Re: [Mimedefang] OT: Email web form exploits

2005-09-09 Thread Jan Pieter Cornet
On Fri, Sep 09, 2005 at 01:58:56PM -0400, Chris Gauch wrote: > > because chances are they'll contain probe addresses that might > > be helpful for tracking down the spammers. > > Yes, we are certainly doing that. We log the REFERER information including > remote IP addresses to a database and che

RE: [Mimedefang] OT: Email web form exploits

2005-09-09 Thread Chris Gauch
David Skoll wrote: > Chris Gauch wrote: > > [Add fake fields to forms and reject if they're not blank.] > > Now THAT is clever. I like it! > > In fact, you might want to log the contents of the fields somewhere, > because chances are they'll contain probe addresses that might > be helpful for

Re: [Mimedefang] OT: Email web form exploits

2005-09-09 Thread David F. Skoll
Chris Gauch wrote: [Add fake fields to forms and reject if they're not blank.] Now THAT is clever. I like it! In fact, you might want to log the contents of the fields somewhere, because chances are they'll contain probe addresses that might be helpful for tracking down the spammers. Regards,

RE: [Mimedefang] OT: Email web form exploits

2005-09-09 Thread Chris Gauch
Matthew.van.Eerde wrote: > > Kelson wrote: > > James Ebright wrote: > >> Check the URI referrer and only allow the web form to be hit FROM > >> the URLS that it should be linked to otherwise simply return an > >> error similar to unauthorized access attempt > > > > Not sufficient. These are

RE: [Mimedefang] OT: Email web form exploits

2005-09-09 Thread Matthew.van.Eerde
Kelson wrote: > James Ebright wrote: >> Check the URI referrer and only allow the web form to be hit FROM >> the URLS that it should be linked to otherwise simply return an >> error similar to unauthorized access attempt > > Not sufficient. These are being done using direct hits to port 80, >

Re: [Mimedefang] OT: Email web form exploits

2005-09-09 Thread Kelson
Jan Pieter Cornet wrote: The best protection is to look for embedded CR or LF characters in a field that should not contain such characters, like the Subject, To, From or any other field that would end up in a header. If there are any, just reject with an error. You might want to ignore newlines

Re: [Mimedefang] OT: Email web form exploits

2005-09-09 Thread Kelson
James Ebright wrote: Check the URI referrer and only allow the web form to be hit FROM the URLS that it should be linked to otherwise simply return an error similar to unauthorized access attempt Not sufficient. These are being done using direct hits to port 80, not actual web browsers, s

Re: [Mimedefang] OT: Email web form exploits

2005-09-08 Thread David F. Skoll
James Ebright wrote: > Nothing is 100% but you can make it difficult enough or unlikely > enough that they will go look for easier targets... Our experience > was that simply checking the webserver env URI referrer variable was > often good enough in this scenario. True; I *was* a little harsh, a

Re: [Mimedefang] OT: Email web form exploits

2005-09-08 Thread James Ebright
Well, it has been quite some time since I have done any serious web development (and the platform back then was Netscape's Enterprise Server on Solaris 2.52), but... Pull the referrer from the web server environment, not javascript or anything else client side, in fact, if you are that paranoid it

Re: [Mimedefang] OT: Email web form exploits

2005-09-08 Thread David F. Skoll
James Ebright wrote: > Check the URI referrer and only allow the web form to be hit FROM the URLS > that it should be linked to otherwise simply return an error similar to > unauthorized access attempt Referrer can be faked. You can't trust any data supplied by the client. Also, people who

RE: [Mimedefang] OT: Email web form exploits

2005-09-08 Thread James Ebright
Check the URI referrer and only allow the web form to be hit FROM the URLS that it should be linked to otherwise simply return an error similar to unauthorized access attempt This prevents these types of script interaction with a webform quite effectively typically as it outright prevents dire

Re: [Mimedefang] OT: Email web form exploits

2005-09-08 Thread Jan Pieter Cornet
On Wed, Sep 07, 2005 at 09:58:35AM -0400, [EMAIL PROTECTED] wrote: > > Our largest issue with these web form mail exploits is not really > > spam-related (in terms of scripts causing our web servers to become spam > > relays); our clients are receiving these fake forms (obviously generated > by >

RE: [Mimedefang] OT: Email web form exploits

2005-09-07 Thread Chris Gauch
> [EMAIL PROTECTED] wrote: > > > Isn't that called input validation and something that should be done > > anyways? > > True. But some input validation is a bit aggressive. How many broken > Web forms out there don't permit "+" in an e-mail address? And my > colleague, Dave O'Neill, can tell lo

Re: [Mimedefang] OT: Email web form exploits

2005-09-07 Thread David F. Skoll
[EMAIL PROTECTED] wrote: > Isn't that called input validation and something that should be done > anyways? True. But some input validation is a bit aggressive. How many broken Web forms out there don't permit "+" in an e-mail address? And my colleague, Dave O'Neill, can tell lots of horror st

Re: [Mimedefang] OT: Email web form exploits

2005-09-07 Thread WBrown
[EMAIL PROTECTED] wrote on 09/07/2005 09:47:30 AM: > Ironic, isn't it? We'll probably have to filter OUT things that "look like" > e-mail addresses in non-email fields. Isn't that called input validation and something that should be done anyways?

