Re: OT Spam sources

2005-09-14 Thread jdow

From: "Christopher X. Candreva" <[EMAIL PROTECTED]>


> On Wed, 14 Sep 2005, DAve wrote:
>
>> Just curious if anyone else was seeing this besides me. I suspect the
>> spammers are making a new attempt to find web forms they can abuse and
>> possibly the robots are just not smart enough to know that our forms
>> don't work the way they suspect.
>
> Seeing it too, others have described it in detail.
>
> At this point it's just annoying, with users receiving many forms with this
> garbage. Since the requests seem to come in rapid succession, I've thought
> about an IP cache, and limiting the number of times an IP can submit the
> form per unit time. It hasn't gone past the idea stage.


Has anybody observed the odd things you must go through to establish
or edit accounts with many larger forms based servers like e-bay or
yahoo? The "read the text from an image and type it in" forms are
about the only thing that slow down the spammers.

Although there is something to be said for requiring a user ID and a
password that cannot be automatically signed up for when using forms
that can send to addresses other than one that is hard wired in and
immutable. (If that is possible in all possible cases.)

{^_^} 



Re: OT Spam sources

2005-09-14 Thread jdow

From: "DAve" <[EMAIL PROTECTED]>


> Michael Monnerie wrote:
>
>> On Wednesday, 14 September 2005 16:03 DAve wrote:
>>
>>> the robots are just not smart enough to know that our forms
>>> don't work the way they suspect.
>>
>> Maybe rename the script? Could be there's a script of that name which is
>> vulnerable...
>>
>> Regards, zmi
>
> All our forms have odd names, we did that when the first Formmail.pl
> attacks showed up years ago.
>
> I could come up with a rule or two to stop the message from being
> delivered, but I much prefer the image verification test in the form so
> the message never gets sent.


All one mail at a time does is slow them down. How many parallel
connections can they make at any one time?
{^_^} 



Re: OT Spam sources

2005-09-14 Thread Christopher X. Candreva
On Wed, 14 Sep 2005, DAve wrote:

> Just curious if anyone else was seeing this besides me. I suspect the spammers
> are making a new attempt to find web forms they can abuse and possibly the
> robots are just not smart enough to know that our forms don't work the way
> they suspect.

Seeing it too, others have described it in detail.

At this point it's just annoying, with users receiving many forms with this 
garbage. Since the requests seem to come in rapid succession, I've thought 
about an IP cache, and limiting the number of times an IP can submit the 
form per unit time. It hasn't gone past the idea stage.


==
Chris Candreva  -- [EMAIL PROTECTED] -- (914) 967-7816
WestNet Internet Services of Westchester
http://www.westnet.com/
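
Chris's "IP cache" idea, worked out as an added example (this is editorial
code, not something posted in the thread or used at WestNet): a sliding-window
counter keyed on the client address that refuses a form POST once that address
has already submitted `limit` times inside the last `window` seconds. The clock
is injected so the code runs offline; the limits, the addresses and the
submission timeline are constructed for the example.

```python
import time
from collections import deque


class SubmissionLimiter:
    """Sliding-window limit on form submissions per client IP.

    For each IP the limiter keeps the timestamps of the submissions that fell
    inside the last `window` seconds; a new submission is refused once `limit`
    of them are already there. Refused submissions are not recorded, so a
    client that keeps hammering does not push its own window further out.
    """

    def __init__(self, limit=5, window=60.0, clock=None):
        self.limit = limit
        self.window = window
        self._clock = clock or time.monotonic   # injectable for testing
        self._seen = {}                          # ip -> deque of submission times

    def _prune(self, times, now):
        # Drop entries that have aged out of the window (oldest first).
        while times and now - times[0] >= self.window:
            times.popleft()

    def allow(self, ip):
        """Record one submission from `ip`; return True if it may proceed."""
        now = self._clock()
        times = self._seen.setdefault(ip, deque())
        self._prune(times, now)
        if len(times) >= self.limit:
            return False
        times.append(now)
        return True

    def expire(self):
        """Forget IPs with nothing left in the window; return how many remain.

        Call this periodically: a wide scan from many addresses would otherwise
        grow the cache without bound.
        """
        now = self._clock()
        for ip in list(self._seen):
            self._prune(self._seen[ip], now)
            if not self._seen[ip]:
                del self._seen[ip]
        return len(self._seen)


# Constructed timeline of (seconds, client IP): the rapid-succession burst Chris
# describes from one address, one ordinary visitor, and the burst's source
# coming back after the window has passed.
SAMPLE_POSTS = [
    (0.0, "203.0.113.7"), (0.4, "203.0.113.7"), (0.9, "203.0.113.7"),
    (1.5, "203.0.113.7"), (2.0, "203.0.113.7"),
    (3.0, "198.51.100.4"),
    (70.0, "203.0.113.7"),
]


def simulate(posts=SAMPLE_POSTS, limit=3, window=60.0):
    """Replay the timeline through a limiter on a fake clock.

    Returns (verdicts, limiter); the limiter is handed back so its cache can be
    inspected after the replay.
    """
    clock = {"t": 0.0}
    limiter = SubmissionLimiter(limit, window, clock=lambda: clock["t"])
    verdicts = []
    for t, ip in posts:
        clock["t"] = t
        verdicts.append(limiter.allow(ip))
    return verdicts, limiter


if __name__ == "__main__":
    verdicts, limiter = simulate()
    for (t, ip), ok in zip(SAMPLE_POSTS, verdicts):
        print(f"t={t:5.1f} {ip:15} {'accepted' if ok else 'REFUSED'}")
    print("addresses still cached:", limiter.expire())
```

Two caveats a practitioner would add. The key is only as good as the address
you key on: behind a reverse proxy, use the forwarded address you actually
trust, not the proxy's own. And since the submissions Mike describes later in
the thread arrive through a pool of open proxies, a per-IP limit only slows the
sender down (jdow's point about parallel connections); the check that actually
stops the spam is the one on the message itself.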


Re: OT Spam sources

2005-09-14 Thread Mike Jackson

>>> the robots are just not smart enough to know that our forms
>>> don't work the way they suspect.
>>
>> Maybe rename the script? Could be there's a script of that name which is
>> vulnerable...
>
> All our forms have odd names, we did that when the first Formmail.pl
> attacks showed up years ago.


This sounds a lot like the spamming attempts I've been seeing. They seem to 
go something like this:


* Attacker finds a form. I'm not sure if they use either a search engine or 
just random crawls of some sort. I'm thinking the latter; when I first saw 
it, it was on the servers at work (I'm the admin for a small web 
development/hosting firm) and the attempts came on sites on the same IP 
address (consecutive IPs at that, on two different servers; other sites on 
other IPs in another subnet were unaffected). Later, I saw a similar attempt 
on my personal site, hosted on my own server somewhere else entirely. I 
should note that not all of these forms had common mail form names; the one 
on my personal site was feedback.php, which could've just as easily 
submitted to the recipient via some other method, not just email. When I 
looked at the Apache logs for how they got to feedback form, they hit the 
index of the site first and followed a path almost directly to the feedback 
form, leading me to think they're crawling and looking for a wider variety 
of form name possibilities than you might think.


* Attacker submits the form with all the fields filled in with random 
addresses (gibberish usernames followed by the domain of the site), and some 
fields (that seem to indicate they'd be inserted into From:, To:, or 
Subject: lines) with additional header lines and MIME message separators. 
They don't seem to do much with this at first; from what I saw, they supply 
a drop account email somewhere in there to test if it worked...


* If the attacker received one of the messages to the drop account, they 
start using the form in a more direct spam-like way, supplying Bcc: 
addresses in the headers that do go to legitimate addresses. The messages 
still look like crap, depending on the original form and what it does.


That's as far as it escalated when I observed it. It was at that point that 
we caught the vulnerability in the form script used on the sites at work and 
plugged the holes. (I didn't write it, BTW; the one on my personal site only 
got a message to me.)


Here are a couple of things I did from the server side as a first line of defense 
to stop this:


* All the attempts came from proxy servers. Well, I'll assume they were 
proxy servers and not individuals all around the world collaborating on the 
attacks! I installed an Apache module that would do RBL lookups 
(configurable, I use opn.blitzed.org) and deny based on a positive match. 
I'm sure the attacker's (or attackers') proxy list is fresher than the RBLs, 
but I just wanted to add enough stumbling blocks to deter the current and 
future attackers.


* All the attempts came in with blank user agent strings. This is more of a 
stretch (as I discovered), but I started denying requests with blank user 
agents. PHP's functions that open URLs as files don't send user agent 
strings either, so be careful with this one if anything on your server will 
be accessed that way. Attackers could just as easily extend their tools to 
use random user agent strings.


Hope this helps. I'd really love to track down the tool these attackers are 
using, but my hat isn't black enough for that. 
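
What Mike describes (extra header lines and MIME separators in the fields a
script copies onto the From:, To: or Subject: line, a drop address to test
whether it worked, then Bcc: lists of real targets) is mail header injection.
The following is an added example, not the feedback.php or Formmail.pl code
discussed above, written in Python so it can be run: build_vulnerable()
assembles the message the way a naive form-to-mail script does,
as_mta_sees_it() shows what the mail transport then receives, and
build_hardened() is the fix. The field names, the site's recipient address and
both submissions are constructed for the example.

```python
import re
from email import message_from_string
from email.message import EmailMessage

# Assumed: the one recipient the form may reach, fixed in the script and never
# taken from the submission (the design DAve describes at the top of the thread).
SITE_RECIPIENT = "webmaster@example.org"

# Constructed submission of the kind Mike describes: a gibberish local part at
# the site's own domain, a CR/LF-separated Bcc: header hidden in the address
# field, and a MIME boundary smuggled through the subject so the attacker's
# part replaces the body. "drop@attacker.invalid" stands in for the test account.
ATTACK_FORM = {
    "email": "kq9xz@example.org\r\nBcc: drop@attacker.invalid",
    "subject": ('hello\r\nContent-Type: multipart/mixed; boundary="x"\r\n'
                '\r\n--x\r\nContent-Type: text/plain\r\n\r\nBUY NOW\r\n--x--'),
    "message": "test",
}

# Constructed ordinary feedback submission.
CLEAN_FORM = {
    "email": "visitor@example.com",
    "subject": "Broken link on your pricing page",
    "message": "The link to the order form returns a 404.",
}


def build_vulnerable(form, recipient=SITE_RECIPIENT):
    """Formmail-style assembly: each field is dropped onto a header line unchecked."""
    return (f"From: {form['email']}\r\n"
            f"To: {recipient}\r\n"
            f"Subject: {form['subject']}\r\n"
            f"\r\n{form['message']}\r\n")


def as_mta_sees_it(raw):
    """Parse the assembled text the way a mail transport would and report what it carries."""
    msg = message_from_string(raw)
    return {
        "to": msg["To"],
        "bcc": msg["Bcc"],                       # injected: copies now go elsewhere
        "content_type": msg.get_content_type(),  # injected: body is the attacker's MIME part
    }


# One bare address for the submitter field. \Z rather than $: in Python, $ also
# matches just before a trailing newline, which is exactly the character to reject.
ADDRESS_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\Z")
# Anything that becomes a single header line: no CR, LF or NUL, sane length.
HEADER_LINE_RE = re.compile(r"^[^\r\n\x00]{1,200}\Z")


def screen(form):
    """Return None if the submission is safe to hand to the mailer, else the reason it is not."""
    if not ADDRESS_RE.match(form.get("email", "")):
        return "email field is not a single bare address"
    if not HEADER_LINE_RE.match(form.get("subject", "")):
        return "subject contains a line break or control character"
    if "\x00" in form.get("message", ""):
        return "message contains a NUL byte"
    return None


class RejectedSubmission(ValueError):
    pass


def build_hardened(form, recipient=SITE_RECIPIENT):
    """Validate first, then let the email library build the headers; recipient stays fixed."""
    reason = screen(form)
    if reason:
        raise RejectedSubmission(reason)
    msg = EmailMessage()
    msg["From"] = recipient            # our own address; the visitor's is not forged into From:
    msg["Reply-To"] = form["email"]    # validated above to be one bare address
    msg["To"] = recipient
    msg["Subject"] = form["subject"]
    msg.set_content(form["message"])   # body is body: encoded by the library, never a header
    return msg


def accepts(form):
    """True if build_hardened() would mail this submission, False if it rejects it."""
    try:
        build_hardened(form)
    except RejectedSubmission:
        return False
    return True


if __name__ == "__main__":
    print("vulnerable script, attack form:", as_mta_sees_it(build_vulnerable(ATTACK_FORM)))
    print("hardened script, attack form rejected:", not accepts(ATTACK_FORM), screen(ATTACK_FORM))
    print(build_hardened(CLEAN_FORM))
```

The point of the hardened version is not the regular expressions but the
division of labour: every value that ends up on a header line is checked for
line breaks, the recipient never comes from the form, and the body goes through
the library's content encoding rather than string concatenation. Renaming the
script, as Michael suggested, changes none of this; a crawler that follows
links to the form finds it under any name.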


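Mike's two server-side stumbling blocks, the DNSBL lookup on the client
address and the refusal of requests with a blank User-Agent, as an added
example of how such a gate works. This is editorial code, not the Apache
module he installed, and it runs offline: the resolver is injected, the zone
name dnsbl.example is a placeholder for whichever list you query, and the
sample requests are constructed.

```python
import ipaddress

DNSBL_ZONE = "dnsbl.example"   # assumed placeholder; substitute the list you actually query


def dnsbl_query_name(ip, zone=DNSBL_ZONE):
    """Name a DNSBL lookup resolves: the IPv4 octets in reverse order under the zone.

    203.0.113.7 -> 7.113.0.203.<zone>
    """
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this lookup handles IPv4 only")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def is_listed(ip, resolve, zone=DNSBL_ZONE):
    """True if the zone answers for this IP with an address in 127.0.0.0/8.

    `resolve` maps a hostname to an A record as a string, or None when the name
    does not exist; in production wrap socket.gethostbyname (catching its
    gaierror) or a resolver library. These zones signal a match by answering
    with a 127.0.0.x address, so anything else is treated as not listed.
    """
    if ipaddress.ip_address(ip).version != 4:
        return False                       # IPv4-only zone
    answer = resolve(dnsbl_query_name(ip, zone))
    if answer is None:
        return False                       # NXDOMAIN: not on the list
    return ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8")


def gate(request, resolve, zone=DNSBL_ZONE):
    """Decide whether a request may reach the form handler; returns (allowed, reason).

    `request` is a dict with the client IP and the request headers (constructed
    here; a real module reads them from the server). The User-Agent test runs
    first because it costs nothing; the DNS lookup only happens for the rest.
    """
    if not request["headers"].get("User-Agent", "").strip():
        return False, "blank User-Agent"
    if is_listed(request["ip"], resolve, zone):
        return False, "client is on " + zone
    return True, "ok"


# Constructed stand-in for the DNS: one address is on the list, everything else
# returns NXDOMAIN (None).
FAKE_DNSBL = {"7.113.0.203.dnsbl.example": "127.0.0.2"}


def fake_resolve(name):
    return FAKE_DNSBL.get(name)


# Constructed requests: a listed proxy with and without a User-Agent, an
# ordinary browser, and a scripted fetch from a clean address that sends no
# User-Agent at all (Mike's caveat about PHP's URL wrappers).
SAMPLE_REQUESTS = [
    {"ip": "203.0.113.7",  "headers": {}},
    {"ip": "203.0.113.7",  "headers": {"User-Agent": "Mozilla/4.0"}},
    {"ip": "198.51.100.4", "headers": {"User-Agent": "Mozilla/5.0"}},
    {"ip": "198.51.100.4", "headers": {}},
]


def run_samples():
    return [gate(r, fake_resolve) for r in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for req, (ok, why) in zip(SAMPLE_REQUESTS, run_samples()):
        print(f"{req['ip']:15} {'allow' if ok else 'deny ':5} {why}")
```

The last sample request is the one to keep in mind: the blank-agent rule
blocks legitimate scripted clients too, so apply the gate only to the form
handler (the POST target), not to everything the server serves. The DNS
lookup adds latency to every form submission and, as Mike says, lags behind
the attacker's proxy list; cache results for a while and treat a positive
answer as one more hurdle rather than a verdict.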

Re: OT Spam sources

2005-09-14 Thread DAve

Michael Monnerie wrote:

> On Wednesday, 14 September 2005 16:03 DAve wrote:
>
>> the robots are just not smart enough to know that our forms
>> don't work the way they suspect.
>
> Maybe rename the script? Could be there's a script of that name which is
> vulnerable...
>
> Regards, zmi


All our forms have odd names, we did that when the first Formmail.pl 
attacks showed up years ago.


I could come up with a rule or two to stop the message from being 
delivered, but I much prefer the image verification test in the form so 
the message never gets sent.


Thanks,

DAve



Re: OT Spam sources

2005-09-14 Thread Michael Monnerie
On Wednesday, 14 September 2005 16:03 DAve wrote:
>  the robots are just not smart enough to know that our forms
> don't work the way they suspect.

Maybe rename the script? Could be there's a script of that name which is 
vulnerable...

Regards, zmi
-- 
// Michael Monnerie, Ing.BSc  ---   it-management Michael Monnerie
// http://zmi.at   Tel: 0660/4156531  Linux 2.6.11
// PGP Key:   "lynx -source http://zmi.at/zmi2.asc | gpg --import"
// Fingerprint: EB93 ED8A 1DCD BB6C F952  F7F4 3911 B933 7054 5879
// Keyserver: www.keyserver.net Key-ID: 0x70545879




OT Spam sources

2005-09-14 Thread DAve
Pardon the off-topic post. I have noticed a sudden rash of robots 
hitting our users' web forms and sending spam.


Now, we replaced the normal web forms a long time ago and now have a 
home grown solution that cannot be used to send spam to third parties. 
This is what makes the current situation so strange. The spam can only 
go to the one recipient, yet the robots keep coming back. Are these 
people stupid?


We are working up a solution, the usual image verification trick like 
most whois lookups. We will roll it into our standard web form processor.


Just curious if anyone else was seeing this besides me. I suspect the 
spammers are making a new attempt to find web forms they can abuse and 
possibly the robots are just not smart enough to know that our forms 
don't work the way they suspect.


DAve