re: [Declude.JunkMail] Version 4.4.0 leaving some trash?

[Gary Steiner]

I noticed that I also have a newly created 25MB file called $RNCD.AVG in the 
C:\WINDOWS\Temp directory.

Could this file be related to this problem?

Gary



 Original Message 
> From: "David Barker" <[EMAIL PROTECTED]>
> Sent: Friday, April 04, 2008 9:34 PM
> To: declude.junkmail@declude.com
> Subject: re: [Declude.JunkMail] Version 4.4.0 leaving some trash?
> 
> We have been made aware of this and are currently looking into the cause, it 
> seems to be AVG that is the source, if used in combination with a 3rd party 
> scanner. We are trying to replicate the issue to have it resolved.
> 
> David B
> 
> 
> From: "Adolfo Justiniano" <[EMAIL PROTECTED]>
> Sent: Friday, April 04, 2008 7:13 PM
> To: declude.junkmail@declude.com
> Subject: [Declude.JunkMail] Version 4.4.0 leaving some trash? 
> 
> Is someone else noticing that version 4.4.0 is leaving a lot of txt files in
> the proc/work directory? Version 4.3.46 didn't do this, I've noticed since
> we upgraded.
> 
> Adolfo Justiniano
> Santa Cruz BBS
> e-mail: [EMAIL PROTECTED]
> http://www.scbbs.net 
> 
> ---
> [This E-mail was scanned for viruses by the Santa Cruz BBS anti-virus system]
> 
> ---
> This E-mail came from the Declude.JunkMail mailing list.  To
> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> type "unsubscribe Declude.JunkMail".  The archives can be found
> 
> 
> 
> 
> ---
> This E-mail came from the Declude.JunkMail mailing list.  To
> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> type "unsubscribe Declude.JunkMail".  The archives can be found
> at http://www.mail-archive.com. 





---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

Re: [Declude.JunkMail] form spam filter

[Matt]

Note that I'm not claiming that I have the absolute best way to go about 
doing this, but I do have my opinions.


If a form mail spamming software is going to go through the process of 
parsing JavaScript and CSS, it wouldn't be a leap at all to see them 
parsing CAPTCHA's.  There is open source CAPTCHA parsing code, and it 
has been around for a long time, and spammers are known to use this code 
for at least cracking accounts at places like Hotmail and Yahoo for 
sometime.


If I was a spammer, I would start cracking CAPTCHA's before I bothered 
with JavaScript and CSS.  While there may very well be code out there 
that mimicks keystrokes and the like, spammers are not trying to hit 
100%, and that's why adding DIV visibility hidden fields fools these guys.


I do consider CAPTCHA's a barrier for legitimate users, and I personally 
feel they are a pain, especially if they are messed up enough to not be 
easily broken with CAPTCHA parsing code.  Since this is the most common 
automation blocking method, it is also the most likely to fail to 
protect things down the line.


My take is to do something custom/non-standard, and essentially reverse 
engineer their methods.  They test forms for success, so you fool them 
by pretending there is success.  If a simple solution like DIV 
visibility hidden used on extra fields that will cause the mail not to 
be sent, but nevertheless verified, stops working, then I would jump to 
other methods.  They have to have a payload, so blocking URL's with 
JavaScript is appropriate for many contact forms, and you check for 
URL's in the mail sending script and pretend success if found.  Again, 
spammers won't know the difference, and they aren't going to great 
lengths to obfuscate URL's currently, so that would be 100% effective, 
but an occasional pain for visitors who for some reason desire to send 
URL's.


I also like some of Mark's designer's tricks, and there are tons of 
tricks out there that can be effective.  For instance, you could use 
JavaScript to read the screen sizes, and if they are too small, or 
non-existent, you pretend success, but do not send the E-mail.


The pretend success is a major component of all of these tricks, and it 
is easy enough to create some sort of multi-factor hurdle that is just 
too custom for a generic form submission program to get right.  
CAPTCHA's on the other hand are a burden for legitimate users, and their 
utility will likely disappear in time, whereas these other methods are 
neither a burden, nor are they likely to cease being effective.


That's my take on it.

Matt



Darin Cox wrote:
Hmmm... good idea.  Though the testing/form filler tools I've seen 
aren't using pasting.  They are generating keystrokes and targeting 
them into the appropriate fields.
 
With the tools I've seen, the ability exists to put pauses in, but 
that would effectively restrict volume submissions for a spammer, and 
therefore cut down significantly on traffic.  The only drawback is for 
forms that a user accesses multiple times and may use previously 
submitted data.  In those cases, they might resubmit the form as-is, 
thus invalidating the timer.  Also, note that the confirmation page is 
CAPTCHA.


Darin.
 
 
- Original Message -

*From:* Marc Catuogno 
*To:* declude.junkmail@declude.com 
*Sent:* Wednesday, April 09, 2008 12:22 PM
*Subject:* RE: [Declude.JunkMail] form spam filter

One thing we did on our domain is to ban "pasting" so that the scripts 
couldn't paste their info into our fields.  Also I just had an idea 
and asked the webmaster if he could program the form to perform a 
different action if the form page was opened for too short of a time 
period.  Like shoot to a second page that would ask for a confirmation 
click or word to be typed in. This assumes that a person would take 
significantly more time to fill a form than a program, even if it is a 
keystroke generator


 

*From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On Behalf Of 
*Darin Cox

*Sent:* Wednesday, April 09, 2008 11:54 AM
*To:* declude.junkmail@declude.com
*Subject:* Re: [Declude.JunkMail] form spam filter

 


Matt,

 

I did understand.  What I'm saying is that it doesn't always work.  To 
clarify, in addition to less sophisticated automated form fillers that 
would fill out all fields, there are also more sophisticated ones that 
use keystroke generators to fill out forms.  I just saw one in the 
public domain last month.  CAPTCHA doesn't have this problem, would 
defeat those automated form fillers, and is therefore more reliable 
with similarly very little effort to implement.



Darin.

 

 


- Original Message -

*From:* Matt 

*To:* declude.junkmail@declude.com 

*Sent:* Wednesday, April 09, 2008 11:45 AM

*Subject:* Re: [Declude.JunkMail] form spam filter

 




No, I understood completely.  I've seen forms

Re: [Declude.JunkMail] form spam filter

[Darin Cox]

Hmmm... good idea.  Though the testing/form filler tools I've seen aren't using 
pasting.  They are generating keystrokes and targeting them into the 
appropriate fields.

With the tools I've seen, the ability exists to put pauses in, but that would 
effectively restrict volume submissions for a spammer, and therefore cut down 
significantly on traffic.  The only drawback is for forms that a user accesses 
multiple times and may use previously submitted data.  In those cases, they 
might resubmit the form as-is, thus invalidating the timer.  Also, note that 
the confirmation page is CAPTCHA.

Darin.


