* * * * *

           How desperate do you have to be to spam someone? Part II

Okay, two days later [1] and I have more information about that spammer:
they're not trying to send email, they're trying to spam guestbooks and
forums.

Before I get there, let me explain how the Obligatory Email Notification
System [2] works. When you fill in the form, your email address is added to
an “optin” list, and a confirmation email is sent to that address. Only when
you reply to that email is your address moved from the “optin” list to the
“verified” list, and it's the “verified” list that notifications are sent to
when I make a new entry.

So I decided to check the “optin” list, and boy, was I in for a surprise. I
haven't checked the actual “optin” list for, oh, three years or so? It would
be an understatement to say the email addresses were predominantly sex
related. I grabbed one ([email protected]) and lo, look at all
that guestbook spam [3].

My guess: the spammer searched the net for HTML (HyperText Markup Language)
forms that looked like guestbook or forum forms, and since many guestbook
forms have an email field (usually named email) they tagged my Obligatory
Email Notification as a possible guestbook script (since it, too, has a field
named email).

But here's where things get weird: the only fields they fill out, in regards
to my Obligatory Email Notification form, are the fields defined in that
form. I had hoped to see some additional fields being sent in, like comments
or message (which wouldn't do anything anyway) but nope, the only fields they
sent in were the fields defined for my form.

I thought maybe because I didn't have a field named comments or message they
weren't sending in such a field. So I added a field named comments (it's a
<TEXTAREA> but with a style of display: none).

Still, only the fields I had originally defined were being sent in.

Checking the logs, and yes, the spammer has definitely cached the original
form (because the spammer is simply doing a POST to the form, and not
retrieving it before doing the POST). I'm going to rename the form and see if
that has any effect.

One more thing though: it's one spammer doing all this, and while you would
think I could just block that one IP (Internet Protocol) address, I can't.
That's because this particular spammer, running their script from
72.232.102.130 [4], is using a series of open web proxies to submit the form,
so the actual IP address to block changes all the time. So if you're getting
spam to a guestbook or forum and you're running Apache [5], you might want to
check the environment variable HTTP_X_FORWARDED_FOR.
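The check suggested above, worked through on constructed log lines; this is an added example and not the phlog's own setup. It assumes an Apache LogFormat that appends the request's X-Forwarded-For header in quotes (Apache writes a lone dash when the header is absent), a placeholder form path of /cgi-bin/notify.cgi, and proxy addresses drawn from the documentation ranges. The only real address in it is 72.232.102.130, the origin named in the post.

```python
import ipaddress
import re
from collections import Counter

# Assumed LogFormat (not the page's); the last field is the header the open
# proxies add on the spammer's behalf:
#   LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" \"%{X-Forwarded-For}i\"" xff
FORM_PATH = "/cgi-bin/notify.cgi"  # placeholder for the notification form

# Constructed sample lines. Three POSTs arrive via three different proxies,
# all naming 72.232.102.130 as the client; the third went through two proxies
# in a row. One proxy strips the header, one sends junk in it.
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2007:12:00:01 -0400] "POST /cgi-bin/notify.cgi HTTP/1.0" 200 512 "-" "Mozilla/4.0" "72.232.102.130"
198.51.100.23 - - [10/May/2007:12:00:05 -0400] "POST /cgi-bin/notify.cgi HTTP/1.0" 200 512 "-" "Mozilla/4.0" "72.232.102.130"
192.0.2.9 - - [10/May/2007:12:00:09 -0400] "POST /cgi-bin/notify.cgi HTTP/1.0" 200 512 "-" "Mozilla/4.0" "72.232.102.130, 203.0.113.7"
192.0.2.44 - - [10/May/2007:12:01:00 -0400] "GET /cgi-bin/notify.cgi HTTP/1.1" 200 2048 "-" "Mozilla/5.0" "-"
203.0.113.7 - - [10/May/2007:12:02:17 -0400] "POST /cgi-bin/notify.cgi HTTP/1.0" 200 512 "-" "Mozilla/4.0" "-"
198.51.100.23 - - [10/May/2007:12:02:40 -0400] "POST /cgi-bin/notify.cgi HTTP/1.0" 200 512 "-" "Mozilla/4.0" "unknown"
"""

LINE_RE = re.compile(
    r'^(?P<remote>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<xff>[^"]*)"$'
)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it doesn't match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def xff_chain(xff_field):
    """Addresses in X-Forwarded-For, leftmost first, skipping anything that
    isn't a syntactically valid IP (the header is free text from the client)."""
    if xff_field == "-":
        return []
    chain = []
    for part in xff_field.split(","):
        part = part.strip()
        try:
            ipaddress.ip_address(part)
        except ValueError:
            continue
        chain.append(part)
    return chain


def claimed_origin(entry):
    """Leftmost forwarded address if a proxy supplied one, else the peer.
    Whoever sent the request chose this value, so it is a hint for
    correlation, not evidence."""
    chain = xff_chain(entry["xff"])
    return chain[0] if chain else entry["remote"]


def form_posts(log_text, path=FORM_PATH):
    """Yield parsed entries for POSTs to the form."""
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and entry["method"] == "POST" and entry["path"] == path:
            yield entry


def origins_of_posts(log_text, path=FORM_PATH):
    """How many form submissions each claimed origin accounts for."""
    return Counter(claimed_origin(e) for e in form_posts(log_text, path))


def proxies_used_by(log_text, origin, path=FORM_PATH):
    """Peer addresses that relayed submissions claiming to come from origin."""
    return {
        e["remote"]
        for e in form_posts(log_text, path)
        if claimed_origin(e) == origin and e["remote"] != origin
    }


if __name__ == "__main__":
    for origin, n in origins_of_posts(SAMPLE_LOG).most_common():
        print(f"{origin:16} {n} POSTs via {sorted(proxies_used_by(SAMPLE_LOG, origin))}")
```

The two submissions that land on 203.0.113.7 and 198.51.100.23 themselves show the limit of the technique: a proxy that drops the header, or a client that sends garbage in it, is indistinguishable from a direct visitor, so the header is good for spotting that one origin sits behind many peers, and poor as the sole basis for blocking.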

[1] gopher://gopher.conman.org/0Phlog:2007/05/08.1
[2] https://boston.conman.org/
[3] http://clusty.com/search?input-form=clusty-simple&v%3Asources=webplus&query=hcl_tab_tramadol%40hotmail.com
[4] http://clusty.com/search?input-form=clusty-simple&v%3Asources=webplus&query=72.232.102.130
[5] http://httpd.apache.org/

Email author at [email protected]