Re: OT - Nice site I will recommend you to all my friends.
On Friday 11 August 2006 21:18, Al Musella, DPM wrote: somehow set the referrer to be the action page.. but some set it to Sending custom HTTP headers is trivial. Referer should not be used as part of security. the original form page also.. but the time never looks right.. usually either 0 seconds or way over an hour for the bot . Normal people take anywhere from 10 seconds to a minute. So a combination of time To prevent the obvious counter attack, you should store the original time server side in the users session and recheck it on form post. -- Tom Chiverton This email is sent for and on behalf of Halliwells LLP. Halliwells LLP is a limited liability partnership registered in England and Wales under registered number OC307980 whose registered office address is at St James's Court Brown Street Manchester M2 2JF. A list of members is available for inspection at the registered office. Any reference to a partner in relation to Halliwells LLP means a member of Halliwells LLP. Regulated by the Law Society. CONFIDENTIALITY This email is intended only for the use of the addressee named above and may be confidential or legally privileged. If you are not the addressee you must not read it and must not use any information contained in nor copy it nor inform any person other than Halliwells LLP or the addressee of its existence or contents. If you have received this email in error please delete it and notify Halliwells LLP IT Department on 0870 365 8008. For more information about Halliwells LLP visit www.halliwells.com. ~| Introducing the Fusion Authority Quarterly Update. 80 pages of hard-hitting, up-to-date ColdFusion information by your peers, delivered to your door four times a year. http://www.fusionauthority.com/quarterly Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:249703 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
RE: OT - Nice site I will recommend you to all my friends.
Assuming you were doing it manually... you'd just look yourself. We all know these guys are scumbags for doing it but I doubt half of them could figure out how to do it without the help of an automated script kiddie tool. The idea would be to automate 1002, 10002, even millions of the posts a day... I dont think ANYONE would want to verify any of those manually. Just automate it and wait about 7 days and hit google. ..:.:.:.:.:.:.:.:.:.:.:.:. Bobby Hartsfield http://acoderslife.com -Original Message- From: Mark A Kruger [mailto:[EMAIL PROTECTED] Sent: Friday, August 11, 2006 9:18 AM To: CF-Talk Subject: RE: OT - Nice site I will recommend you to all my friends. Tom or Andy, Fill me in on this a little more. If I'm a hacker posting to a blog or guestbook, what advantage is there to not waiting for the POST request to return and googling for my text later? I'm trying to think of a scenario where this would save time rather than waste time. -Mark -Original Message- From: Andy Matthews [mailto:[EMAIL PROTECTED] Sent: Friday, August 11, 2006 8:10 AM To: CF-Talk Subject: RE: OT - Nice site I will recommend you to all my friends. Ah...I gotcha. So they Google for the unique text they posted (on your site) and if they find it, they know that form is vulnerable? Not only are they sneaky bastards, but they're lazy as well? !//-- andy matthews web developer certified advanced coldfusion programmer ICGLink, Inc. [EMAIL PROTECTED] 615.370.1530 x737 --//- -Original Message- From: Bobby Hartsfield [mailto:[EMAIL PROTECTED] Sent: Thursday, August 10, 2006 4:55 PM To: CF-Talk Subject: RE: OT - Nice site I will recommend you to all my friends. Once they've ran it for a while, they'll give it a week or so and search Google for the text. If they find it, that means their method of posting it worked and the site is exactly what they are looking for. (vulnerable) .:.:.:.:.:.:.:.:.:.:.:.:. Bobby Hartsfield http://acoderslife.com -Original Message- From: Andy Matthews [mailto:[EMAIL PROTECTED] Sent: Thursday, August 10, 2006 10:44 AM To: CF-Talk Subject: RE: OT - Nice site I will recommend you to all my friends. What would they be waiting for? !//-- andy matthews web developer certified advanced coldfusion programmer ICGLink, Inc. [EMAIL PROTECTED] 615.370.1530 x737 --//- -Original Message- From: Tom Chiverton [mailto:[EMAIL PROTECTED] Sent: Thursday, August 10, 2006 9:30 AM To: CF-Talk Subject: Re: OT - Nice site I will recommend you to all my friends. On Thursday 10 August 2006 14:52, Les Mizzell wrote: Nice site I will recommend you to all my friends. guess It's a test to find vulnerable sites without bothering to wait for a POST of a form to come back - just submit the request and check back at some future point. -- Tom Chiverton ~| Introducing the Fusion Authority Quarterly Update. 80 pages of hard-hitting, up-to-date ColdFusion information by your peers, delivered to your door four times a year. http://www.fusionauthority.com/quarterly Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:249696 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
RE: OT - Nice site I will recommend you to all my friends.
