[BBLISA] spam & autoresponse webforms

Tabor J. Wells twells at fsckit.net
Fri Mar 12 14:40:50 EST 2004


On Thu, Mar 11, 2004 at 04:28:47PM +0000,
David Cogley <cogley at gibraltar.basespace.net> is thought to have said:

> At the request of our CEO, I set up a web form which is processed by a cgi 
> script so that it logs to a file and then sends an autoresponse to the 
> email address entered on the web form.  Last night, someone downloaded my 
> web form, modified it and used the modified version to POST, thereby 
> spamming one person 3 times in quick succession.  This got our domain 
> placed on a spam list.  One of our outgoing emails was bounced this 
> morning. 
> I am running perl in taint mode, so all of the nasty characters entered on 
> the web form were scrubbed out.  Looking at our logs, I cannot see that our 
> server was compromised.  The person looking for an open relay did not find 
> one.  I have turned off the autoresponse feature of the cgi script. 

It's not formmail.pl, is it? There are several security holes in this very
popular CGI that cause it to be used by spammers in the way you describe.

> Even with an autoresponder in place, it is possible to prevent bulk 
> spammers from sending out large messages through a server.  I can do this 
> by using the cgi script to truncate all of the web form values to just 
> enough characters to suit the purposes of the web form.  However, someone 
> can still send unwanted emails to anyone they list in the email address box 
> on the web form. 
> 
> I don't see how I can easily prevent unwanted emails being sent from a web 
> form.  There must be a way since I see so many web forms which send 
> autoresponses.  I have a vague sense that I could do a reverse DNS lookup 
> on the IP address that is accessing the web page and then only autorespond 
> if the browser access and the email address match.  However, that would 
> prevent someone from filling out a web form at home and asking for the 
> response to be sent to a work email address. 

Rate limit the usage of the form based on the IP address, sender address,
number of recipients, and number of times the same recipient can receive
email.

For example, my day job site (www.smarterliving.com) has one of those "mail
this article to a friend" things (which personally I dislike, but whatever).
In order to prevent abuse we had to remove the freeform text field where
someone could enter a note, and add a low maximum number of times per day that it
can be used to send mail to any given recipient and from any given IP.

We also log all of the details of when it is used so that if we do get
complaints about abuse we can take action to either block the IP it came
from or contact the site where the abuse originated from.

We haven't had any problems since those changes were implemented.

> As far as I can tell, anyone visiting a web page can fill in someone else's 
> email address.  I conclude that a web form autoresponder is always likely 
> to get one's domain added to a spam list, eventually.  Getting off a spam 
> list is time consuming. 

Indeed it is. But if you take some sensible precautions you can drastically
limit your exposure. And if you're using formmail.pl you should disable it
immediately and find another script (or write your own) with security in
mind.

Tabor
-- 
--------------------------------------------------------------------
Tabor J. Wells                                     twells at fsckit.net
Fsck It!                 Just another victim of the ambient morality
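The controls Tabor describes above (per-day caps keyed on client IP, sender address and recipient, one recipient per submission, every field truncated to what the form needs, and a log of every attempt so abuse can be traced back) as an added example; this is not code from the post, from David's CGI, or from the smarterliving.com form. The limits, field names, addresses and the injectable clock are constructed assumptions chosen so the example runs offline.

```python
import json
import time
from collections import defaultdict

# Per-window caps: constructed values for this example, not figures from the post.
WINDOW_SECONDS = 24 * 60 * 60
MAX_PER_IP = 10          # submissions from one client address per window
MAX_PER_SENDER = 5       # submissions naming one "from" address per window
MAX_PER_RECIPIENT = 2    # messages any one recipient may receive per window
MAX_RECIPIENTS = 1       # recipients per submission, so no bulk fan-out

# Truncate each field to the length the form actually needs (assumed names/sizes).
FIELD_LIMITS = {"name": 64, "email": 254, "recipient": 254, "article": 128}


class FormRateLimiter:
    """Sliding-window counters keyed by client IP, sender and recipient."""

    def __init__(self, clock=time.time):
        self._clock = clock                 # injectable so tests are deterministic
        self._events = defaultdict(list)    # (kind, value) -> list of timestamps

    def now(self):
        return self._clock()

    def _recent(self, key, now):
        cutoff = now - WINDOW_SECONDS
        kept = [t for t in self._events[key] if t > cutoff]
        self._events[key] = kept            # drop expired entries as we go
        return len(kept)

    def check(self, client_ip, sender, recipients):
        """Return (allowed, reason) without consuming any quota."""
        now = self.now()
        if not recipients:
            return False, "no recipient"
        if len(recipients) > MAX_RECIPIENTS:
            return False, "too many recipients"
        if self._recent(("ip", client_ip), now) >= MAX_PER_IP:
            return False, "ip limit"
        if self._recent(("sender", sender), now) >= MAX_PER_SENDER:
            return False, "sender limit"
        for rcpt in recipients:
            if self._recent(("rcpt", rcpt), now) >= MAX_PER_RECIPIENT:
                return False, "recipient limit"
        return True, "ok"

    def record(self, client_ip, sender, recipients):
        """Consume quota once a message has actually been sent."""
        now = self.now()
        self._events[("ip", client_ip)].append(now)
        self._events[("sender", sender)].append(now)
        for rcpt in recipients:
            self._events[("rcpt", rcpt)].append(now)


def sanitize(form):
    """Keep only the listed fields, truncated; normalise addresses for keying."""
    clean = {}
    for key, limit in FIELD_LIMITS.items():
        value = str(form.get(key, ""))[:limit]
        if key in ("email", "recipient"):
            value = value.strip().lower()
        clean[key] = value
    return clean


def handle_submission(form, client_ip, limiter, audit_log, send=None):
    """Process one POST: sanitize, rate-limit, send (or refuse), and log.

    audit_log is anything with .append(); in a real CGI it would be a file
    opened for append. send is the mail callback; None means dry run.
    """
    clean = sanitize(form)
    recipients = [clean["recipient"]] if clean["recipient"] else []
    allowed, reason = limiter.check(client_ip, clean["email"], recipients)
    if allowed:
        if send is not None:
            send(clean["email"], recipients, clean["article"])
        limiter.record(client_ip, clean["email"], recipients)
    # Log every attempt, accepted or refused, so a complaint can be traced
    # to the originating IP and the addresses involved.
    audit_log.append(json.dumps({
        "ts": limiter.now(), "ip": client_ip, "sender": clean["email"],
        "recipients": recipients, "allowed": allowed, "reason": reason,
        "article": clean["article"],
    }))
    return allowed, reason


def read_audit_log(audit_log):
    """Parse the JSON lines back into dicts (for the test and for review)."""
    return [json.loads(line) for line in audit_log]
```

The limiter deliberately checks before sending and records only after a successful send, so a refused attempt never consumes quota, and the recipient cap applies across all client IPs and senders, which is what stops the "three messages to one person in quick succession" pattern David saw even when the abuser rotates source addresses.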