Form attack

liunx

Guest
Was not sure where to post, so forgive me if in wrong place.

I have a form on an HTML page and when submitted it calls an ASP page that formats and sends an email.

I just started receiving emails a little while ago and they would not stop. I finally went in and renamed the ASP file to get them to stop. All the form fields contained an email address and some other garbage. Each time the form was submitted the email addresses changed. See below, I hid the domain name:

Quantity: iqr@***************.com
Size: iqr@***************.com
Stock: iqr@***************.com
Inks Per Side
Front: iqr@***************.com
Inks Per Side
Back: iqr@***************.com
Ink Color
Front: iqr@***************.com
Ink Color
Back: 9697d02b Content-Type: multipart/mixed; boundary="===============0190910647==" MIME-Version: 1.0 Subject: 9697d02b To: iqr@***************.com bcc: [email protected] From: iqr@***************.com This is a multi-part message in MIME format. --===============0190910647== Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit seyualplt --===============0190910647==--
Ink: Standard
Screens: No
Reverses: No
Bleeds: No
Number Size: iqr@***************.com
Number Of Digits: iqr@***************.com
Number Color: iqr@***************.com
Barcode Size: iqr@***************.com
Barcode Style: iqr@***************.com
Perforations: No
Punch: No
Patch: No
Metal Eyelet: No
String: None
Wire Type: None
Packaging: iqr@***************.com
Additional Info: iqr@***************.com
Company: iqr@***************.com
Account Number: iqr@***************.com
Name: iqr@***************.com
Phone: iqr@***************.com
Address: iqr@***************.com
City: iqr@***************.com
State: iqr@***************.com
Zip: iqr@***************.com
Email: iqr@***************.com

I received about 100 emails before I renamed the file. Good thing I was sitting in front of my PC at the time.
How is this happening?
What can I do to stop it?

Post the URL, and look at your server's logs to attempt to track it down.

How is it happening? someone wrote a script.

You can block the address that you find in the logs.

I am working on getting copies of the logs now. May need help later on the method for blocking the IP.

THNX!

For future reference here's the PHP version, I'm sure you will have no problem changing it into ASP.

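// $_SERVER['REMOTE_ADDR'] is the user's current IP address
// $blocked_ip is an IP which is no longer allowed to post your form.
$blocked_ip = '192.0.2.10'; // placeholder; use the address found in your logs

if ($_SERVER['REMOTE_ADDR'] == $blocked_ip) {
    // stop before any email is built or sent
    die();
}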

An additional alternative would be to see if somebody had posted from the same IP address in the last 5 emails by storing an IP and ID in a database, i.e.

------------------
| ID | IP ADDY   |
------------------
| 1  | 127.0.0.1 |
------------------


And if the IP addy of the current user matched the IP of, say, 2 of the last 5 posters, then make it alert your website via email and block the poster's IP address as in the first example till you re-enable it.

That was just an idea and there are lots of variations on it and you should come up with what works best for you.

Good luck!

James

No, it would be best to stop it before it even got to a scripting engine. In IIS I know it is possible to block or grant IP addresses, which occurs before IIS hands the request to the filter which is the scripting engine.

Thanks James, I am going to implement this right now.

afterburn, I was posting when you were posting, so did not see your message. As I am only a web design guy, I am not real sharp on the IIS stuff. I am going to start to work on the other thing, unless you can give me more details on your idea.

OK, on IIS, right-click on the website, Properties->Directory Security->IP Address and Domain name restrictions.

Enter IP addresses, with the option that says grant all but those below.

Not sure exactly the type of attack they are doing, but I have a fix for a popular method.

The method is that they find out the name of your submission page (ASP page) and call it directly either using a form on their server or passing variables in via the url.

The fix is to verify that the page calling your ASP page is on the same server as that page. (so they can't build a dummy form on their server that points to the page on your server and just keep submitting it over and over and over and circumventing any validation/protection done on the first page)

Here's the code....

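Function sameServer()
    Dim strFrom, arrFrom
    ' HTTP_REFERER is sent by the client, so it can be missing or forged
    strFrom = Request.ServerVariables("HTTP_REFERER")
    If strFrom <> "" Then
        ' "http://host/page" splits into "http:", "", "host", "page"
        arrFrom = Split(strFrom, "/")

        If UBound(arrFrom) < 2 Then
            ' malformed Referer with no host part
            sameServer = False
        ElseIf LCase(Request.ServerVariables("SERVER_NAME")) = LCase(arrFrom(2)) Then
            sameServer = True
        Else
            sameServer = False
        End If
    Else
        ' no Referer at all is treated as same server
        sameServer = True
    End If
End Function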


You'd put that code on your ASP page that is doing the email.

If they are just calling the HTML form over and over again and submitting it every time, then you may need to block the IP address. Of course, these guys are prolly working on a proxy or dynamic IP so that will only be temporary and may block more good people than bad ones. These guys are typically good at that sort of stuff.

The other option in that case is to log every email sent out into a database table using the current time and the IP address that called the page. Then, have your ASP page do a check against that table and make sure the current IP address making the request hasn't sent out an email in the last so-many minutes. This way, if they switch IP addresses, it won't matter because it won't care what the IP address is, just that it hasn't sent an email in the last little while.

Oh, and with sameServer.....

Your code would look something like this.....

<%
If sameServer() Then
    'Code to send the email
Else
    Response.Write("We only process pages submitted by our server thank you")
    ' With buffering on, the redirect replaces the message above;
    ' with buffering off it fails because output was already sent
    Response.Redirect("http://junk.junk.com")
End If

Function sameServer()
    'code pasted in here - just make sure it's outside the if statement
End Function
%>


Now, why junk.junk.com? Well, just to send their connection somewhere else and maybe help slow them down. The nastier page (as in lots of images or something similar that takes a long time to load) would be best........but I didn't say that :P

OK, I put in code to capture the IP address and to only allow 2 submissions within a 24-hour period. This is working properly because I tested it thoroughly. This weekend someone, or more than one, submitted the form over fifty times. When I looked at the IP address file they were all different IP addresses. This time there was no data filled out on the form. I have to leave all fields as optional. Any ideas or suggestions at this point?

You need to leave all fields optional? How about just making sure at least one of the fields is compulsory... like if somebody didn't fill in any data then it won't send. But if somebody fills in any one or more field(s) the form will submit... it's not a lot, but it's a start and would stop people randomly pressing the submit button without thought...

THNX! I should have thought of that. I will add code today to not send if no fields are filled in.
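Added example, not code from any poster in this thread: the "Back" value in the first post carries mail headers (Content-Type, Subject, bcc) inside a form field, and the later replies suggest refusing empty forms and throttling regardless of IP. This Python sketch of one server-side screen combines the three checks and ports directly to ASP; the function name, `HEADER_FIELDS`, the 120-second gap and the sample values are assumptions.

```python
import re

# Header names that appear inside the "Back" field of the first post.
HEADER_RE = re.compile(
    r"^[ \t]*(content-type|mime-version|subject|to|cc|bcc|from)[ \t]*:",
    re.I | re.M)
HEADER_FIELDS = {"Email", "Name"}  # assumed: fields the script copies into mail headers
MIN_GAP_SECONDS = 120              # assumed throttle gap, not a value from the thread


def screen_submission(fields, now, last_sent):
    """Return (allowed, reason) for one form post.

    fields    -- dict of form field name -> submitted value
    now       -- current time in seconds
    last_sent -- time the previous email went out, or None
    """
    if not any(v.strip() for v in fields.values()):
        return False, "empty form"
    for name, value in fields.items():
        # A value that ends up in a mail header must be a single line.
        if name in HEADER_FIELDS and ("\r" in value or "\n" in value):
            return False, "line break in field " + name
        # Any field: refuse lines that look like mail headers (bare CR counts).
        if HEADER_RE.search(value.replace("\r", "\n")):
            return False, "mail header in field " + name
    # Throttle the form itself, so rotating IP addresses does not help.
    if last_sent is not None and now - last_sent < MIN_GAP_SECONDS:
        return False, "throttled"
    return True, "ok"


# Constructed sample modelled on the submission quoted in the first post.
SAMPLE_PROBE = {
    "Quantity": "probe@example.invalid",
    "Ink Color Back": "9697d02b\r\nContent-Type: multipart/mixed; boundary=\"x\"\r\n"
                      "MIME-Version: 1.0\r\nSubject: 9697d02b\r\n"
                      "bcc: drop@example.invalid\r\n",
    "Email": "probe@example.invalid",
}
# Constructed ordinary order with a multi-line free-text field.
SAMPLE_ORDER = {
    "Quantity": "500",
    "Additional Info": "Deliver Friday\nCall first",
    "Email": "buyer@example.invalid",
}

if __name__ == "__main__":
    print(screen_submission(SAMPLE_PROBE, 1000, None))
    print(screen_submission(SAMPLE_ORDER, 1000, None))
```
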
 