Spam coming through my website

Discussion in 'NZ Computing' started by Vista, Jul 13, 2006.

  1. Vista

    Vista Guest

    Just wondering what the best way is to stop people submitting a form on my
    website. Currently there is someone/some people who for the last few weeks
    has been sending messages through the forms on my website, with pornographic
    links etc. I have a lot of required fields on my form, including requiring
    an email address, name and address etc, but they still fill in all the
    fields and use a free Gmail address as the email address. Currently
    there is really nothing I can think of to stop them. I have traced their IP
    addresses, and they trace back to Korea. I am considering removing the form
    and just using a normal email link instead. Anyone have any ideas?
    TIA
     
    Vista, Jul 13, 2006
    #1

  2. Vista

    Fred Dagg Guest

    On Thu, 13 Jul 2006 17:54:00 +1200, "Vista" <>
    exclaimed:

    >Just wondering how the best way to stop people submitting a form on my
    >website. Currently there is someone/some people who for the last few weeks
    >has been sending messages through the forms on my website, with pornographic
    >links etc. I have a lot of required fields on my form, including requiring
    >an email address, name and address etc, but they still fill in all the
    >fields and use a free gmail address for as the email address. Currently
    >there is really nothing I can think of to stop them I have traced their IP
    >adddresses, and they trace back to korea. I am considering removing the form
    >and just using a normal email link instead. Anyone have any ideas?
    >TIA
    >

    Most likely, it'll be worse than you think. They are probably using it
    to SPAM others, and you are just receiving a copy as a side effect.
    Usually this is accomplished by using an "injection" attack - they
    inject code into your form that your server misinterprets as a
    command.

    What are you using to send your form?
     
    Fred Dagg, Jul 13, 2006
    #2

  3. Vista

    XPD Guest

    "Vista" <> wrote in message
    news:1152769838.470881@ftpsrv1...
    > Just wondering how the best way to stop people submitting a form on my
    > website. Currently there is someone/some people who for the last few weeks
    > has been sending messages through the forms on my website, with
    > pornographic links etc. I have a lot of required fields on my form,
    > including requiring an email address, name and address etc, but they still
    > fill in all the fields and use a free gmail address for as the email
    > address. Currently there is really nothing I can think of to stop them I
    > have traced their IP adddresses, and they trace back to korea. I am
    > considering removing the form and just using a normal email link instead.
    > Anyone have any ideas?
    > TIA
    >


    Welcome to my world.... I'm running a blog on my site and I'm constantly
    getting spam comments.
    Looked all through the settings for a way to prevent non-registered users from
    posting, and you wouldn't believe it, but there's no option for that. I have
    to code it into the damn thing myself if I want that option.
    So think I'm going to give up on running my blog.... the forums work much
    better :)
     
    XPD, Jul 13, 2006
    #3
  4. Vista

    Shane Guest

    XPD wrote:

    > "Vista" <> wrote in message
    > news:1152769838.470881@ftpsrv1...
    >> Just wondering how the best way to stop people submitting a form on my
    >> website. Currently there is someone/some people who for the last few
    >> weeks has been sending messages through the forms on my website, with
    >> pornographic links etc. I have a lot of required fields on my form,
    >> including requiring an email address, name and address etc, but they
    >> still fill in all the fields and use a free gmail address for as the
    >> email address. Currently there is really nothing I can think of to stop
    >> them I have traced their IP adddresses, and they trace back to korea. I
    >> am considering removing the form and just using a normal email link
    >> instead. Anyone have any ideas?
    >> TIA
    >>

    >


    Um, if you know the IP, or range the problem comes from, why not block by IP
    and/or range?

    > Welcome to my world.... Im running a blog on my site and Im constantly
    > getting spam comments.
    > Looked all thru the settings for a way to prevent non-registered users
    > from posting, and you wouldnt believe it, but theres no option for that. I
    > have to code it into the damn thing myself if I want that option.
    > SO think Im going to give up on running my blog.... the forums work much
    > better :)



    What blog software?
    I'm using WordPress, and non-registered users can't comment, I can even control
    who is and isn't registered, and moderate comments

    Looking for forum software that won't get me owned :)

    --
    Rule 6: There is no rule 6

    Blog: http://shanes.dyndns.org
     
    Shane, Jul 13, 2006
    #4
  5. Vista

    Shank Guest

    Vista wrote:
    > Just wondering how the best way to stop people submitting a form on my
    > website. Currently there is someone/some people who for the last few weeks
    > has been sending messages through the forms on my website, with pornographic
    > links etc. I have a lot of required fields on my form, including requiring
    > an email address, name and address etc, but they still fill in all the
    > fields and use a free gmail address for as the email address. Currently
    > there is really nothing I can think of to stop them I have traced their IP
    > adddresses, and they trace back to korea. I am considering removing the form
    > and just using a normal email link instead. Anyone have any ideas?
    > TIA
    >
    >

    If you don't want to code out webmail addresses (gmail, hotmail etc)
    with 'for i in etc, do
    if then else

    and go with a normal email link, code that with javascript to stop bots
    picking it up

    http://javascript.internet.com/forms/auto-email-link.html

    or

    http://innerpeace.org/escrambler.shtml





    --
    Rob

    In poker you have to show your hand eventually if called. So f
     
    Shank, Jul 13, 2006
    #5
  6. Vista

    Fred Dagg Guest

    On Thu, 13 Jul 2006 21:08:20 +1200, Shank <Here@home> exclaimed:

    >Vista wrote:
    >> Just wondering how the best way to stop people submitting a form on my
    >> website. Currently there is someone/some people who for the last few weeks
    >> has been sending messages through the forms on my website, with pornographic
    >> links etc. I have a lot of required fields on my form, including requiring
    >> an email address, name and address etc, but they still fill in all the
    >> fields and use a free gmail address for as the email address. Currently
    >> there is really nothing I can think of to stop them I have traced their IP
    >> adddresses, and they trace back to korea. I am considering removing the form
    >> and just using a normal email link instead. Anyone have any ideas?
    >> TIA
    >>
    >>

    >If you don't want to code out webmail addresses (gmail, hotmail etc)
    >with 'for i in etc, do
    >if then else
    >
    >and go with a normal email link, code that with javascript to stop bots
    >picking it up
    >
    >http://javascript.internet.com/forms/auto-email-link.html
    >
    >or
    >
    >http://innerpeace.org/escrambler.shtml


    That's a silly idea. You have no control over a user's environment,
    and if they choose to not have Javascript enabled (which is their
    choice) they cannot contact you.

    The best idea is to just code the mail form properly.
     
    Fred Dagg, Jul 13, 2006
    #6
  7. Vista

    Vista Guest

    "Fred Dagg" <> wrote in message
    news:...
    > On Thu, 13 Jul 2006 17:54:00 +1200, "Vista" <>
    > exclaimed:
    >
    >>Just wondering how the best way to stop people submitting a form on my
    >>website. Currently there is someone/some people who for the last few weeks
    >>has been sending messages through the forms on my website, with
    >>pornographic
    >>links etc. I have a lot of required fields on my form, including requiring
    >>an email address, name and address etc, but they still fill in all the
    >>fields and use a free gmail address for as the email address. Currently
    >>there is really nothing I can think of to stop them I have traced their IP
    >>adddresses, and they trace back to korea. I am considering removing the
    >>form
    >>and just using a normal email link instead. Anyone have any ideas?
    >>TIA
    >>

    > Most likely, it'll be worse than you think. They are probably using it
    > to SPAM others, and you are just receiving a copy as a side effect.
    > Usually this is accomplished by using an "injection" attack - they
    > inject code into your form that your server misinterprets as a
    > command.
    >
    > What are you using to send your form?


    That sounds possible, and would explain all the links in the message. I am
    using NMS formmail http://nms-cgi.sourceforge.net/ and running the latest
    version. I have used a similar script for the last 5 years on my website,
    and have never had this type of problem.
     
    Vista, Jul 13, 2006
    #7
  8. Vista

    Dave Taylor Guest

    Dave Taylor, Jul 13, 2006
    #8
  9. Vista

    Shank Guest

    Fred Dagg wrote:
    > On Thu, 13 Jul 2006 21:08:20 +1200, Shank <Here@home> exclaimed:
    >
    >> Vista wrote:
    >>> Just wondering how the best way to stop people submitting a form on my
    >>> website. Currently there is someone/some people who for the last few weeks
    >>> has been sending messages through the forms on my website, with pornographic
    >>> links etc. I have a lot of required fields on my form, including requiring
    >>> an email address, name and address etc, but they still fill in all the
    >>> fields and use a free gmail address for as the email address. Currently
    >>> there is really nothing I can think of to stop them I have traced their IP
    >>> adddresses, and they trace back to korea. I am considering removing the form
    >>> and just using a normal email link instead. Anyone have any ideas?
    >>> TIA
    >>>
    >>>

    >> If you don't want to code out webmail addresses (gmail, hotmail etc)
    >> with 'for i in etc, do
    >> if then else
    >>
    >> and go with a normal email link, code that with javascript to stop bots
    >> picking it up
    >>
    >> http://javascript.internet.com/forms/auto-email-link.html
    >>
    >> or
    >>
    >> http://innerpeace.org/escrambler.shtml

    >
    > That's a silly idea. You have no control over a user's environment,
    > and if they choose to not have Javascript enabled (which is their
    > choice) they cannot contact you.
    >
    > The best idea is to just code the mail form properly.


    There is no completely secure way of hiding your email address from a
    well constructed bot. Better to go with the lowest common denominator,
    than nothing at all.

    Those who choose to disable javascript will most likely have enough
    clues to figure out the email address by looking at the source, which is
    a darn sight easier than expecting everyone who puts up a web page to
    know how to code properly in whatever language.


    --
    Rob
     
    Shank, Jul 13, 2006
    #9
  10. Vista

    Vista Guest

    "Dave Taylor" <> wrote in message
    news:Xns97FFE85F346EDdaveytaynospamplshot@203.97.37.6...
    > "Vista" <> wrote in news:1152769838.470881@ftpsrv1:
    >
    >> I am considering removing the form
    >> and just using a normal email link instead. Anyone have any ideas?
    >>

    >
    > Force the user to be a human; the form is for people to fill out isn't
    > it?.
    > See:
    > http://www.javascriptsearch.com/news/news/060410KittenAuth.html
    > http://www.thepcspy.com/kittenauthtest
    > http://www.kittenauth.com/
    >
    > --
    > Ciao, Dave


    Thanks, that is an interesting idea. I however suspect that many of the
    people visiting my site wouldn't actually know what to do, or why they have
    to press 3 kittens to send the form, they would just wonder 'why don't you
    have a normal submit button?' However it is probably a good idea for forums
    or even online banking.
     
    Vista, Jul 13, 2006
    #10
  11. Vista wrote:
    > I have a lot of required fields on my form, including requiring
    > an email address, name and address etc, but they still fill in all the
    > fields and use a free gmail address for as the email address


    Well obviously. Client-side validation is easily bypassed. Validate your
    data on the server as well!

    They are injecting their own headers by putting newline characters into
    the fields that you accept. Strip these out.

    Cheers,
    Nicholas Sherlock

    --
    http://www.sherlocksoftware.org
     
    Nicholas Sherlock, Jul 13, 2006
    #11
  12. Vista

    Allistar Guest

    wrote:

    > Vista wrote:
    >> Just wondering how the best way to stop people submitting a form on my
    >> website. Currently there is someone/some people who for the last few
    >> weeks has been sending messages through the forms on my website, with
    >> pornographic links etc. I have a lot of required fields on my form,
    >> including requiring

    >
    > 1. Make sure they are not able to spam through your form. If you are
    > using contents of the form to set any of the mail headers (from, to,
    > subject reply-to etc) then make sure there are no extra headers being
    > slipped in (easy way, strip out all CR and LF from the values).


    Putting mail headers as hidden fields on the form is dangerous and silly -
    this should be done on the back end. I know though that many ISPs have
    backend emailing scripts that work this way. Putting anything in a POST
    that you don't want users to change is a bad idea unless it's validated on
    the server.

    > 2. Add a CAPTCHA, this will stop scripts spamming you.
    >
    > What language is the form processor written in?


    Allistar.
     
    Allistar, Jul 13, 2006
    #12
  13. Vista

    jasen Guest

    On 2006-07-13, Vista <> wrote:

    > Just wondering how the best way to stop people submitting a form on my
    > website.


    remove the form from your website.

    > Currently there is someone/some people who for the last few weeks
    > has been sending messages through the forms on my website, with pornographic
    > links etc. I have a lot of required fields on my form, including requiring
    > an email address, name and address etc, but they still fill in all the
    > fields and use a free gmail address for as the email address. Currently
    > there is really nothing I can think of to stop them I have traced their IP
    > adddresses, and they trace back to korea. I am considering removing the form
    > and just using a normal email link instead. Anyone have any ideas?


    probably you need to check the data before you email it.
    what's the purpose of the form?





    > TIA
    >
    >



    --

    Bye.
    Jasen
     
    jasen, Jul 14, 2006
    #13
  14. Vista

    jasen Guest

    On 2006-07-13, Shank <Here@home> wrote:

    > There is no completely secure way of hiding your email address from a
    > well constructed bot. Better to go with the lowest common denominator,
    > than nothing at all.


    > Those who choose to disable javascript will most likely have enough
    > clues to figure out the email address by looking at the source, which is
    > a darn sight easier than expecting everyone who puts up a web page to
    > know how to code properly in whatever language.


    here's an example of some fairly transparent javascript for de-mangling
    one or more email addresses.

    do this sort of thing in the HTML:

    my Email address is <a name="email">jasen _at_ free _dot_ net _dot_ nz</a>

    and then use this javascript

    <script type="text/javascript">
    // De-mangle every element named "email" and turn it into a mailto: link.
    var i,m=document.getElementsByName("email");
    for(i=0 ; i<m.length; i++){
    var s=m[i].firstChild['nodeValue'];
    s=s.split(' _at_ ').join('@').split(' _dot_ ').join('.');
    m[i].firstChild['nodeValue']=s;
    m[i]['href']="mai"+"lto:"+s;
    }
    </script>

    those without javascript can read it reasonably, those with can click the
    link.


    --

    Bye.
    Jasen
     
    jasen, Jul 14, 2006
    #14
  15. Vista

    jasen Guest

    On 2006-07-13, Allistar <> wrote:

    > Putting mail headers as hidden fields on the form is dangerous and silly -
    > this should be done on the back end. I know though that many ISPs have
    > backend emailing scripts that work this way. Putting anything in a POST
    > that you don't want users to change is a bad idea unless it's validated on
    > the server.


    At work we have a mail script on a site we maintain
    http://www.destination-nz.com/mail.php that has been in the past abused like
    that, now it does extensive validation on all the fields. It's used by a
    number of pages whose content is generated dynamically so it needs to accept
    the to address in a hidden field, but it rejects any to address pointing
    outside the intended domain and any address with more than 1 "@" in it.

    >> 2. Add a CAPTCHA, this will stop scripts spamming you.


    they seem to turn people away too.

    Bye.
    Jasen
     
    jasen, Jul 14, 2006
    #15
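
The server-side checks discussed in posts #11, #12 and #15, as an added example that is not code from any poster or from NMS FormMail: a naive message builder beside one that refuses CR/LF in header-bound fields and restricts the recipient to one domain with exactly one "@". The posts suggest stripping line breaks; rejecting them is the stricter variant used here. `ALLOWED_DOMAIN`, the function names and the sample addresses are assumptions made for illustration.

```python
import re
from email import message_from_string

ALLOWED_DOMAIN = "example.org"  # assumption: the only domain the form may mail to
LINE_BREAK = re.compile(r"[\r\n]")

# Constructed sample: an "email" field carrying a line break and an extra header.
INJECTED_FROM = "visitor@mail.example\r\nBcc: third-party@elsewhere.example"

def naive_message(to_addr, from_addr, subject, body):
    """Vulnerable pattern: form values pasted straight into the header block."""
    return (f"To: {to_addr}\r\nFrom: {from_addr}\r\n"
            f"Subject: {subject}\r\n\r\n{body}")

def check_header_value(field, value):
    """Refuse any value destined for a header if it contains CR or LF."""
    if LINE_BREAK.search(value):
        raise ValueError(f"line break in {field} field")
    return value.strip()

def check_recipient(addr):
    """Exactly one '@', and the domain must be the intended one."""
    addr = check_header_value("to", addr)
    if addr.count("@") != 1:
        raise ValueError("recipient must contain exactly one @")
    local, domain = addr.split("@")
    if not local or domain.lower() != ALLOWED_DOMAIN:
        raise ValueError("recipient outside the intended domain")
    return addr

def safe_message(to_addr, from_addr, subject, body):
    """Validate every header-bound field on the server, then build the message."""
    return naive_message(check_recipient(to_addr),
                         check_header_value("from", from_addr),
                         check_header_value("subject", subject),
                         body)

def header_names(raw):
    """Header names a mail parser sees in the raw message, in order."""
    return [name.lower() for name in message_from_string(raw).keys()]

if __name__ == "__main__":
    print(header_names(naive_message("contact@example.org", INJECTED_FROM, "Hi", "x")))
    try:
        safe_message("contact@example.org", INJECTED_FROM, "Hi", "x")
    except ValueError as err:
        print("rejected:", err)
```

The naive builder yields a message whose parsed headers include a `bcc` the site never set, which is how a contact form ends up relaying mail to third parties; the message body may still contain line breaks because it sits after the blank line that ends the headers.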