If you wrote your own form to post to the remote action page, you'd set the time field yourself anyway. yeah, you could check the referrer but thats easily spoofed or simply not reported ..:.:.:.:.:.:.:.:.:.:.:.:. Bobby Hartsfield http://acoderslife.com -Original Message- From: Brian Dumbledore [mailto:[EMAIL PROTECTED] Sent: Friday, August 11, 2006 11:32 AM To: CF-Talk Subject: Re: OT - Nice site I will recommend you to all my friends. One of my colleagues suggested a solution that almost works, On the form page you have a form field which has the time when the form is loaded (now()), on the action page, you make sure hte field exists, and then also see if now() now is atleast 1-2 seconds more than the formfield value (hoping that if it is a bot post, it would be very quick and less than whatever the interval we set it as, and hence a bot). Only if the time difference is human, do you process further. Hope this helps. ~| Introducing the Fusion Authority Quarterly Update. 80 pages of hard-hitting, up-to-date ColdFusion information by your peers, delivered to your door four times a year. http://www.fusionauthority.com/quarterly Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:249697 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
RE: OT - Nice site I will recommend you to all my friends.
Ah...I gotcha. So they Google for the unique text they posted (on your site) and if they find it, they know that form is vulnerable? Not only are they sneaky bastards, but they're lazy as well? !//-- andy matthews web developer certified advanced coldfusion programmer ICGLink, Inc. [EMAIL PROTECTED] 615.370.1530 x737 --//- -Original Message- From: Bobby Hartsfield [mailto:[EMAIL PROTECTED] Sent: Thursday, August 10, 2006 4:55 PM To: CF-Talk Subject: RE: OT - Nice site I will recommend you to all my friends. Once theyve ran it for a while, theyll give it a week or so and search Google for the text. If they find it, that means their method of posting it worked and the site is exactly what they are looking for. (vulnerable) ...:.:.:.:.:.:.:.:.:.:.:.:. Bobby Hartsfield http://acoderslife.com -Original Message- From: Andy Matthews [mailto:[EMAIL PROTECTED] Sent: Thursday, August 10, 2006 10:44 AM To: CF-Talk Subject: RE: OT - Nice site I will recommend you to all my friends. What would they be waiting for? !//-- andy matthews web developer certified advanced coldfusion programmer ICGLink, Inc. [EMAIL PROTECTED] 615.370.1530 x737 --//- -Original Message- From: Tom Chiverton [mailto:[EMAIL PROTECTED] Sent: Thursday, August 10, 2006 9:30 AM To: CF-Talk Subject: Re: OT - Nice site I will recommend you to all my friends. On Thursday 10 August 2006 14:52, Les Mizzell wrote: Nice site I will recommend you to all my friends. guess It's a test to find vulnerable sites without bothering to wait for a POST of a form to come back - just submit the request and check back at some future point. -- Tom Chiverton This email is sent for and on behalf of Halliwells LLP. Halliwells LLP is a limited liability partnership registered in England and Wales under registered number OC307980 whose registered office address is at St James's Court Brown Street Manchester M2 2JF. A list of members is available for inspection at the registered office. Any reference to a partner in relation to Halliwells LLP means a member of Halliwells LLP. Regulated by the Law Society. CONFIDENTIALITY This email is intended only for the use of the addressee named above and may be confidential or legally privileged. If you are not the addressee you must not read it and must not use any information contained in nor copy it nor inform any person other than Halliwells LLP or the addressee of its existence or contents. If you have received this email in error please delete it and notify Halliwells LLP IT Department on 0870 365 8008. For more information about Halliwells LLP visit www.halliwells.com. ~| Introducing the Fusion Authority Quarterly Update. 80 pages of hard-hitting, up-to-date ColdFusion information by your peers, delivered to your door four times a year. http://www.fusionauthority.com/quarterly Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:249549 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
RE: OT - Nice site I will recommend you to all my friends.
