Greg K — Wed, 31 Aug 2005 21:37:53 +0000

fifeclub wrote: Then it ends off with "If see this message email THIS url to [email=complaints2@land.ru]complaints2@land.ru[/email]"

I've seen enough spam to say I think this is just a poorly translated "click here to remove" message.

And did you try the suggestion in my last message I had posted about this topic?

RangerLord wrote: I can tolerate the situation, but what I would like to know is (1) Is this a security issue I should be concerned about? and (2) Is it possible to put a stop to this, or will I just be chasing IP's?

First, welcome to the forums! Now as to your questions. The security issue well that would depend on the script you are using, if it has any security issues. Mainly it is just going to be an annoyance filling up your guestbook (why do you think there are so many "Type the characters in the box below (that you need some good drugs to make look like letters)" things in effect anymore.

As to putting a stop to it, again the filtering would be based on your script and/or your own coding ability to do so. If you can don't filter by individual IP addresses, do a whole group of them that the one IP address belongs to. This really comes down to how much time you want to spend on it.

The whole thing in general is just something you ahve to put up with when you offer a free place for people to post what ever they want.

-Greg

RangerLord — Wed, 31 Aug 2005 19:42:50 +0000

Hi everyone... I'm new on here, and this is my first post. I've been searching the web regarding a question I have about guestbooks and spammers, and that brought me here. I'm glad to be on board.

After reading fifeclub's posts (and dropping in on his site) I feel guilty posting my question 'cause I'm not getting spammed, yet. Here it is, though....

I have a hobby site that's been up just short of two months. Shortly after it opened, I installed a guestbook (phpBook 1.50). Within days I got spammed, but only two messages. Both had some BS text that had nothing to do with the gambling site they were promoting, and the log showed the hits coming from Slovenia and Israel. The spam links were within the message text. I deleted the two entries, and I haven't been spammed since. But....

I am seeing some odd behaviour in my site tracker. After the spam entries, I would receive hits from Israel every few days, from 80.74.111.114. The hits always came in pairs, a few minutes apart, and went straight to the guestbook. Nothing was entered in the book, however. After seeing this for a couple weeks, I decided to use phpBook's IP blocker and shut them out. Five days later, the Israel/guestbook hits started again, this time from IP 212.29.214.240. Still no spam.

My apologies again to fifeclub for complaining about something so insignificant compared to his problem. This is a startup site, and traffic is low, and it just annoys me that almost 7% of the hits listed in my site tracker are from this Israel/guestbook IP. I've considered blocking this new IP, but I figure the problem will just migrate to a new one.

I can tolerate the situation, but what I would like to know is (1) Is this a security issue I should be concerned about? and (2) Is it possible to put a stop to this, or will I just be chasing IP's?

Thanks!
R/L

chrishirst — Mon, 29 Aug 2005 18:33:53 +0000

It's not the database fields, it's the form input names that are the issue. What these bots do is rescrape the page source and retrieve the names.

With a bit of programming you can generate random names for the inputs each time the page is opened, store the names & fields in a cookie\session variable and retrieve these on submission. This makes it absolutely impossible for auto-submitters to recover the names for future use because they will never be the same on two occasions.
For instance; You can use the session id and split that into say 8 char chunks for the names this will be unique for each visit.

definitely don't reply

I'm back!

fifeclub — Mon, 29 Aug 2005 16:58:00 +0000

I took the time to change all the fields of my mySQL database. It worked for over a month but they're starting to sneak back in again, even thought I customized all the database fields to non-standard names.

I can't figure out if these new entries are automated or entered manually (automation should be much more difficult now) but the latest entry has an odd message that I wanted to ask about. The website field is empty but the message field is full of spam links. Then it ends off with "If see this message email THIS url to complaints2@land.ru"

Is this a trick? I assume that if I send an email to this address (from Russia once again) that I'll just be put on 10,000 more spamming lists.

