log in | register | forums
Show:
Go:
Forums
Username:

Password:

User accounts
Register new account
Forgot password
Forum stats
List of members
Search the forums

Advanced search
Recent discussions
- Elsear brings super-fast Networking to Risc PC/A7000/A7000+ (News:)
- Latest hardware upgrade from RISCOSbits (News:)
- RISCOSbits releases a new laptop solution (News:4)
- Announcing the TIB 2024 Advent Calendar (News:2)
- RISC OS London Show Report 2024 (News:1)
- Code GCC produces that makes you cry #12684 (Prog:39)
- Rougol November 2024 meeting on monday (News:)
- Drag'n'Drop 14i1 edition reviewed (News:)
- WROCC November 2024 talk o...ay - Andrew Rawnsley (ROD) (News:2)
- October 2024 News Summary (News:3)
Latest postings RSS Feeds
RSS 2.0 | 1.0 | 0.9
Atom 0.3
Misc RDF | CDF
 
View on Mastodon
@www.iconbar.com@rss-parrot.net
Site Search
 
Article archives
The Icon Bar: Site Comments: Spam attempts via suggestion form
 
  Spam attempts via suggestion form
  rich (09:10 22/11/2005)
  alpha (10:24 22/11/2005)
    rich (11:27 22/11/2005)
      Phlamethrower (15:09 22/11/2005)
        rich (15:18 22/11/2005)
  Matthew (09:11 23/11/2005)
    rich (01:20 24/11/2005)
      Matthew (23:02 24/11/2005)
 
Richard Goodwin Message #72001, posted by rich at 09:10, 22/11/2005
Rich
Dictator for life
Posts: 6828
Looks like someone found a hole in our suggestion form, which I'm passing on to you guys so that you don't get "done" too. Luckily I caught it before too much traffic went through, and according to Spamhaus we've not been put on the naughty list yet. It's a very old script that hasn't been changed in recent years, so I guess it's just one of those things you have to put up with these days :(

Basically the suggestion form responded to either POST or GET requests - this means a web page request formed in a certain way would trigger the suggestion sending. I've switched it to just using the POST method for starters, as they seem to be ignoring scripts using this method - presumably because it's slightly harder to generate POST requests. Not hugely, but enough that these guys can't be arsed.

The message that's sent is crafted in such a way as to add headers to the outgoing message, such as changing the subject and adding BCC: with addresses attached. So, if you grep the message for certain tell-tale signs before allowing it to be sent - e.g. MIME-Version:, BCC: and Subject: at the start of a line (case insensitive) - you can catch the bastards before they go through. I'm stripping the content and sending myself their details - IP addresses and suchlike.

I've changed the script to do some other stuff - e.g. better IP reporting - but I doubt blocking IPs would be very productive as I'm sure they're using a botnet of compromised machines. However, if the messages aren't getting through, they'll stop using the script!
________
RichGCheers,
Rich.
  ^[ Log in to reply ]
 
Tim Fountain Message #72006, posted by alpha at 10:24, 22/11/2005, in reply to message #72001
Forum bod
Posts: 570
I've seen this problem on a lot of sites recently. The simplest fix is to prevent newlines on any data which is going to be put directly into the header of the email (e.g. the from name/address).
  ^[ Log in to reply ]
 
Richard Goodwin Message #72007, posted by rich at 11:27, 22/11/2005, in reply to message #72006
Rich
Dictator for life
Posts: 6828
Ah, good one!

Right, I'll go round doing that too ;)
________
RichGCheers,
Rich.
  ^[ Log in to reply ]
 
Jeffrey Lee Message #72008, posted by Phlamethrower at 15:09, 22/11/2005, in reply to message #72007
PhlamethrowerHot Hot Hot Hot Hot Hot Hot Hot Hot Hot Hot Hot Hot stuff

Posts: 15100
/me blames whoever wrote the shoddy script
  ^[ Log in to reply ]
 
Richard Goodwin Message #72010, posted by rich at 15:18, 22/11/2005, in reply to message #72008
Rich
Dictator for life
Posts: 6828
/me blames the people who are supposed to maintain the scripts :P

I didn't write it, if that's what you're getting at; but looking at it, it wasn't that bad a piece of code for the time. It has some content verification, just not enough for this particular "attack". You can't always foresee how desperate and sneaky spammers are going to become.

Looking at the messages that were sent through it (about half a dozen, last night), it looks like someone was "perfecting" their code and only sent one fully mangled message through it - the others didn't have proper subject changing etc. And the "perfect" one was only sent to a couple of dozen AOL users, so f*** 'em ;)
________
RichGCheers,
Rich.
  ^[ Log in to reply ]
 
Matthew Somerville Message #72035, posted by Matthew at 09:11, 23/11/2005, in reply to message #72001
Matthew

Posts: 520
presumably because it's slightly harder to generate POST requests. Not hugely, but enough that these guys can't be arsed.
Sadly, I've been getting this recently, and having a POST form hasn't stopped them. :(
However, if the messages aren't getting through, they'll stop using the script!
And they still try every few weeks, even though they must know by now it doesn't work. Just more spam to deal with, I guess.
  ^[ Log in to reply ]
 
Richard Goodwin Message #72063, posted by rich at 01:20, 24/11/2005, in reply to message #72035
Rich
Dictator for life
Posts: 6828
I've only seen one more attempt since I added more security - and it failed :)

BTW - just because a form uses a POST method doesn't mean that the code it posts to is set to only work on POST requests. Is this what you mean? because all our forms are POST in the HTML but the problem one responded to whatever you threw at it.
________
RichGCheers,
Rich.
  ^[ Log in to reply ]
 
Matthew Somerville Message #72099, posted by Matthew at 23:02, 24/11/2005, in reply to message #72063
Matthew

Posts: 520
BTW - just because a form uses a POST method doesn't mean that the code it posts to is set to only work on POST requests. Is this what you mean? because all our forms are POST in the HTML but the problem one responded to whatever you threw at it.
No, my script only accepts POSTed stuff, and it definitely hasn't worked on any email they've tried, and yet they still try. Fuckers.
  ^[ Log in to reply ]
 

The Icon Bar: Site Comments: Spam attempts via suggestion form