Once I experienced a similar problem with a spammer looking for vulnerabilities in my feedback form scripts. Of course he used proxies, so denying by IP would have made no sense.

So I hid the script behind a single shtml page, so that no one could ever know what the real name of any script is. All CGI requests on that site started to be handled by the same shtml file, where conditional SSI instructions distributed tasks to different scripts by "watermarks" in the query string (using regexps). So all forms had action="index.shtml".

The spammer started scanning the cgi-bin folder looking for scripts named like mail, formmail, friendmail, tellyourfriend, etc. So the feedback script was renamed to abdbxq.cgi. Still, the remaining annoyance was to see the spammer flooding my site with requests for the nonexistent mail.cgi, formail.pl, and similar combinations, hundreds of hits per day. The server's error log was filled with "File does not exist". So I added this to my .htaccess:
RewriteEngine on
# Bounce requests whose path contains one of the probed script names (case-insensitive)
RewriteRule ^(.*)(mail|library|list|form|tell|friend)(.*) http://localhost [NC]
Since then my server logs are clean :-)
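A check of how broad the posted RewriteRule really is, as an added Python example that is not part of the original message: the rule's pattern is transliterated to a regex and run over constructed request paths (the cgi-bin names and asset names below are made up for the test). Because ^(.*)(mail|library|list|form|tell|friend)(.*) is unanchored on both sides and NC makes it case-insensitive, it also catches ordinary pages and assets whose names merely contain one of those words. The tightened pattern is my own suggestion, not something from the thread.

```python
import re

# Constructed sample request paths (not from the original post): the probe
# names the poster saw, his renamed script, and some legitimate resources.
# In a per-directory .htaccess the leading slash is stripped before the
# RewriteRule pattern is applied, so the paths are written without it.
SAMPLE_PATHS = [
    "cgi-bin/mail.cgi",
    "cgi-bin/formmail.pl",
    "cgi-bin/FormMail.pl",
    "cgi-bin/tellafriend.cgi",
    "cgi-bin/abdbxq.cgi",
    "images/email-icon.png",
    "css/formatting.css",
    "docs/friendly-guide.html",
    "index.shtml",
]

# The pattern from the posted rule; mod_rewrite's NC flag is re.IGNORECASE here.
POSTED_PATTERN = re.compile(
    r"^(.*)(mail|library|list|form|tell|friend)(.*)", re.IGNORECASE
)

# Tightened alternative (my suggestion, not in the thread): anchored to
# cgi-bin, the keyword must be part of a script basename with a script
# extension, so pages and assets that merely contain "mail" or "form" pass.
TIGHTER_PATTERN = re.compile(
    r"^cgi-bin/[\w-]*(mail|library|list|form|tell|friend)[\w-]*\.(cgi|pl|php)$",
    re.IGNORECASE,
)


def posted_rule_matches(path: str) -> bool:
    """True when the rule as posted would rewrite this request."""
    return POSTED_PATTERN.match(path) is not None


def tighter_rule_matches(path: str) -> bool:
    """True when the anchored variant would block this request."""
    return TIGHTER_PATTERN.match(path) is not None


def collateral_blocks(paths, pattern=POSTED_PATTERN):
    """Paths a pattern would block even though they are not CGI requests."""
    return [p for p in paths if pattern.match(p) and not p.startswith("cgi-bin/")]


if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(f"{p:28} posted={posted_rule_matches(p)!s:5} tighter={tighter_rule_matches(p)}")
    print("collateral damage from the posted rule:", collateral_blocks(SAMPLE_PATHS))
```

In .htaccess the tightened pattern would read RewriteRule ^cgi-bin/[\w-]*(mail|library|list|form|tell|friend)[\w-]*\.(cgi|pl|php)$ - [F,NC], which answers the probes with a 403 and a single access-log line instead of redirecting the client to its own localhost.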
But that's just security through obscurity. It only gets you so far. I've
seen newer variations on this that don't look for common exploits - they
spider the site (or maybe it's a human crawler; my bet's on a spider) and
look for contact forms, either with common or uncommon names. Once they find
a page with a form on it, they submit like crazy to find vulnerabilities.
I've seen the same behavior on three different servers, so I know it's not
an isolated attack. Often they'll start by submitting the same email address
to all the fields on the form, then move on to injecting mail headers into
the form input, sometimes with a single dot on a line (to fool sendmail into
thinking it's a new message). There's often a common email address in all
the bogus ones, usually an AOL address - I'll assume they're setting up free
accounts, then abandoning them after they're done with an attack. The last
time I saw one of these, they used the same IP until it was blocked, then
moved on to another one. Our ultimate solution was to change the form
scripts to strip out newline characters - it makes submitted comments look
funny, but there's no chance of header injection attacks.
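The two defences discussed in this reply, as an added Python example that is not code from either poster: the naive builder shows why a CR/LF in a form field becomes an extra header line, strip_newlines is the fix the reply settled on, and the hardened builder keeps line breaks in the comment while rejecting any header field that is not a single line and dot-stuffing the body against the lone-dot trick. The submissions, the feedback address and the field names are constructed for the example.

```python
import re

# Constructed form submissions (not from the thread). The second one has the
# shape of the abuse described above: CR/LF plus an extra header line inside
# an address field, and a comment containing a line that is only ".".
SUBMISSIONS = [
    {"email": "alice@example.com", "subject": "Question",
     "comment": "Hello,\nis the store open on Sunday?"},
    {"email": "bob@example.com\r\nBcc: everyone@example.net", "subject": "Hi",
     "comment": "x\r\n.\r\nmore"},
]

NEWLINE = re.compile(r"[\r\n]")


class HeaderInjection(ValueError):
    """Raised when a value destined for a mail header contains CR or LF."""


def build_message_naive(sub: dict, sender: str = "feedback@example.com") -> str:
    """The pattern being abused: fields concatenated straight into header lines."""
    return (f"From: {sender}\r\nReply-To: {sub['email']}\r\n"
            f"Subject: {sub['subject']}\r\n\r\n{sub['comment']}")


def strip_newlines(value: str) -> str:
    """The fix the reply settled on: delete every CR/LF from a field. Safe for
    headers and body alike, at the cost of flattening the comment."""
    return NEWLINE.sub("", value)


def check_header_value(value: str, field: str) -> str:
    """Reject-style alternative for header fields: one value, one line."""
    if NEWLINE.search(value):
        raise HeaderInjection(f"newline in header field '{field}'")
    return value


def dot_stuff(body: str) -> str:
    """Prefix any body line starting with '.' with another '.' (RFC 5321 4.5.2)
    so a lone '.' line cannot end the SMTP DATA phase early. Only needed when
    the script writes the DATA stream itself: Python's smtplib does this
    already, and piping to sendmail with -oi disables dot termination instead."""
    lines = body.replace("\r\n", "\n").split("\n")
    return "\r\n".join(("." + ln) if ln.startswith(".") else ln for ln in lines)


def build_message(sub: dict, sender: str = "feedback@example.com") -> str:
    """Hardened builder: header fields validated, comment kept multi-line but
    dot-stuffed. 'sender' is an assumed local address."""
    reply_to = check_header_value(sub["email"].strip(), "email")
    subject = check_header_value(sub["subject"].strip(), "subject")
    headers = [f"From: {sender}", f"Reply-To: {reply_to}", f"Subject: {subject}"]
    return "\r\n".join(headers) + "\r\n\r\n" + dot_stuff(sub["comment"])


def triage(submissions):
    """Build what can be built; return (messages, [(index, reason), ...])."""
    accepted, rejected = [], []
    for i, sub in enumerate(submissions):
        try:
            accepted.append(build_message(sub))
        except HeaderInjection as exc:
            rejected.append((i, str(exc)))
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = triage(SUBMISSIONS)
    for msg in ok:
        print(msg.replace("\r\n", "\\r\\n"))
    for i, why in bad:
        print(f"rejected submission {i}: {why}")
```

Rejecting a multi-line header value, rather than silently stripping it, also gives the server a log line to alert on, which is how the probing the reply describes becomes visible in the first place.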
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.