Tom or Andy, Fill me in on this a little more. If I'm a hacker posting to a blog or guestbook, what advantage is there to not waiting for the POST request to return and googling for my text later? I'm trying to think of a scenario where this would save time rather than waste time. -Mark -Original Message- From: Andy Matthews [mailto:[EMAIL PROTECTED] Sent: Friday, August 11, 2006 8:10 AM To: CF-Talk Subject: RE: OT - Nice site I will recommend you to all my friends. Ah...I gotcha. So they Google for the unique text they posted (on your site) and if they find it, they know that form is vulnerable? Not only are they sneaky bastards, but they're lazy as well? !//-- andy matthews web developer certified advanced coldfusion programmer ICGLink, Inc. [EMAIL PROTECTED] 615.370.1530 x737 --//- -Original Message- From: Bobby Hartsfield [mailto:[EMAIL PROTECTED] Sent: Thursday, August 10, 2006 4:55 PM To: CF-Talk Subject: RE: OT - Nice site I will recommend you to all my friends. Once they've ran it for a while, they'll give it a week or so and search Google for the text. If they find it, that means their method of posting it worked and the site is exactly what they are looking for. (vulnerable) :.:.:.:.:.:.:.:.:.:.:.:. Bobby Hartsfield http://acoderslife.com -Original Message- From: Andy Matthews [mailto:[EMAIL PROTECTED] Sent: Thursday, August 10, 2006 10:44 AM To: CF-Talk Subject: RE: OT - Nice site I will recommend you to all my friends. What would they be waiting for? !//-- andy matthews web developer certified advanced coldfusion programmer ICGLink, Inc. [EMAIL PROTECTED] 615.370.1530 x737 --//- -Original Message- From: Tom Chiverton [mailto:[EMAIL PROTECTED] Sent: Thursday, August 10, 2006 9:30 AM To: CF-Talk Subject: Re: OT - Nice site I will recommend you to all my friends. On Thursday 10 August 2006 14:52, Les Mizzell wrote: Nice site I will recommend you to all my friends. guess It's a test to find vulnerable sites without bothering to wait for a POST of a form to come back - just submit the request and check back at some future point. -- Tom Chiverton ~| Introducing the Fusion Authority Quarterly Update. 80 pages of hard-hitting, up-to-date ColdFusion information by your peers, delivered to your door four times a year. http://www.fusionauthority.com/quarterly Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:249553 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
Re: OT - Nice site I will recommend you to all my friends.
