It's hard to find the script because we have several hundred hosting customers on this particular server. Even if the cfmail scripts are properly coded to prevent email injection, the spammer might actually be a regular customer just abusing his account. I will look into those programs to see if they can help me monitor the cfmail usage. Mail server logs don't help because it just shows the web server as the sender.
-----Original Message----- From: Robertson-Ravo, Neil (RX) [mailto:[EMAIL PROTECTED] Sent: Wednesday, March 15, 2006 1:23 PM To: CF-Server Subject: Re: CFMAIL Abuse Well, if you know it is a customers script then you should be well placed to find out what script is triggering it. You could log all ColdFusion calls using FusionReactor or SeeFusion or could simply log what goes in and out of your mail server and block any bogus relays. What business are you in? You could disble cfmail for a short period :-) N "This e-mail is from Reed Exhibitions (Oriel House, 26 The Quadrant, Richmond, Surrey, TW9 1DL, United Kingdom), a division of Reed Business, Registered in England, Number 678540. It contains information which is confidential and may also be privileged. It is for the exclusive use of the intended recipient(s). If you are not the intended recipient(s) please note that any form of distribution, copying or use of this communication or the information in it is strictly prohibited and may be unlawful. If you have received this communication in error please return it to the sender or call our switchboard on +44 (0) 20 89107910. The opinions expressed within this communication are not necessarily those expressed by Reed Exhibitions." Visit our website at http://www.reedexpo.com -----Original Message----- From: Steve Nguyen - Anumina.com <[EMAIL PROTECTED]> To: CF-Server <[email protected]> Sent: Wed Mar 15 18:15:15 2006 Subject: RE: CFMAIL Abuse Thanks for your reply Mike. The problem is that it isn't our form script, it's one of our customer's script. It may not even be email injection - it may be a customer just abusing the cfmail tag to spam, but I can't figure out who it is because the domain's he's using is from some other host. If there's a way to tell what script the cfmail command came from, I'd be set. I've run a search on all scripts on the server for the email addresses and content, but came up with nothing, so I'm assuming they have it all in a database. -----Original Message----- From: Mike Chytracek [mailto:[EMAIL PROTECTED] Sent: Wednesday, March 15, 2006 1:06 PM To: CF-Server Subject: RE: CFMAIL Abuse If you are using cfmail to send a form submission, check the referrer to make sure that the form is actually posting and not a user with their own script. One thing we have done is place a log on every script that uses the cfmail tag so we can track the usage independent of client. Sucks if you have A LOT of files using cfmail. But an ounce of prevention.... Mike ----- NOTE: Sorry, i had posted this earlier to the wrong forum =( We are experiencing a problem with a spammer using CFMAIL to send out spam. I don't know if it's a direct customer or someone using email injection on a customer's site. The mail logs only show when, who, where and what was emailed, but I need to figure out who's scripts are being run that is doing this. The CF logs don't help. Is there a way to find out who's abusing the cfmail tag? The only thing I can do is add filters on the mail server to prevent the email from going through, but the spammer just keeps changing his domain name and content. Any ideas on how to fight this? ://www.houseoffusion.com/tiny.cfm/54 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~| Message: http://www.houseoffusion.com/lists.cfm/link=i:10:5867 Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/10 Subscription: http://www.houseoffusion.com/lists.cfm/link=s:10 Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.10 Donations & Support: http://www.houseoffusion.com/tiny.cfm/54