- Original Message - 
From: Marc Catuogno 
To: declude.junkmail@declude.com 
Sent: Wednesday, April 09, 2008 12:22 PM
Subject: RE: [Declude.JunkMail] form spam filter


One thing we did on our domain is to ban "pasting" so that the scripts couldn't 
paste their info into our fields.  Also I just had an idea and asked the 
webmaster if he could program the form to perform a different action if the 
form page was opened for too short of a time period.  Like shoot to a second 
page that would ask for a confirmation click or word to be typed in. This 
assumes that a person would take significantly more time to fill a form than a 
program, even if it is a keystroke generator

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
Sent: Wednesday, April 09, 2008 11:54 AM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] form spam filter

 

Matt,

 

I did understand.  What I'm saying is that it doesn't always work.  To clarify, 
in addition to less sophisticated automated form fillers that would fill out 
all fields, there are also more sophisticated ones that use keystroke 
generators to fill out forms.  I just saw one in the public domain last month.  
CAPTCHA doesn't have this problem, would defeat those automated form fillers, 
and is therefore more reliable with similarly very little effort to implement.


Darin.

 

 

- Original Message - 

From: Matt 

To: declude.junkmail@declude.com 

Sent: Wednesday, April 09, 2008 11:45 AM

Subject: Re: [Declude.JunkMail] form spam filter

 





No, I understood completely.  I've seen forms with fields hidden by DIVs still 
filled out.  Some of the less sophisticated spam form fillers I've seen used 
simply filled out every field.  They were not looking to see what was "visible" 
and what wasn't.

Actually this is the part that you misunderstood.  The DIV's with visibility 
hidden will never be filled out by real people, but they will get filled out by 
form spam sending robots.  So if they get filled out, you pretend the 
submission was successful, but you don't generate the E-mail.

It's a simple trick, and it works.

Matt

---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com.


---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com. 


---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com. 

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

RE: [Declude.JunkMail] form spam filter

[Marc Catuogno]

One thing we did on our domain is to ban "pasting" so that the scripts
couldn't paste their info into our fields.  Also I just had an idea and
asked the webmaster if he could program the form to perform a different
action if the form page was opened for too short of a time period.  Like
shoot to a second page that would ask for a confirmation click or word to be
typed in. This assumes that a person would take significantly more time to
fill a form than a program, even if it is a keystroke generator

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin
Cox
Sent: Wednesday, April 09, 2008 11:54 AM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] form spam filter

 

Matt,

 

I did understand.  What I'm saying is that it doesn't always work.  To
clarify, in addition to less sophisticated automated form fillers that would
fill out all fields, there are also more sophisticated ones that use
keystroke generators to fill out forms.  I just saw one in the public domain
last month.  CAPTCHA doesn't have this problem, would defeat those automated
form fillers, and is therefore more reliable with similarly very little
effort to implement.


Darin.

 

 

- Original Message - 

From: Matt   

To: declude.junkmail@declude.com 

Sent: Wednesday, April 09, 2008 11:45 AM

Subject: Re: [Declude.JunkMail] form spam filter

 





No, I understood completely.  I've seen forms with fields hidden by DIVs
still filled out.  Some of the less sophisticated spam form fillers I've
seen used simply filled out every field.  They were not looking to see what
was "visible" and what wasn't.

Actually this is the part that you misunderstood.  The DIV's with visibility
hidden will never be filled out by real people, but they will get filled out
by form spam sending robots.  So if they get filled out, you pretend the
submission was successful, but you don't generate the E-mail.

It's a simple trick, and it works.

Matt

---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com.


---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com. 



---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

Re: [Declude.JunkMail] form spam filter

[Darin Cox]

Matt,

I did understand.  What I'm saying is that it doesn't always work.  To clarify, 
in addition to less sophisticated automated form fillers that would fill out 
all fields, there are also more sophisticated ones that use keystroke 
generators to fill out forms.  I just saw one in the public domain last month.  
CAPTCHA doesn't have this problem, would defeat those automated form fillers, 
and is therefore more reliable with similarly very little effort to implement.

Darin.


- Original Message - 
From: Matt 
To: declude.junkmail@declude.com 
Sent: Wednesday, April 09, 2008 11:45 AM
Subject: Re: [Declude.JunkMail] form spam filter




  No, I understood completely.  I've seen forms with fields hidden by DIVs 
still filled out.  Some of the less sophisticated spam form fillers I've seen 
used simply filled out every field.  They were not looking to see what was 
"visible" and what wasn't.
Actually this is the part that you misunderstood.  The DIV's with visibility 
hidden will never be filled out by real people, but they will get filled out by 
form spam sending robots.  So if they get filled out, you pretend the 
submission was successful, but you don't generate the E-mail.

It's a simple trick, and it works.

Matt

---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com.

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

Re: [Declude.JunkMail] form spam filter

[Matt]

No, I understood completely.  I've seen forms with fields hidden by 
DIVs still filled out.  Some of the less sophisticated spam form 
fillers I've seen used simply filled out every field.  They were not 
looking to see what was "visible" and what wasn't.
Actually this is the part that you misunderstood.  The DIV's with 
visibility hidden will never be filled out by real people, but they will 
get filled out by form spam sending robots.  So if they get filled out, 
you pretend the submission was successful, but you don't generate the 
E-mail.


It's a simple trick, and it works.

Matt


---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

RE: [Declude.JunkMail] Need strategy to up score.

[Robert Grosshandler]

The PCRE for yahoo.co.uk might just be the ticket.


Thanks!

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott
Fisher
Sent: Wednesday, April 09, 2008 8:58 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Need strategy to up score.



---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

Re: [Declude.JunkMail] form spam filter

[Darin Cox]

Hi Markus,

Good points.  However, we haven't had much trouble filtering outside spam from 
web forms, so I wasn't thinking of it from that perspective.

The main trouble we've had is filtering spammy form submissions to customers 
from their own websites.  Those sites are using our internal servers, so they 
deliver directly, bypassing our filtering.  For this CAPTCHA has been the 
answer, though checking the referring URL has been a 2-second fix that has been 
good enough in some cases where customers didn't want CAPTCHA or didn't want to 
pay us the minimal fee to implement it.

Darin.


- Original Message - 
From: Gufler Markus | Limitis 
To: declude.junkmail@declude.com 
Sent: Wednesday, April 09, 2008 10:53 AM
Subject: RE: [Declude.JunkMail] form spam filter


Matt, Darin

would it possible that you both forget, that 99,9+% of all incomming formmail 
spam is send from millions of webservers all around the world and you have no 
control of it.

Darin: 
It wouldn't be virtual impossible to keep a list af all this webservers. Some 
IP-Blacklists try to do this for years now.
Also don't forget that great part of websites are hosted on shared web hosting 
servers and also if you would catch some spamy messages by flagging some IP you 
could never be sure that some legit message from the same server isntt catched 
as FP

Markus






--
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
  Sent: Wednesday, April 09, 2008 4:24 PM
  To: declude.junkmail@declude.com
  Subject: Re: [Declude.JunkMail] form spam filter


  Darin,

  I think you missed what I was saying exactly.  If the form spammer fills out 
the fields that are hidden by DIV's, the E-mail wouldn't be sent by the mailer 
script and it would pretend to have been successful.

  Spammers use programs to do this stuff, and although they are intelligent 
programs, they almost definitely will target fields named "Name" and "E-mail", 
and if on their first try they fill these fields in and they get a positive 
response from the script, their program will stop trying to fix issues.

  I won't claim that this method is 100% effective, but I have used it in some 
cases and no one ever said that it didn't do the trick for them.  If they got 
through that trick, I would ban URL's with a JavaScript alert and then silently 
with the mailer script (figuring that no real people would get a URL to the 
mailer script).

