  1. #1
    New to the CF scene
    Join Date
    Aug 2005
    Posts
    2
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Can someone help me from receiving these spam messages through contact form

    Hi all,

    Can someone please tell me if the following is a common spam problem.......I have several hosting accounts on a shared server, we all seem to be getting 100s of messages sent through our contact form which uses a simple mailform script. Each form field result comes back as zfsd@jeztechs.com or something similar like the example below....

    bzmfbqkn@jeztechs.com has submitted the Jeztechs Enquiry Form
    Their details are as follows:

    Email Address: bzmfbqkn@jeztechs.com
    Country: bzmfbqkn@jeztechs.com
    State: bzmfbqkn@jeztechs.com
    Content-Type: multipart/mixed; boundary=\"===============1205436919==\"
    MIME-Version: 1.0
    Subject: 43114a4e
    To: bzmfbqkn@jeztechs.com
    bcc: bergkoch8@aol.com
    From: bzmfbqkn@jeztechs.com

    This is a multi-part message in MIME format.

    --===============1205436919==
    Content-Type: text/plain; charset=\"us-ascii\"
    MIME-Version: 1.0
    Content-Transfer-Encoding: 7bit

    qnbzcelq
    --===============1205436919==--

    URL: bzmfbqkn@jeztechs.com

    May we telephone you:
    Telephone Number: bzmfbqkn@jeztechs.com
    Template Number: bzmfbqkn@jeztechs.com


    Is this common...and is there an easy way I can adjust the mailform script to stop this?

    Many thanks in advance
    Jeremy

  • #2
    Senior Coder
    Join Date
    Aug 2003
    Location
    One step ahead of you.
    Posts
    2,815
    Thanks
    0
    Thanked 3 Times in 3 Posts
    You could add one of those anti-bot images or ban the email address.
    I'm not sure if this was any help, but I hope it didn't make you stupider.

    Experience is something you get just after you really need it.
    PHP Installation Guide Feedback welcome.

  • #3
    Regular Coder
    Join Date
    Jul 2004
    Location
    mile high city
    Posts
    482
    Thanks
    0
    Thanked 0 Times in 0 Posts
    This is an email injection attack which seems to be taking place across the net on a pretty large scale. If you search Google for the aol email address used in the Bcc: field you'll find it all over unattended guestbooks and forums. (There are a couple of other aol accounts they use as well.)

    One solution is in this thread, How to point to another page for email thankyou message.
    Computer, kill Flanders... Did I hear my name? My ears are burning...
    Good start. Now finish the job.

  • #4
    New Coder
    Join Date
    Aug 2005
    Posts
    47
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Is it possible (and legal) to crash such a spam bot? If so, does anyone know how to do it?

    I received 105 emails in the last 2 days, many of which had Bcc: jrubin3546@aol.com, which is another common address used in these attacks. Tonight I used code to search for strings such as "%0A," "Content-Type," etc., and die if those strings are submitted. As an extra precaution, I moved all of the inputted variables including sender name and email to the body instead of the headers, so nobody can enter anything into the headers.

    Someone also suggested adding a hidden field to the form, not allowing POSTs into the script, and not executing the mail script if the hidden field's variable is not submitted. Because of the way the spam bot works, it will probably miss the hidden field.

    Last night I set the script up to send me not only the REMOTE_ADDR but also the X-Forwarded-For, the referring URL to the form, and the URL of the page that contained the form. In ALL of the emails, the referrer and X-Forwarded-For were blank, and the form was supposedly at mydomain.com and mydomain.com/index.html, even though the contact form is not actually located on my home page, and there is no index.html in my root directory. After contacting tech support for my host, here is what I was told:

    We examined our access logs and found out that the attacker submits the messages with empty referral and user agent HTTP headers.

    Your account is not compromised nor are our servers. Since you already filtered incoming messages, you should not be flooded with such messages any more. There is not much more that can be done as the bots use trivial POST requests to the contact forms.
    So I would guess that it's not possible to crash the spam bots, but I thought I would ask, just in case.

    Another thing I noticed is, for many emails that did not contain Bcc: jrubin3546, the IPs were random. Then there would be a block of emails all from the same IP, and some of them would have jrubin3546 in them. Then more random IPs with no jrubin in any of them, then another block with the same IP (different from the previous block) and a few of them containing jrubin. Of the email blocks with the same IPs, 2 of the IPs went to Italy, one went to France, and the two in Italy were two different companies. I don't know what all this means, but maybe someone else here will know if this info can be used productively.

    The IPs, whether randomly generated somehow or routed through someone else's compromised systems, tell me that crashing the spam bots probably isn't a possibility. But I'm no expert in this area, so I could be wrong.

    Email addresses that have been associated with these attacks:


    Notice they are all AOL. If anyone here has AIM and wants to look up their profiles, it would be interesting to see if these screen names still exist. Since they were still doing it tonight, I doubt AOL has done anything about it.
    Last edited by webby; 09-12-2005 at 02:43 AM. Reason: to remove duplicate address in list of emails

  • #5
    $object->toCD-R(LP);
    vinyl-junkie
    Join Date
    Jun 2003
    Posts
    3,088
    Thanks
    2
    Thanked 23 Times in 23 Posts
    Something else you can do is test the "from" email address by using a regular expression. This will test to see that they're only using one "from" email address (so you don't end up doing a reply-all when you answer the inquiry) and that the addy they're using is in proper format, for example:

    Code:
    // eregi() was removed in PHP 7; preg_match() with the i (case-insensitive) modifier is the
    // same test, and the D modifier stops $ from accepting a trailing newline after the address
    if (preg_match('/^[a-zA-Z0-9._-]+@[a-zA-Z0-9._-]+\.([a-zA-Z]{2,4})$/iD', $_POST['from'])) {
        // set up and send the email
    } else {
        // error message
    }
    Music Around The World - Collecting tips, trade
    and want lists, album reviews, & more
    SNAP to it!

  • #6
    New Coder
    Join Date
    Aug 2005
    Posts
    47
    Thanks
    0
    Thanked 0 Times in 0 Posts
    That's a good suggestion, vinyl-junkie, but after looking at these injection attacks in a few guestbooks, it seems that many times the attempted injection can occur in the name or subject field, and only one email address may or may not be in the email field. So yes, it would catch many of them, but not all.

    I received two more of these emails after my last script change, and they were both blank form submissions. Using a regex like you suggest should account for this one (I think?), since a blank email doesn't contain an @ or a dot.

    There is one thing that all of these injection attacks seem to have in common, and that is whatever email address they enter (if the form isn't submitted blank), it always contains the domain name of the form being attacked. Therefore, everyone should add a check in their script to see if the email address contains their domain name and not send an email if this is the case. Of course, this is only a good suggestion if no legitimate person submitting the form has an email address with that domain, but how often does that happen on a contact form?

    To avoid spam in places other than email, people should also be using these techniques in their guestbooks and in other places where people can post without an account.

  • #7
    $object->toCD-R(LP);
    vinyl-junkie
    Join Date
    Jun 2003
    Posts
    3,088
    Thanks
    2
    Thanked 23 Times in 23 Posts
    Quote Originally Posted by webby
    There is one thing that all of these injection attacks seem to have in common, and that is whatever email address they enter (if the form isn't submitted blank), it always contains the domain name of the form being attacked. Therefore, everyone should add a check in their script to see if the email address contains their domain name and not send an email if this is the case.
    Ah yes. I neglected to mention that I had beefed up my contact form with a check for this very thing also.

    Code:
    // checking to see if the sender is using napathon.net (my domain) as their email address;
    // strpos() returns the position (which can be 0) or false, so compare against false explicitly
    $fromtest = strpos($from, 'napathon.net') !== false;
    if ($from == "" || $fromtest) {
        header("Location: $YourWebsiteURL");
        exit();
    }
    I also have code that tests to see if the message being sent is fewer than 10 characters in length (you can adjust that as you wish):

    Code:
    // Send 'em back to the contact form if their message is fewer than 10 characters in length
    if (strlen($message) < 10) {
        header("Location: $contactURL");
        exit();
    }
    BTW, my contact form was spammed recently (first time that had ever happened, and I've been using it for a while). That's why I made these changes.

    This thread and the other one mentioned both have some excellent suggestions!
    Music Around The World - Collecting tips, trade
    and want lists, album reviews, & more
    SNAP to it!
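The checks described in posts #4 through #7 (hidden field, line-break filter, single well-formed From address, own-domain check, minimum message length, user input kept out of the headers) combined into one routine, as an added example that is not code from anyone in this thread; the field names, the hidden field "token", the site domain and both sample submissions are assumptions, and the first sample is modelled on the message quoted in post #1.

```php
<?php
// Added example, not code from the thread: the checks in posts #4 to #7 combined. Assumed
// fields: name, from, subject, message, hidden "token"; $site_domain is the form's host domain.
function rejection_reasons(array $post, string $site_domain): array
{
    $reasons = [];
    // Post #4: the bot skips hidden fields, so a missing one is a strong signal.
    if (($post['token'] ?? '') === '') {
        $reasons[] = 'hidden field missing';
    }
    // Post #4 filtered on %0A and Content-Type: a CR/LF (raw or still URL-encoded)
    // is what turns a form field into extra headers, so that is what gets rejected.
    foreach (['name', 'from', 'subject'] as $field) {
        if (preg_match('/\r|\n|%0a|%0d/i', (string) ($post[$field] ?? ''))) {
            $reasons[] = "$field contains a line break";
        }
    }
    // Post #5: exactly one well-formed address; the character classes cannot match a
    // newline, and the D modifier stops $ from accepting a trailing one.
    $from = (string) ($post['from'] ?? '');
    if (!preg_match('/^[a-zA-Z0-9._-]+@[a-zA-Z0-9._-]+\.[a-zA-Z]{2,4}$/D', $from)) {
        $reasons[] = 'from is not a single well-formed address';
    } elseif (stripos($from, $site_domain) !== false) {
        $reasons[] = "from uses the site's own domain"; // posts #6 and #7
    }
    // Post #7: a message under 10 characters is not a real enquiry.
    if (strlen(trim((string) ($post['message'] ?? ''))) < 10) {
        $reasons[] = 'message shorter than 10 characters';
    }
    return $reasons;
}
// Post #4: every user-supplied value goes in the body and the only header is a fixed
// From, so nothing the visitor typed can become a header. Returns the mail() arguments.
function mail_arguments(array $post, string $to, string $site_domain): array
{
    $body = "Name: {$post['name']}\nEmail: {$post['from']}\nSubject: {$post['subject']}\n\n{$post['message']}";
    return [$to, 'Contact form enquiry', $body, "From: contact-form@$site_domain"];
}
// Constructed samples (not real captures); the first is modelled on the one quoted in post #1.
$samples = [
    'spam'  => ['name' => 'bzmfbqkn@jeztechs.com', 'subject' => '43114a4e', 'message' => 'qnbzcelq',
                'from' => "bzmfbqkn@jeztechs.com\nbcc: placeholder@example.com"],
    'legit' => ['name' => 'Jane', 'from' => 'jane@example.org', 'subject' => 'Quote', 'token' => '1',
                'message' => 'Could you send me a quote for a template?'],
];
foreach ($samples as $label => $post) {
    $reasons = rejection_reasons($post, 'jeztechs.com');
    echo $label, ': ', $reasons ? implode('; ', $reasons) : 'accepted', "\n";
    if (!$reasons) { print_r(mail_arguments($post, 'owner@jeztechs.com', 'jeztechs.com')); }
}
```

The spam sample is rejected for the missing hidden field, the line break in the From field, the malformed address and the short message, while the legitimate one passes and yields mail() arguments whose only header is the fixed From.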

  • #8
    New Coder
    Join Date
    Aug 2005
    Posts
    47
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Yes, this does seem to be a new outbreak. I have had my contact form up for 2 years without a single incident, before being bombarded just this past week.

    Thanks for posting that code, vinyl-junkie. It can help a lot of webmasters.

