| jtucker@rrmm.net 2005-09-19, 5:53 pm |
| hello, for a while i have been running a php email contact page on our web
site. scenario is someone visits the page, fills in a form, hits submit
and two people on our system receive emails with the info that was
submitted in the body of the email.
each day i am getting several emails from this page that appear bogus.
first is they arrive within like a second of each other. second is they
are obviously random email addresses (i.e. cfmdw@ ftyur@ etc). third is the
email address is somehow getting the reverse DNS name of the server as
the domain for the bogus email address. this seems like a bot to me. the
apache logs show this happening from varying IP blocks. like one day
germany. another sweden. etc. so i cannot just deny access to IPs.
how can i stop this from happening? any suggestions? patch or something?
thanks
| |
| Andy Thompson (SysOp) 2005-09-19, 5:53 pm |
| jtucker@rrmm.net wrote:
> hello, for a while i have been running a php email contact page on our web
> site. scenario is someone visits the page, fills in a form, hits submit
> and two people on our system receive emails with the info that was
> submitted in the body of the email.
>
> each day i am getting several emails from this page that appear bogus.
> first is they arrive within like a second of each other. second is they
> are obviously random email addresses (i.e. cfmdw@ ftyur@ etc). third is the
> email address is somehow getting the reverse DNS name of the server as
> the domain for the bogus email address. this seems like a bot to me. the
> apache logs show this happening from varying IP blocks. like one day
> germany. another sweden. etc. so i cannot just deny access to IPs.
>
> how can i stop this from happening? any suggestions? patch or something?
Sounds like a spammer got hold of the address the page sends to. Is the
address published anywhere on your web site? Or is it a common address
like sales@ or info@? Does the email header show it came from your page
or is it from an external server?
--
-andy
| |
| jtucker@rrmm.net 2005-09-20, 5:53 pm |
| thanks for the reply. the internal addresses the forms send to are not
published. and the return address of the fake submission is a combination
of the bogus email and the A record of the IP address as the domain.
which is why i thought it was a bot. another thing is there is nothing
worthwhile in the messages. just seems to be exploiting the php somehow.
>
> Sounds like a spammer got hold of the address the page sends to. Is the
> address published anywhere on your web site? Or is it a common address
> like sales@ or info@? Does the email header show it came from your page
> or is it from an external server?
>
> --
>
> -andy
| |
| Andy Thompson (SysOp) 2005-09-20, 5:53 pm |
| jtucker@rrmm.net wrote:
> thanks for the reply. the internal addresses the forms send to are not
> published. and the return address of the fake submission is a combination
> of the bogus email and the A record of the IP address as the domain.
> which is why i thought it was a bot. another thing is there is nothing
> worthwhile in the messages. just seems to be exploiting the php somehow.
Look at the message source and check the envelope header of the message
in question and see where it really came from. You are interested in
the Received: headers. I'm curious whether it really came from your
website or not.
--
-andy
| |
| jtucker@rrmm.net 2005-09-21, 5:46 pm |
| thanks for the reply. the way the form works is the GWIA is used to send
the message via the normal means (scanning appliance then gwia) and the
header of course shows the internal addresses. the only way i can tell
who is sending the form data is by going to the apache logs and looking at
the hits on the form.
| |
| Andy Thompson (SysOp) 2005-09-22, 8:46 pm |
| jtucker@rrmm.net wrote:
> thanks for the reply. the way the form works is the GWIA is used to send
> the message via the normal means (scanning appliance then gwia) and the
> header of course shows the internal addresses. the only way i can tell
> who is sending the form data is by going to the apache logs and looking at
> the hits on the form.
>
Do the apache logs correspond with the emails you've received?
--
-andy
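
The check asked about in the last reply, whether the Apache hits on the form line up with the emails received, can be done mechanically. The following is an added example, not part of the original thread: it assumes Common Log Format lines, a form at the hypothetical path `/contact.php`, and mail arrival times in UTC; all sample data is constructed.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample data: documentation IPs, assumed form path, mail times in UTC.
SAMPLE_LOG = """\
203.0.113.7 - - [19/Sep/2005:10:15:42 +0000] "POST /contact.php HTTP/1.1" 200 512
198.51.100.23 - - [19/Sep/2005:14:02:10 +0000] "POST /contact.php HTTP/1.1" 200 512
192.0.2.91 - - [19/Sep/2005:14:02:10 +0000] "POST /contact.php HTTP/1.1" 200 512
198.51.100.23 - - [19/Sep/2005:14:02:11 +0000] "POST /contact.php HTTP/1.1" 200 512
203.0.113.7 - - [19/Sep/2005:15:00:00 +0000] "GET /contact.php HTTP/1.1" 200 2311
"""
SAMPLE_MAIL = ["2005-09-19 10:15:44", "2005-09-19 14:02:11",
               "2005-09-19 14:02:12", "2005-09-19 14:02:12", "2005-09-19 18:30:00"]

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)')

def form_posts(log_text, form_path="/contact.php"):
    """Return sorted (utc_time, client_ip) for every POST to the form."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(3) == "POST" and m.group(4).split("?")[0] == form_path:
            ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
            hits.append((ts.astimezone(timezone.utc).replace(tzinfo=None), m.group(1)))
    return sorted(hits)

def correlate(posts, mail_times, window=5):
    """Pair each mail with the earliest unused POST up to `window` seconds before it."""
    used, pairs, orphans = set(), [], []
    for raw in sorted(mail_times):
        mail_ts = datetime.strptime(raw, "%Y-%m-%d %H:%M:%S")
        for i, (ts, ip) in enumerate(posts):
            if i not in used and timedelta(0) <= mail_ts - ts <= timedelta(seconds=window):
                used.add(i)
                pairs.append((raw, ip))
                break
        else:
            orphans.append(raw)  # no form hit explains this mail
    return pairs, orphans

def bursts(posts, gap=1):
    """Group POSTs that follow each other within `gap` seconds; keep groups of 2+."""
    groups = []
    for ts, ip in posts:
        if groups and ts - groups[-1][-1][0] <= timedelta(seconds=gap):
            groups[-1].append((ts, ip))
        else:
            groups.append([(ts, ip)])
    return [g for g in groups if len(g) > 1]
```

Mails left in `orphans` did not come through the form in the log examined; groups returned by `bursts` are the sub-second submissions from mixed addresses that the first post describes.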