I suspect it's purely about getting google etc to pickup the links thus falsely inflating the number of sites linked by the advertising ones, and so increasing their search engine ranking. If you're not getting any text in the message it may be your naming convention on the form - specifically the message field - is outside the bounds of what's acceptable to the bot. Not sure how that ranking thing would work though as I expect a corp the scale of google would spot these things fairly quickly. Cheers, --Aegis Tom or Andy, Fill me in on this a little more. If I'm a hacker posting to a blog or guestbook, what advantage is there to not waiting for the POST request to return and googling for my text later? I'm trying to think of a scenario where this would save time rather than waste time. -Mark -Original Message- From: Andy Matthews [mailto:[EMAIL PROTECTED] Sent: Friday, August 11, 2006 8:10 AM To: CF-Talk Subject: RE: OT - Nice site I will recommend you to all my friends. Ah...I gotcha. So they Google for the unique text they posted (on your site) and if they find it, they know that form is vulnerable? Not only are they sneaky bastards, but they're lazy as well? !//-- andy matthews web developer certified advanced coldfusion programmer ICGLink, Inc. [EMAIL PROTECTED] 615.370.1530 x737 --//- -Original Message- From: Bobby Hartsfield [mailto:[EMAIL PROTECTED] Sent: Thursday, August 10, 2006 4:55 PM To: CF-Talk Subject: RE: OT - Nice site I will recommend you to all my friends. Once they've ran it for a while, they'll give it a week or so and search Google for the text. If they find it, that means their method of posting it worked and the site is exactly what they are looking for. (vulnerable) ...:.:.:.:.:.:.:.:.:.:.:.:. Bobby Hartsfield http://acoderslife.com -Original Message- From: Andy Matthews [mailto:[EMAIL PROTECTED] Sent: Thursday, August 10, 2006 10:44 AM To: CF-Talk Subject: RE: OT - Nice site I will recommend you to all my friends. What would they be waiting for? !//-- andy matthews web developer certified advanced coldfusion programmer ICGLink, Inc. [EMAIL PROTECTED] 615.370.1530 x737 --//- -Original Message- From: Tom Chiverton [mailto:[EMAIL PROTECTED] Sent: Thursday, August 10, 2006 9:30 AM To: CF-Talk Subject: Re: OT - Nice site I will recommend you to all my friends. On Thursday 10 August 2006 14:52, Les Mizzell wrote: Nice site I will recommend you to all my friends. guess It's a test to find vulnerable sites without bothering to wait for a POST of a form to come back - just submit the request and check back at some future point. -- Tom Chiverton ~| Introducing the Fusion Authority Quarterly Update. 80 pages of hard-hitting, up-to-date ColdFusion information by your peers, delivered to your door four times a year. http://www.fusionauthority.com/quarterly Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:249561 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
Re: OT - Nice site I will recommend you to all my friends.
On Friday 11 August 2006 14:17, Mark A Kruger wrote: guestbook, what advantage is there to not waiting for the POST request to return and googling for my text later? I'm trying to think of a scenario where this would save time rather than waste time. Because google do the indexing and returning of which sites are vulnerable for you. Otherwise you'd have to either check back yourself after some amount of time, or maintain a list and/or cache. -- Tom Chiverton This email is sent for and on behalf of Halliwells LLP. Halliwells LLP is a limited liability partnership registered in England and Wales under registered number OC307980 whose registered office address is at St James's Court Brown Street Manchester M2 2JF. A list of members is available for inspection at the registered office. Any reference to a partner in relation to Halliwells LLP means a member of Halliwells LLP. Regulated by the Law Society. CONFIDENTIALITY This email is intended only for the use of the addressee named above and may be confidential or legally privileged. If you are not the addressee you must not read it and must not use any information contained in nor copy it nor inform any person other than Halliwells LLP or the addressee of its existence or contents. If you have received this email in error please delete it and notify Halliwells LLP IT Department on 0870 365 8008. For more information about Halliwells LLP visit www.halliwells.com. ~| Introducing the Fusion Authority Quarterly Update. 80 pages of hard-hitting, up-to-date ColdFusion information by your peers, delivered to your door four times a year. http://www.fusionauthority.com/quarterly Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:249564 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
Re: OT - Nice site I will recommend you to all my friends.
