I run several websites which use similar web forms to send emails to various folks within the organisation. Of course, this was an attempt to keep them hidden from the spammers by not having their email addresses online.
Now, on one of my sites, my clients are getting spammed. I'm using a simple ASP interface that I built, and over time I've jury-rigged it to stop various spam attackers.
First, I put in a routine that checks that email addresses are properly formatted and that email addresses entered into the form don't contain my own domain name in them.
That stopped a lot of them, since many were entering Something@myDomain.com as their email address and as their name.
Second, I put in a routine that looks for the words "MIME-Version" in the content. This seemed to stop lots and lots of it.
With the newest onslaught I put in a third line of defense: we check the page referrer, as such:
<%
' Referrer check. HTTP_REFERER is supplied by the client, so it can be left out or forged.
Dim strPageURL, theirIP, isItGood, theStringWeWant
theStringWeWant = "contact.asp"   ' placeholder: the page the form lives on
strPageURL = Request.ServerVariables("HTTP_REFERER")
theirIP = Request.ServerVariables("REMOTE_ADDR")
If InStr(strPageURL, theStringWeWant) > 0 Then
    isItGood = "good"
Else
    isItGood = "bad"
End If
If isItGood = "bad" Then
    Response.Redirect "contact.asp?step=7&ip=" & theirIP
End If
%>
But that's not stopping them.
So I'm currently recording IP addresses in all emails to see if I can see a trend in the IPs that the emails are coming from.
I don't want to put in a CAPTCHA because I have strong desires to keep the site simple and accessible, although I know there are some commercial CAPTCHAs out there that have .wav/.mp3 versions of the graphics and read them out to you when you click a button. Seems all a bit extreme.
I'm tempted to just plug the new hole.
All of the latest onslaught has been very, very similar. It has looked like this, actually:
Dear Alex,
The following message was sent to you directly from the CONTACT page of the website
Name of sender: <snip>
Email Address: <snip>
Their IP is: <snip>
Their comment or question is...:
snip [/url]magna rx
...End of Message.
I hope I'm not breaking any site rules by posting that. (Those aren't the REAL URLs; I added "example" where the original domains were.) But basically, all of my spams are following the same pattern. Sometimes it's for poker, sometimes it's casino... lots of gambling, actually. So far no porn. It's really annoying; we're getting dozens a day.
I'm assuming my IP address watch won't turn up anything useful.
My impulse is to search the message body for instances of [url=http:// under the assumption that any legitimate message wouldn't put that. Of course, then people might have a hard time sending in recommendations for new links on the site.
I just don't know. Any ideas from folks would be really, really appreciated.
cheers!
Stratus
[edited by: Stratus42 at 7:19 pm (utc) on Oct. 21, 2006]
[edited by: physics at 7:00 pm (utc) on Oct. 22, 2006]
[edited by: trillianjedi at 10:34 am (utc) on Oct. 24, 2006]
[edit reason] No specifics please [/edit]
If it's spammers using the email field to send BCCs to AOL etc., one thing you could try is to count how many characters are in the email field that gets submitted to the script.
If it's more than 100, then there's a good chance that it's a spam robot, in which case you just redirect to an error page.
You won't catch spammers with IP patterns; they mostly use proxy IPs which are used by their spam robots.
Again this was very effective, but I removed it since I thought it was a little unfair to genuine visitors. If you're not bothered about traffic from China and want to try this, let me know and I'll post the code. The list of IP blocks can be found by Googling "okean chinese" (without the quotes). There's a regularly updated text file there which I parse and add to a database table.
I've not had a legitimate message through from China since I removed the block, so I'm considering putting it back again. I'd be interested in hearing any other suggestions that don't involve blocking an entire country!
I have basic ASP forms on my site that send emails to me and tech reps at my company. Obviously my client-side JavaScript is of no use against these spam bots.
I have my form (Form.asp), which submits to my submission page (Submit.asp), which then sends to the thanks page (thankyou.asp).
The data is sent to a SQL database and is not supposed to allow NULL values in certain fields, although I just got 3 forms in my email that had all blank values.
Can someone direct me towards actual code snippets that I can add either to my submit page or to my actual form page to not allow these spam bots to send the forms to me blank?
I have been dealing with this for months...
[edited by: Ocean10000 at 3:59 pm (utc) on Nov. 10, 2006]
I ended up doing a few stop-gap, plaster-applying methods which seem to have slowed the flow significantly.
1st, I'm checking the referrer page to ensure that the poster is indeed originating from my contact page.
2nd, I'm blocking all posts that contain any of a few common strings in their URLs, mostly directing people to someplace on blogspot or to hometown AOL.
3rd, I'm blocking all posts that do not have at least 10 characters in the message (this is blocking the blank ones).
4th, I'm blocking any post without a "real" formatted email, e.g. example@example.com.
5th, I'm blocking any post that contains my own domain name in the name or email fields.
6th, I found a few ISPs that were being repeated, so I'm blocking those.
7th, I found one rash of spam that was using "zzy@example.com", so I blocked any email address that contains the string "zzy".
Finally, in order to keep a close eye on any emerging trends, I've BCC'd every message sent to the various form recipients to myself. This I hesitate to do because I'm sure my clients would prefer some privacy, but I informed them of it and the reasons, and they were OK with it.
I REALLY like the "type the word 'word' in this box" method; much easier and more accessible than a standard CAPTCHA. Although I did find a CAPTCHA system that I could purchase for something like $30 that included a button to click to have the various letters/numbers read out to you audibly. Not especially accessible, but much better than a standard one which relies on the visual acuity of the poster.
Happy to receive any more suggestions!
Cheers
Stratus
The Contact Us button does a POST to the Contact Us form. One of the hidden variables in the first "form" is the URL of the referring page. I also put in an MD5 hash of the referring page URL and a secret phrase that changes from time to time.
That way, if someone tries to copy my forms to submit, it will only work for a few hours, then be invalid after the secret phrase changes.
Barry
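Barry's approach above (a hidden copy of the referring URL plus a hash of that URL and a secret phrase that is rotated by hand) is essentially a signed form token. The block below is an added example, not Barry's code or anything from this thread, and it is written in Python rather than ASP so the logic is easy to follow: it uses HMAC-SHA256 instead of a bare MD5 and adds an explicit issue timestamp, so a stale or cloned token is rejected by age rather than by waiting for the phrase to change. The field names, the SECRET value and the two-hour lifetime are assumptions for the example.

```python
"""Signed, time-limited hidden form token (added example).

The server emits page/ts/sig as hidden fields when it renders the contact
form, and the submit handler refuses the POST unless the signature matches
and the token is still fresh. A bot that POSTs straight to the submit page
has no token; one that copied the form yesterday has an expired one.
"""
import hashlib
import hmac
import time
from typing import Dict, Optional, Tuple

# Assumed secret for the example; in practice load it from config, never from source.
SECRET = b"example-secret-phrase-rotate-me"
TOKEN_LIFETIME = 2 * 60 * 60  # seconds a rendered form stays valid (assumption)


def _mac(page_url: str, issued: int, secret: bytes) -> str:
    """HMAC over the page URL and the issue time, so neither can be altered."""
    msg = f"{page_url}|{issued}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def issue_token(page_url: str, now: Optional[int] = None,
                secret: bytes = SECRET) -> Dict[str, str]:
    """Values to emit as hidden fields when rendering the form."""
    issued = int(time.time()) if now is None else now
    return {"page": page_url, "ts": str(issued),
            "sig": _mac(page_url, issued, secret)}


def verify_token(form: Dict[str, str], now: Optional[int] = None,
                 secret: bytes = SECRET,
                 lifetime: int = TOKEN_LIFETIME) -> Tuple[bool, str]:
    """Return (ok, reason). Rejects missing, tampered and expired tokens."""
    try:
        page = form["page"]
        issued = int(form["ts"])
        sig = form["sig"]
    except (KeyError, ValueError):
        return False, "missing"
    expected = _mac(page, issued, secret)
    # Constant-time comparison so the check does not leak the MAC byte by byte.
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return False, "bad-signature"
    current = int(time.time()) if now is None else now
    # Reject tokens older than the lifetime, and tokens "issued" in the future.
    if current - issued > lifetime or issued > current + 60:
        return False, "expired"
    return True, "ok"


if __name__ == "__main__":
    token = issue_token("https://www.example.com/contact.asp")
    print(verify_token(token))                      # fresh token from our own form
    token["page"] = "https://copied.example/"        # cloned form with edited field
    print(verify_token(token))
```

A caveat that matters for the bots Dave describes later in the thread: this stops replays of a captured token and direct POSTs that skip the form, but a bot that fetches the form fresh on every run gets a valid token each time, so the signed token belongs alongside the other checks rather than replacing them.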
I am glad to learn that I am not the only one that is experiencing this problem.
Unfortunately for a guy like me, my hand-coding isn't the best. All the ASP development I do is through Dreamweaver MX, and I can't find anything that would better enable me to protect my ASP forms.
I have a website registration form with the following fields
First Name
Last Name
Username
Password
Company
Email Address
Web site URL
company Description
While some of the fields are optional, some are not, like username and password. What happens is that data from the above form gets inserted into a database table.
For the past several weeks now, it seems that spammers insert HTML code into the password field. When the submit button is hit, the form is supposed to go to the new user with his username and password, and I get a copy as well. This is how I have discovered that the spammer is doing this.
The problem I'm having is that my database table now contains a bunch of garbage and useless information. It isn't a problem for me to go in and delete this, but I'd sure like it to stop and prevent this from getting worse. I don't think my server has been hijacked, as the email headers don't show any BCC info.
After reading some of the suggestions here, I would like to be able to find coding examples so I can implement some of these suggestions.
Thanks for any help.
Mechaworx.
One of the new and interesting techniques I've implemented on one of my client sites was built to try and block the spam submissions that contain what looks like a whole bunch of random, senseless characters (maybe it's Chinese or a different charset or something). Anyway, what I've done there is put in a form field that, using CSS, is not visible in browsers, and has a name bots may find enticing!
The idea is that spam bots will spot this field and fill it in. Humans, using browsers, won't see it and will leave it blank. I then use some ASP to check if that field has been filled in or not; if it has, the message is rejected.
example:
<style type="text/css">
.shhh { display: none; }
</style>
<p class="shhh">Don't put anything in the following field:
  <input name="EmailAddress" id="EmailAddress" type="text" class="shhh" /></p>

<%
' Server side: a human never sees the field, so any value in it means a bot filled it in
Dim spamStop1
spamStop1 = Trim(Request.Form("EmailAddress"))
If spamStop1 <> "" Then
    Response.Redirect "contact.asp?step=4"
End If
%>
I have some high hopes for this one and will report back on its effectiveness :-)
cheers!
Stratus
I see in my log the call to the "formSubmit.asp" page, but no corresponding call to "form.asp" yet the referrer from the spammer shows the proper referrer.
The CAPTCHA code looks for a value of session("myvariableName").
How do they know what the session variable required is, and how do they fake that?
More importantly, what else can be done? I can't use the "invisible field" technique described above, since they are bypassing the original form and just using the formSubmit.asp page.
Thanks in advance.
Dave
There is probably a more elegant way to do this, but it works for me...... (I don't use a CAPTCHA)
<%
' FORM SPAMMER CHECKS
Dim strInputText, strTemp, strErrorPage, GetWordCount, GetCharCount

' Set the error page
strErrorPage = "error.asp"

' Check the email field: count the number of words and characters in it.
strInputText = Request("email")

' Deal with tabs and carriage returns by replacing them with spaces.
strTemp = Replace(strInputText, vbTab, " ")
strTemp = Replace(strTemp, vbCr, " ")
strTemp = Replace(strTemp, vbLf, " ")

' Remove leading and trailing spaces
strTemp = Trim(strTemp)

' Collapse runs of spaces down to single ones (two spaces -> one, until none are left)
Do While InStr(1, strTemp, "  ", 1) <> 0
    strTemp = Replace(strTemp, "  ", " ")
Loop

' Get a count by splitting the string into an array and retrieving
' the number of elements in it. Add one to deal with the 0 lower bound.
GetWordCount = UBound(Split(strTemp, " ", -1, 1)) + 1
GetCharCount = Len(strInputText)

If GetCharCount > 50 Then Response.Redirect strErrorPage
If GetWordCount > 1 Then Response.Redirect strErrorPage

' Check the other fields for stop words (compare mode 1 = case-insensitive)
Sub RejectIfContains(fieldName, stopWord)
    If InStr(1, Request(fieldName), stopWord, 1) > 0 Then
        Response.Redirect strErrorPage
    End If
End Sub

RejectIfContains "address", "http"
RejectIfContains "address", "url"
RejectIfContains "comments", "http"
RejectIfContains "comments", "url"
RejectIfContains "email", "viagra"
RejectIfContains "email", "cialis"
RejectIfContains "email", "levitra"
%>
@Stratus - I really like your hidden "EmailAddress" field idea. I've recently added this to my contact forms and it seems to be working very well at the moment. I've now started logging every time a message fails and why it failed, so I'll post some results when I get a decent amount of data.
Wow, hey, how do you do that? What are you doing which logs when a message fails and why? I'd love to find a way to see if my spam techniques are working, and which ones are working, or if the spammers have just taken a holiday.
I suppose I could look at my logs. I'd have to contact my webhost and ask him to send me the log files.
Somebody asked me how I test to see if the hidden input field does actually fail if it's filled in, and I thought it worth posting here.
I go into Opera and select View - User mode - Emulate text browser, and then fill in the field. If it lets me send, then I did something wrong :-)
Right now, and I hope I'm not jinxing something here, since I put in the hidden field I haven't had a single spam go through.
Also, I wish I could take credit for it, but I found the idea on the web. I can't remember where, and I couldn't post the URL if I did, but I'm dead pleased that it seems to have worked so far.
cheers folks
Stratus
To log the spam attempts I set up a simple access database with the table "SpamLog". I added a numeric field (starting at 0) for each spam check:
BBCodeURL - Messages containing "[url="
OwnEmail - Messages sent from an email address at my domain
HiddenField - Messages with input in the hidden "EmailAddress" field
After I've done my usual form validation, I validate the message against the spam rules:
' bSpam, sMessage and sEmail are set by the normal form validation above;
' ConnOpen and ConnClose are the poster's own helpers that open and close oConn.
If InStr(LCase(sMessage), "[url=") > 0 Then
    bSpam = True
    ConnOpen
    oConn.Execute "UPDATE [SpamLog] SET BBCodeURL = BBCodeURL + 1"
    ConnClose
End If
'
If InStr(LCase(sEmail), "mydomain.com") > 0 Then
    bSpam = True
    ConnOpen
    oConn.Execute "UPDATE [SpamLog] SET OwnEmail = OwnEmail + 1"
    ConnClose
End If
'
If Len(Request.Form("EmailAddress")) > 0 Then
    bSpam = True
    ConnOpen
    oConn.Execute "UPDATE [SpamLog] SET HiddenField = HiddenField + 1"
    ConnClose
End If
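The thread ends up with three things that fit together: Stratus's numbered list of checks (referrer, blocked URL strings, minimum message length, email format, own domain in the name or email fields, blocked addresses, a blocked string in the email), the hidden "EmailAddress" trap field, and the SpamLog counters that record which rule caught each message. The block below is an added example, not code from any poster in this thread, that puts those pieces together in Python rather than ASP so the rules can be read and tested in one place: each submission is classified by the first rule it trips, and the per-rule counts stand in for the SpamLog table. The domain, contact page URL, blocklists, field names and the sample submissions are all constructed for the example.

```python
"""Rule-based contact-form spam filter with per-rule counters (added example).

classify() returns the name of the first rule a submission trips, or None
if it passes; run_samples() feeds a few constructed submissions through it
and tallies the results the way the thread's SpamLog table does.
"""
import re
from collections import Counter
from typing import Dict, Optional

# All of these are assumptions for the example.
OWN_DOMAIN = "mydomain.com"
CONTACT_PAGE = "https://www.mydomain.com/contact.asp"
BLOCKED_URL_FRAGMENTS = ("blogspot.com", "hometown.aol.com")
BLOCKED_EMAIL_FRAGMENTS = ("zzy",)
BLOCKED_IPS = {"203.0.113.7"}          # documentation address, stands in for a blocked ISP
HONEYPOT_FIELD = "EmailAddress"        # hidden via CSS; the real field is "email"
MIN_MESSAGE_LEN = 10
MAX_EMAIL_LEN = 100                    # the thread's "more than 100 chars is a bot" check
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def classify(form: Dict[str, str], referer: str, ip: str) -> Optional[str]:
    """Return the name of the first spam rule tripped, or None if the post is clean."""
    name = form.get("name", "")
    email = form.get("email", "").strip()
    message = form.get("comments", "")
    # A browser never shows the trap field, so any value means a bot filled the form.
    if form.get(HONEYPOT_FIELD, "").strip():
        return "HiddenField"
    # Referrer is client-supplied and forgeable; it only catches the lazy bots.
    if CONTACT_PAGE not in referer:
        return "BadReferer"
    if ip in BLOCKED_IPS:
        return "BlockedIP"
    if len(message.strip()) < MIN_MESSAGE_LEN:
        return "TooShort"
    if len(email) > MAX_EMAIL_LEN or not EMAIL_RE.match(email):
        return "BadEmail"
    if OWN_DOMAIN in email.lower() or OWN_DOMAIN in name.lower():
        return "OwnEmail"
    if any(frag in email.lower() for frag in BLOCKED_EMAIL_FRAGMENTS):
        return "BlockedEmailString"
    low = message.lower()
    if "[url=" in low:
        return "BBCodeURL"
    if "mime-version" in low:
        return "HeaderInjection"
    if any(frag in low for frag in BLOCKED_URL_FRAGMENTS):
        return "BlockedURL"
    return None


# Constructed sample submissions: (form fields, HTTP referer, remote address).
LEGIT = {"name": "Alice", "email": "alice@example.net",
         "comments": "Could you add a link to the new fixtures page?"}
SAMPLES = [
    (LEGIT, CONTACT_PAGE, "198.51.100.5"),
    ({**LEGIT, HONEYPOT_FIELD: "bot@spam.example"}, CONTACT_PAGE, "198.51.100.5"),
    (LEGIT, "", "198.51.100.5"),                      # direct POST to the submit page
    ({"name": "", "email": "", "comments": ""}, CONTACT_PAGE, "198.51.100.5"),
    ({**LEGIT, "email": "Something@myDomain.com"}, CONTACT_PAGE, "198.51.100.5"),
    ({**LEGIT, "comments": "[url=http://casino.example]magna rx[/url] buy now"},
     CONTACT_PAGE, "198.51.100.5"),
    ({**LEGIT, "email": "zzy@example.com"}, CONTACT_PAGE, "198.51.100.5"),
    (LEGIT, CONTACT_PAGE, "203.0.113.7"),
]


def run_samples(samples=SAMPLES) -> Dict[str, int]:
    """Classify each sample and count outcomes per rule, like the SpamLog table."""
    log: Counter = Counter()
    for form, referer, ip in samples:
        log[classify(form, referer, ip) or "Accepted"] += 1
    return dict(log)


if __name__ == "__main__":
    for rule, count in sorted(run_samples().items()):
        print(f"{rule:20s} {count}")
```

Ordering matters for the counters: a message is attributed to the first rule that fires, so put the cheapest and most reliable checks (the trap field) first and the forgeable ones (referrer) where a miss costs nothing. Counting per rule, as the SpamLog post does, is what tells you which checks are still earning their keep when the spammers change pattern.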