laburke

Formmail Spam Problem


I had put an order form on one of my clients' sites, and she got gazillions of spam through it, so much so that she had me take it off. It was from Matt's Script Archive. However, even a week or so after I deleted the order form page and formmail.pl itself from the server, she's still getting it, not as much as before, but still. How does that happen, and is there anything I can do about it?

 

Thanks for your help.


Not much you can do about it since the email address has been picked up and distributed all over by now. Short of deleting the email address you won't be able to stop it. When choosing a form script you need to make sure it's secure. Matt's formmail.pl script is very old.


Well, I admit that's not what I wanted to hear. I set it up a few years ago when I knew even less than I know now, which is frightening. :angry:

 

Although, now that I think about it, I wasn't really clear in my original post. What I mean is that they keep getting spammed forms, filled out with nonsense and obscene stuff, not just general spam e-mails. So does that make a difference in the answer?


If you have deleted the form mail script from the server then they are coming from elsewhere (a cached site). I don't know how to deal with something like that.


If you deleted the .pl script, they can't be sending the spam through it anymore, but if the email address was exposed in the HTML of the form on the page, they "harvested" it and can now send email directly to the address. They don't need the form anymore.

 

The email headers might have clues about where this is really coming from.


I forgot to check back here and just now saw your answer, Steve. That helps to explain it. If you're still watching this topic, I'm wondering, what do I look for in the headers? Should I post a couple samples here, or can you tell me what I could do? Thanks in advance for any further help you can give.


Look for the originating IP address of the mail they are receiving. Most likely it will not be a TCH owned IP.


Okay, so ... forgive me, but when I find the originating IP address, what do I do with that information? I'm just not getting it ...


I didn't respond to tell you what to do with it. I was only trying to point out that the IP address they were receiving mail from was not the TCH servers.

 

Does this email have a subject? Is it always the same? You can block those if so.

Okay, so ... forgive me, but when I find the originating IP address, what do I do with that information?

Once you have the IP, you can look it up at a place like http://whois.domaintools.com/ to see what organization it's coming from and where it's located geographically.

 

As Bruce said, it probably won't be your TCH server, which would be its origin if it were really coming from your .pl form.

 

However, knowing this information doesn't give you any better tools to deal with the problem. As was said previously, there's really nothing you can do about this at this point. The email address has been harvested and given to a spam network. You could retire that email address and switch to using a new one.

 

You can't use .htaccess to block email, but, come to think of it, you might be able to do it in cPanel. It would involve setting up an email "filter". The rule would be something like "any header" contains [the IP address]. That's just an idea. I haven't seen the email section of cPanel in a month or so, and don't remember what sorts of filter options are there, but it might be worth looking into.

 

In the headers, you might also find the email address(es) from which the spam is being sent. (You might also, however, find faked or decoy email addresses. In fact, even some of the IP addresses may be faked.) If it's just one or a few email addresses, you could blacklist them in your email client so they get discarded.

 

Or if these spam emails have other common characteristics (such as always the same subject heading), you could create a rule in your email client to discard them by that criterion.

 

Basically, though, nothing that's been said here should be taken as an indication that you can "undo" the fact that the email address got out and is being spammed. At this point, you're just receiving spam and it's a spam-handling problem. The form has nothing to do with it anymore.


I looked at the filtering options in cPanel. It should certainly be possible to create one that will discard these spam emails as long as you find something they all have in common.

 

It's at cPanel > Mail > Account Level Filtering (or User Level Filtering if you only want this filter to apply to one mail account) > Create a new Filter.

 

As an example of a filter, you can use the dropdown boxes to select:

Any header

Contains

(the IP address)

 

If it's a bunch of IP addresses, you might be able to match them with a regular expression (it might take some studying on regular expressions):

Any header

Matches regex

(a regular expression that will match the various IP's you want to block)

 

Actions = Discard Message

 

Then click Activate.
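An added example, not code from the thread, cPanel or any form script: it pulls the hop IPs out of a constructed message's Received headers (the "originating IP" Bruce asked about) and then applies the two cPanel-style rules described above, Subject equals the old form title or "any header" contains a blocked IP. All addresses and IPs are reserved documentation values.

```python
import re
from typing import Iterable, List, Optional
from email import message_from_string

# Constructed sample, modelled on the "Ink Order Form" spam in the thread
# (documentation/reserved addresses only, not real hosts).
SAMPLE = """\
Received: from relay.example.invalid (relay.example.invalid [203.0.113.10])
\tby mx.clientsite.invalid with ESMTP id 4kZx9
Received: from [198.51.100.77] (unknown [198.51.100.77])
\tby relay.example.invalid with SMTP
From: "Ink Order Form" <nobody@example.invalid>
To: orders@clientsite.invalid
Subject: Ink Order Form

name: qwertyuiop
comments: zzzz zzzz zzzz
"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def received_ips(raw: str) -> List[str]:
    """IPs from each Received header, nearest hop first, earliest hop last."""
    msg = message_from_string(raw)
    ips = []
    for hop in msg.get_all("Received") or []:
        m = IPV4.search(hop)
        if m:
            ips.append(m.group(1))
    return ips

def originating_ip(raw: str) -> Optional[str]:
    """Earliest hop is the best guess at the origin; as the thread warns, it is
    also the hop a spammer can most easily forge, so treat it as a hint."""
    ips = received_ips(raw)
    return ips[-1] if ips else None

def should_discard(raw: str, blocked_ips: Iterable[str],
                   blocked_subject: str = "Ink Order Form") -> bool:
    """Rule 1: Subject equals the old form title.
    Rule 2: 'any header' contains one of the blocked IPs."""
    msg = message_from_string(raw)
    if (msg.get("Subject") or "").strip() == blocked_subject:
        return True
    blocked = [re.escape(ip) for ip in blocked_ips]
    if not blocked:            # an empty alternation would match everything
        return False
    pattern = re.compile(r"\b(?:" + "|".join(blocked) + r")\b")
    return any(pattern.search(value) for _, value in msg.items())
```

Looking up the returned IP at a whois service, as Steve suggests, tells you who owns the sending network; the filter still only discards mail, it does not stop the address being spammed.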

I didn't respond to tell you what to do with it. I was only trying to point out that the IP address they were receiving mail from was not the TCH servers.

 

Does this email have a subject? Is it always the same? You can block those if so.

I'm sorry, Bruce, I thought you were giving instructions that I just wasn't grasping. Happens to me all the time :)

 

Yes, the subject is always "Ink Order Form" which was the title of the original form, although the IP addresses vary. Which means ... thank you, Steve, for the info on filters in cPanel. I didn't know (or forgot) that you could do that in cPanel. I really appreciate the time you took to post the info! I am saving it for future needs as well.


Are you sure there isn't still a copy of the script on the site somewhere? Was the script a single file or multiple files?

Are you sure there isn't still a copy of the script on the site somewhere? Was the script a single file or multiple files?

Just now saw this - I guess I don't have e-mail notification enabled!

 

Anyway, yes, I'm quite sure it's gone from the server. It was only one file.


There's just no way they would be receiving form results if the form script is not on the site. Can you post the headers for the message they are getting, to see where they are originating from?


Thanks, Bruce, I don't have one to post now. She did say it has finally dwindled to very few, so I think we're okay now. If they come back full-force, I'll come back and post headers. Thanks everyone!


Not much you can do about it since the email address has been picked up and distributed all over by now. Short of deleting the email address you won't be able to stop it. When choosing a form script you need to make sure it's secure. Matt's formmail.pl script is very old.

 

 

Can you suggest something that is secure?


Really can't. Check hotscripts.com, you should be able to find something.


The replacement for Matt's Script is called "NMS FormMail", and it is very good.

 

If this link is allowed, it is here (the "compat" package at top of page):

http://nms-cgi.sourceforge.net/scripts.shtml

 

Set up the configuration section carefully. By using an email alias, you can set it up so your email address is not exposed in the HTML code.

 

You specify the allowed recipients hard-coded in the script, so even if the form is used to send spam, it can only go to you, no one else.

 

And it is possible (not described in the instructions) to add a fake CAPTCHA (not quite as good as a real one, but good enough) to prevent bogus submissions, of which I've never received a single one, ever.

Edited by SteveW
