Cracked Form Mail Now Becoming Popular and Almost Unblockable
(#1) I Hate Form Spams - 05-14-2007, 01:30 AM

Selected accounts are seeing 40+ spams per day from insecure web Kontact
forms. This does not count the resolved address names which for various
reasons are blocked (no resolved name, generic resolved names, etc).

Most all of these bad forms are in Europe or Asia, with only a few in
either North or South America. Most are old php forms from Matt's Script
Archive. Thanks, Matt.

There are three distinct "styles" of spam, each having separate "bcc:"
lists containing from 90 to 800 addresses each. One style hawks HTH,
Hoodia, Fake Diplomas, Green Tea and some magic cholesterol eraser. Another
is pushing mortgages, low cost "loans" and work-at-home. The third
advertises watches and jewelry, some of which is claimed to be stolen from
wealthy deposed rulers (like 419's a little?). One spammer repeats his
message several times probably because he thinks it foils greylists.

There are automated programs going around which reputedly can find and
exploit these forms automatically. With only a few zombies, a spammer can
leverage rather massive amounts of spew with little effort and no gateway
blocking.

Of course, content filters dump almost all of this in spam boxes, never to
be seen by the intended recipients. This is because spamboys haven't
figured out how to get viewable images in most of the web forms yet and
content is pretty easy for filters even as simple as spamassassin.

It is a shame that ordb.org and maybe spews.org are going out of business,
because finding and alerting the owners of insecure web forms could have
been a very good charter for them.



   
(#2) E-Mail Sent to this address will be added to the BlackLists
Re: Cracked Form Mail Now Becoming Popular and Almost Unblockable - 05-14-2007, 01:30 AM

I Hate Form Spams wrote:
Subject: Cracked Form Mail Now Becoming Popular and Almost Unblockable

Block the IP that your mail server sees as the source of abuse,
and move on.

> It is a shame that ordb.org and maybe spews.org are going out
> of business, because finding and alerting the owners of
> insecure web forms could have been very good charter for them.


web.dnsbl.sorbs.net
List of web (WWW) servers which have spammer abusable
vulnerabilities e.g. FormMail scripts & other (non-webserver)
abusable vulnerabilities.

--
E-Mail Sent to this address <EMAIL REMOVED>
will be added to the BlackLists.
   
(#3) Thanks
Re: Cracked Form Mail Now Becoming Popular and Almost Unblockable - 05-14-2007, 01:30 AM


"I Hate Form Spams" <EMAIL REMOVED> wrote in message
news:EMAIL REMOVED...
> Selected accounts are seeing 40+ spams per day from insecure web Kontact
> forms. This does not count the resolved address names which for various
> reasons are blocked (no resolved name, generic resolved names, etc).
>
> Most all of these bad forms are in Europe or Asia, with only a few in
> either North or South America. Most are old php forms from Matt's Script
> Archive. Thanks, Matt.
>
> There are three distinct "styles" of spam, each having separate "bcc:"
> lists containing from 90 to 800 addresses each. One style hawks HTH,
> Hoodia, Fake Diplomas, Green Tea and some magic cholesterol eraser. Another
> is pushing mortgages, low cost "loans" and work-at-home. The third
> advertises watches and jewelry, some of which is claimed to be stolen from
> wealthy deposed rulers (like 419's a little?). One spammer repeats his
> message several times probably because he thinks it foils greylists.
>
> There are automated programs going around which reputedly can find and
> exploit these forms automatically. With only a few zombies, a spammer can
> leverage rather massive amounts of spew with little effort and no gateway
> blocking.
>
> Of course, content filters dump almost all of this in spam boxes, never to
> be seen by the intended recipients. This is because spamboys haven't
> figured out how to get viewable images in most of the web forms yet and
> content is pretty easy for filters even as simple as spamassassin.
>
> It is a shame that ordb.org and maybe spews.org are going out of business,
> because finding and alerting the owners of insecure web forms could have
> been a very good charter for them.
>

A few months ago, our website was a relay station for tons of spam mails.
Although the technical support kept on blocking the source IP, they
kept on changing their IP.
So finally we had to 'break' the link between the webserver and the mail
server, and it stopped the spam.

You might not believe it, our website was developed by a private company and
they used the simple PHP mail() function to send mail,
and that is the big hole for the spam mail to get through. We called/emailed that
private company and they refused to reply to our call for fixing the problem.

Now we have to do it ourselves by downloading phpmailer and installing it onto
our webserver.
Our contact-us page is working now and no more spam can get through.




   
(#4) Jim Seymour
Re: Cracked Form Mail Now Becoming Popular and Almost Unblockable - 05-14-2007, 01:30 AM

In article <EMAIL REMOVED>,
"Thanks" <EMAIL REMOVED> writes:
[snip]
>
> You might not believe it, our website was developed by a private company


That means nothing.

> and
> they use the simple PHP mail() function to send mail.
> and that is the big hole for the spam mail to get through.


That wasn't the fault of mail(). That was the fault of incompetent
design/coding.

> Call/email that
> private company and they refuse to reply our call for fixing the problem.


Imagine that: Can't design/code competently and shuns customers.

[remainder snipped]

--
Jim Seymour | "Some of the lies are so strange it
WARNING: The "From:" address is a | makes you wonder about the spammer's
spam trap. DON'T USE IT! Use: | sanity."
EMAIL REMOVED | - Ed Foster, "The Gripe Line" 6/24/02
   
(#5) Stephen Satchell
Re: Cracked Form Mail Now Becoming Popular and Almost Unblockable - 05-14-2007, 01:30 AM

Thanks wrote:
> You might not believe it, our website was developed by a private company and
> they use the simple PHP mail() function to send mail.
> and that is the big hole for the spam mail to get through. Call/email that
> private company and they refuse to reply our call for fixing the problem.


That company flunks Computer Science 101. One of the major MUST DO
tasks in computer programming is to "check your input". Failure to
check input is the main cause of certain types of formmail and guestbook
spam.

For $DAYJOB, I have this web page for customers:

http://email.amhosting.com/php-scripts.html


> Now we have to do it our self by downloading phpmailer and install it into
> our webserver,
> our contact-us page is working now and no more spam can get through.


Why are you depending on the competence of others? Have you verified
that phpmailer does indeed check all input, and prevents people from
sending entire mails through, say, the Subject: field?

--
A little learning is a dang'rous thing;
Drink deep, or taste not the Pierian spring;
There shallow draughts intoxicate the brain,
And drinking largely sobers us again.
-- Alexander Pope, Essay on Criticism
   
(#6) Rodney Engdahl
Re: Cracked Form Mail Now Becoming Popular and Almost Unblockable - 05-14-2007, 01:30 AM


Stephen Satchell wrote:
> Thanks wrote:
> > Now we have to do it our self by downloading phpmailer and install it into
> > our webserver,
> > our contact-us page is working now and no more spam can get through.

>
> Why are you depending on the competence of others? Have you verified
> that phpmailer does indeed check all input, and prevents people from
> sending entire mails through, say, the Subject: field?
>


Our own mail form was pretty tight, and still we shut it down recently
because some (incompetent) spammer was using it to send dozens of spams
to the contact address specified in the server-side code. It didn't
get outside our service, but it was annoying anyway.

   
(#7) Mark Goodge
Re: Cracked Form Mail Now Becoming Popular and Almost Unblockable - 05-14-2007, 01:30 AM

On 20 Dec 2006 07:10:25 -0800, Rodney Engdahl put finger to keyboard
and typed:

>
>Stephen Satchell wrote:
>> Thanks wrote:
>> > Now we have to do it our self by downloading phpmailer and install it into
>> > our webserver,
>> > our contact-us page is working now and no more spam can get through.

>>
>> Why are you depending on the competence of others? Have you verified
>> that phpmailer does indeed check all input, and prevents people from
>> sending entire mails through, say, the Subject: field?
>>

>
>Our own mail form was pretty tight, and still we shut it down recently
>because some (incompetent) spammer was using it to send dozens of spams
>to the contact address specified in the server-side code. It didn't
>get outside our service, but it was annoying anyway.


I find that two simple tests catch 95% of attempted form spam:

1. Check for a newline in any input where the entry is via a one-line
field (such as <input type="text">). This is usually a sign of
attempted header injection, which of course won't get past any
competently-written script anyway, but you still want to avoid getting
the stuff in your own inbox.

2. Check for the strings "href=", "[http" and "[url" in any multi-line
input (eg, from a <textarea>). There's no reason why any genuine user
would use these, but they are all common spammer techniques as they
hope to get the URL displayed on some web-visible form.

If any of these are detected, my scripts go to sleep() for about 20
seconds and then display an "invalid input" message rather than
generate the email or database entry that results from a valid
submission. That bogs down the spambots without putting load on the
server. If I'm getting a lot of these attacks then I also capture the
submitting IP address and block it from the site.

Mark
--
Please give me one! http://www.pleasegivemeone.com
"Too sweet to be sour too nice to be mean"
   
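Added example, not part of any post in this thread: a PHP version of the two checks Mark Goodge describes in post #7, which also covers the "check your input" point about mail sent through the Subject: field raised in post #5. The function names, field names and sample submissions are assumptions constructed for illustration.

```php
<?php
// Added example; field names and sample values are constructed.
const LINK_MARKERS = ['href=', '[http', '[url'];

// Return the reasons a submission looks like form spam (empty array = clean).
function screen_submission(array $oneLine, array $multiLine): array
{
    $reasons = [];
    foreach ($oneLine as $name => $value) {
        // Test 1: a CR or LF cannot come from <input type="text">;
        // it usually means an attempt to inject extra mail headers.
        if (preg_match('/[\r\n]/', (string) $value)) {
            $reasons[] = "newline in one-line field '$name'";
        }
    }
    foreach ($multiLine as $name => $value) {
        // Test 2: link markup in free text, matched case-insensitively.
        foreach (LINK_MARKERS as $marker) {
            if (stripos((string) $value, $marker) !== false) {
                $reasons[] = "'$marker' in multi-line field '$name'";
            }
        }
    }
    return $reasons;
}

// Returns true only when the caller may go on to build the e-mail or
// database entry; otherwise logs the source, stalls, and rejects.
function accept_submission(array $oneLine, array $multiLine, int $delay = 20): bool
{
    $reasons = screen_submission($oneLine, $multiLine);
    if ($reasons === []) {
        return true;
    }
    $ip = $_SERVER['REMOTE_ADDR'] ?? 'cli';
    error_log("form rejected from $ip: " . implode('; ', $reasons));
    sleep($delay);
    echo "invalid input\n";
    return false;
}

// Constructed sample submissions (delay set to 0 so the demo returns at once).
$clean  = accept_submission(['subject' => 'Opening hours'], ['message' => "Hi,\nare you open on Sunday?"], 0);
$inject = accept_submission(['subject' => "Hi\r\nBcc: list@example.invalid"], ['message' => 'hello'], 0);
$links  = accept_submission(['subject' => 'Hi'], ['message' => 'see [url=http://example.invalid]this[/url]'], 0);
var_dump($clean, $inject, $links);
```

The logged address is what a site owner would feed into the IP blocking and abuse reporting discussed in the following posts.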
(#8) John Bokma
Re: Cracked Form Mail Now Becoming Popular and Almost Unblockable - 05-14-2007, 01:30 AM

Mark Goodge <EMAIL REMOVED> wrote:

> If any of these are detected, my scripts go to sleep() for about 20
> seconds and then display an "invalid input" message rather than
> generate the email or database entry that results from a valid
> submission.


I doubt if bots check for success.

> That bogs down the spambots without putting load on the
> server.


Spambots probably run 100-200 threads at the same time, or run distributed
anyway. You might harm a small fish though.


> If I'm getting a lot of these attacks then I also capture the
> submitting IP address and block it from the site.


And hopefully you also report that IP address. What most people forget is
reporting the shit. Sometimes a waste of time, but there are quite some
ISPs and hosting providers (of the aforementioned [url=...] etc. spam)
that disconnect the user (for IP) and drop the site(s).

Been there done that. My reporting has resulted in hundreds of sites being
taken down in a short time. No bragging, but just showing that *you*
reporting might make a difference.

--
John Need help with SEO? Get started with a SEO report of your site:

--> http://johnbokma.com/websitedesign/seo-expert-help.html
   
(#9) Mark Goodge
Re: Cracked Form Mail Now Becoming Popular and Almost Unblockable - 05-14-2007, 01:30 AM

On 20 Dec 2006 21:19:24 GMT, John Bokma put finger to keyboard and
typed:

>Mark Goodge <EMAIL REMOVED> wrote:
>
>> If any of these are detected, my scripts go to sleep() for about 20
>> seconds and then display an "invalid input" message rather than
>> generate the email or database entry that results from a valid
>> submission.

>
>I doubt if bots check for success.


That's in case it happens to be a human.

>> That bogs down the spambots without putting load on the
>> server.

>
>Spambots probably run 100-200 threads at the same time, or run distributed
>anyway. You might harm a small fish though.


It's mostly to stop them hammering my site.

>> If I'm getting a lot of these attacks then I also capture the
>> submitting IP address and block it from the site.

>
>And hopefully you also report that IP address. What most people forget is
>reporting the shit. Sometimes a waste of time, but there are quite some
>ISPs and hosting providers (of the aforementioned [url=...] etc. spam)
>that disconnect the user (for IP) and drop the site(s).
>
>Been there done that. My reporting has resulted in hundreds of sites being
>taken down in a short time. No bragging, but just showing that *you*
>reporting might make a difference.


What would be helpful is some kind of automated reporting tool.

Mark
--
Visit: http://www.GoogleFun.info - fun and games with Google!
"All the promises we break from the cradle to the grave"
   
(#10) Charles Sweeney
Re: Cracked Form Mail Now Becoming Popular and Almost Unblockable - 05-14-2007, 01:30 AM

I Hate Form Spams wrote

> spews.org are going out of
> business


Again?

--
Charles Sweeney
http://CharlesSweeney.com
   