If you're not getting any text in the message it may be your naming convention on the form Nice site I will recommend you to all my friends. *is* the text. That's why I was initially confused about this particular spam bot. Seemed to serve no purpose. I understand the bots that fill the message area with links to viagra/porn/whatever sites as a way to try and increase search engine rankings for those sites, but Google is to smart to fall for it anyway. Having no link in the message of any kind threw me off at first. Why not go ahead and try to post all the intended spam the first time around instead of a two tiered attack? Twice the work to do it that way, right? unless there's something a little more sinister in store at a later date for the vunerable form addresses that get collected. ~| Introducing the Fusion Authority Quarterly Update. 80 pages of hard-hitting, up-to-date ColdFusion information by your peers, delivered to your door four times a year. http://www.fusionauthority.com/quarterly Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:249566 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
RE: OT - Nice site I will recommend you to all my friends.
Tom, Don't most guestbooks or blogs automatically post the message? Why would you need to wait to check? Couldn't you check right away? I must be missing something. -Mark -Original Message- From: Tom Chiverton [mailto:[EMAIL PROTECTED] Sent: Friday, August 11, 2006 8:52 AM To: CF-Talk Subject: Re: OT - Nice site I will recommend you to all my friends. On Friday 11 August 2006 14:17, Mark A Kruger wrote: guestbook, what advantage is there to not waiting for the POST request to return and googling for my text later? I'm trying to think of a scenario where this would save time rather than waste time. Because google do the indexing and returning of which sites are vulnerable for you. Otherwise you'd have to either check back yourself after some amount of time, or maintain a list and/or cache. -- Tom Chiverton This email is sent for and on behalf of Halliwells LLP. Halliwells LLP is a limited liability partnership registered in England and Wales under registered number OC307980 whose registered office address is at St James's Court Brown Street Manchester M2 2JF. A list of members is available for inspection at the registered office. Any reference to a partner in relation to Halliwells LLP means a member of Halliwells LLP. Regulated by the Law Society. CONFIDENTIALITY This email is intended only for the use of the addressee named above and may be confidential or legally privileged. If you are not the addressee you must not read it and must not use any information contained in nor copy it nor inform any person other than Halliwells LLP or the addressee of its existence or contents. If you have received this email in error please delete it and notify Halliwells LLP IT Department on 0870 365 8008. For more information about Halliwells LLP visit www.halliwells.com. ~| Introducing the Fusion Authority Quarterly Update. 80 pages of hard-hitting, up-to-date ColdFusion information by your peers, delivered to your door four times a year. http://www.fusionauthority.com/quarterly Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:249568 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
RE: OT - Nice site I will recommend you to all my friends.
It's likely they're testing their system so they can charge people to send their spam. We can guarantee your message will appear on 50,000 websites and will be indexed by Google within 1 week! -Original Message- From: Les Mizzell Sent: Friday, August 11, 2006 9:50 AM To: CF-Talk Subject: Re: OT - Nice site I will recommend you to all my friends. Having no link in the message of any kind threw me off at first. Why not go ahead and try to post all the intended spam the first time around instead of a two tiered attack? Twice the work to do it that way, right? . unless there's something a little more sinister in store at a later date for the vunerable form addresses that get collected. ~| Introducing the Fusion Authority Quarterly Update. 80 pages of hard-hitting, up-to-date ColdFusion information by your peers, delivered to your door four times a year. http://www.fusionauthority.com/quarterly Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:249569 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
RE: OT - Nice site I will recommend you to all my friends.
Don't most guestbooks or blogs automatically post the message? Why would you need to wait to check? Couldn't you check right away? I must be missing something. I think it's because these guys are using software to post to thousands of sites at once. It would be quite a job to manually go check all of those sites. I read on Michael Dinowitz' blog recently that these guys often purchase a huge list of web forms that they can try to spam, and they just use software to do it. Often times they just go straight to the form's action page, which is why you want to have something in your form processor to make sure the submission actually came from your site. -- This transmission may contain information that is privileged, confidential and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format. Thank you. A1. ~| Introducing the Fusion Authority Quarterly Update. 80 pages of hard-hitting, up-to-date ColdFusion information by your peers, delivered to your door four times a year. http://www.fusionauthority.com/quarterly Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:249587 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
Re: OT - Nice site I will recommend you to all my friends.
