  1. #1
    Join Date
    Nov 2002
    Posts
    392

    Spamming form on my site

    I have a simple PHP form on my website at http://www.access-programmers.co.uk...ct2/contact.htm

    Some spammer is using that form - I believe - to send out loads of emails. How do I know this? Well, I keep getting these bounced messages:

    Mailbot
    DSN: failed (Access World enquiry)

    This is a Delivery Status Notification (DSN).

    I was unable to deliver your message to
    [email protected].

    I said
    RCPT TO:<[email protected]>

    And they gave me the error;
    554 Sorry, no mailbox here by that name. (#5.1.1)
    How do I stop this? It is driving me nuts!

    Thanks,

    Jon

  2. #2
    You can use image verification, since image verification is nothing but creating a random image with some text and/or numbers and make the user input that number and see if it matches. If it is a bot that is filling the form then it will not be able to recognise it and you simply refuse to send the information input.

    or else captcha
    Live Your DreamZ
    ~Besty

  3. #3
    Join Date
    Dec 2003
    Location
    Pakistan
    Posts
    343
    I recommend using The free CAPTCHA-Service which is available for PHP, ASP, Perl and Python.
    Muhammad Waseem
    Inspedium Corporation (Pvt) Ltd.
    InsPanel - Hosting Control Panel for Windows 2000/2003

  4. #4
    Join Date
    Nov 2002
    Posts
    392
    I have actually removed the page that has the enquiry form. But I am still getting these bounced emails. Looks like they are filling in my enquiry form (which is no longer up there) and doing a BCC to a huge list of people. Then they put their spam message at the top.

    Since the enquiry page is no longer there, what have they done? How can I stop it?

    Example enquiry email below:

    Attention men!

    By taking just one simple pill per day (filled with a scientific formulation of ALL NATURAL ingredients) you can improve your sex life dramatically.

    Achieve greater physical stamina, larger and harder erections, greater ejaculatory control (extremely effective for those who have premature ejaculation issues), more enjoyable orgasms and greatly improved sexual performance overall.

    If you\'re a male and have any sexual issues whatsoever, or if you\'re simply looking to greatly enhance an already enjoyable sex life, look no further.
    A recent study proved that over 92% of users reported seeing \'significant improvements\' within the first two weeks, and over 95% of users reported effective improvements after a month.

    Chances are, we can improve your love life quickly and effectively. We\'re so sure in our product and track record that we\'re offering a completely free bottle for a limited time, and all orders are backed by a complete money back guarantee in which we will refund your every penny if you\'re not entirely satisfied and you don\'t see the changes you want/expect to see.

    <A HREF=http://www.headithgnow.info> click here </A>












    114708d99c5df6b1097effdb1217da04
    .



    Name:
    Position:
    Company:
    Phone:
    Email: salting
    Content-Transfer-Encoding: 7bit
    Content-Type: text/plain
    X-Mailer: Mutt 1.0.1i
    Subject: Become a better lover
    bcc: <<REMOVED E-MAIL ADDRESSES TO PREVENT FURTHER SPAMMING>>
    Attention men!

    By taking just one simple pill per day (filled with a scientific formulation of ALL NATURAL ingredients) you can improve your sex life dramatically.

    Achieve greater physical stamina, larger and harder erections, greater ejaculatory control (extremely effective for those who have premature ejaculation issues), more enjoyable orgasms and greatly improved sexual performance overall.

    If you\'re a male and have any sexual issues whatsoever, or if you\'re simply looking to greatly enhance an already enjoyable sex life, look no further.
    A recent study proved that over 92% of users reported seeing \'significant improvements\' within the first two weeks, and over 95% of users reported effective improvements after a month.

    Chances are, we can improve your love life quickly and effectively. We\'re so sure in our product and track record that we\'re offering a completely free bottle for a limited time, and all orders are backed by a complete money back guarantee in which we will refund your every penny if you\'re not entirely satisfied and you don\'t see the changes you want/expect to see.

    <A HREF=http://www.headithgnow.info> click here </A>












    114708d99c5df6b1097effdb1217da04
    .

    Source:
    Country:
    Type of project:
    Notes:
    Last edited by sirius; 09-28-2006 at 12:03 PM.

  5. #5
    Join Date
    Sep 2000
    Location
    Alberta, Canada
    Posts
    3,109
    Although you have now removed the form page, eMails were previously sent using it. What you are receiving is probably bounce-backs from those previous send outs. Might take a few days before it stops.
    PotentProducts.com - for all your Hosting needs
    Helping people Host, Create and Maintain their Web Site
    ServerAdmin Services also available

  6. #6
    Join Date
    Apr 2004
    Location
    San Jose
    Posts
    902
    Did you only remove the html page? You need to remove the CGI that processes that form data. The spammers are unlikely to need the html page if the CGI is still there.
    Specializing in MySQL and website tuning for high traffic sites. cmwsci.com/

  7. #7
    Join Date
    Nov 2002
    Posts
    392
    When someone goes to my enquiry form, I get an email with the enquiry details and then they get sent an email confirming that their enquiry has been submitted. I have removed the php page which sends out both these emails. I am now only left with the Form page.

    The DNS:failed emails come in from the email confirmation to the client. But the other email (as posted above) is sent directly to me. Therefore, I believe I am getting these spam emails immediately and they are not bounce-backs. Perhaps they absorbed some of the Form info into a desktop application or something. There is no CGI, only PHP.

    Basically, these spammers have effectively disabled my enquiry form for programming so I don't get these leads anymore, and they are filling my inbox up with spam. It is costing me a fortune and I don't know how to stop them.

  8. #8
    /usr/local/apache/conf/modsec.user.conf:

    # make sure that's at the top
    SecFilterScanPOST On
    # put this wherever
    SecFilter "bcc:"


    restart httpd, call it a day


    edit: even wiser would be to sanitize the variables in the form before they get passed to the mail function in the first place, such as exiting if the variables contain carriage returns or line feeds, like %0a and %0d.
    Last edited by jpetersen; 09-28-2006 at 08:10 AM.
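
Added example, not part of the thread and not the site's own script: one way to do the check post #8 describes, refusing any submission whose header-bound fields contain CR or LF before `mail()` is called. The field names (`name`, `email`, `message`) and the recipient address are assumptions.

```php
<?php
// Added example, not from the thread. Field names and the address are assumptions.
const RECIPIENT = 'enquiries@example.com'; // placeholder

// True if the value holds a raw CR/LF, or a literal %0a/%0d that survived decoding.
function has_line_break(string $value): bool
{
    return preg_match('/[\r\n]|%0[ad]/i', $value) === 1;
}

// Returns a list of problems; an empty list means the fields are safe for mail().
function validate_enquiry(array $post): array
{
    $errors = [];
    foreach (['name', 'email', 'message'] as $field) {
        if (!is_string($post[$field] ?? null)) {
            $errors[] = "$field is missing or not a string";
        }
    }
    if ($errors !== []) {
        return $errors;
    }
    // Anything that can reach a mail header must stay on one line.
    foreach (['name', 'email'] as $field) {
        if (has_line_break($post[$field])) {
            $errors[] = "$field contains a line break";
        }
    }
    if (filter_var($post['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email is not a valid address';
    }
    return $errors;
}

function send_enquiry(array $post): bool
{
    if (validate_enquiry($post) !== []) {
        return false; // refuse outright rather than strip and send
    }
    // Fixed From and Subject; user input appears only in Reply-To and the body.
    $headers = 'From: ' . RECIPIENT . "\r\nReply-To: " . $post['email'];
    $body = "Name: {$post['name']}\n\n{$post['message']}";
    return mail(RECIPIENT, 'Website enquiry', $body, $headers);
}

// Constructed submission shaped like the injected "Email:" field quoted in post #4.
$sample = ['name' => 'x', 'email' => "salting\r\nbcc: someone@example.net", 'message' => 'hi'];
print_r(validate_enquiry($sample));
```

The same validation has to sit in every script that calls `mail()`, since the posts above note that the handler is reachable without the HTML form page.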

  9. #9
    Join Date
    Nov 2002
    Posts
    392
    Must confess to not understanding a word of that. Not sure if I would have access to changing apache variables as I do not have my own virtual server. I just have a basic hosting account.

  10. #10
    Join Date
    Sep 2000
    Location
    Alberta, Canada
    Posts
    3,109
    Terminate the eMail address that you used previously and start using a new one.

    Presuming you are not using the 'catch-all' settings and can only receive/send eMail using addresses you have created, the above will effectively stop the Spam from being sent and you from receiving bounce-backs.
    PotentProducts.com - for all your Hosting needs
    Helping people Host, Create and Maintain their Web Site
    ServerAdmin Services also available

  11. #11
    Join Date
    Feb 2005
    Location
    Australia
    Posts
    5,842
    You have 3 forms on that page submitting to 3 different php scripts. Only the first script has been removed - the other 2 are probably equally insecure and being exploited to send spam.

    Edit: clarity
    Last edited by foobic; 09-28-2006 at 09:14 AM.
    Chris

    "Some problems are so complex that you have to be highly intelligent and well informed just to be undecided about them." - Laurence J. Peter

  12. #12
    Join Date
    Nov 2002
    Posts
    392
    Yes, the other ones are equally insecure. But I have not received any spam from those. They have a different subject header if someone submits an enquiry from there.

  13. #13
    Join Date
    Feb 2005
    Location
    Australia
    Posts
    5,842
    You need to delete, disable or fix ALL your insecure scripts. It's not rocket science - if you can't do it hire someone who can. It's a wonder your host hasn't suspended your account yet.
    At a guess your current problem is contact-development.php3 but they will switch to others if you fix only that one.
    Chris

    "Some problems are so complex that you have to be highly intelligent and well informed just to be undecided about them." - Laurence J. Peter

  14. #14
    Join Date
    Sep 2004
    Posts
    182
    Hi, did you try: nms FormMail --->> h**p://nms-cgi.sourceforge.net/scripts.shtml

    or check ( from h**p://spamlinks.net/prevent-secure-webapps.htm):

    dr. Jørgen Mash's FormMail.pl --->> moensted.dk/formmail/
    Contact Form ---->> ostermiller.org/contactform/
    form2mail ---->> phlyingpenguin.net/?form2mail
    MailWebForm ---->> freshmeat.net/projects/mailwebform/
    SCForm - --->> jimsun.linxnet.com/SCForm.html
    Soupermail ---->> soupermail.sourceforge.net/
    PHP/ASP FormMail ---->> nutbar.chemlab.org/news/?id=1046844858
    Jack's FormMail.php ---->> dtheatre.com/scripts/formmail.php
    Tectite FormMail PHP - --->> tectite.com/formmailpage.php
    WebPro ---->> geocel.com/webpro/
    Rock Solid Contact US System ---->> rockcontact.rebusnet.biz/


    Good luck

  15. #15
    Join Date
    Nov 2002
    Posts
    392
    I've decided to remove all the forms to see if that makes any difference. That way, I can check to see if my forms security actually makes any difference or not anymore.

  16. #16
    Join Date
    Nov 2002
    Posts
    392
    Despite removing all forms, I am still receiving hundreds of spam enquiries. Can I forward to someone the 2 emails I am getting to see if it gives any clues? This has basically disabled my business for some sodding spammer's benefit.

  17. #17
    Join Date
    Jun 2005
    Location
    Ohio, USA
    Posts
    208
    I just had the SAME thing happen to me. For 3 weeks it boggled me, but I own my server and found out that I had open relay. So I've closed that and it looks like it's fixed it, now just waiting for the 49,000+ in queue to finish. =\
    NuPixel - Custom Web Design & Graphics
    Extraordinary, Not Ordinary
    Web & Graphic Design, HTML, XHTML, CSS, Script Customization & Integration + More!
    Click Today! --> NuPixelStudios.com

  18. #18
    One easy way to see if it is your PHP form is to match the time the original mail was sent with the time in your Apache logs...if you see the php form being accessed you know what form it is...You need to install modsecurity, that will stop the BCC injections...also check to see if you are an open relay!
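
Added example, not part of the thread: a sketch of the log correlation post #18 describes, listing which scripts received a POST within a few seconds of an unwanted message's timestamp. The log lines, script paths, IP addresses and mail time are constructed; the Apache common/combined log format is assumed.

```php
<?php
// Added example, not from the thread. Log lines, paths and times are constructed.

// Parses one Apache common/combined log line; returns null if it does not match.
function parse_access_line(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*"/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    $when = DateTimeImmutable::createFromFormat('d/M/Y:H:i:s O', $m[2]);
    if ($when === false) {
        return null;
    }
    $path = parse_url($m[4], PHP_URL_PATH);
    return ['ip' => $m[1], 'time' => $when, 'method' => $m[3], 'path' => $path ?: $m[4]];
}

// Groups client IPs by script for POSTs within $window seconds of the mail's time.
function posts_near_mail(array $lines, DateTimeImmutable $mailTime, int $window = 5): array
{
    $hits = [];
    foreach ($lines as $line) {
        $req = parse_access_line($line);
        if ($req === null || $req['method'] !== 'POST') {
            continue;
        }
        if (abs($req['time']->getTimestamp() - $mailTime->getTimestamp()) <= $window) {
            $hits[$req['path']][] = $req['ip'];
        }
    }
    return $hits;
}

$log = [
    '192.0.2.10 - - [28/Sep/2006:07:41:09 +0100] "GET /index.htm HTTP/1.1" 200 5120',
    '203.0.113.7 - - [28/Sep/2006:07:41:12 +0100] "POST /forms/enquiry.php HTTP/1.0" 200 310',
    '203.0.113.7 - - [28/Sep/2006:09:15:40 +0100] "POST /forms/quote.php HTTP/1.0" 200 298',
];
// Date header copied from one unwanted message (constructed value here).
$mailTime = new DateTimeImmutable('28 Sep 2006 07:41:13 +0100');
print_r(posts_near_mail($log, $mailTime));
```

A script that shows up for every unwanted message, with no preceding GET of the form page from the same client, is the one being posted to directly.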

  19. #19
    Join Date
    Nov 2002
    Posts
    392
    Well, I have taken the Form pages for about 3-4 weeks now and I am still getting spammed. It means I'm not getting any enquiries and it is still messed up.

    Any other suggestions?

  20. #20
    Join Date
    Feb 2005
    Location
    Australia
    Posts
    5,842
    The form pages are irrelevant - spammers won't use them anyway. The problem is you still haven't removed the offending script(s).

    contact-development.php3:
    Thank you for your enquiry. An email has been sent with our details for your future reference.
    Chris

    "Some problems are so complex that you have to be highly intelligent and well informed just to be undecided about them." - Laurence J. Peter

  21. #21
    Join Date
    Mar 2006
    Location
    New York USA
    Posts
    402
    In the PHP script, add a function to check a text file with IPs you set to be banned before it can send mail. It won't send the mail if the user's IP is in that text file.

  22. #22
    Removing the forms won't do you any good. You need to remove the script that does the actual sending of the emails. Securing all your scripts would be something to consider in the future.