  This is the easiest of all methods to implement.  It takes 5 to 10 minutes to 
fix a form and you don't hinder your visitors with CAPTCHAs.  It's not like 
there isn't code being used by spammers elsewhere that read CAPTCHA's anyway, 
though I suspect that the current form spammers are not doing that right now.

  Matt



  Darin Cox wrote: 
Hi Matt,

Some do, some don't.  I've seen both methods used on some customer sites.

Setting session variables on the form page definitely wouldn't work, as a 
spammer that hits the form would receive the same session information anyone 
else would.

Certainly checking data against constraints is _always_ important, whether 
to prevent hacking, avoid data exceptions, enforce business rules, etc.

The method you outline seems like it would only work if the spammer doesn't 
submit to all fields.  Some of the attempts we've seen populated all fields, so 
this wouldn't work on those.

I'd stick with CAPTCHA as the best and most foolproof method to avoid these 
problems.  It's fairly easy to implement (there are a number of free examples 
in public domain), is familiar to most people filling out the forms, and works 
well.

Darin.


- Original Message - 
From: Matt 
To: declude.junkmail@declude.com 
Sent: Wednesday, April 09, 2008 8:55 AM
Subject: Re: [Declude.JunkMail] form spam filter


The form spammers are smarter than to go directly to the mail script.  They 
will hit for the form submission page with what appears to be IE and submit the 
form.  They even handle cookies correctly.

The trick for form spam is to take fields like your Name and E-mail and 
rename the variables to something like "ignore-old-data1" and 
"ignore-old-data2" and adjust your mailer script for the new names.  Then you 
insert new form fields in the form page that are hidden with a DIV and call 
them Name and E-mail.  Your mailer script should pretend that the E-mail was 
successful if these fields have data in them, but you should simply 86 the 
actual message.  This will trick their testing software into thinking that they 
were successful, and the DIV's with visibility hidden will not be seen by 
normal visitors.  You might also want to put some javascript in the form 
submission page that looks for a URL in the form and warn the submitter that 
they can't send URL's, and then also have the mailer script silently reject a 
submission that has a URL in it.  RegEx would b

RE: [Declude.JunkMail] form spam filter

[Gufler Markus | Limitis]

Matt, Darin
 
would it possible that you both forget, that 99,9+% of all incomming
formmail spam is send from millions of webservers all around the world and
you have no control of it.
 
Darin: 
It wouldn't be virtual impossible to keep a list af all this webservers.
Some IP-Blacklists try to do this for years now.
Also don't forget that great part of websites are hosted on shared web
hosting servers and also if you would catch some spamy messages by flagging
some IP you could never be sure that some legit message from the same server
isntt catched as FP
 
Markus
 
 
 


  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Wednesday, April 09, 2008 4:24 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] form spam filter


Darin,

I think you missed what I was saying exactly.  If the form spammer fills out
the fields that are hidden by DIV's, the E-mail wouldn't be sent by the
mailer script and it would pretend to have been successful.

Spammers use programs to do this stuff, and although they are intelligent
programs, they almost definitely will target fields named "Name" and
"E-mail", and if on their first try they fill these fields in and they get a
positive response from the script, their program will stop trying to fix
issues.

I won't claim that this method is 100% effective, but I have used it in some
cases and no one ever said that it didn't do the trick for them.  If they
got through that trick, I would ban URL's with a JavaScript alert and then
silently with the mailer script (figuring that no real people would get a
URL to the mailer script).

This is the easiest of all methods to implement.  It takes 5 to 10 minutes
to fix a form and you don't hinder your visitors with CAPTCHAs.  It's not
like there isn't code being used by spammers elsewhere that read CAPTCHA's
anyway, though I suspect that the current form spammers are not doing that
right now.

Matt



Darin Cox wrote: 

Hi Matt,
 
Some do, some don't.  I've seen both methods used on some customer sites.
 
Setting session variables on the form page definitely wouldn't work, as a
spammer that hits the form would receive the same session information anyone
else would.
 
Certainly checking data against constraints is _always_ important, whether
to prevent hacking, avoid data exceptions, enforce business rules, etc.
 
The method you outline seems like it would only work if the spammer doesn't
submit to all fields.  Some of the attempts we've seen populated all fields,
so this wouldn't work on those.
 
I'd stick with CAPTCHA as the best and most foolproof method to avoid these
problems.  It's fairly easy to implement (there are a number of free
examples in public domain), is familiar to most people filling out the
forms, and works well.

Darin.
 
 
- Original Message - 
From: Matt   
To: declude.junkmail@declude.com 
Sent: Wednesday, April 09, 2008 8:55 AM
Subject: Re: [Declude.JunkMail] form spam filter

The form spammers are smarter than to go directly to the mail script.  They
will hit for the form submission page with what appears to be IE and submit
the form.  They even handle cookies correctly.

The trick for form spam is to take fields like your Name and E-mail and
rename the variables to something like "ignore-old-data1" and
"ignore-old-data2" and adjust your mailer script for the new names.  Then
you insert new form fields in the form page that are hidden with a DIV and
call them Name and E-mail.  Your mailer script should pretend that the
E-mail was successful if these fields have data in them, but you should
simply 86 the actual message.  This will trick their testing software into
thinking that they were successful, and the DIV's with visibility hidden
will not be seen by normal visitors.  You might also want to put some
javascript in the form submission page that looks for a URL in the form and
warn the submitter that they can't send URL's, and then also have the mailer
script silently reject a submission that has a URL in it.  RegEx would be
required in both JavaScript and the ASP or whatever code to do the URL
checking.

As far as I know, this seems to work perfectly, but setting session
variables on the form page doesn't do a damn thing.

Matt



Darin Cox wrote: 

Since forms all use different emailers, and the form content is different as
well, your only hope is content filtering based on what the spammer
submitted... like SURBL filtering or REGEX on the spammer submission.
 
These days, web-based form processing pages should minimally check that the
referring page is what it is supposed to be (i.e. the form page submit
button was clicked as opposed to a spammer submitting directly to the form
action URL), and better yet implement CAPTCHA, require a login, or some
other similar security measure.

Darin.
 
 
- Original Message - 
From: Craig Edmonds   
To: declude.junkmail@declude.com 
Sent: Wednesday, April 09, 200

Re[2]: [Declude.JunkMail] form spam filter

[Pete McNeil]

On Wednesday, April 9, 2008, 10:01:56 AM, Craig wrote:




>


Hi Darin,
 
I guess what I am looking for from Declude (or a third party) is to provide me a filter that will phrase filter the incoming form mail and determine if its a spammy one or not.





We may be able to help you.

Please send some samples (zipped) off list -- [EMAIL PROTECTED]

_M

---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com. 




---This E-mail came from the Declude.JunkMail mailing list.  Tounsubscribe, just send an E-mail to [EMAIL PROTECTED], andtype "unsubscribe Declude.JunkMail".  The archives can be foundat http://www.mail-archive.com.

Re: [Declude.JunkMail] form spam filter

[Darin Cox]

Hi Matt,

No, I understood completely.  I've seen forms with fields hidden by DIVs still 
filled out.  Some of the less sophisticated spam form fillers I've seen used 
simply filled out every field.  They were not looking to see what was "visible" 
and what wasn't.

CAPTCHA is easy as well... takes similarly just a few minutes to add since 
there is so much code in the public domain... and it is much more difficult to 
bypass than a hidden DIV is.  I'm not saying it's perfect since it is possible 
that OCR could be developed to be smart enough to bypass CAPTCHA (though it has 
not to date), and it does require an extra step by the website visitor, but it 
certainly appears to be the best method currently, and no more difficult to 
implement than others that I've seen.