On Friday 11 August 2006 15:02, Mark A Kruger wrote: Don't most guestbooks or blogs automatically post the message? Why would I think it is Blogger that goes so far as to say 'there may be a delay before your message appears' you need to wait to check? Couldn't you check right away? I must be missing something. See the other comment about being able to prove how many blogs you can spam *and have google index* in X amount of time. -- Tom Chiverton This email is sent for and on behalf of Halliwells LLP. Halliwells LLP is a limited liability partnership registered in England and Wales under registered number OC307980 whose registered office address is at St James's Court Brown Street Manchester M2 2JF. A list of members is available for inspection at the registered office. Any reference to a partner in relation to Halliwells LLP means a member of Halliwells LLP. Regulated by the Law Society. CONFIDENTIALITY This email is intended only for the use of the addressee named above and may be confidential or legally privileged. If you are not the addressee you must not read it and must not use any information contained in nor copy it nor inform any person other than Halliwells LLP or the addressee of its existence or contents. If you have received this email in error please delete it and notify Halliwells LLP IT Department on 0870 365 8008. For more information about Halliwells LLP visit www.halliwells.com. ~| Introducing the Fusion Authority Quarterly Update. 80 pages of hard-hitting, up-to-date ColdFusion information by your peers, delivered to your door four times a year. http://www.fusionauthority.com/quarterly Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:249589 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
RE: OT - Nice site I will recommend you to all my friends.
Ah... I see... So they are now purchasing web forms... (sigh) -Original Message- From: Munson, Jacob [mailto:[EMAIL PROTECTED] Sent: Friday, August 11, 2006 10:01 AM To: CF-Talk Subject: RE: OT - Nice site I will recommend you to all my friends. Don't most guestbooks or blogs automatically post the message? Why would you need to wait to check? Couldn't you check right away? I must be missing something. I think it's because these guys are using software to post to thousands of sites at once. It would be quite a job to manually go check all of those sites. I read on Michael Dinowitz' blog recently that these guys often purchase a huge list of web forms that they can try to spam, and they just use software to do it. Often times they just go straight to the form's action page, which is why you want to have something in your form processor to make sure the submission actually came from your site. -- This transmission may contain information that is privileged, confidential and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format. Thank you. A1. ~| Introducing the Fusion Authority Quarterly Update. 80 pages of hard-hitting, up-to-date ColdFusion information by your peers, delivered to your door four times a year. http://www.fusionauthority.com/quarterly Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:249593 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
Re: OT - Nice site I will recommend you to all my friends.
One of my colleagues suggested a solution that almost works, On the form page you have a form field which has the time when the form is loaded (now()), on the action page, you make sure hte field exists, and then also see if now() now is atleast 1-2 seconds more than the formfield value (hoping that if it is a bot post, it would be very quick and less than whatever the interval we set it as, and hence a bot). Only if the time difference is human, do you process further. Hope this helps. ~| Introducing the Fusion Authority Quarterly Update. 80 pages of hard-hitting, up-to-date ColdFusion information by your peers, delivered to your door four times a year. http://www.fusionauthority.com/quarterly Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:249605 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
Re: OT - Nice site I will recommend you to all my friends.
I implemented something like that a few weeks ago ( checking time to post and also the referrer) and it does help a lot... most of the bots somehow set the referrer to be the action page.. but some set it to the original form page also.. but the time never looks right.. usually either 0 seconds or way over an hour for the bot . Normal people take anywhere from 10 seconds to a minute. So a combination of time and checking the referer look like it might get 99% of the spam bots for now.. until they start checking and fixing the time code then we can play around by encoding the time or just offset it by an hour - so they overfix it! One of my colleagues suggested a solution that almost works, On the form page you have a form field which has the time when the form is loaded (now()), on the action page, you make sure hte field exists, and then also see if now() now is atleast 1-2 seconds more than the formfield value (hoping that if it is a bot post, it would be very quick and less than whatever the interval we set it as, and hence a bot). Only if the time difference is human, do you process further. ~| Introducing the Fusion Authority Quarterly Update. 80 pages of hard-hitting, up-to-date ColdFusion information by your peers, delivered to your door four times a year. http://www.fusionauthority.com/quarterly Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:249630 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
RE: OT - Nice site I will recommend you to all my friends.
