't expect then (a) you're doing it fundamentally wrong and
(b) it almost certainly fails to do anything of the sort.
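An added example, not code from any poster in this thread, putting the two approaches discussed here side by side: Geoff's PHP clean() ported to Python (same five patterns, applied in the same order), and the reject-on-newline check and obfuscated field names Mark Goodge describes, with Krustov's "more than one @" rule folded into the address check. Only the field name "athd" comes from the thread; the other field names, the address regex and the probe payload are constructed for illustration.

```python
import re

# Added example; not code from the thread. Geoff's PHP clean() ported to
# Python beside an allowlist validator of the kind Mark Goodge describes.

# --- Geoff's denylist, as posted --------------------------------------
DENYLIST = [re.compile(p, re.IGNORECASE)
            for p in (r"bcc:", r"Content-Type:", r"cc:", r"to:", r"MIME-Version:")]

def clean_denylist(value: str) -> str:
    """Strip known header names; the line breaks around them are left in,
    and any header not on the list passes untouched."""
    for pattern in DENYLIST:
        value = pattern.sub("", value)
    return value

# --- Allowlist validation ---------------------------------------------
# Obfuscated HTML field names mapped to their meaning ("athd" is Mark's
# example; "qzn" and "wmx" are made up here).
FIELD_MAP = {"athd": "email", "qzn": "name", "wmx": "message"}

# Fields that end up in a mail header: one line only, no CR or LF.
HEADER_FIELDS = {"email", "name"}

# Deliberately strict address shape (assumption): one "@", no whitespace.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")

def validate_submission(form: dict) -> tuple:
    """Return (True, fields) or (False, reason). Bad input is rejected,
    never scrubbed, so nothing containing a line break reaches the mailer."""
    fields = {}
    for raw_name, value in form.items():
        name = FIELD_MAP.get(raw_name)
        if name is None:
            # Bots post the common names ("email", "subject", ...); a
            # field we never emitted is a strong spam signal.
            return False, f"unexpected field {raw_name!r}"
        if name in HEADER_FIELDS and ("\r" in value or "\n" in value):
            return False, f"newline in {name}"
        if name == "email" and (value.count("@") != 1
                                or not EMAIL_RE.fullmatch(value)):
            return False, "malformed email"
        fields[name] = value
    for required in FIELD_MAP.values():
        if not fields.get(required, "").strip():
            return False, f"missing {required}"
    return True, fields

# Constructed probe of the kind Nick Kew and Mark describe: a real-looking
# address followed by an injected recipient header.
PROBE = "bob@example.com\r\nBcc: victim@example.net"

if __name__ == "__main__":
    print(repr(clean_denylist(PROBE)))                     # name gone, CRLF remains
    print(repr(clean_denylist("bob@example.com\r\nX-Priority: 1")))  # untouched
    print(repr(clean_denylist("mailto:bob@example.com")))  # legitimate text mangled
    print(validate_submission({"athd": PROBE, "qzn": "Bob", "wmx": "hi"}))
```

Running it shows the three problems with the denylist in one go: the CRLF that makes injection possible survives the scrub, a header name that is not on the list passes unchanged, and legitimate text such as "mailto:" is corrupted because "to:" is stripped wherever it occurs. The validator needs no list of bad header names at all; a line break in a header field is reason enough to drop the submission.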

Posted by Krustov on February 27th, 2006

Geoff Berrow wrote:

More than one @? Don't send it.


--
(c) The Amazing Krustov

Posted by Dave (from the UK) on February 27th, 2006

David M wrote:

I don't know if this would help, but if your site is specialised, you
might try something like I wrote here in Perl. There is a web page where
people can list test equipment manuals they have or want.

http://www.drkirkby.co.uk/cgi-bin/manual.cgi

Before a person can post a message to a list, they need to know
something about the subject in question. There are 5 or so technical
questions. You don't need a PhD in electronics to answer them, but
unless you have some electronics knowledge, you are unlikely to be able
to post a message.

But I guess if someone is determined enough to write a script that tries
lots of different responses, they will get lucky eventually.

It does make you wonder what people get out of it. Perhaps like jigsaw
puzzles, it is a challenge and once complete you go onto something else.

--
Dave K

Minefield Consultant and Solitaire Expert (MCSE).

Please note my email address changes periodically to avoid spam.
It is always of the form: month-year@domain. Hitting reply will work
for a couple of months only. Later set it manually.

Posted by axel@white-eagle.invalid.uk on February 27th, 2006

David M <david@bogus.domain.dom.invalid> wrote:

[snip]

You could make use of one of the web based IP reverse lookup facilities
if you are really worried about this, although I have never heard
of anyone bothering to log DNS requests.

One idea of dealing with potential spam would be to keep a record
of each IP address that is used to send mail through your form. If
the same address attempted to send more than one email in a given
period (up to you to judge this - maybe 24 hours?) then the email
is not sent but appended to a file (actually I do this with all
emails submitted through a form just as a backup). The mail would
also not be sent if it looks suspicious according to whatever
criteria you set, e.g. attempted use of Cc: or Bcc:.

A log should also be kept with details of each email - originating
IP address, From address, Subject (First 30 characters, only allowing
a small set of characters to be recorded, maybe [a-zA-Z0-9 _-],
and flags for whether the mail was sent or not and if not the reason
why (multiple emails from the same address or suspicious content/headers).
This log could be emailed to you once a day. The main purpose would
be to check to see if there was a valid multiple submission - not
knowing the purpose of the form I can only guess at maybe someone
having sent an initial email wanting to follow it up with a
postscript.

Axel
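An added example, not code from axel or anyone else in the thread, of the throttle and log he describes: one mail per source IP per window, suspicious submissions held back into a file rather than sent, and one log record per attempt with the subject reduced to the small safe character set he suggests. The 24-hour window, the record layout, the "suspicious" test (a line break in a header field) and the sample addresses (from the 203.0.113.0/24 documentation range) are assumptions made here.

```python
import re
import time

# Added example; not code from the thread. Per-IP throttle plus a log of
# every attempt, as axel sketches. Window, record layout and sample IPs
# are assumptions.

SAFE_SUBJECT = re.compile(r"[^A-Za-z0-9 _-]")   # axel's set: [a-zA-Z0-9 _-]
SUBJECT_LEN = 30                                 # axel's "first 30 characters"

def safe_subject(subject: str) -> str:
    """Keep only [A-Za-z0-9 _-] and truncate, so the log itself cannot be
    used to smuggle line breaks or control characters back at the owner."""
    return SAFE_SUBJECT.sub("", subject)[:SUBJECT_LEN]

def looks_suspicious(sender: str, subject: str) -> bool:
    """Assumed criterion: any CR/LF in a field destined for a mail header,
    which is what an attempted Cc:/Bcc: injection needs."""
    return any("\r" in v or "\n" in v for v in (sender, subject))

class FormGate:
    def __init__(self, window_seconds=24 * 3600, clock=time.time):
        self.window = window_seconds
        self.clock = clock        # injectable so the window can be tested
        self.last_sent = {}       # ip -> time of the last mail actually sent
        self.held = []            # (ip, sender, subject, body) kept, not sent
        self.log = []             # one record per attempt

    def submit(self, ip, sender, subject, body):
        """Return (sent, reason); reason is None when the mail went out."""
        now = self.clock()
        reason = None
        if looks_suspicious(sender, subject):
            reason = "suspicious"
        elif ip in self.last_sent and now - self.last_sent[ip] < self.window:
            reason = "repeat"
        sent = reason is None
        if sent:
            self.last_sent[ip] = now      # the real mailer call would go here
        else:
            self.held.append((ip, sender, subject, body))
        self.log.append({"ip": ip, "from": sender,
                         "subject": safe_subject(subject),
                         "sent": sent, "reason": reason})
        return sent, reason

    def render_log(self) -> str:
        """The daily digest axel suggests mailing to the site owner. The
        From value is shown with repr() so an embedded CRLF appears as
        literal \\r\\n instead of breaking the line."""
        lines = []
        for r in self.log:
            status = "sent" if r["sent"] else f"held({r['reason']})"
            lines.append(f"{r['ip']} {r['from']!r} {r['subject']!r} {status}")
        return "\n".join(lines)

if __name__ == "__main__":
    gate = FormGate()
    gate.submit("203.0.113.5", "alice@example.com", "Manual wanted", "...")
    gate.submit("203.0.113.5", "alice@example.com", "PS: forgot", "...")
    gate.submit("203.0.113.9", "x@example.net", "Hi\r\nBcc: v@example.org", "...")
    print(gate.render_log())
```

The held list is what lets the owner spot the legitimate follow-up axel worries about (a visitor sending a postscript within the window) and forward it by hand, while the probe with the injected Bcc: never reaches the mailer at all.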


Posted by Geoff Berrow on February 27th, 2006

Message-ID: <slrne05mu3.4oi.jon+usenet@snowy.squish.net> from Jon
Ribbens contained the following:

I'm all ears Jon...

--
Geoff Berrow 0110001001101100010000000110
001101101011011001000110111101100111001011
100110001101101111001011100111010101101011
