Spamming attacks of a form - anyone else getting this?

Bouquet · #1 09-16-2006, 12:12 AM

Is anyone else experiencing spamming attacks of a form on your site?
I have a form for visitors to fill in what they would like in the way of web design services, but instead of real visitors, I'm getting dumps of crazy entries from addresses that do NOT resolve to IP addresses, so I can't even ban them in my "IP Deny" in the Cpanel. The URLs they give look like they were made by a scrambling robot. Just gibberish.

I'm using HiQFM2-0 forms right now, and they seemed to be secure until these attacks began at this one form.

Any suggestions?

slapshotw · #2 09-16-2006, 04:18 AM

I would definitely setup an image verification for people to fill out the form-- I'm sure you've seen them before. Search google for "image verification form" or "captcha" to get about a million options for implementing one.

-Matt

Serra · #3 09-16-2006, 02:52 PM

You don't even need real image verification. Just go to a site with some image verification and grab a couple of gifs of the verification numbers and rotate displaying them randomly. As you already know what the numbers for each image are, you can check that against the image you used.

Most hackers aren't going to write a specific code for your website, they will just move on to another site. Most of them are script kiddies anyway, they couldn't modifiy the code if they wanted to.

sford999 · #4 09-16-2006, 08:56 PM

I was having this problem on my site until I created a couple of functions where it checks for words (things like zanax, viagra etc...), I also have image verification too.

If the words was found, then the script will automatically reject the "post" and insert the users IP into a db table.

On each page is 2 lines, one to get the users IP into a variable, and the other is to check the IP against those held in the database.

If their IP is found, then they get redirected to a banned page and cannot access any of the site.

Serra · #5 09-16-2006, 10:04 PM

Honestly, the best way to prevent the attacks is to strip slashes from email and drop all emails with bcc: in them.

cjnoyes · #6 09-21-2006, 11:56 AM

Quote:

Originally Posted by Bouquet

Is anyone else experiencing spamming attacks of a form on your site?
I have a form for visitors to fill in what they would like in the way of web design services, but instead of real visitors, I'm getting dumps of crazy entries from addresses that do NOT resolve to IP addresses, so I can't even ban them in my "IP Deny" in the Cpanel. The URLs they give look like they were made by a scrambling robot. Just gibberish.

I'm using HiQFM2-0 forms right now, and they seemed to be secure until these attacks began at this one form.

Any suggestions?

Unless the message is originating from your server, it is not coming from the form. If you are certain it is coming from the form, one thing you could do is rename the path to the script or rename the script. The same goes for forums and guestbooks or anything that is standardized that a robot could look for.

I use a home written form on one of my sites and absolutely no spam comes through it, and that domain picks up a boatload of spam.

tedsimages · #7 09-21-2006, 03:50 PM

I've recently been experiencing a related problem. I use a form script that I wrote myself. The only thing it should be able to to is send an e-mail to me at an address hard-coded into the script. Someone apparently opened up the HTML page that calls the form, found the name of the script, and tried repeatedly to call it directly from many different IP addresses. Judging by the log entries, the script did exactly what it's supposed to do and only returned an error message to whoever called it.

Even so, I ended up renaming the script and using Javascript obfuscation to (I hope) make it more trouble than it's worth to decode it and find the renamed script. After I did that, the calls from around the world returned 404. The log entries tapered off and now appear to have stopped. But I'm getting an increasing number of "probes" looking for the standard formmail scripts (which I don't have). The spammers must be getting desperate.

Bouquet · #8 09-21-2006, 05:40 PM

Wow! It's been a busy week, and I had to hunt for this thread today to find it again (should'a made a note

But I'm sure glad to see all these suggestions.

I'm definitely going to look into the image verification.

I like your idea too, sford999, but am not sure I can pull that much off. On the other hand, I think the form I'm using allows me to put in some conditions - maybe even of that kind.

Serra, how would I strip slashes out of emails? I don't normally have them in my own... We're talking about email addresses, right? Or do you mean in the body?

cjnoyes, I have changed the names and paths of some of my form scripts, I don't know why it didn't occur to me to do that with this one. I'll give that a try too.