Wonder if they're trying to see if they can use it to send spam to other people... Are there any funky headers or anything like that? -Original Message- From: Les Mizzell [mailto:[EMAIL PROTECTED] Sent: Thursday, August 10, 2006 9:52 AM To: CF-Talk Subject: OT - Nice site I will recommend you to all my friends. Nice site I will recommend you to all my friends. Jezz, this is the newest spam that seems to be targeting my guestbook and contact forms. 30 or 40 of them a day on one particular site! The forms are all protected using various CF schemes and the spam doesn't get though, but what the heck is the purpose of this one? It's not advertising anything or trying to post links to some stupid blog. Any admins out there with access to logs? Is this one trying to do something else that I'm not seeing since I've got them all blocked? ~| Introducing the Fusion Authority Quarterly Update. 80 pages of hard-hitting, up-to-date ColdFusion information by your peers, delivered to your door four times a year. http://www.fusionauthority.com/quarterly Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:249455 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
Re: OT - Nice site I will recommend you to all my friends.
On Thursday 10 August 2006 14:52, Les Mizzell wrote: Nice site I will recommend you to all my friends. guess It's a test to find vulnerable sites without bothering to wait for a POST of a form to come back - just submit the request and check back at some future point. -- Tom Chiverton This email is sent for and on behalf of Halliwells LLP. Halliwells LLP is a limited liability partnership registered in England and Wales under registered number OC307980 whose registered office address is at St James's Court Brown Street Manchester M2 2JF. A list of members is available for inspection at the registered office. Any reference to a partner in relation to Halliwells LLP means a member of Halliwells LLP. Regulated by the Law Society. CONFIDENTIALITY This email is intended only for the use of the addressee named above and may be confidential or legally privileged. If you are not the addressee you must not read it and must not use any information contained in nor copy it nor inform any person other than Halliwells LLP or the addressee of its existence or contents. If you have received this email in error please delete it and notify Halliwells LLP IT Department on 0870 365 8008. For more information about Halliwells LLP visit www.halliwells.com. ~| Introducing the Fusion Authority Quarterly Update. 80 pages of hard-hitting, up-to-date ColdFusion information by your peers, delivered to your door four times a year. http://www.fusionauthority.com/quarterly Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:249457 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
RE: OT - Nice site I will recommend you to all my friends.
What would they be waiting for? !//-- andy matthews web developer certified advanced coldfusion programmer ICGLink, Inc. [EMAIL PROTECTED] 615.370.1530 x737 --//- -Original Message- From: Tom Chiverton [mailto:[EMAIL PROTECTED] Sent: Thursday, August 10, 2006 9:30 AM To: CF-Talk Subject: Re: OT - Nice site I will recommend you to all my friends. On Thursday 10 August 2006 14:52, Les Mizzell wrote: Nice site I will recommend you to all my friends. guess It's a test to find vulnerable sites without bothering to wait for a POST of a form to come back - just submit the request and check back at some future point. -- Tom Chiverton This email is sent for and on behalf of Halliwells LLP. Halliwells LLP is a limited liability partnership registered in England and Wales under registered number OC307980 whose registered office address is at St James's Court Brown Street Manchester M2 2JF. A list of members is available for inspection at the registered office. Any reference to a partner in relation to Halliwells LLP means a member of Halliwells LLP. Regulated by the Law Society. CONFIDENTIALITY This email is intended only for the use of the addressee named above and may be confidential or legally privileged. If you are not the addressee you must not read it and must not use any information contained in nor copy it nor inform any person other than Halliwells LLP or the addressee of its existence or contents. If you have received this email in error please delete it and notify Halliwells LLP IT Department on 0870 365 8008. For more information about Halliwells LLP visit www.halliwells.com. ~| Introducing the Fusion Authority Quarterly Update. 80 pages of hard-hitting, up-to-date ColdFusion information by your peers, delivered to your door four times a year. http://www.fusionauthority.com/quarterly Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:249459 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
Re: OT - Nice site I will recommend you to all my friends.