Darin.


- Original Message - 
From: Matt 
To: declude.junkmail@declude.com 
Sent: Wednesday, April 09, 2008 10:24 AM
Subject: Re: [Declude.JunkMail] form spam filter


Darin,

I think you missed what I was saying exactly.  If the form spammer fills out 
the fields that are hidden by DIV's, the E-mail wouldn't be sent by the mailer 
script and it would pretend to have been successful.

Spammers use programs to do this stuff, and although they are intelligent 
programs, they almost definitely will target fields named "Name" and "E-mail", 
and if on their first try they fill these fields in and they get a positive 
response from the script, their program will stop trying to fix issues.

I won't claim that this method is 100% effective, but I have used it in some 
cases and no one ever said that it didn't do the trick for them.  If they got 
through that trick, I would ban URL's with a JavaScript alert and then silently 
with the mailer script (figuring that no real people would get a URL to the 
mailer script).

This is the easiest of all methods to implement.  It takes 5 to 10 minutes to 
fix a form and you don't hinder your visitors with CAPTCHAs.  It's not like 
there isn't code being used by spammers elsewhere that read CAPTCHA's anyway, 
though I suspect that the current form spammers are not doing that right now.

Matt



Darin Cox wrote: 
  Hi Matt,

  Some do, some don't.  I've seen both methods used on some customer sites.

  Setting session variables on the form page definitely wouldn't work, as a 
spammer that hits the form would receive the same session information anyone 
else would.

  Certainly checking data against constraints is _always_ important, whether to 
prevent hacking, avoid data exceptions, enforce business rules, etc.

  The method you outline seems like it would only work if the spammer doesn't 
submit to all fields.  Some of the attempts we've seen populated all fields, so 
this wouldn't work on those.

  I'd stick with CAPTCHA as the best and most foolproof method to avoid these 
problems.  It's fairly easy to implement (there are a number of free examples 
in public domain), is familiar to most people filling out the forms, and works 
well.

  Darin.


  - Original Message - 
  From: Matt 
  To: declude.junkmail@declude.com 
  Sent: Wednesday, April 09, 2008 8:55 AM
  Subject: Re: [Declude.JunkMail] form spam filter


  The form spammers are smarter than to go directly to the mail script.  They 
will hit for the form submission page with what appears to be IE and submit the 
form.  They even handle cookies correctly.

  The trick for form spam is to take fields like your Name and E-mail and 
rename the variables to something like "ignore-old-data1" and 
"ignore-old-data2" and adjust your mailer script for the new names.  Then you 
insert new form fields in the form page that are hidden with a DIV and call 
them Name and E-mail.  Your mailer script should pretend that the E-mail was 
successful if these fields have data in them, but you should simply 86 the 
actual message.  This will trick their testing software into thinking that they 
were successful, and the DIV's with visibility hidden will not be seen by 
normal visitors.  You might also want to put some javascript in the form 
submission page that looks for a URL in the form and warn the submitter that 
they can't send URL's, and then also have the mailer script silently reject a 
submission that has a URL in it.  RegEx would be required in both JavaScript 
and the ASP or whatever code to do the URL checking.

  As far as I know, this seems to work perfectly, but setting session variables 
on the form page doesn't do a damn thing.

  Matt



  Darin Cox wrote: 
Since forms all use different emailers, and the form content is different 
as well, your only hope is content filtering based on what the spammer 
submitted... like SURBL filtering or REGEX on the spammer submission.

These days, web-based form processing pages should minimally check that the 
referring page is what it is supposed to be (i.e. the form page submit button 
was clicked as opposed to a spammer submitting directly to the form action 
URL), and better yet implement 

Re: [Declude.JunkMail] form spam filter

[Matt]

Darin,

I think you missed what I was saying exactly.  If the form spammer fills 
out the fields that are hidden by DIV's, the E-mail wouldn't be sent by 
the mailer script and it would pretend to have been successful.


Spammers use programs to do this stuff, and although they are 
intelligent programs, they almost definitely will target fields named 
"Name" and "E-mail", and if on their first try they fill these fields in 
and they get a positive response from the script, their program will 
stop trying to fix issues.


I won't claim that this method is 100% effective, but I have used it in 
some cases and no one ever said that it didn't do the trick for them.  
If they got through that trick, I would ban URL's with a JavaScript 
alert and then silently with the mailer script (figuring that no real 
people would get a URL to the mailer script).


This is the easiest of all methods to implement.  It takes 5 to 10 
minutes to fix a form and you don't hinder your visitors with CAPTCHAs.  
It's not like there isn't code being used by spammers elsewhere that 
read CAPTCHA's anyway, though I suspect that the current form spammers 
are not doing that right now.


Matt



Darin Cox wrote:

Hi Matt,
 
Some do, some don't.  I've seen both methods used on some customer sites.
 
Setting session variables on the form page definitely wouldn't work, 
as a spammer that hits the form would receive the same session 
information anyone else would.
 
Certainly checking data against constraints is _always_ important, 
whether to prevent hacking, avoid data exceptions, enforce business 
rules, etc.
 
The method you outline seems like it would only work if the spammer 
doesn't submit to all fields.  Some of the attempts we've seen 
populated all fields, so this wouldn't work on those.
 
I'd stick with CAPTCHA as the best and most foolproof method to avoid 
these problems.  It's fairly easy to implement (there are a number of 
free examples in public domain), is familiar to most people filling 
out the forms, and works well.


Darin.
 
 
- Original Message -

*From:* Matt 
*To:* declude.junkmail@declude.com 
*Sent:* Wednesday, April 09, 2008 8:55 AM
*Subject:* Re: [Declude.JunkMail] form spam filter

The form spammers are smarter than to go directly to the mail script.  
They will hit for the form submission page with what appears to be IE 
and submit the form.  They even handle cookies correctly.


The trick for form spam is to take fields like your Name and E-mail 
and rename the variables to something like "ignore-old-data1" and 
"ignore-old-data2" and adjust your mailer script for the new names.  
Then you insert new form fields in the form page that are hidden with 
a DIV and call them Name and E-mail.  Your mailer script should 
pretend that the E-mail was successful if these fields have data in 
them, but you should simply 86 the actual message.  This will trick 
their testing software into thinking that they were successful, and 
the DIV's with visibility hidden will not be seen by normal visitors.  
You might also want to put some javascript in the form submission page 
that looks for a URL in the form and warn the submitter that they 
can't send URL's, and then also have the mailer script silently reject 
a submission that has a URL in it.  RegEx would be required in both 
JavaScript and the ASP or whatever code to do the URL checking.


As far as I know, this seems to work perfectly, but setting session 
variables on the form page doesn't do a damn thing.


Matt



Darin Cox wrote:
Since forms all use different emailers, and the form content is 
different as well, your only hope is content filtering based on what 
the spammer submitted... like SURBL filtering or REGEX on the spammer 
submission.
 
These days, web-based form processing pages should minimally check 
that the referring page is what it is supposed to be (i.e. the form 
page submit button was clicked as opposed to a spammer submitting 
directly to the form action URL), and better yet implement CAPTCHA, 
require a login, or some other similar security measure.


Darin.
 
