laburke Posted September 17, 2008

I had put an order form on one of my clients' sites, and she got gazillions of spam through it, so much so that she had me take it off. It was from Matt's Script Archive. However, even a week or so after I deleted the order form page and formmail.pl itself from the server, she's still getting it, not as much as before, but still. How does that happen, and is there anything I can do about it? Thanks for your help.
TCH-Bruce Posted September 17, 2008

Not much you can do about it since the email address has been picked up and distributed all over by now. Short of deleting the email address you won't be able to stop it. When choosing a form script you need to make sure it's secure. Matt's formmail.pl script is very old.
laburke Posted September 17, 2008 Author

Well, I admit that's not what I wanted to hear. I set it up a few years ago when I knew even less than I know now, which is frightening. Although, now that I think about it, I wasn't really clear in my original post. What I mean is that they keep getting spammed forms, filled out with nonsense and obscene stuff, not just general spam e-mails. So does that make a difference in the answer?
TCH-Bruce Posted September 17, 2008

If you have deleted the form mail script from the server then they are coming from elsewhere (a cached site). I don't know how to deal with something like that.
laburke Posted September 18, 2008 Author

Maybe it will dwindle to nothing after a while...
SteveW Posted September 18, 2008

If you deleted the .pl script, they can't be sending the spam through it anymore, but if the email address was exposed in the HTML of the form on the page, they "harvested" it and can now send email directly to the address. They don't need the form anymore. The email headers might have clues about where this is really coming from.
laburke Posted October 8, 2008 Author

I forgot to check back here and just now saw your answer, Steve. That helps to explain it. If you're still watching this topic, I'm wondering, what do I look for in the headers? Should I post a couple samples here, or can you tell me what I could do? Thanks in advance for any further help you can give.
TCH-Bruce Posted October 8, 2008

Look for the originating IP address of the mail they are receiving. Most likely it will not be a TCH owned IP.
laburke Posted October 8, 2008 Author

So I just block IPs individually? (Not that I know how anyway.)
TCH-Bruce Posted October 8, 2008

I don't think blocking an IP will stop email.
laburke Posted October 9, 2008 Author

Okay, so ... forgive me, but when I find the originating IP address, what do I do with that information? I'm just not getting it ...
TCH-Bruce Posted October 9, 2008

I didn't respond to tell you what to do with it. I was only trying to point out that the IP address they were receiving mail from was not the TCH servers. Does this email have a subject? Is it always the same? You can block those if so.
SteveW Posted October 9, 2008

> Okay, so ... forgive me, but when I find the originating IP address, what do I do with that information?

Once you have the IP, you can look it up at a place like http://whois.domaintools.com/ to see what organization it's coming from and where it's located geographically. As Bruce said, it probably won't be your TCH server, which would be its origin if it were really coming from your .pl form.

However, knowing this information doesn't give you any better tools to deal with the problem. As was said previously, there's really nothing you can do about this at this point. The email address has been harvested and given to a spam network. You could retire that email address and switch to using a new one.

You can't use .htaccess to block email, but, come to think of it, you might be able to do it in cPanel. It would involve setting up an email "filter". The rule would be something like "any header" contains [the IP address]. That's just an idea. I haven't seen the email section of cPanel in a month or so, and don't remember what sorts of filter options are there, but it might be worth looking into.

In the headers, you might also find the email address(es) from which the spam is being sent. (You might also, however, find faked or decoy email addresses. In fact, even some of the IP addresses may be faked.) If it's just one or a few email addresses, you could blacklist them in your email client so they get discarded. Or if these spam emails have other common characteristics (such as always the same subject heading), you could create a rule in your email client to discard them by that criterion.

Basically, though, nothing that's been said here should be taken as an indication that you can "undo" the fact that the email address got out and is being spammed. At this point, you're just receiving spam and it's a spam-handling problem. The form has nothing to do with it anymore.
SteveW Posted October 9, 2008

I looked at the filtering options in cPanel. It should certainly be possible to create one that will discard these spam emails as long as you find something they all have in common. It's at cPanel > Mail > Account Level Filtering (or User Level Filtering if you only want this filter to apply to one mail account) > Create a new Filter.

As an example of a filter, you can use the dropdown boxes to select:

Any header
Contains
(the IP address)

If it's a bunch of IP addresses, you might be able to match them with a regular expression (it might take some studying on regular expressions):

Any header
Matches regex
(a regular expression that will match the various IPs you want to block)

Actions = Discard Message

Then click Activate.
laburke Posted October 9, 2008 Author

> I didn't respond to tell you what to do with it. I was only trying to point out that the IP address they were receiving mail from was not the TCH servers. Does this email have a subject? Is it always the same? You can block those if so.

I'm sorry, Bruce, I thought you were giving instructions that I just wasn't grasping. Happens to me all the time. Yes, the subject is always "Ink Order Form" which was the title of the original form, although the IP addresses vary. Which means ... thank you, Steve, for the info on filters in cPanel. I didn't know (or forgot) that you could do that in cPanel. I really appreciate the time you took to post the info! I am saving it for future needs as well.
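The header check and the "Any header / Matches regex" filter discussed in the posts above, worked offline as an added example (not code from any poster, from TCH or from cPanel). The sample message, `mx.example.net` as the recipient's own mail server, and all function names are constructed for illustration; the regex assumes the filter accepts PCRE-style lookarounds.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample (not from the thread). IPs are RFC 5737 documentation
# addresses; mx.example.net stands in for the recipient's own mail server.
SAMPLE = (
    "Received: from unknown (HELO mail.sender.example) (203.0.113.45)\n"
    "\tby mx.example.net with SMTP; Thu, 9 Oct 2008 10:02:11 -0500\n"
    "Received: from webserver (198.51.100.7)\n"
    "\tby mail.sender.example; Thu, 9 Oct 2008 10:02:05 -0500\n"
    "From: Orders <orders@sender.example>\n"
    "Subject: Ink Order Form\n"
    "\n"
)
TRUSTED_MX = "mx.example.net"  # assumption: host that accepts the recipient's mail
IPV4 = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


def connecting_ip(msg, trusted_mx=TRUSTED_MX):
    """IP recorded by our own server; lower Received lines can be forged."""
    for hop in msg.get_all("Received", []):  # newest hop first
        from_part, sep, by_part = " ".join(hop.split()).partition(" by ")
        if not sep or by_part.split()[0] != trusted_mx:
            continue
        for candidate in IPV4.findall(from_part):
            try:
                return str(ipaddress.ip_address(candidate))
            except ValueError:
                continue  # e.g. 999.1.1.1 is not an address
    return None


def ip_regex(ips):
    """Alternation for a header filter: dots escaped, digit boundaries enforced."""
    body = "|".join(re.escape(ip) for ip in sorted(ips))
    return rf"(?<![\d.])(?:{body})(?![\d.])"


def should_discard(msg, subject="Ink Order Form", blocked=()):
    """Mimic the filter: discard on fixed subject or a blocked connecting IP."""
    if (msg.get("Subject") or "").strip() == subject:
        return True
    ip = connecting_ip(msg)
    return bool(blocked and ip and re.search(ip_regex(blocked), ip))


if __name__ == "__main__":
    print(connecting_ip(message_from_string(SAMPLE)))
```

An unescaped pattern such as `203.0.113.45` also matches `1203.0.113.451`, which is why the generated expression escapes the dots and guards both ends.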
carbonize Posted October 17, 2008

Are you sure there isn't still a copy of the script on the site somewhere? Was the script a single file or multiple files?
laburke Posted November 24, 2008 Author

> Are you sure there isn't still a copy of the script on the site somewhere? Was the script a single file or multiple files?

Just now saw this - I guess I don't have e-mail notification enabled! Anyway, yes, I'm quite sure it's gone from the server. It was only one file.
TCH-Bruce Posted November 24, 2008

There's just no way they would be receiving form results if the form script is not on the site. Can you post the headers for the message they are getting to see where they are originating from?
laburke Posted November 25, 2008 Author

Thanks, Bruce, I don't have one to post now. She did say it has finally dwindled to very few, so I think we're okay now. If they come back full-force, I'll come back and post headers. Thanks everyone!
Hank_Top Posted July 11, 2011

> Not much you can do about it since the email address has been picked up and distributed all over by now. Short of deleting the email address you won't be able to stop it. When choosing a form script you need to make sure it's secure. Matt's formmail.pl script is very old.

Can you suggest something that is secure?
TCH-Bruce Posted July 11, 2011

Really can't. Check hotscripts.com, you should be able to find something.
SteveW Posted July 11, 2011 (edited)

The replacement for Matt's Script is called "NMS FormMail", and it is very good. If this link is allowed, it is here (the "compat" package at top of page): http://nms-cgi.sourceforge.net/scripts.shtml

Set up the configuration section carefully. By using an email alias, you can set it up so your email address is not exposed in the HTML code. You specify the allowed recipients hard-coded in the script, so even if the form is used to send spam, it can only go to you, no one else. And it is possible (not described in the instructions) to add a fake CAPTCHA (not quite as good as a real one, but good enough) to prevent bogus submissions, of which I've never received a single one, ever.

Edited July 11, 2011 by SteveW