laburke Posted September 17, 2008
I had put an order form on one of my clients' sites, and she got gazillions of spam through it, so much so that she had me take it off. It was from Matt's Script Archive. However, even a week or so after I deleted the order form page and formmail.pl itself from the server, she's still getting it, not as much as before, but still. How does that happen, and is there anything I can do about it? Thanks for your help.

TCH-Bruce Posted September 17, 2008
Not much you can do about it since the email address has been picked up and distributed all over by now. Short of deleting the email address you won't be able to stop it. When choosing a form script you need to make sure it's secure. Matt's formmail.pl script is very old.

laburke (Author) Posted September 17, 2008
Well, I admit that's not what I wanted to hear. I set it up a few years ago when I knew even less than I know now, which is frightening. Although, now that I think about it, I wasn't really clear in my original post. What I mean is that they keep getting spammed forms, filled out with nonsense and obscene stuff, not just general spam e-mails. So does that make a difference in the answer?

TCH-Bruce Posted September 17, 2008
If you have deleted the form mail script from the server then they are coming from elsewhere (a cached site). I don't know how to deal with something like that.

laburke (Author) Posted September 18, 2008
Maybe it will dwindle to nothing after a while...

SteveW Posted September 18, 2008
If you deleted the .pl script, they can't be sending the spam through it anymore, but if the email address was exposed in the HTML of the form on the page, they "harvested" it and can now send email directly to the address. They don't need the form anymore. The email headers might have clues about where this is really coming from.

laburke (Author) Posted October 8, 2008
I forgot to check back here and just now saw your answer, Steve. That helps to explain it. If you're still watching this topic, I'm wondering, what do I look for in the headers? Should I post a couple samples here, or can you tell me what I could do? Thanks in advance for any further help you can give.

TCH-Bruce Posted October 8, 2008
Look for the originating IP address of the mail they are receiving. Most likely it will not be a TCH owned IP.

laburke (Author) Posted October 8, 2008
So I just block IPs individually? (Not that I know how anyway.)

TCH-Bruce Posted October 8, 2008
I don't think blocking an IP will stop email.

laburke (Author) Posted October 9, 2008
Okay, so ... forgive me, but when I find the originating IP address, what do I do with that information? I'm just not getting it ...

TCH-Bruce Posted October 9, 2008
I didn't respond to tell you what to do with it. I was only trying to point out that the IP address they were receiving mail from was not the TCH servers. Does this email have a subject? Is it always the same? You can block those if so.

SteveW Posted October 9, 2008
> Okay, so ... forgive me, but when I find the originating IP address, what do I do with that information?

Once you have the IP, you can look it up at a place like http://whois.domaintools.com/ to see what organization it's coming from and where it's located geographically. As Bruce said, it probably won't be your TCH server, which would be its origin if it were really coming from your .pl form.

However, knowing this information doesn't give you any better tools to deal with the problem. As was said previously, there's really nothing you can do about this at this point. The email address has been harvested and given to a spam network. You could retire that email address and switch to using a new one.

You can't use .htaccess to block email, but, come to think of it, you might be able to do it in cPanel. It would involve setting up an email "filter". The rule would be something like "any header" contains [the IP address]. That's just an idea. I haven't seen the email section of cPanel in a month or so, and don't remember what sorts of filter options are there, but it might be worth looking into.

In the headers, you might also find the email address(es) from which the spam is being sent. (You might also, however, find faked or decoy email addresses. In fact, even some of the IP addresses may be faked.) If it's just one or a few email addresses, you could blacklist them in your email client so they get discarded. Or if these spam emails have other common characteristics (such as always the same subject heading), you could create a rule in your email client to discard them by that criterion.

Basically, though, nothing that's been said here should be taken as an indication that you can "undo" the fact that the email address got out and is being spammed. At this point, you're just receiving spam and it's a spam-handling problem. The form has nothing to do with it anymore.

SteveW Posted October 9, 2008
I looked at the filtering options in cPanel. It should certainly be possible to create one that will discard these spam emails as long as you find something they all have in common. It's at cPanel > Mail > Account Level Filtering (or User Level Filtering if you only want this filter to apply to one mail account) > Create a new Filter.

As an example of a filter, you can use the dropdown boxes to select:

Any header
Contains
(the IP address)

If it's a bunch of IP addresses, you might be able to match them with a regular expression (it might take some studying on regular expressions):

Any header
Matches regex
(a regular expression that will match the various IP's you want to block)

Actions = Discard Message

Then click Activate.

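Added example, not part of any post in this thread: a Python sketch of the header check and the filter rule discussed above. It reads the connecting IP from the Received line written by the recipient's own mail server (lower Received lines are sender-supplied and can be forged), decides whether a message could have come through the form, and builds one regex for several IPs. The host name, IP addresses and sample messages are constructed assumptions, and the regex is checked with Python's `re`; the cPanel filter dialect may differ.

```python
import re
from email import message_from_string
# Assumptions for this example (constructed values, documentation IP ranges):
OUR_MX = "mail.example.net"   # server that receives the client's mail
WEB_SERVER_IP = "192.0.2.10"  # server where formmail.pl used to live

def sample_message(peer_ip, claimed_ip):
    """Constructed sample; the lower Received line is sender-supplied."""
    return (
        f"Received: from unknown ([{peer_ip}]) by {OUR_MX} with esmtp; "
        "Wed, 08 Oct 2008 10:00:00 -0500\n"
        f"Received: from web ([{claimed_ip}]) by relay.invalid; "
        "Wed, 08 Oct 2008 09:59:00 -0500\n"
        "From: someone@example.org\n"
        "Subject: Ink Order Form\n\nnonsense body\n"
    )

SAMPLES = [sample_message(p, c) for p, c in (("198.51.100.23", "192.0.2.10"),
           ("203.0.113.77", "10.0.0.5"), ("198.51.100.23", "172.16.4.4"))]

PEER = re.compile(r"from\s.*?\[(\d{1,3}(?:\.\d{1,3}){3})\].*?\bby\s+(\S+)", re.S)

def connecting_ip(raw):
    """IP recorded by our own server; lower Received lines can be forged."""
    for received in message_from_string(raw).get_all("Received", []):
        m = PEER.search(received)
        if m and m.group(2).rstrip(";").lower() == OUR_MX:
            return m.group(1)
    return None

def came_through_form(raw):
    """True only if our server saw the web host itself hand over the message."""
    return connecting_ip(raw) == WEB_SERVER_IP

def header_regex(ips):
    """One pattern matching any listed IP, but not a longer address."""
    alternatives = "|".join(re.escape(ip) for ip in sorted(set(ips)))
    return rf"(?<![\d.])(?:{alternatives})(?![\d.])"

def triage(samples):
    ips = [connecting_ip(s) for s in samples]
    subjects = {message_from_string(s)["Subject"] for s in samples}
    return {"ips": sorted(set(ips)),
            "via_form": any(came_through_form(s) for s in samples),
            "common_subject": subjects.pop() if len(subjects) == 1 else None,
            "regex": header_regex(ips)}

if __name__ == "__main__":
    print(triage(SAMPLES))
```

When the connecting IPs vary but `common_subject` is set, as in the constructed samples, a filter on the subject is the more durable rule.
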
laburke (Author) Posted October 9, 2008
> I didn't respond to tell you what to do with it. I was only trying to point out that the IP address they were receiving mail from was not the TCH servers. Does this email have a subject? Is it always the same? You can block those if so.

I'm sorry, Bruce, I thought you were giving instructions that I just wasn't grasping. Happens to me all the time. Yes, the subject is always "Ink Order Form" which was the title of the original form, although the IP addresses vary. Which means ... thank you, Steve, for the info on filters in cPanel. I didn't know (or forgot) that you could do that in cPanel. I really appreciate the time you took to post the info! I am saving it for future needs as well.

carbonize Posted October 17, 2008
Are you sure there isn't still a copy of the script on the site somewhere? Was the script a single file or multiple files?

laburke (Author) Posted November 24, 2008
> Are you sure there isn't still a copy of the script on the site somewhere? Was the script a single file or multiple files?

Just now saw this - I guess I don't have e-mail notification enabled! Anyway, yes, I'm quite sure it's gone from the server. It was only one file.

TCH-Bruce Posted November 24, 2008
There's just no way they would be receiving form results if the form script is not on the site. Can you post the headers for the message they are getting to see where they are originating from?

laburke (Author) Posted November 25, 2008
Thanks, Bruce, I don't have one to post now. She did say it has finally dwindled to very few, so I think we're okay now. If they come back full-force, I'll come back and post headers. Thanks everyone!

Hank_Top Posted July 11, 2011
> Not much you can do about it since the email address has been picked up and distributed all over by now. Short of deleting the email address you won't be able to stop it. When choosing a form script you need to make sure it's secure. Matt's formmail.pl script is very old.

Can you suggest something that is secure?

TCH-Bruce Posted July 11, 2011
Really can't. Check hotscripts.com, you should be able to find something.

SteveW Posted July 11, 2011
The replacement for Matt's Script is called "NMS FormMail", and it is very good. If this link is allowed, it is here (the "compat" package at top of page): http://nms-cgi.sourceforge.net/scripts.shtml

Set up the configuration section carefully. By using an email alias, you can set it up so your email address is not exposed in the HTML code. You specify the allowed recipients hard-coded in the script, so even if the form is used to send spam, it can only go to you, no one else. And it is possible (not described in the instructions) to add a fake CAPTCHA (not quite as good as a real one, but good enough) to prevent bogus submissions, of which I've never received a single one, ever.

Edited July 11, 2011 by SteveW