Jump to content

Formmail Spam Problem

laburke

By laburke
in Security Discussions

 Share

Recommended Posts

laburke Enthusiast

laburke

Posted
Posted

I had put an order form on one of my clients' sites, and she got gazillions of spam through it, so much so that she had me take it off. It was from Matt's Script Archive. However, even a week or so after I deleted the order form page and formmail.pl itself from the server, she's still getting it, not as much as before, but still. How does that happen, and is there anything I can do about it?

 

Thanks for your help.

Link to comment
Share on other sites
laburke Enthusiast

laburke

Posted
  • Author
Posted

Well, I admit that's not what I wanted to hear. I set it up a few years ago when I knew even less than I know now, which is frightening. :angry:

 

Although, now that I think about it, I wasn't really clear in my original post. What I mean is that they keep getting spammed forms, filled out with nonsense and obscene stuff, not just general spam e-mails. So does that make a difference in the answer?

Link to comment
Share on other sites
SteveW Collaborator

SteveW

Posted
Posted

If you deleted the .pl script, they can't be sending the spam through it anymore, but if the email address was exposed in the HTML of the form on the page, they "harvested" it and can now send email directly to the address. They don't need the form anymore.

 

The email headers might have clues about where this is really coming from.

Link to comment
Share on other sites
  • 3 weeks later...
laburke Enthusiast

laburke

Posted
  • Author
Posted

I forgot to check back here and just now saw your answer, Steve. That helps to explain it. If you're still watching this topic, I'm wondering, what do I look for in the headers? Should I post a couple samples here, or can you tell me what I could do? Thanks in advance for any further help you can give.

Link to comment
Share on other sites
SteveW Collaborator

SteveW

Posted
Posted
Okay, so ... forgive me, but when I find the originating IP address, what do I do with that information?

Once you have the IP, you can look it up at a place like http://whois.domaintools.com/ to see what organization it's coming from and where it's located geographically.

 

As Bruce said, it probably won't be your TCH server, which would be its origin if it were really coming from your .pl form.

 

However, knowing this information doesn't give you any better tools to deal with the problem. As was said previously, there's really nothing you can do about this at this point. The email address has been harvested and given to a spam network. You could retire that email address and switch to using a new one.

 

You can't use .htaccess to block email, but, come to think of it, you might be able to do it in cPanel. It would involve setting up an email "filter". The rule would be something like "any header" contains [the IP address]. That's just an idea. I haven't seen the email section of cPanel in a month or so, and don't remember what sorts of filter options are there, but it might be worth looking into.

 

In the headers, you might also find the email address(es) from which the spam is being sent. (You might also, however, find faked or decoy email addresses. In fact, even some of the IP addresses may be faked.) If it's just one or a few email addresses, you could blacklist them in your email client so they get discarded.

 

Or if these spam emails have other common characteristics (such as always the same subject heading), you could create a rule in your email client to discard them by that criterion.

 

Basically, though, nothing that's been said here should be taken as an indication that you can "undo" the fact that the email address got out and is being spammed. At this point, you're just receiving spam and it's a spam-handling problem. The form has nothing to do with it anymore.

Link to comment
Share on other sites
SteveW Collaborator

SteveW

Posted
Posted

I looked at the filtering options in cPanel. It should certainly be possible to create one that will discard these spam emails as long as you find something they all have in common.

 

It's at cPanel > Mail > Account Level Filtering (or User Level Filtering if you only want this filter to apply to one mail account) > Create a new Filter.

 

As an example of a filter, you can use the dropdown boxes to select:

Any header

Contains

(the IP address)

 

If it's a bunch of IP addresses, you might be able to match them with a regular expression (it might take some studying on regular expressions)

Any header

Matches regex

(a regular expression that will match the various IP's you want to block)

 

Actions = Discard Message

 

Then click Activate.

Link to comment
Share on other sites
laburke Enthusiast

laburke

Posted
  • Author
Posted
I didn't respond to tell you what to do with it. I was only trying to point out that the IP address they were receiving mail from was not the TCH servers.

 

Does this email have a subject? Is it always the same? You can block those if so.

I'm sorry, Bruce, I thought you were giving instructions that I just wasn't grasping. Happens to me all the time :)

 

Yes, the subject is always "Ink Order Form" which was the title of the original form, although the IP addresses vary. Which means ... thank you, Steve, for the info on filters in cPanel. I didn't know (or forgot) that you could do that in cPanel. I really appreciate the time you took to post the info! I am saving it for future needs as well.

Link to comment
Share on other sites
  • 2 weeks later...
  • 1 month later...
laburke Enthusiast

laburke

Posted
  • Author
Posted
Are you sure there isn't still a copy of the script on the site somewhere? Was the script a single file or multiple files?

Just now saw this - I guess I don't have e-mail notification enabled!

 

Anyway, yes, I'm quite sure it's gone from the server. It was only one file.

Link to comment
Share on other sites
  • 2 years later...
Hank_Top Apprentice

Hank_Top

Posted
Posted

Not much you can do about it since the email address has been picked up and distributed all over by now. Short of deleting the email address you won't be able to stop it. When choosing a form script you need to make sure it's secure. Matt's formmail.pl script is very old.

 

 

Can you suggest something that is secure?

Link to comment
Share on other sites
SteveW Collaborator

SteveW

Posted
Posted (edited)

The replacement for Matt's Script is called "NMS FormMail", and it is very good.

 

If this link is allowed, it is here (the "compat" package at top of page):

http://nms-cgi.sourceforge.net/scripts.shtml

 

Set up the configuration section carefully. By using an email alias, you can set it up so your email address is not exposed in the HTML code.

 

You specify the allowed recipients hard-coded in the script, so even if the form is used to send spam, it can only go to you, no one else.

 

And it is possible (not described in the instructions) to add a fake CAPTCHA (not quite as good as a real one, but good enough) to prevent bogus submissions, of which I've never received a single one, ever.

Edited by SteveW
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Unfortunately, your content contains terms that we do not allow. Please edit your content to remove the highlighted words below.
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...