SMTPsvg.Mailer error

 
 
Mike H
      01-27-2007
I'm using a block of ASP to allow a user to send a form via e-mail.
However, someone keeps sending me spam through this form
and they're using a bogus return address. I'm testing for a
successful send, which should fail if the return address is
not valid, but I'm still getting the junk.
The block looks like this:

Set Mailer = Server.CreateObject("SMTPsvg.Mailer")
Mailer.RemoteHost = "smtp.xxx.com"
Mailer.FromName = Request.QueryString("Name")
Mailer.FromAddress = Request.QueryString("Email")
Mailer.AddRecipient "Web Mail", "(E-Mail Removed)"
Mailer.Subject = "P.C.T. E-mail"
Mailer.BodyText = UserString
If Mailer.SendMail Then
    Response.Write " - Sucessful - "
Else
    Response.Write " - Failed - "
    Response.Write Mailer.Response
End If

Should this block be stopping bogus From addresses?
Or do I need to be doing something different?

 
Daniel Crichton
      01-29-2007
Mike wrote on Sat, 27 Jan 2007 12:13:00 -0800:

> I'm using a block of ASP to allow a user to send a form via e-mail.
> However, someone keeps sending me spam through this form
> and they're using a bogus return address. I'm testing for a
> successful send, which should fail if the return address is
> not valid, but I'm still getting the junk.
> The block looks like this:
>
> Set Mailer = Server.CreateObject("SMTPsvg.Mailer")
> Mailer.RemoteHost = "smtp.xxx.com"
> Mailer.FromName = Request.QueryString ("Name")
> Mailer.FromAddress = Request.QueryString ("Email")
> Mailer.AddRecipient "Web Mail", "(E-Mail Removed)"
> Mailer.Subject = "P.C.T. E-mail"
> Mailer.BodyText = UserString
> if Mailer.SendMail then
> Response.Write " - Sucessful - "
> else
> Response.Write " - Failed - "
> Response.Write Mailer.Response
> end if
>
> Should this block be stopping bogus From addresses?
> Or do I need to be doing something different?


That mailer component cannot verify if the from address is valid or not - to
do so would require it to connect to the destination server for that domain
and then determine if the address exists; either start a dummy SMTP
conversation sending to that address and looking for an error response, or
use the verify command to ask if the address exists - although most
servers that support ESMTP should have the VRFY command disabled if they
have any sense, as it can be used to pull a list of valid addresses from a
server using a dictionary scan. What would happen if the server was down?
Would you want the message rejected? What if the message was legitimate, but
the person's ISP was having some mail server issues at the time?

There really is very little you can do to block someone spamming you this
way if they're persistent. You could look for specific strings in the
UserString variable and reject on that (such as web addresses, or certain
words). You could add a random number + check digit as hidden fields, and
have your code verify that they match before accepting the rest of the
data - this prevents direct use of the form from a script, but won't prevent
one that pulls the form HTML from the server prior to generating the
necessary POST data string to send back to ensure it's complete.

I've had problems with spam to a customer comment system on one of my own
sites in the past; luckily all comments require admin moderation before
being published to the site, so the spam never got displayed to the public -
I used a combination of variable inspection (rejecting all submissions that
had a URL in the title, which most of the spam ones did), and the random
number + check digit (which stopped the ones that didn't have a URL in the
title field, but were being posted from a script).

Dan


 
Mike H
      01-29-2007
Thanks for the reply.
I was considering the random number scheme previously,
but I don't know if the spammer is sitting at the keyboard
or if it's automated. Two months ago, he sent 30 messages
in a single day (twice), and I don't know why an automated
system would do that, nor why someone at the keyboard
would waste that much time.
For the time being, I've disabled the mail handler page.

 
Daniel Crichton
      01-30-2007
Mike wrote on Mon, 29 Jan 2007 09:11:02 -0800:

> Thanks for the reply.
> I was considering the random number scheme previously,
> but I don't know if the spammer is sitting at the keyboard
> or if it's automated. Two months ago, he sent 30 messages
> in a single day (twice), and I don't know why an automated
> system would do that, nor why someone at the keyboard
> would waste that much time.
> For the time being, I've disabled the mail handler page.



Do these comments get posted anywhere on a web page? If so, and the spam is
full of URLs, it's being done to increase the number of links back to the
URL, and in doing so will increase Google Page Rank. This is what was being
done on my site, and the random number field plus filtering on URLs stopped
it dead. It probably is automated, it's pretty easy to write a script that
navigates sites looking for forms that ask for a set of information (such as
"email address" and "comment"), and then post to them using the form data as
it was presented at the time the form HTML was retrieved. What you need to
be careful of is that even here the random number + check digit will allow
the form to be posted unless your random number and/or check digit
calculation is also site time dependent. For instance, factor in the current
date into the calculation somehow.

Dan
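
The time-dependent hidden-field check described in the post above, as an added example that is not part of the thread. It is written in Python rather than the thread's ASP, and it swaps the check digit for an HMAC over the random number and issue time so the check value cannot be recomputed without the server's key; `SECRET_KEY`, the 15-minute window, the URL pattern and the function names are assumptions.

```python
import hashlib
import hmac
import re
import secrets
import time

# Assumption: a server-side secret that never appears in the form HTML.
SECRET_KEY = b"constructed-demo-key-change-me"
MAX_AGE_SECONDS = 15 * 60  # how long a rendered form stays postable
URL_PATTERN = re.compile(r"(?i)\b(?:https?://|www\.)\S+")


def _sign(nonce: str, issued: int) -> str:
    """Keyed check value over the random number and the issue time."""
    msg = f"{nonce}.{issued}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def issue_token(now=None) -> str:
    """Value for the hidden form field: nonce, issue time, check value."""
    issued = int(time.time() if now is None else now)
    nonce = secrets.token_hex(8)
    return f"{nonce}.{issued}.{_sign(nonce, issued)}"


def check_submission(token: str, body: str, now=None) -> str:
    """Return 'ok', or the reason the post is rejected."""
    now = int(time.time() if now is None else now)
    parts = token.split(".")
    if len(parts) != 3 or not (parts[1].isascii() and parts[1].isdigit()):
        return "malformed token"
    nonce, issued, mac = parts[0], int(parts[1]), parts[2]
    # Constant-time comparison; changing the time or nonce breaks the match.
    if not hmac.compare_digest(mac.encode(), _sign(nonce, issued).encode()):
        return "bad check value"
    # Time dependence: form HTML harvested earlier stops working.
    if not 0 <= now - issued <= MAX_AGE_SECONDS:
        return "stale token"
    # Variable inspection: reject text that carries a link.
    if URL_PATTERN.search(body):
        return "url in body"
    return "ok"
```

A bot that re-fetches the form before every post still receives a valid token, as the post notes; the age limit only stops replay of previously harvested form HTML.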


 
Mike H
      01-30-2007
> "Daniel Crichton" wrote:
> Do these comments get posted anywhere on a web page? If so, and the spam is
> full of URLs, it's being done to increase the number of links back to the
> URL, and in doing so will increase Google Page Rank. This is what was being
> done on my site, and the random number field plus filtering on URLs stopped
> it dead. It probably is automated, it's pretty easy to write a script that
> navigates sites looking for forms that ask for a set of information (such as
> "email address" and "comment"), and then post to them using the form data as
> it was presented at the time the form HTML was retrieved. What you need to
> be careful of is that even here the random number + check digit will allow
> the form to be posted unless your random number and/or check digit
> calculation is also site time dependent. For instance, factor in the current
> date into the calculation somehow.


The comments don't get posted anywhere, they're just e-mailed to me.
But they include links to porn and pills web sites, so I guess he thinks
they're posted somewhere. I wonder if changing form text and variable
to nonstandard wording would throw off his bot?

 