RE: [Mimedefang] OT: Email web form exploits

2005-09-07 Thread WBrown
[EMAIL PROTECTED] wrote on 09/07/2005 09:36:54 AM: > Our largest issue with these web form mail exploits is not really > spam-related (in terms of scripts causing our web servers to become spam > relays); our clients are receiving these fake forms (obviously generated by > a kiddie script) const

Re: [Mimedefang] OT: Email web form exploits

2005-09-07 Thread David F. Skoll
Chris Gauch wrote: > City: [EMAIL PROTECTED] > Fax: [EMAIL PROTECTED] ... etc ... > So, the question is how can we really stop someone from using an > HTML form (and the NUMBER verification technique is not an > acceptable solution for our clients)? You can't stop someone from using the form,

RE: [Mimedefang] OT: Email web form exploits

2005-09-07 Thread Chris Gauch
Our largest issue with these web form mail exploits is not really spam-related (in terms of scripts causing our web servers to become spam relays); our clients are receiving these fake forms (obviously generated by a kiddie script) constantly throughout the day, and the script writer isn't accompli

Re: [Mimedefang] OT: Email web form exploits

2005-09-07 Thread John Nemeth
On Jan 27, 4:00am, John wrote: } At 08:42 AM 9/6/2005, you wrote: } >On Tue, 2005-09-06 at 07:45, John wrote: } > > > } > > > Contacted them for what purpose? To tell them that you're a lousy } > > >programmer? Or perhaps to tell them that you stick random unverified } > > >code on your sys

Re: [Mimedefang] OT: Email web form exploits

2005-09-07 Thread John Nemeth
On Jan 27, 1:21am, John wrote: } At 11:23 PM 9/5/2005, you wrote: } >On Jan 26, 5:16pm, John wrote: } >} } >} I am a System Administrator in Billings, MT. I am having the same issue, } >} however I do not feel this is to be taken lightly. Mine started with IPs } >} in Egypt & Iran. I have att

Re: [Mimedefang] OT: Email web form exploits

2005-09-06 Thread David F. Skoll
Kenneth Porter wrote: >> http://www.rhyolite.com/anti-spam/freemail-adb > Nice list. Anyone have a SpamAssassin plugin to use it like a SURBL? It's not really appropriate for that; I don't think most people can afford to reject (or even score) mail from hotmail.com, gmail.com, etc. However, we h

Re: [Mimedefang] OT: Email web form exploits

2005-09-06 Thread Kenneth Porter
--On Monday, September 05, 2005 10:59 PM -0400 "David F. Skoll" <[EMAIL PROTECTED]> wrote: Also, our Web forms reject anyone who puts in an e-mail address in Vernon Schryver's free email domain list at http://www.rhyolite.com/anti-spam/freemail-adb Nice list. Anyone have a SpamAssassin plugi

Re: [Mimedefang] OT: Email web form exploits

2005-09-06 Thread Kelson
Chris Gauch wrote: Just wanted to hear how others are being hit by this latest scam. As an ISP that hosts hundreds of websites that use Email web forms, we have had lots of forms come through with fake email addresses throughout the form (see the article below for more info): I've seen several

Re: [Mimedefang] OT: Email web form exploits

2005-09-06 Thread Les Mikesell
On Tue, 2005-09-06 at 10:25, John wrote: > > > >What would you like them to do? > > Be aware. None of us have an overall picture of the security issues of our > Nation. Only selected groups have that knowledge. I am just going to feed > them some data. What they do with it is up to them. Th

Re: [Mimedefang] OT: Email web form exploits

2005-09-06 Thread John
At 08:42 AM 9/6/2005, you wrote: On Tue, 2005-09-06 at 07:45, John wrote: > > > > Contacted them for what purpose? To tell them that you're a lousy > >programmer? Or perhaps to tell them that you stick random unverified > >code on your system (i.e. you're a lousy sysadmin)? > > We also, ar

Re: [Mimedefang] OT: Email web form exploits

2005-09-06 Thread Les Mikesell
On Tue, 2005-09-06 at 07:45, John wrote: > > > > Contacted them for what purpose? To tell them that you're a lousy > >programmer? Or perhaps to tell them that you stick random unverified > >code on your system (i.e. you're a lousy sysadmin)? > > We also, are an ISP. We, as a company, do no

Re: [Mimedefang] OT: Email web form exploits

2005-09-06 Thread John
At 11:23 PM 9/5/2005, you wrote: On Jan 26, 5:16pm, John wrote: } } I am a System Administrator in Billings, MT. I am having the same issue, } however I do not feel this is to be taken lightly. Mine started with IPs } in Egypt & Iran. I have attempted to contact the FBI & Dept. of Homeland }

Re: [Mimedefang] OT: Email web form exploits

2005-09-05 Thread Ben Kamen (mobile)
I have similar online scripts I wrote but included timed posting limits... i.e. no more than 5 per IP per 24hr period... You may want to consider implementing similar safeguards. --Ben -- Ben Kamen - www.benjammin.net

Re: [Mimedefang] OT: Email web form exploits

2005-09-05 Thread John Nemeth
On Jan 26, 5:16pm, John wrote: } } I am a System Administrator in Billings, MT. I am having the same issue, } however I do not feel this is to be taken lightly. Mine started with IPs } in Egypt & Iran. I have attempted to contact the FBI & Dept. of Homeland } Security. Also have alerted AOL's Fraud Dept. as that's where the test

Re: [Mimedefang] OT: Email web form exploits

2005-09-05 Thread John
I am a System Administrator in Billings, MT. I am having the same issue, however I do not feel this is to be taken lightly. Mine started with IPs in Egypt & Iran. I have attempted to contact the FBI & Dept. of Homeland Security. Also have alerted AOL's Fraud Dept. as that's where the test

Re: [Mimedefang] OT: Email web form exploits

2005-09-05 Thread David F. Skoll
Chris Gauch wrote: > Just wanted to hear how others are being hit by this latest scam. As an ISP > that hosts hundreds of websites that use Email web forms, we have had lots > of forms come through with fake email addresses throughout the form (see the > article below for more info): We haven't