 
- Original Message -

*From:* Craig Edmonds 
*To:* declude.junkmail@declude.com 
*Sent:* Wednesday, April 09, 2008 3:16 AM
*Subject:* [Declude.JunkMail] form spam filter

Hi All,

Is there a filter for form spam?

Some clients complain that they get form spammers sending in junk via 
their web forms.


Some clients have captchas on their forms some don't, but I would 
like to be able to filter out the junk at declude level.


Any ideas?

Kindest Regards
Craig Edmonds
123 Marbella Internet
W: www.123marbella.com 
E : [EMAIL PROTECTED] 

LEGAL DISCLAIMER - This message may contain confidential, proprietary 
or legally privileged information and is intended only for the use of 
the addressee named

RE: [Declude.JunkMail] form spam filter

[Craig Edmonds]

Hi Darin,

 

I guess what I am looking for from Declude (or a third party) is to provide
me a filter that will phrase filter the incoming form mail and determine if
its a spammy one or not.

I am not really great at creating filters myself but this is how I would
imagine there would be some regex involved.

 

1) message comes in from the web server/domain

2) the ip address of the web server is checked, if its from a known web
server that we know has forms on it then it gets run through the filter

3) the body of the message is checked with REGEX filtering

4) weight is added to the email dependant on the results

This process would mean that if a client suddenly starts seeing his form
being spammed, he lets us know and we add their domain to the filter and any
further forms that comes in, will get checked.

I am no declude/regex genius but this theory sounds pretty solid to me.

 

The problem we have here, is that clients suddenly complain about form spam
(from forms we have designed without captchas or ones others have designed)
and when we say , "well you need a captcha and its going to cost you
$50-$100 for us to install one of them", I get the feeling they kind of view
it like some kind of scam. (I mean if I did not understand about this kind
of stuff, I would think the same).

The other methods ie with div tags and captchas are great but it involves
someone's time to programme the pages etc but it would be nice to have some
control over the incoming spams at the mail server level too.

I anyone thinks they can make a filter for this, then let me know. I can
spend a couple of hundred bucks on this.



Kindest Regards
Craig Edmonds
123 Marbella Internet
W: www.123marbella.com
E : [EMAIL PROTECTED]

 

LEGAL DISCLAIMER - This message may contain confidential, proprietary or
legally privileged information and is intended only for the use of the
addressee named above. If you are not the intended recipient of this message
you are hereby informed that you must not use, disseminate, copy it in any
form or take any action in reliance on it. If you have received this message
in error please delete it and any copies of it and notify it to the sender. 

 

AVISO LEGAL - Este mensaje puede contener informacion confidencial, en
propiedad o legalmente protegida y esta dirigida unicamente para el uso de
la persona destinataria. Si usted no es la persona destinataria de este
mensaje, por la presente se le comunica que no debe usar, difundir, copiar
de ninguna forma, ni emprender ninguna accion en relacion con ella.

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin
Cox
Sent: 09 April 2008 15:34
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] form spam filter

 

Hi Craig,

 

There's really nothing Declude can currently do with this.  The headers will
all be different, and the format and content of the messages are all
different, based on what the web form handler does.

 

That only leaves the actually values in the form fields for filtering
purposes.  To filter that, you need to use SURBL and REGEX phrase filtering.
These are not Declude's purview.  Declude is an enabler for you to script
your own filters, or use those from third parties like SURBL lookups or
content filtering engines.

 

It sounds like what you're asking for is for Declude to get into the
business of providing an SURBL lookup function, keeping an SURBL database
updated, and implementing something like Message Sniffer's content filtering
engine.  Is that correct?


Darin.

 

 

- Original Message - 

From: Craig Edmonds   

To: declude.junkmail@declude.com 

Sent: Wednesday, April 09, 2008 9:22 AM

Subject: RE: [Declude.JunkMail] form spam filter

 

Thanks people for the comments.

 

I will stick with captchas for now but it would be great if declude could
figure a nice filter to deal with it, at the end of the day its still
incoming spam.

 

Kindest Regards
Craig Edmonds
123 Marbella Web Design in Spain
W: www.123marbella.net

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin
Cox
Sent: 09 April 2008 15:09
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] form spam filter

 

Hi Matt,

 

Some do, some don't.  I've seen both methods used on some customer sites.

 

Setting session variables on the form page definitely wouldn't work, as a
spammer that hits the form would receive the same session information anyone
else would.

 

Certainly checking data against constraints is _always_ important, whether
to prevent hacking, avoid data exceptions, enforce business rules, etc.

 

The method you outline seems like it would only work if the spammer doesn't
submit to all fields.  Some of the attempts we've seen populated all fields,
so this wouldn't work on those.

 

I'd stick with CAPTCHA as the best and most foolproof method to avoid these
problems.  It's fairly easy to implement (there are a number of free
examples in public domain), is 

RE: [Declude.JunkMail] Need strategy to up score.

[Scott Fisher]

Here's a filter I use:
# attack Yahoo spammers
SKIPIFWEIGHT315
MAXWEIGHT   150
#

#  exclude the big emails and those with good attachments
TESTSFAILED END CONTAINSMPPT-SIZE-L
TESTSFAILED END CONTAINSMPPT-SIZE-XL
TESTSFAILED END CONTAINSMPPT-SIZE-XXL
TESTSFAILED END CONTAINSATTACHMENT-GOOD
#
MAILFROMEND NOTCONTAINS @YAHOO.
REVDNS  END NOTCONTAINS .YAHOO.

# Reverse Good tests
TESTSFAILED 15  CONTAINSMXRATE-WHITE-LAST
TESTSFAILED 30  CONTAINSBONDEDSENDER-DYNA
TESTSFAILED 15  CONTAINSMPPT-SIZE-L
TESTSFAILED 15  CONTAINSBODY-STATE-WL
TESTSFAILED 10  CONTAINSDNSWL-ISP-LOW
TESTSFAILED 20  CONTAINSDNSWL-ISP-MEDIUM
TESTSFAILED 40  CONTAINSDNSWL-ISP-HIGH
TESTSFAILED 10  CONTAINSDNSWL-NEWSLETTERS-LOW
TESTSFAILED 20  CONTAINSDNSWL-NEWSLETTERS-MEDIUM
TESTSFAILED 40  CONTAINSDNSWL-NEWSLETTERS-HIGH

# Common spam items
TESTSFAILED 50  CONTAINSBODY-BLOGS
TESTSFAILED 50  CONTAINSBODY-FREEHOSTS
TESTSFAILED 50  CONTAINSBODY-URL-SHORTENER
TESTSFAILED 50  CONTAINSLANGUAGE-CYRILLIC
TESTSFAILED 50  CONTAINSLANGUAGE-EASTERNEUROPEAN

# Punish these tests more
TESTSFAILED 25  CONTAINSSNIFFER-SNAKEOIL
TESTSFAILED 25  CONTAINSSNIFFER-PORN

SUBJECT 25  CONTAINSerotic
SUBJECT 25  CONTAINSnaughty
SUBJECT 25  CONTAINSpretty
SUBJECT 25  CONTAINSwhore
SUBJECT 25  CONTAINSgirlfriend
SUBJECT 25  CONTAINSschoolgirl
SUBJECT 25  CONTAINSsexual
SUBJECT 25  CONTAINScuties
SUBJECT 25  CONTAINSvirgin
SUBJECT 25  CONTAINSbitch
SUBJECT 25  CONTAINSdrugstore
SUBJECT 50  CONTAINSM e d
SUBJECT 25  CONTAINSPian
SUBJECT 50  CONTAINSP I A N
SUBJECT 25  CONTAINSViagra
SUBJECT 25  CONTAINSYahoo! Groups: You're invited!
SUBJECT 25  IS  hey
SUBJECT 25  CONTAINSporn

