[thelist] spammers - perpetrators
pturmel-webdev at turmel.org
Wed Oct 31 19:46:43 CDT 2007
Bob Meetin wrote:
> I have a spammer faking identity and emailing me crap like:
> From: Neophytos Neophytos
> Email: IacovosFewrte64 at gawab.com
> Subject: Neophytos
> Website: http://fast-food.ophyu.com
> Request details:
> very well made it .All information on this site is represented
> <a href=http://fast-food.ophyu.com/fast-food-nation.html>
> The form that I used to use to collect feedback doesn't even look like
> that any more. I changed some of the line words (Website is not there),
> so I don't know where this one is coming from.
> With a second problem a couple times I've found some spam entries in the
> login, email or name fields of a table. The program that folks use to
> register both checks for garbage like: http, www, angelfire, porn,
> common nasty words and will reject submissions. I also include a simple
> math question.
Common problem, unfortunately:

Spammers try to hijack comment forms not just to send YOU spam, but to
use your server to spread it further. If your form's target script
doesn't sanitize the subject field, or offers a variety of To:
addresses, the script might be tricked into mailing the spam to others,
not just the intended recipients. If the comment form is used with a blog
or other public web-site, then visitors to the site also see the spam.

Spammers especially like forms that ask for a return e-mail address, in
the hope that your script automatically sends an acknowledgement via
e-mail. They'll put a target e-mail address in the 'from' variable.

You aren't seeing the correct format for these emails because the
spammer isn't actually opening your blank form. They are just
submitting the GET or POST action directly (no real web browser on their
end at all).

Spammers generally don't hunt for vulnerable websites by hand. They
typically use robot scripts that look for forms on any page they
encounter. The robot script notes the input field names and guesses
which ones are the from, to, and subject lines. Everything else is
treated as a body field, in the hopes of getting through. Your second
problem is most likely caused by a spammer's script trying to send spam
through your registration form, and your registration program isn't
sophisticated enough to catch all the evasive maneuvers.

In any case, there are some best practices to follow:

Include a hidden field on every form that contains a session-based
random token. Check for and change the token every time a form is
actually submitted. ANY form! Not just comment forms. Especially
login forms. If a form is submitted with no session, no token, or wrong
token, display a fresh blank form and log the IP address as a likely

Check all variables submitted for reasonableness... If a userid is
supposed to only have letters and digits, reject anything that has
anything else. Where you are expecting an email address, use a regular
expression to make sure it is syntactically valid. Subject lines should
be only one line, and no more characters than the maxlength on the input
field. If you find a newline or carriage return in the subject, it's
almost guaranteed to be a spammer.

Never send an acknowledgement via e-mail. Use the form script to
acknowledge a valid submission right on the web. Never accept actual
To: addresses in submitted variables. If you must have multiple-choice
To: addresses, use a numeric index on a combo box, and look up the
numeric index in your script. Don't put any submitted variable into a
database if any check fails. Always use parameterized queries or the
equivalent in your language of choice.

If you do all of the above, and still have an objectionable amount of
spam coming to you, add some form of captcha. (But only as a last
resort, as accessibility standards can be tough to meet when captchas
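As an added example (not code from the original post or the list), here is how the checks above can fit together in one Python form handler: single-use session token, reasonableness checks on userid, email and subject, and a numeric recipient index looked up server-side. The field names, the recipient table and the subject limit are assumptions.

```python
import re
import secrets

# Constructed recipient table: the form submits only an index into this
# table, never a mail address, so a bot cannot supply its own To: line.
RECIPIENTS = {0: "feedback@example.org", 1: "support@example.org"}
USERID_RE = re.compile(r"[A-Za-z0-9]+")          # letters and digits only
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
SUBJECT_MAXLEN = 80                               # must equal the input's maxlength


def new_token(session):
    """Put a fresh random token in the server-side session and return it
    for the form's hidden field. Called whenever a blank form is rendered."""
    session["form_token"] = secrets.token_hex(16)
    return session["form_token"]


def validate_submission(session, form):
    """Check one submitted form (a dict of field name -> string).
    Returns {"ok": bool, "reasons": [...], "to": address or None}.
    The caller re-renders a blank form and logs the client IP when ok is False."""
    reasons = []
    expected = session.get("form_token")
    given = form.get("token", "")
    # Constant-time compare; encode so non-ASCII input cannot raise TypeError.
    if not expected or not secrets.compare_digest(expected.encode(), given.encode()):
        reasons.append("no session, no token, or wrong token")
    if not USERID_RE.fullmatch(form.get("userid", "")):
        reasons.append("userid contains something other than letters/digits")
    if not EMAIL_RE.fullmatch(form.get("email", "")):
        reasons.append("email address not syntactically valid")
    subject = form.get("subject", "")
    if "\r" in subject or "\n" in subject:
        # A line break here would let the submitter add mail headers of its own.
        reasons.append("newline in subject")
    elif len(subject) > SUBJECT_MAXLEN:
        reasons.append("subject longer than maxlength")
    try:
        to_addr = RECIPIENTS[int(form.get("to", ""))]
    except (ValueError, KeyError):
        to_addr = None
        reasons.append("recipient index not in table")
    # The token is single-use: rotate it after every submission attempt.
    new_token(session)
    # Nothing submitted is used (or stored) if any check failed.
    return {"ok": not reasons, "reasons": reasons, "to": to_addr if not reasons else None}
```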