Re: Blocking form spam

This WebDNA talk-list message is from 2006.


After looking through my logs and completed mail folder I have come up with this:

[TEXT]BlockMessage=F[/TEXT]
[TEXT]BlockThis=cc:#Subject:#content-type:#multipart/alternative;#multi-part#boundary=[/TEXT]
[ListWords Words=[BlockThis]&Delimiters=#]
[ShowIf [passedvariable]^[word]][TEXT]BlockMessage=T[/TEXT][/ShowIf]
[/ListWords]
[HideIf [BlockMessage]=T]
Sendmail goes here
[/HideIf]

Stuart Tremain
idfk web developments, sydney, australia

On 10 Aug 2006, at 9:18 AM, Tom Duke wrote:

> Stuart,
>
> My problem was determining what characters to grep for and be confident
> that I am catching the attempts to push email through my forms.
>
> Just to be clear there are two things happening to my forms:-
>
>
> 1. Contact Form Spam / Comment Spam
> This is where a spammer is sending loads of links through the form
> hoping (I assume) that it may show up on a live web page (like a blog or
> guestbook) and help their google rating. What I have done here is check
> for the string 'http://' in fields where it is not appropriate and then
> block the form from sending if any are present. Where the field may
> contain a link (like a comment textarea) then I count the number of
> links and block if more than, say, five links are in the field.
>
> Links : [listwords words=[grep search=[url]http://[/url]&replace= |][COMMENT][/grep]&delimiters=|][text]links=[index][/text][/listwords][links]
>
>
> 2. Email Injection Spam
> This is more worrying and is where a spammer tries to hijack a form and
> use it as an SMTP proxy to send spam.
> (http://www.securephpwiki.com/index.php/Email_Injection) They do this
> by putting strings like the following into form fields:-
>
> sender@anonymous.www%0ACc:recipient@someothersite.xxx%0ABcc:somebloke@grrrr.xxx,someotherbloke@oooops.xxx
>
> If the data from this field is passed on anywhere within a [sendmail]
> context then the third party will get an email. The headers can be
> messed around with more to fully hijack the form. After trial and error
> I have found the following grep seems to work:
>
> [grep search=(%250A|%250D|[cC][cC])&replace=][formfield][/grep]
>
> It removes linefeeds, carriage returns, and 'Cc' (also effectively
> catching 'Bcc').
>
>
> Sorry if I seem to be going on too much about this but I found a couple
> of my forms were exposed and it scared the crap out of me. I haven't
> come across anything in the docs or on this list yet which highlights
> that variables have to be checked and cleaned before being included in a
> sendmail context. Maybe it's obvious that this should be done but I had
> missed it nonetheless.
>
> - Tom
>
> -------------------------------------------------------------
> This message is sent to you because you are subscribed to
> the mailing list .
> To unsubscribe, E-mail to:
> To switch to the DIGEST mode, E-mail to digest@talk.smithmicro.com
> Web Archive of this list is at: http://webdna.smithmicro.com/
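The two checks Tom describes in the quoted message (a link count for body fields, and a control-character check on anything that is interpolated into a mail header), as an added example for this archive page. It is not code from the list post and it is written in Python rather than WebDNA so that it can be run; the field names "from", "subject" and "comment", the fixed recipient address and the sample submission are constructed for the demo. The example decodes percent-encoding before checking, so both %0A and the doubly encoded %250A form are seen as a newline, and it rejects the submission instead of stripping characters out of it.

```python
# Added example, not code from the WebDNA list post. Field names, the
# recipient address and INJECTED are assumptions constructed for the demo.
import re
from urllib.parse import unquote

# Characters that end a mail header line; any of these inside a value that is
# placed after "From: " or "Subject: " lets the sender append Cc:/Bcc: lines.
_CTRL = re.compile(r"[\r\n\x00]")
_URL = re.compile(r"https?://", re.I)


def decode_fully(value, rounds=3):
    """Undo up to `rounds` layers of percent-encoding, so that %0A and the
    double-encoded %250A both become a real newline before the check runs."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def header_injection_attempt(value):
    """True if the decoded value contains CR, LF or NUL, i.e. could start a
    new header line when interpolated into the message header block."""
    return _CTRL.search(decode_fully(value)) is not None


def link_count(value):
    """Number of http:// or https:// occurrences in a field."""
    return len(_URL.findall(value))


def vet_submission(fields, header_fields=("from", "subject"),
                   body_fields=("comment",), link_limit=5):
    """Return a list of (field, reason) problems; an empty list means the
    submission may be handed to the mailer. Values are rejected rather than
    'cleaned', so no part of a payload survives into the message."""
    problems = []
    for name in header_fields:
        value = fields.get(name, "")
        if header_injection_attempt(value):
            problems.append((name, "header injection"))
        if link_count(value):
            problems.append((name, "link in header field"))
    for name in body_fields:
        if link_count(fields.get(name, "")) > link_limit:
            problems.append((name, "too many links"))
    return problems


def build_message(fields, recipient="webmaster@example.com"):
    """Assemble the raw message the form would send. The recipient is fixed
    server-side and never taken from the form; only vetted values reach the
    header block."""
    problems = vet_submission(fields)
    if problems:
        raise ValueError("rejected: %r" % (problems,))
    headers = [
        "From: %s" % fields.get("from", ""),
        "To: %s" % recipient,
        "Subject: %s" % fields.get("subject", "Contact form"),
    ]
    return "\r\n".join(headers) + "\r\n\r\n" + fields.get("comment", "")


# Constructed sample input, shaped like the payload quoted in the thread.
INJECTED = ("sender@anonymous.www%0ACc:recipient@someothersite.xxx"
            "%0ABcc:somebloke@grrrr.xxx,someotherbloke@oooops.xxx")

if __name__ == "__main__":
    print(vet_submission({"from": INJECTED, "comment": "hello"}))
    print(vet_submission({"from": "a@b.example", "comment": "hello"}))
```

Because the value is rejected rather than edited, an address such as accounts@example.com, which happens to contain the substring "cc", passes through unchanged; the only question asked is whether the decoded value could terminate a header line. The link limit and the set of header fields are parameters so the same function covers a guestbook textarea and a contact form.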

    
