Formmail Spam Problem


21 replies to this topic

#1 laburke

laburke

    Family Friend

  • Members
  • PipPip
  • 73 posts

Posted 17 September 2008 - 10:39 AM

I had put an order form on one of my clients' sites, and she got gazillions of spam through it, so much so that she had me take it off. It was from Matt's Script Archive. However, even a week or so after I deleted the order form page and formmail.pl itself from the server, she's still getting it, not as much as before, but still. How does that happen, and is there anything I can do about it?

Thanks for your help.

#2 TCH-Bruce

TCH-Bruce

    Volunteer Moderator

  • Members
  • PipPipPipPip
  • 19,960 posts

Posted 17 September 2008 - 11:57 AM

Not much you can do about it since the email address has been picked up and distributed all over by now. Short of deleting the email address you won't be able to stop it. When choosing a form script you need to make sure it's secure. Matt's formmail.pl script is very old.

Bruce Richards
Forum Moderator
TotalChoice Hosting, Inc.
Webhosting by Total Choice Web Hosting - General Support Forum

I am a Forum Moderator. While I can assist in answering most of your hosting related questions, I am unable to answer questions about specifics relating to your account such as billing and server related issues. Should you need assistance in these areas, please contact our Help Desk or our many other options. Another good place to find answers is with our help pages, tutorials and movie tutorials.


#3 laburke

laburke

    Family Friend

  • Members
  • PipPip
  • 73 posts

Posted 17 September 2008 - 03:49 PM

Well, I admit that's not what I wanted to hear. I set it up a few years ago when I knew even less than I know now, which is frightening. :angry:

Although, now that I think about it, I wasn't really clear in my original post. What I mean is that they keep getting spammed forms, filled out with nonsense and obscene stuff, not just general spam e-mails. So does that make a difference in the answer?

#4 TCH-Bruce

TCH-Bruce

    Volunteer Moderator

  • Members
  • PipPipPipPip
  • 19,960 posts

Posted 17 September 2008 - 06:18 PM

If you have deleted the form mail script from the server then they are coming from elsewhere (a cached site). I don't know how to deal with something like that.



#5 laburke

laburke

    Family Friend

  • Members
  • PipPip
  • 73 posts

Posted 17 September 2008 - 08:15 PM

Maybe it will dwindle to nothing after a while...

#6 SteveW

SteveW

    Distant Family

  • Members
  • PipPipPip
  • 129 posts

Posted 18 September 2008 - 03:53 PM

If you deleted the .pl script, they can't be sending the spam through it anymore, but if the email address was exposed in the HTML of the form on the page, they "harvested" it and can now send email directly to the address. They don't need the form anymore.

The email headers might have clues about where this is really coming from.

#7 laburke

laburke

    Family Friend

  • Members
  • PipPip
  • 73 posts

Posted 08 October 2008 - 01:42 PM

I forgot to check back here and just now saw your answer, Steve. That helps to explain it. If you're still watching this topic, I'm wondering, what do I look for in the headers? Should I post a couple samples here, or can you tell me what I could do? Thanks in advance for any further help you can give.

#8 TCH-Bruce

TCH-Bruce

    Volunteer Moderator

  • Members
  • PipPipPipPip
  • 19,960 posts

Posted 08 October 2008 - 02:03 PM

Look for the originating IP address of the mail they are receiving. Most likely it will not be a TCH owned IP.



#9 laburke

laburke

    Family Friend

  • Members
  • PipPip
  • 73 posts

Posted 08 October 2008 - 04:59 PM

So I just block IPs individually? (Not that I know how anyway.) :)

#10 TCH-Bruce

TCH-Bruce

    Volunteer Moderator

  • Members
  • PipPipPipPip
  • 19,960 posts

Posted 08 October 2008 - 06:27 PM

I don't think blocking an IP will stop email.



#11 laburke

laburke

    Family Friend

  • Members
  • PipPip
  • 73 posts

Posted 08 October 2008 - 07:35 PM

Okay, so ... forgive me, but when I find the originating IP address, what do I do with that information? I'm just not getting it ...

#12 TCH-Bruce

TCH-Bruce

    Volunteer Moderator

  • Members
  • PipPipPipPip
  • 19,960 posts

Posted 08 October 2008 - 08:00 PM

I didn't respond to tell you what to do with it. I was only trying to point out that the IP address they were receiving mail from was not the TCH servers.

Does this email have a subject? Is it always the same? You can block those if so.



#13 SteveW

SteveW

    Distant Family

  • Members
  • PipPipPip
  • 129 posts

Posted 08 October 2008 - 08:02 PM

> Okay, so ... forgive me, but when I find the originating IP address, what do I do with that information?

Once you have the IP, you can look it up at a place like http://whois.domaintools.com/ to see what organization it's coming from and where it's located geographically.

As Bruce said, it probably won't be your TCH server, which would be its origin if it were really coming from your .pl form.

However, knowing this information doesn't give you any better tools to deal with the problem. As was said previously, there's really nothing you can do about this at this point. The email address has been harvested and given to a spam network. You could retire that email address and switch to using a new one.

You can't use .htaccess to block email, but, come to think of it, you might be able to do it in cPanel. It would involve setting up an email "filter". The rule would be something like "any header" contains [the IP address]. That's just an idea. I haven't seen the email section of cPanel in a month or so, and don't remember what sorts of filter options are there, but it might be worth looking into.

In the headers, you might also find the email address(es) from which the spam is being sent. (You might also, however, find faked or decoy email addresses. In fact, even some of the IP addresses may be faked.) If it's just one or a few email addresses, you could blacklist them in your email client so they get discarded.

Or if these spam emails have other common characteristics (such as always the same subject heading), you could create a rule in your email client to discard them by that criterion.

Basically, though, nothing that's been said here should be taken as an indication that you can "undo" the fact that the email address got out and is being spammed. At this point, you're just receiving spam and it's a spam-handling problem. The form has nothing to do with it anymore.

#14 SteveW

SteveW

    Distant Family

  • Members
  • PipPipPip
  • 129 posts

Posted 09 October 2008 - 08:19 AM

I looked at the filtering options in cPanel. It should certainly be possible to create one that will discard these spam emails as long as you find something they all have in common.

It's at cPanel > Mail > Account Level Filtering (or User Level Filtering if you only want this filter to apply to one mail account) > Create a new Filter.

As an example of a filter, you can use the dropdown boxes to select:
Any header
Contains
(the IP address)

If it's a bunch of IP addresses, you might be able to match them with a regular expression (it might take some studying on regular expressions):
Any header
Matches regex
(a regular expression that will match the various IPs you want to block)

Actions = Discard Message

Then click Activate.
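
An added example (not from the thread and not cPanel's own code) of the checks behind the filter described above: it pulls the relay IPs out of the Received headers of a constructed sample message, builds an escaped and boundary-anchored regex for a list of addresses, and compares an IP rule with a subject rule. The sample message, the addresses (documentation ranges) and the function names are assumptions.

```python
import re
from email import message_from_string

# Constructed sample message; all addresses are from documentation ranges.
SAMPLE = """\
Received: from mx.example.net (mx.example.net [198.51.100.7])
\tby mail.example.org with ESMTP; Wed, 08 Oct 2008 12:00:00 -0400
Received: from unknown (HELO pc) (203.0.113.45)
\tby mx.example.net with SMTP; Wed, 08 Oct 2008 11:59:58 -0400
From: "Order Desk" <forged@example.com>
Subject: Ink Order Form

nonsense body
"""

# Dotted quad that is not part of a longer number or dotted string.
IPV4 = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")

def received_ips(raw):
    """Return IPv4 addresses found in Received headers, newest hop first."""
    msg = message_from_string(raw)
    ips = []
    for hop in msg.get_all("Received", []):
        ips.extend(IPV4.findall(hop))
    return ips

def ip_block_regex(ips):
    """Build one pattern that matches exactly the listed IPs.

    Dots are escaped and both ends are anchored, so 203.0.113.4
    does not also match 203.0.113.45.
    """
    alternatives = "|".join(re.escape(ip) for ip in sorted(set(ips)))
    return rf"(?<![\d.])(?:{alternatives})(?![\d.])"

def would_discard(raw, ip_pattern=None, subject=None):
    """Mimic an 'any header matches regex' or 'subject equals' discard rule."""
    msg = message_from_string(raw)
    if subject is not None and msg.get("Subject", "").strip() == subject:
        return True
    if ip_pattern:
        rx = re.compile(ip_pattern)
        return any(rx.search(value) for _, value in msg.items())
    return False
```

Only the topmost Received line is written by the receiving server; lower hops are supplied by the sender and can be forged. A subject rule also discards any legitimate mail that carries the same subject.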

#15 laburke

laburke

    Family Friend

  • Members
  • PipPip
  • 73 posts

Posted 09 October 2008 - 09:05 AM

> I didn't respond to tell you what to do with it. I was only trying to point out that the IP address they were receiving mail from was not the TCH servers.
>
> Does this email have a subject? Is it always the same? You can block those if so.

I'm sorry, Bruce, I thought you were giving instructions that I just wasn't grasping. Happens to me all the time :)

Yes, the subject is always "Ink Order Form" which was the title of the original form, although the IP addresses vary. Which means ... thank you, Steve, for the info on filters in cPanel. I didn't know (or forgot) that you could do that in cPanel. I really appreciate the time you took to post the info! I am saving it for future needs as well.

#16 carbonize

carbonize

    Immediate Family

  • Members
  • PipPipPipPip
  • 828 posts

Posted 17 October 2008 - 12:59 PM

Are you sure there isn't still a copy of the script on the site somewhere? Was the script a single file or multiple files?
Carbonize
Lazarus Guestbook
A SPADE IS A SPADE - I'm here to help people not to win friends or gain popularity.

#17 laburke

laburke

    Family Friend

  • Members
  • PipPip
  • 73 posts

Posted 24 November 2008 - 01:16 PM

> Are you sure there isn't still a copy of the script on the site somewhere? Was the script a single file or multiple files?

Just now saw this - I guess I don't have e-mail notification enabled!

Anyway, yes, I'm quite sure it's gone from the server. It was only one file.

#18 TCH-Bruce

TCH-Bruce

    Volunteer Moderator

  • Members
  • PipPipPipPip
  • 19,960 posts

Posted 24 November 2008 - 02:04 PM

There's just no way they would be receiving form results if the form script is not on the site. Can you post the headers for the message they are getting to see where they are originating from?



#19 laburke

laburke

    Family Friend

  • Members
  • PipPip
  • 73 posts

Posted 24 November 2008 - 07:43 PM

Thanks, Bruce, I don't have one to post now. She did say it has finally dwindled to very few, so I think we're okay now. If they come back full-force, I'll come back and post headers. Thanks everyone!

#20 Hank_Top

Hank_Top

    New To The Neighborhood

  • Members
  • Pip
  • 9 posts

Posted 11 July 2011 - 05:54 PM

> Not much you can do about it since the email address has been picked up and distributed all over by now. Short of deleting the email address you won't be able to stop it. When choosing a form script you need to make sure it's secure. Matt's formmail.pl script is very old.



Can you suggest something that is secure?

#21 TCH-Bruce

TCH-Bruce

    Volunteer Moderator

  • Members
  • PipPipPipPip
  • 19,960 posts

Posted 11 July 2011 - 06:06 PM

Really can't. Check hotscripts.com, you should be able to find something.



#22 SteveW

SteveW

    Distant Family

  • Members
  • PipPipPip
  • 129 posts

Posted 11 July 2011 - 06:23 PM

The replacement for Matt's Script is called "NMS FormMail", and it is very good.

If this link is allowed, it is here (the "compat" package at top of page):
http://nms-cgi.sourc...t/scripts.shtml

Set up the configuration section carefully. By using an email alias, you can set it up so your email address is not exposed in the HTML code.

You specify the allowed recipients hard-coded in the script, so even if the form is used to send spam, it can only go to you, no one else.

And it is possible (not described in the instructions) to add a fake CAPTCHA (not quite as good as a real one, but good enough) to prevent bogus submissions, of which I've never received a single one, ever.

Edited by SteveW, 11 July 2011 - 06:27 PM.