Thanks so much, everyone, for this smorg of answers. At least now I have some steps to take, and things to look into!

sford999 · #9 09-21-2006, 09:22 PM

Basically I use this:

The form passes the variable

PHP Code:


			
$entry = $_POST['entry'];

to the form processor, this then has the post made safe by doing:

PHP Code:


			
$entry2 =  addslashes(mysql_real_escape_string($entry));

I then pass the $entry2 variable through the spam check

PHP Code:


			
if (flag_spam($entry))
{
    make_header($head_title = 'Spam');
    include('inc/spam.php');
    make_footer();

    db_connect();
    $sql = "INSERT INTO banned_ips (ip_addr, date) VALUES ('$ip', '$date')";
    mysql_query($sql);
    die();
}

if the $entry2 variable is found to be spam, then it will stop processing the script and show an error.

So the processor would look like:

PHP Code:


			
<?php

include("functions.php");

// Get the users IP and check to see if they`re banned or not
$ip = $_SERVER['REMOTE_ADDR'];
check_ip($ip_addr = "$ip");

$date        =    date('jS F Y, g.sa');
$entry         =    $_POST['entry'];
$entry2     =    addslashes(mysql_real_escape_string($entry));

// Check to see if $entry2 contains banned words
if (flag_spam($entry))
{
    make_header($head_title = 'Spam');
    include('inc/spam.php');
    make_footer();

    db_connect();
    $sql = "INSERT INTO banned_ips (ip_addr, date) VALUES ('$ip', '$date')";
    mysql_query($sql);
    die();
}

// No bad words found, so continue

// Rest of the form processor here

?>

The 2 functions are:

PHP Code:


			
function flag_spam($text)
{
    $total_matches = 3;
    $trash = array();

    // Count the regular links
    $regex = "/<\\s*a\\s+href\\s*=\\s*/i";
    $total_matches += preg_match_all($regex, $text, $trash);

    // Count the PHPBB links
    $regex = "/[\\s*/\\s*url\\s*]/i";
    $total_matches += 5 * @preg_match_all($regex, $text, $trash);

    // Check for common spam words - can add more as and when needed
    $words = array('phentermine', 'viagra', 'cialis', 'vioxx', 'oxycontin', 'levitra', 'ambien', 'xanax', 'paxil', 'casino', 'slot-machine', 'texas-holdem',  'carisoprodol', 'viagra', 'information-loss-weight', 'loss-weight', 'installer-microsoft-windows', 'windows-xp', 'zyrtec', 'ultram', 'tramadol', 'tadalafil', 'vicodin', 'propecia', 'soma', 'xenical', 'paxil', 'meridia', 'roulette', 'ionamin', 'ephedra', 'fioricet', 'lipitor', 'adobe-acrobat', 'microsoft-office" ', 'hangover-pill" ', 'fight', 'drug', 'pill', 'hormone', 'wellbutrin', 'Lorazepam', 'Ativan', 'thyroid', 'prozac', 'zanax');

    foreach ($words as $word)
    {
        $word_matches = preg_match_all('/' . $word . '/i', $text, $trash);
        $total_matches += 5 * $word_matches;
    }

    if ($total_matches > 3)
    {
        return TRUE;
    }
    return FALSE;
}

PHP Code:


			
function check_ip($ip_addr = '')
{
    db_connect();
    $sql = "SELECT * FROM banned_ips WHERE ip_addr = '$ip_addr'";
    $result = mysql_query($sql);

    $banned_ip = mysql_num_rows($result);

    if($banned_ip >= "1")
    {
        make_header($head_title = "Your IP ($ip_addr) is banned");
        include("inc/banned.php");
        make_footer();
        die();
    }
}

I also use captcha on my forms and the script I use for that can be found here: http://www.ejeliot.com/pages/2

Bouquet · #10 10-11-2006, 04:21 PM

Thanks, sford999!
I've taught myself enough web design to be astonished at all there is to learn yet. Your instructions ring like truth to me, but I'm going to have a learning curve here until I figure out how to apply this. Is it going to be a bother if I come back here to ask questions?