On Thursday 10 August 2006 15:44, Andy Matthews wrote: What would they be waiting for? Google to reindex the site. -- Tom Chiverton This email is sent for and on behalf of Halliwells LLP. Halliwells LLP is a limited liability partnership registered in England and Wales under registered number OC307980 whose registered office address is at St James's Court Brown Street Manchester M2 2JF. A list of members is available for inspection at the registered office. Any reference to a partner in relation to Halliwells LLP means a member of Halliwells LLP. Regulated by the Law Society. CONFIDENTIALITY This email is intended only for the use of the addressee named above and may be confidential or legally privileged. If you are not the addressee you must not read it and must not use any information contained in nor copy it nor inform any person other than Halliwells LLP or the addressee of its existence or contents. If you have received this email in error please delete it and notify Halliwells LLP IT Department on 0870 365 8008. For more information about Halliwells LLP visit www.halliwells.com. ~| Introducing the Fusion Authority Quarterly Update. 80 pages of hard-hitting, up-to-date ColdFusion information by your peers, delivered to your door four times a year. http://www.fusionauthority.com/quarterly Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:249467 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
RE: OT - Nice site I will recommend you to all my friends.
Once theyve ran it for a while, theyll give it a week or so and search Google for the text. If they find it, that means their method of posting it worked and the site is exactly what they are looking for. (vulnerable) ..:.:.:.:.:.:.:.:.:.:.:.:. Bobby Hartsfield http://acoderslife.com -Original Message- From: Andy Matthews [mailto:[EMAIL PROTECTED] Sent: Thursday, August 10, 2006 10:44 AM To: CF-Talk Subject: RE: OT - Nice site I will recommend you to all my friends. What would they be waiting for? !//-- andy matthews web developer certified advanced coldfusion programmer ICGLink, Inc. [EMAIL PROTECTED] 615.370.1530 x737 --//- -Original Message- From: Tom Chiverton [mailto:[EMAIL PROTECTED] Sent: Thursday, August 10, 2006 9:30 AM To: CF-Talk Subject: Re: OT - Nice site I will recommend you to all my friends. On Thursday 10 August 2006 14:52, Les Mizzell wrote: Nice site I will recommend you to all my friends. guess It's a test to find vulnerable sites without bothering to wait for a POST of a form to come back - just submit the request and check back at some future point. -- Tom Chiverton This email is sent for and on behalf of Halliwells LLP. Halliwells LLP is a limited liability partnership registered in England and Wales under registered number OC307980 whose registered office address is at St James's Court Brown Street Manchester M2 2JF. A list of members is available for inspection at the registered office. Any reference to a partner in relation to Halliwells LLP means a member of Halliwells LLP. Regulated by the Law Society. CONFIDENTIALITY This email is intended only for the use of the addressee named above and may be confidential or legally privileged. If you are not the addressee you must not read it and must not use any information contained in nor copy it nor inform any person other than Halliwells LLP or the addressee of its existence or contents. If you have received this email in error please delete it and notify Halliwells LLP IT Department on 0870 365 8008. For more information about Halliwells LLP visit www.halliwells.com. ~| Introducing the Fusion Authority Quarterly Update. 80 pages of hard-hitting, up-to-date ColdFusion information by your peers, delivered to your door four times a year. http://www.fusionauthority.com/quarterly Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:249524 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