Greg K — Wed, 15 Jun 2005 15:51:16 +0000

You have to realize how this works.

Normally you have a form on your site, that when submitted, sends the information to a script on your site that processes all of the information. (sometimes, it is the same file, usually not).

Here is what is most likely happening. They call your script file, just as your form would. They have it programmed to send the same information your form sends in. (which is why changing the names of the form fields can make a difference). You script does realize that the information it is being sent is NOT coming from your form.

If i remember right, your script is in PHP. If so, go in there where it saves the data to your database. Make a field in your database, and send to it the value of $_SERVER['HTTP_REFERER']. This is the page that the person was at when they clicked to get to your script. Normally, this should be the URL of your form.

Remember though, some people have this information blocked (either manually, or their antivirus software does it without them knowing).

After a day, check these values, you will most likely notice all the spam ones are coming from "-" (or just an empty string) which indicates that it was directly called. Well you know your script should always be called from your form, so if the referer isn't your form, block the saving of information.

Like I said, you may loose those whose refer is blocked, but that is a lot less than how many you loose by shutting off the guestbook. Again, remember to leave a "polite" error message explaining why the information was not submitted. "We're sorry, but we were unable to determine which page sent you here. Either you have your 'referer' information disabled, or your antivirus software may have blocked this information."

BTW, ever wonder why all these sites anymore have those weird text pictures and ask you to enter the text?? This is exactly why. Bots automatically making new accounts.

-Greg

fifeclub — Wed, 15 Jun 2005 13:56:15 +0000

Thanks everybody for the help. "IP Deny Manager" may or may not have worked. I woke up this morning to a new flood of guestbook spam and thought the Deny Manager didn't work because it wasn't using my webform anyway. But after checking my database I can see that all the new spam is now from 63.246.133.54 unknown.sagonet.net. So the bottom line is that it's pointless to try to ban them. Crap! I'm about to notify my host provider and also try those links y'all mentioned. Thanks again.

One follow up question: If they aren't using my webform to submit info to my MySQL database, then how can they add information without knowing my username and password????

CptAwesome — Wed, 15 Jun 2005 01:45:07 +0000

You can try installing this:
http://www.plebian.com/news.php?artc=138&

it will stop bots cold

Abhishek Reddy — Tue, 14 Jun 2005 23:47:56 +0000

Since recently, I get poker spam in comments on my blog. I'd been expecting it for about a year, since my site was launched. I was starting to worry that I had none while everyone else was getting it -- I saw it as a measure of success, or the extent of publication, I guess.

Anyway, I was prepared for it when it came a few weeks back. I spent a couple of weeks manually handling the spam to wait and see if it was the real thing. When I was satisfied that it was, I simply installed Drupal's Spam.module. Works like a charm.

fifeclub — Tue, 14 Jun 2005 21:52:45 +0000

8 more since I wrote this morning. That's a lot since my guestbook only had about 50 in the past several years. They're starting to repeat similar phrases and names.

Greg K wrote: Have you notified your provider? Does it seem to be all coming form same IP (or IP range)? Notify them, maybe they can put a block on it.

Do you mean my host? No, I haven't told them yet. My gb program records a bunch of other information Every single of my recent spammers lists the following info: 69.31.86.244 neg229.named1.com

I have cPanel, which has a bunch of features I've never used. One says "IP Deny Manager". It looks like it should do the trick but will it work if they aren't actually using the website to access my database? (note: my logs do show Mozilla 4.0 as a user agent). I'll enter that IP in there and see what happens over the next 24 hours or so.

Greg K wrote: Did you try the requiring the referrer to match your site?

I wouldn't have a clue how to do that. Me is simple man.

Greg K — Tue, 14 Jun 2005 20:53:52 +0000

Have you notified your provider? Does it seem to be all coming form same IP (or IP range)? Notify them, maybe they can put a block on it.

Did you try the requiring the referrer to match your site?

-Greg