I should mention that I did try out some image authentication scripts, but found it discouraging. Two of them didn't have complete enough instructions so I could understand and use them. One that called for simple addition problems to be solved as the CAPTCHA script installed okay, but the supplied graphics would not show up.

So I resigned myself to re-naming the form script I've been using and re-doing my form pages that way. I'm not done yet, and the spam appears to be increasing! (Mind you, I've just installed SUSE 10.1, up from 9.3, and all my filters need to be done over again. Perhaps that's why I SEE more of it).

I've just read the ejeliot.com link you recommended and his SitePoint article. Again, I need to study this, and maybe learn more php before I can pull it off, but today you've given me hope again. I thank you for that!

Blessings & Thanks,
Bouquet

Bouquet · #11 10-16-2006, 04:06 PM

Hi sford999,
Last week I read a course online in php, and now I understand more of the terminology and the general principles. But just now I tryed renaming the three key files from the HiQFM2.0 script that I'm using, so I could insert and test your codes without damaging the originals. Guess I haven't got it right yet because I'm getting error messages.

May I check to see if I've understood you right?

This part:
$entry = $_POST['entry'];

should go into my form on the html page, but with the usual
<?php opening and ?> closing, right? It doesn't matter where in the form?

The following is all just part of the main processor MyTry.php
file, right? Or should it stand alone?

<?php

include("functions.php");

// Get the users IP and check to see if they`re banned or not
$ip = $_SERVER['REMOTE_ADDR'];
check_ip($ip_addr = "$ip");

$date = date('jS F Y, g.sa');
$entry = $_POST['entry'];
$entry2 = addslashes(mysql_real_escape_string($entry));

// Check to see if $entry2 contains banned words
if (flag_spam($entry))
{
make_header($head_title = 'Spam');
include('inc/spam.php');
make_footer();

db_connect();
$sql = "INSERT INTO banned_ips (ip_addr, date) VALUES ('$ip', '$date')";
mysql_query($sql);
die();
}

// No bad words found, so continue

// Rest of the form processor here

?>

The last two code snips might stand alone as function.php files, but in the script I'm using they are all put into one called, class.MyTryConfg.php

It's probably not so wise mixing these two, is it?

On the other, studying these php files more closely, I see that the author has already written in code for banning bad email addresses. He doesn't call for a a mySQL database, but just a list in the main adjustable confg.conf file. Since those spammers change email addresses like disposable tissues, maybe if that could be re-written to include IP addresses, which I already have my form collecting as an environmental requirement, then this form could accomplish the same trick. Do you think?

I should mention that you can get this form from; http://hiqformmail.com.

On last question for today. To use your idea I should really set up a specific MySQL database to collect the bad IPs, right?
I take it I need to do that in advance.

Thanks so much for your patience and help!!

Blessings,
Bouquet

Bouquet · #12 11-30-2006, 11:37 AM

Hi folks.
Just thought it would be fair to report how this turned out for me.
I've spent the last couple of months trying out various scripts for forms, including CAPTCHA, and none would really work for me.

Then I read in one forum post here on HostGator, that the most secure place for recipient emails was in the level above the public_html.

Ah-ha! I recalled that when I used a cgi script from NMS it had done that. It worked fine for me, but my previous host had no support when the scripts broke in the move. I decided to go back to see if they had newer versions of the script that would make it more secure. They did!

So now I've switched all three of my sites, and some of those I look after over to this, and I've also changed the emails I use for the forms, and deleted the old ones.

Aside from a few spammers who are still coming to my business site and pasting spam into the forms, I think I have the problem licked. Those that do, I get their IP address and emails and stick them into Spam Assassin.

I've learned a lot in searching for these answers and know I need to stay on top of this matter as things do change. But I was relieved to find there ARE answers!

Thanks everyone, and Blessings,
Bouquet