Re: Blocking form spam

This WebDNA talk-list message is from 2006.

It keeps the original formatting.
numero = 67925
Stuart,

My problem was determining what characters to grep for and be confident that I am catching the attempts to push email through my forms. Just to be clear, there are two things happening to my forms:-

1. Contact Form Spam / Comment Spam

This is where a spammer is sending loads of links through the form hoping (I assume) that it may show up on a live web page (like a blog or guestbook) and help their Google rating. What I have done here is check for the string 'http://' in fields where it is not appropriate and then block the form from sending if any are present. Where the field may contain a link (like a comment textarea) then I count the number of links and block if, say, five or more links are in the field.

Links :
[listwords words=[grep search=[url]http://[/url]&replace= | ][COMMENT][/grep]&delimiters=|][text]links=[index][/text][/listwords]
[links]

2. Email Injection Spam

This is more worrying and is where a spammer tries to hijack a form and use it as an SMTP proxy to send spam. (http://www.securephpwiki.com/index.php/Email_Injection)

They do this by putting strings like the following into form fields:-

sender@anonymous.www%0ACc:recipient@someothersite.xxx%0ABcc:somebloke@grrrr.xxx,someotherbloke@oooops.xxx

If the data from this field is passed on anywhere within a [sendmail] context then the third party will get an email. The headers can be messed around with more to fully hijack the form.

After trial and error I have found the following grep seems to work:

[grep search=(%250A|%250D|[cC][cC])&replace=][formfield][/grep]

It removes linefeeds, carriage returns, and 'Cc' (also effectively catching 'Bcc').

Sorry if I seem to be going on too much about this but I found a couple of my forms were exposed and it scared the crap out of me. I haven't come across anything in the docs or on this list yet which highlights that variables have to be checked and cleaned before being included in a sendmail context. Maybe it's obvious that this should be done but I had missed it nonetheless.

- Tom

-------------------------------------------------------------
This message is sent to you because you are subscribed to the mailing list .
To unsubscribe, E-mail to:
To switch to the DIGEST mode, E-mail to
Web Archive of this list is at: http://webdna.smithmicro.com/

Associated Messages, from the most recent to the oldest:

    
  1. Re: Blocking form spam ( Stuart Tremain 2006)
  2. Re: Blocking form spam ( Terry Wilson 2006)
  3. Re: Blocking form spam ( Stuart Tremain 2006)
  4. Re: Blocking form spam ( "Tom Duke" 2006)
  5. Re: Blocking form spam ( Stuart Tremain 2006)
  6. Re: Blocking form spam ( WJ Starck 2006)
  7. Re: Blocking form spam ( Gary Krockover 2006)
  8. Re: Blocking form spam ( Donovan Brooke 2006)
  9. Re: Blocking form spam ( "Brian B. Burton" 2006)
  10. Re: Blocking form spam ( WJ Starck 2006)
  11. Re: Blocking form spam ( Terry Wilson 2006)
  12. Re: Blocking form spam ( Stuart Tremain 2006)
  13. Blocking form spam ( "Tom Duke" 2006)
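The two checks Tom describes (counting links in a free-text field, and catching CR/LF and Cc/Bcc in fields that reach mail headers), as an added Python example that is not Tom's WebDNA code and not part of the original thread. The field names, the five-link threshold and the sample submissions are constructed for the example; it decodes percent-encoding before checking so that a raw newline, %0A and the double-encoded %250A form are all caught, and it rejects the submission rather than stripping characters.

```python
import re
from urllib.parse import unquote

# Threshold is an assumption for this example (the post says "say five links").
MAX_LINKS_IN_COMMENT = 5

# A CR or LF inside a value that lands in a mail header starts a new header line;
# Cc:/Bcc: are the headers spammers append, as in the payload quoted in the post.
HEADER_INJECTION = re.compile(r"[\r\n]|\b(b?cc)\s*:", re.IGNORECASE)
LINK = re.compile(r"https?://", re.IGNORECASE)

def decode_field(value: str) -> str:
    """Undo up to two layers of percent-encoding so %0A and %250A both become a newline."""
    for _ in range(2):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def has_header_injection(value: str) -> bool:
    """True if the field, once decoded, could inject extra mail headers."""
    return HEADER_INJECTION.search(decode_field(value)) is not None

def count_links(text: str) -> int:
    return len(LINK.findall(text))

def validate_form(fields, header_fields=("email", "name", "subject"), comment_field="comment"):
    """Return reasons to reject the submission; an empty list means it may be mailed."""
    problems = []
    for field in header_fields:
        value = fields.get(field, "")
        if has_header_injection(value):
            problems.append(f"{field}: header injection attempt")
        elif LINK.search(value):  # a link makes no sense in a name, address or subject
            problems.append(f"{field}: link in non-link field")
    if count_links(fields.get(comment_field, "")) >= MAX_LINKS_IN_COMMENT:
        problems.append(f"{comment_field}: too many links")
    return problems

# Constructed sample submissions; the injection payload is the one quoted in the post.
LEGIT_SUBMISSION = {"email": "tom@example.invalid", "name": "Tom", "subject": "Form question",
                    "comment": "Is this documented? See http://webdna.smithmicro.com/"}
INJECTION_SUBMISSION = {"email": "sender@anonymous.www%0ACc:recipient@someothersite.xxx"
                                 "%0ABcc:somebloke@grrrr.xxx,someotherbloke@oooops.xxx",
                        "name": "anon", "subject": "hi", "comment": ""}
```

Rejecting the whole submission, instead of deleting matched characters, also avoids mangling legitimate words such as "account" that a blanket removal of "cc" would hit.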