MAILFROM25  PCRE
(?i:[a-z]{5,[EMAIL PROTECTED])
MAILFROM25  PCRE
(?i:[a-z]{5,[EMAIL PROTECTED])

BODY25  CONTAINSGirlfriend
BODY25  CONTAINSSchoolgirl
BODY25  CONTAINSwhore
BODY25  CONTAINSPorn
BODY50  CONTAINS . c o m
BODY75  PCRE(www\.[a-z]{8,20}\.cn)
BODY100 PCRE(www\.[A-Za-z]+ dot com)
BODY100 PCRE(www\.[A-Za-z]+ dot  com)
BODY50  CONTAINSdot com
BODY25  CONTAINSw
BODY25  CONTAINSw
BODY25  CONTAINSw
BODY25  CONTAINSw



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert
Grosshandler
Sent: Tuesday, April 08, 2008 11:27 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Need strategy to up score.


Hi

We're getting spam that comes via Yahoo, looks good (but it isn't).  We'd
like to up the score it receives, so it won't get passed through.  We use
Sniffer/Declude/Inviurbl.

We're almost always Bcc'd.
Sometimes fails Sniffer, sometimes not (we've got a query into them, too.)
Doesn't always fail zerohour.
Always seems to be complete gobbledygook, plus a URL that looks like it is
well formed (and doesn't fail inviurbl test.)
Always seem to come via mud.yahoo.com (but so does legit email.)

Headers follow, thanks for any advice.



Received: from n26.bullet.mail.mud.yahoo.com [68.142.206.221] by
smtp.igive.com
  (SMTPD-9.23) id AD5302B4; Mon, 07 Apr 2008 19:33:23 -0500
Received: from [68.142.200.227] by n26.bullet.mail.mud.yahoo.com with NNFMP;
08 Apr 2008 00:33:22 -
Received: from [68.142.201.245] by t8.bullet.mud.yahoo.com with NNFMP; 08
Apr 2008 00:33:23 -
Received: from [127.0.0.1] by omp406.mail.mud.yahoo.com with NNFMP; 08 Apr
2008 00:33:23 -
X-Yahoo-Newman-Id: [EMAIL PROTECTED]
Message-ID: <[EMAIL PROTECTED]>
Received: (qmail 56970 invoked from network); 8 Apr 2008 00:33:22 -
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
  s=s1024; d=yahoo.co.uk;
 
h=Received:X-YMail-OSG:X-Yahoo-Newman-Property:From:To:Reply-To:Subject:Date
:MIME-Version:Content-type:Content-transfer-encoding;
 
b=56tfwh/ZgrQDDqdn753U/L6m1fWJcABbNVM/kWWVUnmtRb34zE7SUdPbuBl5pBR+vKu5gWQj0Y
4ZtqBDqA8eMMjB4wpIbGBcQLmMo2hvNECaSWG09steODkIiCbItU7nHLtbutkTV2FATYUQ/g6lib
rf/QtD3tsRFNT+zLMDRKw=  ;
Received: from unknown (HELO www.microsoft.com) ([EMAIL PROTECTED]
with login)
  by smtp123.plus.mail.

Re: [Declude.JunkMail] form spam filter

[Darin Cox]

Hi Craig,

There's really nothing Declude can currently do with this.  The headers will 
all be different, and the format and content of the messages are all different, 
based on what the web form handler does.

That only leaves the actually values in the form fields for filtering purposes. 
 To filter that, you need to use SURBL and REGEX phrase filtering.  These are 
not Declude's purview.  Declude is an enabler for you to script your own 
filters, or use those from third parties like SURBL lookups or content 
filtering engines.

It sounds like what you're asking for is for Declude to get into the business 
of providing an SURBL lookup function, keeping an SURBL database updated, and 
implementing something like Message Sniffer's content filtering engine.  Is 
that correct?

Darin.


- Original Message - 
From: Craig Edmonds 
To: declude.junkmail@declude.com 
Sent: Wednesday, April 09, 2008 9:22 AM
Subject: RE: [Declude.JunkMail] form spam filter


Thanks people for the comments.

 

I will stick with captchas for now but it would be great if declude could 
figure a nice filter to deal with it, at the end of the day its still incoming 
spam.

 

Kindest Regards
Craig Edmonds
123 Marbella Web Design in Spain
W: www.123marbella.net



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
Sent: 09 April 2008 15:09
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] form spam filter

 

Hi Matt,

 

Some do, some don't.  I've seen both methods used on some customer sites.

 

Setting session variables on the form page definitely wouldn't work, as a 
spammer that hits the form would receive the same session information anyone 
else would.

 

Certainly checking data against constraints is _always_ important, whether to 
prevent hacking, avoid data exceptions, enforce business rules, etc.

 

The method you outline seems like it would only work if the spammer doesn't 
submit to all fields.  Some of the attempts we've seen populated all fields, so 
this wouldn't work on those.

 

I'd stick with CAPTCHA as the best and most foolproof method to avoid these 
problems.  It's fairly easy to implement (there are a number of free examples 
in public domain), is familiar to most people filling out the forms, and works 
well.


Darin.

 

 

- Original Message - 

From: Matt 

To: declude.junkmail@declude.com 

Sent: Wednesday, April 09, 2008 8:55 AM

Subject: Re: [Declude.JunkMail] form spam filter

 

The form spammers are smarter than to go directly to the mail script.  They 
will hit for the form submission page with what appears to be IE and submit the 
form.  They even handle cookies correctly.

The trick for form spam is to take fields like your Name and E-mail and rename 
the variables to something like "ignore-old-data1" and "ignore-old-data2" and 
adjust your mailer script for the new names.  Then you insert new form fields 
in the form page that are hidden with a DIV and call them Name and E-mail.  
Your mailer script should pretend that the E-mail was successful if these 
fields have data in them, but you should simply 86 the actual message.  This 
will trick their testing software into thinking that they were successful, and 
the DIV's with visibility hidden will not be seen by normal visitors.  You 
might also want to put some javascript in the form submission page that looks 
for a URL in the form and warn the submitter that they can't send URL's, and 
then also have the mailer script silently reject a submission that has a URL in 
it.  RegEx would be required in both JavaScript and the ASP or whatever code to 
do the URL checking.

As far as I know, this seems to work perfectly, but setting session variables 
on the form page doesn't do a damn thing.

Matt



Darin Cox wrote: 

Since forms all use different emailers, and the form content is different as 
well, your only hope is content filtering based on what the spammer 
submitted... like SURBL filtering or REGEX on the spammer submission.

 

These days, web-based form processing pages should minimally check that the 
referring page is what it is supposed to be (i.e. the form page submit button 
was clicked as opposed to a spammer submitting directly to the form action 
URL), and better yet implement CAPTCHA, require a login, or some other similar 
security measure.


Darin.

 

 

- Original Message - 

From: Craig Edmonds 

To: declude.junkmail@declude.com 

Sent: Wednesday, April 09, 2008 3:16 AM

Subject: [Declude.JunkMail] form spam filter

 

Hi All,

Is there a filter for form spam?

