[BBLISA] spam & autoresponse webforms

Dean Anderson dean at av8.com
Fri Mar 12 15:28:04 EST 2004


On Fri, 12 Mar 2004, Tabor J. Wells wrote:

> On Thu, Mar 11, 2004 at 04:28:47PM +0000,
> David Cogley <cogley at gibraltar.basespace.net> is thought to have said:
> 
> > At the request of our CEO, I set up a web form which is processed by a cgi 
> > script so that it logs to a file and then sends an autoresponse to the 
> > email address entered on the web form.  Last night, someone downloaded my 
> > web form, modified it and used the modified version to POST, thereby 
> > spamming one person 3 times in quick succession.  This got our domain 
> > placed on a spam list.  One of our outgoing emails was bounced this 
> > morning. 
> > I am running perl in taint mode, so all of the nasty characters entered on 
> > the web form were scrubbed out.  Looking at our logs, I cannot see that our 
> > server was compromised.  The person looking for an open relay did not find 
> > one.  I have turned off the autoresponse feature of the cgi script. 
> 
> It's not formmail.pl is it? There's several security holes in this very
> popular cgi that cause it to be used by spammers in the way you describe.

It doesn't have to be formmail.pl. *Any* web page that sends email can be
abused.  Any web form that accepts any text that will be emailed to the
address entered can be abused with arbitrary messages. 

If your abusers only sent 3 emails, then certainly the abuser intended to
try to get you blacklisted.  The people that do that are either blacklist
operators who are scanning for things, or someone who has a more personal
beef.  If you weren't running formmail.pl, then it is probably the latter.

There are anti-spammers scanning for formmail and open relays, who will
abuse your services. The most effective solution is to block the
blacklists to interfere with their scanning.

Those three addresses should certainly never get any email again, and the
IP addresses they used should also be denied further access, and the abuse
reported to your ISP, who can coordinate with their ISP.

> Rate limit the usage of the form based on the IP address, sender address, 
> number of recipients, and number of times the same recipient can receive
> email.

Also a good idea.

> For example my dayjob site (www.smarterliving.com) has one of those "mail
> this article to a friend" things (which personally I dislike, but whatever).
> In order to prevent abuse we had to remove the freeform text field where
> someone could enter a note and add a low max number of times per day that it
> can be used to send mail to any given recipient and from any given ip.
> 
> We also log all of the details of when it is used so that if we do get
> complaints about abuse we can take action to either block the IP it came
> from or contact the site where the abuse originated from.
> 
> We haven't had any problems since those changes were implemented.

Yep. Good ideas---not enough to actually stop abuse, but enough to satisfy 
the radicals who insist on abusing sites.
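The controls Tabor describes above (a low daily cap per recipient and per source IP, a cap on recipients per submission, and a log of every use so abuse can be traced) can be put in front of any form-to-mail script. The following is an added example written for this archive page; it is not code from the thread, from smarterliving.com, or from David's CGI script. The class name, the limits, the addresses and the IPs are all made up for illustration, and the sliding 24-hour window is kept in memory, so a real deployment would persist it across CGI invocations. Removing the free-form note field, as the post also recommends, is a form-design change and is not something this code can enforce.

```python
"""Abuse limits for a 'mail this to a friend' style web form (constructed example)."""
import time
from collections import defaultdict, deque


class FormMailLimiter:
    """Sliding-window caps per source IP, per sender and per recipient,
    a cap on recipients per submission, and an audit log of every attempt."""

    def __init__(self, max_per_ip=5, max_per_sender=5, max_per_recipient=2,
                 max_recipients_per_post=1, window_seconds=24 * 3600):
        self.max_per_ip = max_per_ip
        self.max_per_sender = max_per_sender
        self.max_per_recipient = max_per_recipient
        self.max_recipients_per_post = max_recipients_per_post
        self.window = window_seconds
        self._events = defaultdict(deque)  # (kind, key) -> timestamps of allowed sends
        self.audit_log = []                # one record per submission, allowed or not

    def _recent(self, key, now):
        """Drop timestamps older than the window and return how many remain."""
        q = self._events[key]
        while q and q[0] <= now - self.window:
            q.popleft()
        return len(q)

    def submit(self, ip, sender, recipients, now=None):
        """Decide whether this submission may be mailed. Returns (allowed, reason)."""
        now = time.time() if now is None else now
        sender = sender.strip().lower()
        recipients = [r.strip().lower() for r in recipients]
        reason = "ok"
        if len(recipients) > self.max_recipients_per_post:
            reason = "too many recipients in one post"
        elif self._recent(("ip", ip), now) >= self.max_per_ip:
            reason = "ip daily limit"
        elif self._recent(("sender", sender), now) >= self.max_per_sender:
            reason = "sender daily limit"
        else:
            for r in recipients:
                if self._recent(("rcpt", r), now) >= self.max_per_recipient:
                    reason = "recipient daily limit: " + r
                    break
        allowed = reason == "ok"
        if allowed:
            # Only successful sends count against the caps.
            self._events[("ip", ip)].append(now)
            self._events[("sender", sender)].append(now)
            for r in recipients:
                self._events[("rcpt", r)].append(now)
        # Log everything, so a complaint can be traced back to an IP and time.
        self.audit_log.append({"time": now, "ip": ip, "sender": sender,
                               "recipients": recipients, "allowed": allowed,
                               "reason": reason})
        return allowed, reason


def replay_repeated_recipient(limiter=None):
    """Replay the pattern from the original post: one recipient hit three times
    in quick succession from one IP. Returns the three (allowed, reason) results."""
    lim = limiter or FormMailLimiter(max_per_recipient=2)
    t0 = 1_000_000.0                      # constructed timestamp
    results = []
    for i in range(3):
        results.append(lim.submit("192.0.2.10", "someone@example.com",
                                  ["target@example.net"], now=t0 + i))
    return results


if __name__ == "__main__":
    lim = FormMailLimiter(max_per_recipient=2)
    for ok, why in replay_repeated_recipient(lim):
        print("sent" if ok else "refused", why)
    for rec in lim.audit_log:
        print(rec)
```

The caps are checked before anything is counted, so refused attempts never consume a sender's or recipient's allowance, while every attempt still lands in `audit_log`. The window is a deque per key that is trimmed on each lookup, which keeps memory bounded to the sends actually made in the last 24 hours.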
