Re: Blocking form spam

This WebDNA talk-list message is from 2006. It keeps the original formatting.
numero = 67926
Interesting that you point this out Tom. I had guestbook entries getting hammered as you noted, I put in the link catch that you have done, I also used a CAPTCHA that I devised. I also blocked IP addresses that I logged. These have fixed that problem. I have also seen the second problem that you mention but I didn't think that the emails were being generated. I will have to check my logs and see if they are having any success.

Tom, thanks for your notes on this subject, I will be investigating this more closely today!

Stuart Tremain
idfk web developments, sydney, australia

On 10 Aug 2006, at 9:18 AM, Tom Duke wrote:

> Stuart,
>
> My problem was determining what characters to grep for and be confident that I am catching the attempts to push email through my forms.
>
> Just to be clear there are two things happening to my forms:-
>
> 1. Contact Form Spam / Comment Spam
> This is where a spammer is sending loads of links through the form hoping (I assume) that it may show up on a live web page (like a blog or guestbook) and help their Google rating. What I have done here is check for the string 'http://' in fields where it is not appropriate and then block the form from sending if any are present. Where the field may contain a link (like a comment textarea) then I count the number of links and block if more than say five links or more are in the field.
>
> Links : [listwords words=[grep search=[url]http://[/url]&replace= | ][COMMENT][/grep]&delimiters=|][text]links=[index][/text][/listwords][links]
>
> 2. Email Injection Spam
> This is more worrying and is where a spammer tries to hijack a form and use it as an SMTP proxy to send spam. (http://www.securephpwiki.com/index.php/Email_Injection) They do this by putting strings like the following into form fields:-
>
> sender@anonymous.www%0ACc:recipient@someothersite.xxx%0ABcc:somebloke@grrrr.xxx,someotherbloke@oooops.xxx
>
> If the data from this field is passed on anywhere within a [sendmail] context then the third party will get an email. The headers can be messed around with more to fully hijack the form. After trial and error I have found the following grep seems to work:
>
> [grep search=(%250A|%250D|[cC][cC])&replace=][formfield][/grep]
>
> It removes linefeeds, carriage returns, and 'Cc' (also effectively catching 'Bcc')
>
> Sorry if I seem to be going on too much about this but I found a couple of my forms were exposed and it scared the crap out of me. I haven't come across anything in the docs or on this list yet which highlights that variables have to be checked and cleaned before being included in a sendmail context. Maybe it's obvious that this should be done but I had missed it nonetheless.
>
> - Tom
>
> -------------------------------------------------------------
> This message is sent to you because you are subscribed to the mailing list .
> To unsubscribe, E-mail to:
> To switch to the DIGEST mode, E-mail to digest@talk.smithmicro.com
> Web Archive of this list is at: http://webdna.smithmicro.com/

Associated Messages, from the most recent to the oldest:

    
  1. Re: Blocking form spam ( Stuart Tremain 2006)
  2. Re: Blocking form spam ( Terry Wilson 2006)
  3. Re: Blocking form spam ( Stuart Tremain 2006)
  4. Re: Blocking form spam ( "Tom Duke" 2006)
  5. Re: Blocking form spam ( Stuart Tremain 2006)
  6. Re: Blocking form spam ( WJ Starck 2006)
  7. Re: Blocking form spam ( Gary Krockover 2006)
  8. Re: Blocking form spam ( Donovan Brooke 2006)
  9. Re: Blocking form spam ( "Brian B. Burton" 2006)
  10. Re: Blocking form spam ( WJ Starck 2006)
  11. Re: Blocking form spam ( Terry Wilson 2006)
  12. Re: Blocking form spam ( Stuart Tremain 2006)
  13. Blocking form spam ( "Tom Duke" 2006)
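Added example, in Python rather than WebDNA and not code from either message above: the two checks Tom describes, counting links in a field and catching carriage returns, linefeeds and Cc/Bcc header names, written as functions that run before any form value reaches a mail header. Unlike Tom's grep, which strips the characters, this version rejects the whole submission and reports why; it also decodes URL-encoding repeatedly, so the double-encoded %250A his grep targets is caught alongside the plain %0A form. The field names, the link limit, the `example.invalid` addresses and the sample submissions are constructed for this example.

```python
"""Checks a contact form's fields before any of them reaches a mail header.

Added example (Python, not WebDNA): the two checks described in the thread,
link counting and CR/LF or Cc/Bcc detection, written as functions that reject
a submission instead of silently stripping characters. Field names, the link
limit and the sample submissions below are constructed for this example.
"""
import re
from email.message import EmailMessage
from typing import Dict, List
from urllib.parse import unquote

LINK_RE = re.compile(r"https?://", re.IGNORECASE)
# A header name the form never asked for, e.g. "Cc:" or "bcc :" (case-insensitive).
CC_HEADER_RE = re.compile(r"(?i)\bb?cc\s*:")
MAX_LINKS = 5                      # "more than say five" in Tom's message
LINK_FIELDS = ("comment",)         # fields where links are legitimate


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo repeated URL-encoding so the check sees what the mail server would.

    %0A becomes a newline after one pass; the double-encoded %250A that Tom's
    grep looks for needs a second pass.
    """
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def count_links(text: str) -> int:
    """Number of http:// or https:// occurrences, the figure the link limit applies to."""
    return len(LINK_RE.findall(text))


def has_header_injection(value: str) -> bool:
    """True if the decoded value could add or alter mail headers.

    A bare CR or LF is enough to start a new header line, so it is rejected on
    its own; a Cc/Bcc header name is rejected as well, matching Tom's grep.
    """
    decoded = fully_decode(value)
    if "\r" in decoded or "\n" in decoded:
        return True
    return CC_HEADER_RE.search(decoded) is not None


def check_form(fields: Dict[str, str]) -> List[str]:
    """Return the reasons to reject a submission; an empty list means it may be mailed."""
    problems = []
    for name, value in fields.items():
        if has_header_injection(value):
            problems.append(f"{name}: line break or Cc/Bcc header in value")
        links = count_links(value)
        if name in LINK_FIELDS:
            if links > MAX_LINKS:
                problems.append(f"{name}: {links} links, limit is {MAX_LINKS}")
        elif links:
            problems.append(f"{name}: link in a field that should not carry one")
    return problems


def build_message(fields: Dict[str, str],
                  site_address: str = "webmaster@example.invalid") -> EmailMessage:
    """Build the notification mail only after check_form has passed.

    The visitor's address goes into Reply-To, never into To or Cc, so a value
    is never in a position to choose a recipient. EmailMessage with its
    default policy also refuses header values containing CR or LF, which is a
    second line of defence, not the first.
    """
    problems = check_form(fields)
    if problems:
        raise ValueError("; ".join(problems))
    msg = EmailMessage()
    msg["From"] = site_address
    msg["To"] = site_address
    msg["Reply-To"] = fields["email"]
    msg["Subject"] = "Contact form submission from " + fields["name"]
    msg.set_content(fields["comment"])
    return msg


# Constructed sample submissions (not taken from the thread).
CLEAN = {"name": "Jane", "email": "jane@example.invalid",
         "comment": "Hello, the link is http://example.invalid/page"}
INJECTED = {"name": "x",
            "email": "x@example.invalid%0ACc:victim@example.invalid%250ABcc:other@example.invalid",
            "comment": "hi"}
LINK_SPAM = {"name": "x", "email": "x@example.invalid",
             "comment": " ".join(f"http://spam{i}.invalid" for i in range(6))}

if __name__ == "__main__":
    for label, form in (("clean", CLEAN), ("injected", INJECTED), ("link spam", LINK_SPAM)):
        print(label, "->", check_form(form) or "accepted")
```

The check runs on the decoded value rather than on the raw field because a mail server never sees `%0A`; it sees whatever the form handler decodes it into, which is why a filter that only looks for the literal encoded text can be bypassed by a different encoding depth. Logging the returned problem list per source address also gives the kind of record Stuart mentions using to block repeat offenders.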