Some clients complain that they get form spammers sending in junk via their web 
forms.

Some clients have captchas on their forms some don't, but I would like to be 
able to filter out the junk at declude level.

Any ideas?

Kindest Regards
Craig Edmonds
123 Marbella Internet
W: www.123marbella.com
E : [EMAIL PROTECTED]

LEGAL DISCLAIMER - This message may contain confidential, proprietary or 
legally privile

RE: [Declude.JunkMail] form spam filter

[Craig Edmonds]

Thanks people for the comments.

 

I will stick with captchas for now but it would be great if declude could
figure a nice filter to deal with it, at the end of the day its still
incoming spam.

 

Kindest Regards
Craig Edmonds
123 Marbella Web Design in Spain
W: www.123marbella.net



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin
Cox
Sent: 09 April 2008 15:09
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] form spam filter

 

Hi Matt,

 

Some do, some don't.  I've seen both methods used on some customer sites.

 

Setting session variables on the form page definitely wouldn't work, as a
spammer that hits the form would receive the same session information anyone
else would.

 

Certainly checking data against constraints is _always_ important, whether
to prevent hacking, avoid data exceptions, enforce business rules, etc.

 

The method you outline seems like it would only work if the spammer doesn't
submit to all fields.  Some of the attempts we've seen populated all fields,
so this wouldn't work on those.

 

I'd stick with CAPTCHA as the best and most foolproof method to avoid these
problems.  It's fairly easy to implement (there are a number of free
examples in public domain), is familiar to most people filling out the
forms, and works well.


Darin.

 

 

- Original Message - 

From: Matt   

To: declude.junkmail@declude.com 

Sent: Wednesday, April 09, 2008 8:55 AM

Subject: Re: [Declude.JunkMail] form spam filter

 

The form spammers are smarter than to go directly to the mail script.  They
will hit for the form submission page with what appears to be IE and submit
the form.  They even handle cookies correctly.

The trick for form spam is to take fields like your Name and E-mail and
rename the variables to something like "ignore-old-data1" and
"ignore-old-data2" and adjust your mailer script for the new names.  Then
you insert new form fields in the form page that are hidden with a DIV and
call them Name and E-mail.  Your mailer script should pretend that the
E-mail was successful if these fields have data in them, but you should
simply 86 the actual message.  This will trick their testing software into
thinking that they were successful, and the DIV's with visibility hidden
will not be seen by normal visitors.  You might also want to put some
javascript in the form submission page that looks for a URL in the form and
warn the submitter that they can't send URL's, and then also have the mailer
script silently reject a submission that has a URL in it.  RegEx would be
required in both JavaScript and the ASP or whatever code to do the URL
checking.

As far as I know, this seems to work perfectly, but setting session
variables on the form page doesn't do a damn thing.

Matt



Darin Cox wrote: 

Since forms all use different emailers, and the form content is different as
well, your only hope is content filtering based on what the spammer
submitted... like SURBL filtering or REGEX on the spammer submission.

 

These days, web-based form processing pages should minimally check that the
referring page is what it is supposed to be (i.e. the form page submit
button was clicked as opposed to a spammer submitting directly to the form
action URL), and better yet implement CAPTCHA, require a login, or some
other similar security measure.


Darin.

 

 

- Original Message - 

From: Craig Edmonds   

To: declude.junkmail@declude.com 

Sent: Wednesday, April 09, 2008 3:16 AM

Subject: [Declude.JunkMail] form spam filter

 

Hi All,

Is there a filter for form spam?

Some clients complain that they get form spammers sending in junk via their
web forms.

Some clients have captchas on their forms some don't, but I would like to be
able to filter out the junk at declude level.

Any ideas?

Kindest Regards
Craig Edmonds
123 Marbella Internet
W: www.123marbella.com
E : [EMAIL PROTECTED]

LEGAL DISCLAIMER - This message may contain confidential, proprietary or
legally privileged information and is intended only for the use of the
addressee named above. If you are not the intended recipient of this message
you are hereby informed that you must not use, disseminate, copy it in any
form or take any action in reliance on it. If you have received this message
in error please delete it and any copies of it and notify it to the sender. 

AVISO LEGAL - Este mensaje puede contener informacion confidencial, en
propiedad o legalmente protegida y esta dirigida unicamente para el uso de
la persona destinataria. Si usted no es la persona destinataria de este
mensaje, por la presente se le comunica que no debe usar, difundir, copiar
de ninguna forma, ni emprender ninguna accion en relacion con ella.


---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com. 
---
Th

Re: [Declude.JunkMail] form spam filter

[Darin Cox]

Hi Matt,

Some do, some don't.  I've seen both methods used on some customer sites.

Setting session variables on the form page definitely wouldn't work, as a 
spammer that hits the form would receive the same session information anyone 
else would.

Certainly checking data against constraints is _always_ important, whether to 
prevent hacking, avoid data exceptions, enforce business rules, etc.

The method you outline seems like it would only work if the spammer doesn't 
submit to all fields.  Some of the attempts we've seen populated all fields, so 
this wouldn't work on those.

I'd stick with CAPTCHA as the best and most foolproof method to avoid these 
problems.  It's fairly easy to implement (there are a number of free examples 
in public domain), is familiar to most people filling out the forms, and works 
well.

Darin.


- Original Message - 
From: Matt 
To: declude.junkmail@declude.com 
Sent: Wednesday, April 09, 2008 8:55 AM
Subject: Re: [Declude.JunkMail] form spam filter


The form spammers are smarter than to go directly to the mail script.  They 
will hit for the form submission page with what appears to be IE and submit the 
form.  They even handle cookies correctly.

The trick for form spam is to take fields like your Name and E-mail and rename 
the variables to something like "ignore-old-data1" and "ignore-old-data2" and 
adjust your mailer script for the new names.  Then you insert new form fields 
in the form page that are hidden with a DIV and call them Name and E-mail.  
Your mailer script should pretend that the E-mail was successful if these 
fields have data in them, but you should simply 86 the actual message.  This 
will trick their testing software into thinking that they were successful, and 
the DIV's with visibility hidden will not be seen by normal visitors.  You 
might also want to put some javascript in the form submission page that looks 
for a URL in the form and warn the submitter that they can't send URL's, and 
then also have the mailer script silently reject a submission that has a URL in 
it.  RegEx would be required in both JavaScript and the ASP or whatever code to 
do the URL checking.

As far as I know, this seems to work perfectly, but setting session variables 
on the form page doesn't do a damn thing.

Matt



Darin Cox wrote: 
  Since forms all use different emailers, and the form content is different as 
well, your only hope is content filtering based on what the spammer 
submitted... like SURBL filtering or REGEX on the spammer submission.

  These days, web-based form processing pages should minimally check that the 
referring page is what it is supposed to be (i.e. the form page submit button 
was clicked as opposed to a spammer submitting directly to the form action 
URL), and better yet implement CAPTCHA, require a login, or some other similar 
security measure.

  Darin.


  - Original Message - 
  From: Craig Edmonds 
  To: declude.junkmail@declude.com 
  Sent: Wednesday, April 09, 2008 3:16 AM
  Subject: [Declude.JunkMail] form spam filter


  Hi All,



  Is there a filter for form spam?



