How to stop email spammers abusing contact forms

Recently some email spammers figured that my contact forms aren’t that safe and started relaying their spam through my machine. I’ve spotted the abuse late on a Saturday, as my inbox got flooded with cc’d emails and bounce messages. I forwarded such an email to my hosting service and whilst I cleaned up my inbox they stopped the spammer. Awesome service, thank you National Net!

NationalNet support patched my PHP scripts:

// Only call mail() when the visitor-supplied From address matches a strict
// address pattern (the original patch used ereg(), which no longer exists in
// current PHP; preg_match() with the D modifier keeps $ anchored at the very
// end of the string so a trailing newline cannot sneak past the check).
if (preg_match('/^[_a-zA-Z0-9-]+(\.[_a-zA-Z0-9-]+)*@[a-zA-Z0-9-]+(\.[a-zA-Z0-9-]+)+$/D', $email_from)) {
    mail($email_to, $email_subject, $email_message, $email_headers);
}

and they sent me an email explaining what they did to stop the spammer within 15 minutes or so.

GrayWolf posts a similar case and recommends this helpful page with PHP code to stop header injection; there is more useful stuff in the manual’s comment section, and a great thread at WMW. I found that a combination of the NatNet patch and the tips provided there, plus a few custom add-ons like database lookups, should secure my email forms in the future. Next step is sending automated complaints to the spammer’s ISP.
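To show where the patch above fits, here is an added example of a small contact-form mailer that rejects header injection before anything reaches mail(). It is not the post's or NationalNet's code; the function names, the variable names and the two sample inputs are assumptions constructed for the illustration.

```php
<?php
// Added example, not the post's code. Variable and function names are assumed.

// CR or LF inside a header value is what lets a visitor append extra
// header lines (Cc, Bcc, ...), so this check is the core defence.
function has_header_injection(string $value): bool
{
    return preg_match('/[\r\n]/', $value) === 1;
}

// Same address pattern as the patch, with the D modifier: without it, $ also
// matches just before a trailing "\n", which would let a newline through.
function is_valid_from(string $email): bool
{
    $pattern = '/^[_a-zA-Z0-9-]+(\.[_a-zA-Z0-9-]+)*@[a-zA-Z0-9-]+(\.[a-zA-Z0-9-]+)+$/D';
    return !has_header_injection($email)
        && preg_match($pattern, $email) === 1
        && filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}

// Returns the header string to pass to mail(), or null when the request
// should be dropped and logged instead of sent.
function build_headers(string $from, string $subject): ?string
{
    if (!is_valid_from($from) || has_header_injection($subject)) {
        $ip = $_SERVER['REMOTE_ADDR'] ?? 'cli';
        error_log("contact form: rejected From/Subject submitted from $ip");
        return null;
    }
    // Fixed header set and a fixed recipient elsewhere: the visitor's input
    // can only ever fill the From/Reply-To value, never add a header line.
    return "From: $from\r\nReply-To: $from\r\nX-Mailer: PHP/" . PHP_VERSION;
}

// Constructed inputs: a normal address and an address carrying a CRLF
// with an extra header line appended, the pattern the post describes.
$good = 'jane@example.com';
$bad  = "jane@example.com\r\nBcc: someone@example.net";

var_dump(build_headers($good, 'Hello') !== null); // bool(true)
var_dump(build_headers($bad, 'Hello'));           // NULL
```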


2 Comments to "How to stop email spammers abusing contact forms"

  1. John on 16 February, 2006

    Sebastian, your layout is blocking the display of the code you’re using :). Are you sure you didn’t have something like this in effect already? My forms were spammed with that issue 1-2 years ago and I got a “chance” to clean them up then. I get probed for these issues about once a month!

    If you have a dedicated server or a firewall-PC you can run “snort” (snort.org) on it, couple it with “DShield” (dshield.org) and mynetwatchman.com to help recognize new issues and respond to massive attacks, Symantec DeepSight Analyzer (analyzer.symantec.com; free as well) to analyze and send out mails to the ISP + upstream providers (also correlates data from other users). These systems work at most levels of the OSI reference model (http://en.wikipedia.org/wiki/OSI_model) and can recognize most forms of guestbook (mail-form, etc.) spam attempts. Once you have a system set up like that, you’ll be surprised at what you didn’t know / didn’t see before :-). It’s amazing (sick) how often a server on the net is probed for known attack vectors…

  2. Sebastian on 16 February, 2006

    John, you can copy and paste the regex ;)

    I had something in place and got alerted on many “spam probes”, but the spammers never figured out how to abuse my forms - until recently.

    Thank you for the bunch of information! My post is pretty vague because I think it makes no sense to tell the fuckers how my stuff is protected. I’ve posted the regex first because I didn’t find it on the linked resources, and second because it’s only a tiny component of my code.
