Sebastian's Pamphlets

If you've read my articles somewhere on the Internet, expect something different here.


Wednesday, February 15, 2006

How to stop email spammers abusing contact forms

Recently some email spammers figured that my contact forms aren't that safe and started relaying their spam through my machine. I spotted the abuse late on a Saturday, as my inbox got flooded with cc'd emails and bounce messages. I forwarded such an email to my hosting service and whilst I cleaned up my inbox they stopped the spammer. Awesome service, thank you National Net!

NationalNet support patched my PHP scripts:

    // NationalNet's patch: send only when the From address matches a plain,
    // whole-string address pattern. An injection payload carries CR/LF, which
    // the bracket classes never match, so the anchored test fails and mail()
    // is never called. (ereg() is gone since PHP 7; preg_match() with the same
    // pattern and the D modifier is the modern equivalent.)
    if (ereg('^[_a-zA-Z0-9-]+(\.[_a-zA-Z0-9-]+)*@[a-zA-Z0-9-]+(\.[a-zA-Z0-9-]+)+$', $email_from)) {
        mail($email_to, $email_subject, $email_message, $email_headers);
    }

and they sent me an email explaining what they did to stop the spammer within 15 minutes or so.

GrayWolf posts a similar case and recommends this helpful page with PHP code to stop header injection; there is more useful stuff in the manual's comment section, and a great thread at WMW. I found that a combination of the NatNet patch and the tips provided there, plus a few custom add-ons like database lookups, should secure my email forms in the future. Next step is sending automated complaints to the spammer's ISP.
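To make the mechanism concrete, here is an added example (mine, not the post's or NationalNet's code) showing the header injection bug the spammers exploited beside a hardened version. The form field names, the fixed webmaster address and the injected Bcc payload are assumptions made for illustration; the example only builds the header block and never calls mail(), so it runs offline.

```php
<?php
// Added example, not the original post's or NationalNet's code. Field names,
// the fixed sender address and the sample payload are assumptions.

const SITE_FROM = 'webmaster@example.org';   // assumed fixed site sender

// VULNERABLE: visitor-supplied values are pasted straight into the header
// block that mail() hands to sendmail. Returns the headers that would be sent.
function headers_vulnerable(array $post): string
{
    return "From: {$post['email']}\r\n"
         . "Reply-To: {$post['email']}\r\n";
}

// HARDENED: refuse, rather than clean up, any field that will end up in a
// header. Returns null when the submission must not be mailed at all.
function headers_hardened(array $post): ?string
{
    $email   = trim((string) ($post['email'] ?? ''));
    $subject = trim((string) ($post['subject'] ?? ''));

    // A bare CR, LF or NUL in a header-bound field is an injection attempt.
    // The subject is checked too, because mail() also turns it into a header.
    foreach ([$email, $subject] as $field) {
        if (preg_match('/[\r\n\x00]/', $field)) {
            return null;
        }
    }

    // Whole-value address check: the same job the ereg() pattern in the
    // NationalNet patch does, using the built-in validator instead.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }

    // The visitor only gets Reply-To; From stays a fixed site address, so the
    // server never originates mail that claims to come from a stranger.
    return 'From: ' . SITE_FROM . "\r\n"
         . 'Reply-To: ' . $email . "\r\n";
}

// Constructed sample submissions: one honest, one carrying a Bcc injection.
$honest = ['email' => 'reader@example.com', 'subject' => 'Hello'];
$attack = [
    'email'   => "reader@example.com\r\nBcc: v1@example.net, v2@example.net",
    'subject' => 'Hello',
];

// The vulnerable builder would ask mail() to Bcc the spammer's targets.
echo headers_vulnerable($attack);
// The hardened builder declines the attack and accepts the honest form.
var_dump(headers_hardened($attack));
var_dump(headers_hardened($honest));
```

In the real form handler, call mail($to, $subject, $message, $headers) only when headers_hardened() returns a string; the message body needs no such check because it never becomes a header. Logging the rejected submissions with the client IP is also what you need later for the automated complaints to the spammer's ISP.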

2 Comments:

  • At Thursday, February 16, 2006, Anonymous Anonymous said…

    Sebastian, your layout is blocking the display of the code you're using :). Are you sure you didn't have something like this in effect already? My forms were spammed with that issue 1-2 years ago and I got a "chance" to clean them up then. I get probed for these issues about once a month!

    If you have a dedicated server or a firewall-PC you can run "snort" (snort.org) on it, couple it with "DShield" (dshield.org) and mynetwatchman.com to help recognize new issues and respond to massive attacks, Symantec DeepSight Analyzer (analyzer.symantec.com; free as well) to analyze and send out mails to the ISP + upstream providers (also correlates data from other users). These systems work at most levels of the OSI reference model (http://en.wikipedia.org/wiki/OSI_model) and can recognize most forms of guestbook (mail-form, etc.) spam attempts. Once you have a system set up like that, you'll be surprised at what you didn't know / didn't see before :-). It's amazing (sick) how often a server on the net is probed for known attack vectors...

  • At Thursday, February 16, 2006, Blogger Sebastian said…

    John, you can copy and paste the regex ;)

    I had something in place and got alerted on many "spam probes", but the spammers never figured out how to abuse my forms - until recently.

    Thank you for the bunch of information! My post is pretty vague because I think it makes no sense to tell the fuckers how my stuff is protected. I've posted the regex first because I didn't find it on the linked resources, and second because it's only a tiny component of my code.