  Some clients complain that they get form spammers sending in junk via their 
web forms.

  Some clients have captchas on their forms some don't, but I would like to be 
able to filter out the junk at declude level.



  Any ideas?



  Kindest Regards
  Craig Edmonds
  123 Marbella Internet
  W: www.123marbella.com
  E : [EMAIL PROTECTED]



  LEGAL DISCLAIMER - This message may contain confidential, proprietary or 
legally privileged information and is intended only for the use of the 
addressee named above. If you are not the intended recipient of this message 
you are hereby informed that you must not use, disseminate, copy it in any form 
or take any action in reliance on it. If you have received this message in 
error please delete it and any copies of it and notify it to the sender. 



  AVISO LEGAL - Este mensaje puede contener informacion confidencial, en 
propiedad o legalmente protegida y esta dirigida unicamente para el uso de la 
persona destinataria. Si usted no es la persona destinataria de este mensaje, 
por la presente se le comunica que no debe usar, difundir, copiar de ninguna 
forma, ni emprender ninguna accion en relacion con ella.




  ---
  This E-mail came from the Declude.JunkMail mailing list. To
  unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
  type "unsubscribe Declude.JunkMail". The archives can be found
  at http://www.mail-archive.com. 
  ---
  This E-mail came from the Declude.JunkMail mailing list. To
  unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
  type "unsubscribe Declude.JunkMail". The archives can be found
  at http://www.mail-archive.com. 

---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com.

---
This E-mail came from

Re: [Declude.JunkMail] form spam filter

[Matt]

The form spammers are smarter than to go directly to the mail script.  
They will hit for the form submission page with what appears to be IE 
and submit the form.  They even handle cookies correctly.


The trick for form spam is to take fields like your Name and E-mail and 
rename the variables to something like "ignore-old-data1" and 
"ignore-old-data2" and adjust your mailer script for the new names.  
Then you insert new form fields in the form page that are hidden with a 
DIV and call them Name and E-mail.  Your mailer script should pretend 
that the E-mail was successful if these fields have data in them, but 
you should simply 86 the actual message.  This will trick their testing 
software into thinking that they were successful, and the DIV's with 
visibility hidden will not be seen by normal visitors.  You might also 
want to put some javascript in the form submission page that looks for a 
URL in the form and warn the submitter that they can't send URL's, and 
then also have the mailer script silently reject a submission that has a 
URL in it.  RegEx would be required in both JavaScript and the ASP or 
whatever code to do the URL checking.


As far as I know, this seems to work perfectly, but setting session 
variables on the form page doesn't do a damn thing.


Matt



Darin Cox wrote:
Since forms all use different emailers, and the form content is 
different as well, your only hope is content filtering based on what 
the spammer submitted... like SURBL filtering or REGEX on the spammer 
submission.
 
These days, web-based form processing pages should minimally check 
that the referring page is what it is supposed to be (i.e. the form 
page submit button was clicked as opposed to a spammer submitting 
directly to the form action URL), and better yet implement CAPTCHA, 
require a login, or some other similar security measure.


Darin.
 
 
- Original Message -

*From:* Craig Edmonds 
*To:* declude.junkmail@declude.com 
*Sent:* Wednesday, April 09, 2008 3:16 AM
*Subject:* [Declude.JunkMail] form spam filter

Hi All,

 


Is there a filter for form spam?

 

Some clients complain that they get form spammers sending in junk via 
their web forms.


Some clients have captchas on their forms some don't, but I would like 
to be able to filter out the junk at declude level.


 


Any ideas?

 


Kindest Regards
Craig Edmonds
123 Marbella Internet
W: www.123marbella.com 
E : [EMAIL PROTECTED] 

 

LEGAL DISCLAIMER - This message may contain confidential, proprietary 
or legally privileged information and is intended only for the use of 
the addressee named above. If you are not the intended recipient of 
this message you are hereby informed that you must not use, 
disseminate, copy it in any form or take any action in reliance on it. 
If you have received this message in error please delete it and any 
copies of it and notify it to the sender.


 

AVISO LEGAL - Este mensaje puede contener informacion confidencial, en 
propiedad o legalmente protegida y esta dirigida unicamente para el 
uso de la persona destinataria. Si usted no es la persona destinataria 
de este mensaje, por la presente se le comunica que no debe usar, 
difundir, copiar de ninguna forma, ni emprender ninguna accion en 
relacion con ella.


 



---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com.
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com. 



---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

Re: [Declude.JunkMail] form spam filter

[Darin Cox]

Since forms all use different emailers, and the form content is different as 
well, your only hope is content filtering based on what the spammer 
submitted... like SURBL filtering or REGEX on the spammer submission.

These days, web-based form processing pages should minimally check that the 
referring page is what it is supposed to be (i.e. the form page submit button 
was clicked as opposed to a spammer submitting directly to the form action 
URL), and better yet implement CAPTCHA, require a login, or some other similar 
security measure.

Darin.


- Original Message - 
From: Craig Edmonds 
To: declude.junkmail@declude.com 
Sent: Wednesday, April 09, 2008 3:16 AM
Subject: [Declude.JunkMail] form spam filter


Hi All,

 

Is there a filter for form spam?

 

Some clients complain that they get form spammers sending in junk via their web 
forms.

Some clients have captchas on their forms some don't, but I would like to be 
able to filter out the junk at declude level.

 

Any ideas?

 

Kindest Regards
Craig Edmonds
123 Marbella Internet
W: www.123marbella.com
E : [EMAIL PROTECTED]

 

LEGAL DISCLAIMER - This message may contain confidential, proprietary or 
legally privileged information and is intended only for the use of the 
addressee named above. If you are not the intended recipient of this message 
you are hereby informed that you must not use, disseminate, copy it in any form 
or take any action in reliance on it. If you have received this message in 
error please delete it and any copies of it and notify it to the sender. 

 

AVISO LEGAL - Este mensaje puede contener informacion confidencial, en 
propiedad o legalmente protegida y esta dirigida unicamente para el uso de la 
persona destinataria. Si usted no es la persona destinataria de este mensaje, 
por la presente se le comunica que no debe usar, difundir, copiar de ninguna 
forma, ni emprender ninguna accion en relacion con ella.

 


---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com. 

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

[Declude.JunkMail] form spam filter

[Craig Edmonds]

Hi All,

 

Is there a filter for form spam?

 

Some clients complain that they get form spammers sending in junk via their
web forms.

Some clients have captchas on their forms some don't, but I would like to be
able to filter out the junk at declude level.

 

Any ideas?

 

Kindest Regards
Craig Edmonds
123 Marbella Internet
W:   www.123marbella.com
E :   [EMAIL PROTECTED]

 

LEGAL DISCLAIMER - This message may contain confidential, proprietary or
legally privileged information and is intended only for the use of the
addressee named above. If you are not the intended recipient of this message
you are hereby informed that you must not use, disseminate, copy it in any
form or take any action in reliance on it. If you have received this message
in error please delete it and any copies of it and notify it to the sender. 

 

AVISO LEGAL - Este mensaje puede contener informacion confidencial, en
propiedad o legalmente protegida y esta dirigida unicamente para el uso de
la persona destinataria. Si usted no es la persona destinataria de este
mensaje, por la presente se le comunica que no debe usar, difundir, copiar
de ninguna forma, ni emprender ninguna accion en relacion con ella.

 



---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.