
User #16822   1467 posts
Whirlpool Enthusiast

Howdy,

I am having problems with what I can only presume is a robot using a contact form from a site I help maintain at www.riversidechristian.org.au . The email addresses are always random letters followed by our domain.

I am getting 20-30 messages a day which look like this:

Below is the result of your feedback form. It was submitted by myfrjxzt@riversidechristian.org.au on September 11th, 2005 at 07:50AM (EST).

Name: myfrjxzt@riversidechristian.org.au
Submit: myfrjxzt@riversidechristian.org.au
comments: myfrjxzt@riversidechristian.org.au
email: myfrjxzt@riversidechristian.org.au

The Subject line reads: myfrjxzt@riversidechristian.org.au

Headers:
Return-path: <rcf@apollo.unknowndns.net>
Envelope-to: myfrjxzt@riversidechristian.org.au
Delivery-date: Sun, 11 Sep 2005 07:50:27 +1000
Received: from rcf by apollo.unknowndns.net with local (Exim 4.52)
id 1EEDEw-0002ns-R6
for myfrjxzt@riversidechristian.org.au; Sun, 11 Sep 2005 07:50:26 +1000
To: myfrjxzt@riversidechristian.org.au
Subject: myfrjxzt@riversidechristian.org.au
Content-Type: multipart/mixed; boundary="===============0070768058=="
MIME-Version: 1.0
Subject: 9312476b
To: myfrjxzt@riversidechristian.org.au
bcc: jrubin3546@aol.com
From: myfrjxzt@riversidechristian.org.au

This is a multi-part message in MIME format.
--===============0070768058==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

glbr
--===============0070768058==--
From: myfrjxzt@riversidechristian.org.au
X-Priority: 3
X-Mailer: PHPFormMail Classic v1.06.0 (www.boaddrink.com)
Message-Id: <E1EEDEw-0002ns-R6@apollo.unknowndns.net>
Date: Sun, 11 Sep 2005 07:50:26 +1000

anyone got any idea how I can stop this?

posted 2005-Sep-11, 8am AEST
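What the quoted headers show is mail header injection: the bot put a whole header block, a blank line and a MIME body into one form field, and the script pasted that field straight into the Subject header, so the MTA read the bot's bcc: line as a real header. The following is an added example, not code from the thread or from PHPFormMail; it is Python rather than PHP, the payload is constructed to mirror the quoted Subject line with the addresses swapped for example.org/example.net, and `build_naive_message` / `build_safe_message` are hypothetical stand-ins for a formmail script's header construction:

```python
"""Mail header injection as shown in the quoted message: a form field that
should hold one value carries a newline-separated block of extra headers."""
import re

# Constructed payload, modelled on the Subject line in the quoted headers
# (addresses replaced with example.org/example.net). The bot supplies a header
# block, a blank line and a MIME body inside a single form field.
INJECTED_SUBJECT = (
    "myfrjxzt@example.org\n"
    'Content-Type: multipart/mixed; boundary="===============0070768058=="\n'
    "MIME-Version: 1.0\n"
    "Subject: 9312476b\n"
    "To: myfrjxzt@example.org\n"
    "bcc: relay-target@example.net\n"
    "From: myfrjxzt@example.org\n"
    "\n"
    "This is a multi-part message in MIME format.\n"
    "--===============0070768058==\n"
    'Content-Type: text/plain; charset="us-ascii"\n'
    "MIME-Version: 1.0\n"
    "Content-Transfer-Encoding: 7bit\n"
    "\n"
    "glbr\n"
    "--===============0070768058==--"
)


def build_naive_message(to, subject, sender, body):
    """The vulnerable construction (hypothetical stand-in for a formmail
    script): field values pasted straight into the header block."""
    return f"To: {to}\r\nSubject: {subject}\r\nFrom: {sender}\r\n\r\n{body}"


def parse_headers(raw_message):
    """Read the header block the way the receiving MTA does: a bare LF ends a
    line and the first blank line ends the headers. Returns name -> [values]."""
    text = raw_message.replace("\r\n", "\n")
    head = text.split("\n\n", 1)[0]
    headers = {}
    for line in head.split("\n"):
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not a header line
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


LINE_BREAK = re.compile(r"[\r\n]")


def is_header_safe(value):
    """A value destined for a single header may never contain a line break.
    This is the 'taint check' the thread keeps coming back to."""
    return LINE_BREAK.search(value) is None


def build_safe_message(to, subject, sender, body):
    """Same construction, but refuse any user-supplied header value with a
    line break instead of letting it turn into extra headers."""
    for field_name, value in (("subject", subject), ("from", sender)):
        if not is_header_safe(value):
            raise ValueError(f"header injection attempt in {field_name}")
    return build_naive_message(to, subject, sender, body)


if __name__ == "__main__":
    naive = build_naive_message("owner@example.org", INJECTED_SUBJECT,
                                "webform@example.org", "(form body)")
    got = parse_headers(naive)
    print("bcc added by the bot:", got.get("bcc"))
    print("script's own From survived:", "webform@example.org" in got.get("from", []))
    try:
        build_safe_message("owner@example.org", INJECTED_SUBJECT,
                           "webform@example.org", "(form body)")
    except ValueError as exc:
        print("rejected:", exc)
```

Running it shows the two things the quoted headers already hint at: the bot's bcc: becomes a delivered header, and the script's own From: line ends up after the injected blank line, i.e. in the body, which is why the forwarded copy shows a second From: after the MIME boundary.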
User #4483   2240 posts
Whirlpool Forums Addict

use a robots.txt file to tell the bots not to follow any links to that page...

and then cross your fingers that the bot in question is a nice bot and follows instructions found in robot files. :)

posted 2005-Sep-11, 9am AEST
User #61336   1476 posts
Whirlpool Enthusiast

Jacob Williams writes...

use a robots.txt file to tell the bots not to follow any links to that page...

and then cross your fingers that the bot in question is a nice bot and follows instructions found in robot files. :)


just to add to that...
-----------
forum-replies.cfm?t=396009
-----------
theres a link for a tutorial and some info in that thread:)

posted 2005-Sep-11, 10am AEST
User #84749   1261 posts
Whirlpool Enthusiast

Hmmm
I have just started getting exactly the same problem....
weird.

posted 2005-Sep-11, 3pm AEST
User #65264   2586 posts
Whirlpool Forums Addict

Add one of those image things with the code
or
document.write the submit button

posted 2005-Sep-11, 4pm AEST
User #52909   102 posts
Forum Regular

b__ writes...

Add one of those image things with the code

called a captcha (Completely Automated Public Turing Test to Tell Computers and Humans Apart)

to the OP - Google captcha and you will find many options for creating captcha images with your preferred web technology

posted 2005-Sep-11, 5pm AEST
User #32320   1777 posts
Whirlpool Enthusiast

Jacob Williams writes...

and then cross your fingers that the bot in question is a nice bot and follows instructions found in robot files. :)

I doubt it. A bot submitting to forms is most likely malicious.

posted 2005-Sep-11, 7pm AEST
User #84749   1261 posts
Whirlpool Enthusiast

b__ writes...

document.write the submit button

That doesn't work either. It doesn't use the submit button, unless it's a physical robot sitting at a computer!

posted 2005-Sep-11, 11pm AEST
User #20550   6547 posts
Carouser

Does anybody know exactly what is doing this (i.e. What is the robot that is causing this, and what is the purpose of submitting random e-mail addresses made up using the domain of the target server?).

We've been getting the exact same thing through our suggest news page.

posted 2005-Sep-11, 11pm AEST
edited 2005-Sep-11, 11pm AEST
User #30813   3255 posts
Whirlpool Forums Addict

Yep, that's right. Normally what they do is read the names of the form fields and then generate a POST request straight to the server.

Actually just thinking, if you create the form (and/or) the input boxes through javascript's document.write, that may confuse the bot.

posted 2005-Sep-11, 11pm AEST
User #84749   1261 posts
Whirlpool Enthusiast

I think in my case, it is completely ignoring the html form and just accessing the php form processing page.

the document.write trick didn't make any difference.

I have emailed our php guy, he's sure to know how to beat it (I hope!)

posted 2005-Sep-12, 12am AEST
User #43521   1589 posts
Whirlpool Enthusiast

Sounds like someone attempting an email injection attack. Yet another example of why all input variables should be sanitised ... php email injection

posted 2005-Sep-12, 1am AEST
User #35391   219 posts
Forum Regular

AWOL writes...

anyone got any idea how I can stop this?

Firstly, I'd change the name of your form script. "formmail.php" is a bit obvious, and quite commonly scanned for by spammers. For the most part, people simply use the default settings on these form scripts, and are therefore open to such abuse.

I've found that adding two email input fields (email and confirm email) generally stops this crap. It also cuts down the mistyped email problem too. :)

The image verification solution is also very effective for persistent spammers.

posted 2005-Sep-12, 1am AEST
User #21090   1639 posts
Whirlpool Enthusiast

Heh I've been getting the same thing (well attempts at it appearing in the referer logs). :) Best just to use image verification I'd say, these bots just post data directly to your script, and yeah doubtful that they are going to take any notice of robots.txt given their nature. ;)

posted 2005-Sep-12, 1am AEST
User #25865   1482 posts
Whirlpool Enthusiast

I notice there's two hidden fields containing email addresses on the contact form (search the HTML source for 'recipient'). Removing them and leaving it in the code on the server would help (if you have access to the scripts, or could code your own).

posted 2005-Sep-12, 1am AEST
User #4832   2944 posts
Whirlpool Forums Addict

document.write the action URI. Try mangling it like the mailto links on whirlpool.

posted 2005-Sep-12, 7am AEST
User #16822   1467 posts
Whirlpool Enthusiast

Thanks for all the replies. I will take action and see what happens.

posted 2005-Sep-12, 8am AEST
User #84749   1261 posts
Whirlpool Enthusiast

Nope, the only way is to have a captcha system.

posted 2005-Sep-12, 9am AEST
User #3956   512 posts
Whirlpool Enthusiast

speedmeup writes...

document.write the action URI. Try mangling it like the mailto links on whirlpool.

Security by obscurity isn't the solution - besides, you might make it harder for your users to use your script by having too much unnecessary javascript in your page.

manian writes...

Firstly, I'd change the name of your form script. "formmail.php" is a bit obvious, and quite commonly scanned for by spammers. For the most part, people simply use the default settings on these form scripts, and are therefore open to such abuse.

Again, security by obscurity. Besides the bot can easily grep through the output of html to find this.

Powerboy writes...
I notice there's two hidden fields containing email addresses on the contact form (search the HTML source for 'recipient'). Removing them and leaving it in the code on the server would help (if you have access to the scripts, or could code your own).

See what pyslenced said: the spambot is sending a direct POST/GET to your script, so there is no use in diddling with the html... changing what you send to the client (the browser) isn't going to change whether your script is secure or not.

The fact is: nothing you do can stop this kind of anti-social web behaviour, so you have to code your scripts to respond accordingly and correctly.

1) Just let them post/get and make sure you taint check your variables in php.

2) You can also drop the form response if you detect the from domain is yourdomain.com (just drop silently and ignore the request)

3) Another possible technique is to set a cookie on the previous page; if it's a home grown spambot, it's unlikely to pass the cookie back to you. I.e., "test for a human" (again obscurity, but a slightly better one, and easy to implement)

EDIT 4) Oh, yes, and captcha is the other good option, depends on how hard for you to implement.

In any case, once you detect it ain't "kosher", just respond gracefully and don't let on that your script has done nothing (just say "thanks, for the form submission etc"). Then ignore any sending.

The most important thing is to make sure that your scripts are taint checked to avoid injection.

posted 2005-Sep-12, 9am AEST
edited 2005-Sep-12, 9am AEST
User #84749   1261 posts
Whirlpool Enthusiast

Well, I'm logging IP addresses now, so I'll see which ones they come from and then set the script to open loads of windows and direct that user to a porn site

:-)

if they can have fun, then I can have fun with them back!

Probably some little kid who thinks he's hacking

posted 2005-Sep-12, 11am AEST
User #43521   1589 posts
Whirlpool Enthusiast

-roger- writes...

direct that user to a porn site

I thought you're trying to discourage them? :)

posted 2005-Sep-12, 12pm AEST
User #84749   1261 posts
Whirlpool Enthusiast

it will be a gender specific porn site... (can't use the g word here it seems)

posted 2005-Sep-12, 12pm AEST
User #16822   1467 posts
Whirlpool Enthusiast

This may help from forum-replies.cfm?t=396942

Stars in the sky writes...

The PHP package to get is VeriWord www.phpclasses.org/browse/package/1768.html

Good luck

posted 2005-Sep-12, 1pm AEST
User #21090   1639 posts
Whirlpool Enthusiast

-roger- writes...

Well, I'm logging IP addresses now, so I'll see which ones they come from and then set the script to open loads of windows and direct that user to a porn site

:-)

if they can have fun, then I can have fun with them back!

Probably some little kid who thinks he's hacking


Please re-read the replies about the bot, it's not a "person" navigating the internet, it's just an automated script firing off POST/GET data to your website, it most likely doesn't even record or take notice of any reply you might give it.

posted 2005-Sep-12, 1pm AEST
User #30813   3255 posts
Whirlpool Forums Addict

-roger- writes...

Well, I'm logging IP addresses now, so I'll see which ones they come from and then set the script to open loads of windows and direct that user to a porn site

Often a bot will be using open proxies, so don't be surprised if you find attacks from multiple IPs.

You'll find there are scripts that just search tens of thousands of domains looking for vulnerable scripts.

Edit: another example of how people scan using google.

www.google.com/search?q=...l%3Aformmail.php

(108,000 possible sites that can be exploited).

posted 2005-Sep-12, 2pm AEST
edited 2005-Sep-12, 2pm AEST
User #84749   1261 posts
Whirlpool Enthusiast

Well, I got the kid doing it to me. He's in Germany. His ISP already knows about him.

posted 2005-Sep-13, 1am AEST
User #16822   1467 posts
Whirlpool Enthusiast

Ok here are the steps that I have taken and for now the mail has stopped.

1. Changed the name of the script and the folder it resided in.
2. Updated to the latest formmail.php for PHPFormMail Classic 1.07.1 (which I realised I didn't have)
3. Used option 3 in the script for security.

see the help file it looks like this:

Example #3
$recipient_array = array('fcf7b465cc30923b02a8cecc2ede239331c7990e' => 'email@example.com', '2bd7df9fbc9f87040e617b5c09ad16aa85d73ecc' => 'somebodyelse@example.com');


the latest formmail can be grabbed here www.boaddrink.com/projects/files/index.php

Hope this can help others

posted 2005-Sep-13, 6pm AEST
edited 2005-Sep-14, 6am AEST
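The four-point list earlier in the thread (taint check, drop senders on your own domain, cookie "test for a human", answer gracefully either way) and the recipient table in the OP's Example #3 fit together into one handler, and the following is an added example of that combination. It is not the thread's or PHPFormMail's code; it is Python rather than PHP, the domain, addresses and cookie value are constructed, `handle_submission`/`respond`/`recipient_token` are hypothetical names, and it only makes the delivery decision, leaving the actual sending to the caller:

```python
"""Form-handler policy from the thread: taint check header fields, resolve the
recipient through a server-side SHA-1 table (the layout of the OP's
Example #3), drop senders claiming our own domain, require a cookie set by
the form page, and answer identically whether or not mail goes out."""
import hashlib
import hmac
import re

OWN_DOMAIN = "example.org"  # assumption: stands in for the site's real domain

# Server-side recipient table: the hidden 'recipient' field in the HTML form
# carries the hash, never the address, and unknown hashes resolve to nothing.
RECIPIENTS = {
    hashlib.sha1(b"office@example.org").hexdigest(): "office@example.org",
    hashlib.sha1(b"webmaster@example.org").hexdigest(): "webmaster@example.org",
}

# Assumption: the page that renders the form sets this cookie. A bot that
# POSTs straight to the script never loaded that page and so never sends it.
FORM_COOKIE_NAME = "form_token"
FORM_COOKIE_VALUE = "constructed-example-token"

HEADER_FIELDS = ("name", "email", "subject")  # values that reach a mail header
LINE_BREAK = re.compile(r"[\r\n]")
THANKS = "Thanks for your form submission."


def handle_submission(fields, cookies):
    """Decide what to do with one POST. Returns (deliver, reason, recipient);
    deliver=False means drop silently. fields and cookies are plain dicts."""
    # 1) taint check: nothing bound for a mail header may contain a line break
    for name in HEADER_FIELDS:
        if LINE_BREAK.search(fields.get(name, "")):
            return False, f"line break in {name}", None
    # the recipient must resolve through the table; anything else is ignored
    recipient = RECIPIENTS.get(fields.get("recipient", ""))
    if recipient is None:
        return False, "unknown recipient hash", None
    # 2) the bot's signature in this thread: a sender address on our own domain
    sender = fields.get("email", "").strip().lower()
    if sender.endswith("@" + OWN_DOMAIN):
        return False, "sender claims our own domain", None
    # 3) 'test for a human': the cookie the form page set must come back
    presented = cookies.get(FORM_COOKIE_NAME, "")
    if not hmac.compare_digest(presented, FORM_COOKIE_VALUE):
        return False, "missing form cookie", None
    return True, "ok", recipient


def respond(decision):
    """Same text either way, so the bot cannot tell a drop from a delivery."""
    return THANKS


def recipient_token(address):
    """What the site puts in the hidden field for a given address."""
    return hashlib.sha1(address.encode()).hexdigest()


if __name__ == "__main__":
    good = {"recipient": recipient_token("office@example.org"),
            "name": "Visitor", "email": "visitor@example.net",
            "subject": "Service times", "comments": "Hello"}
    bot = dict(good, email="myfrjxzt@example.org")  # constructed, mirrors the thread
    for label, fields, cookies in (
        ("visitor", good, {FORM_COOKIE_NAME: FORM_COOKIE_VALUE}),
        ("bot", bot, {}),
    ):
        decision = handle_submission(fields, cookies)
        print(label, decision, "->", respond(decision))
```

The order of the checks matters only for the reason string; every branch returns the same user-visible text through `respond`, which is the "don't let on" point made earlier in the thread. Note that a bot which has read the HTML still holds a valid recipient hash, so the hash table stops address substitution, not the submissions themselves; the domain and cookie checks are what actually drop this bot's traffic.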
User #84749   1261 posts
Whirlpool Enthusiast

Yeah, I just made mine check for a human, and if it doesn't find one, it doesn't email, but sends the bot into a loop, which it might find interesting..

hehe

posted 2005-Sep-14, 1am AEST
User #94205   10 posts
Forum Regular

I didn't think robots could access forms ... especially submitting them

posted 2005-Sep-14, 9am AEST
User #84749   1261 posts
Whirlpool Enthusiast

www.afallon.com/spamtrap.htm

www.parnasse.com/trap.html

posted 2005-Sep-14, 10am AEST