Webmaster forum archive, July 2006
Is my web form being attacked?
peter

2006-07-10, 7:20 pm

I have a website that has a form where customers can order free
samples. Their information is emailed to me. I usually get one or two
requests a day. In the past 24 hours, I have got about 30 requests.
The information always has a Brazil address. Before yesterday, I don't
think I got more than a few requests from Brazil in 2 years of
operation. The information on each email is unique, as are the IP
addresses. Any thoughts on this strange occurrence?

Thanks,

Peter

Safalra

2006-07-10, 7:20 pm

On 8 Jul 2006 23:12:47 -0700, peter wrote:
> I have a website that has a form where customers can order free
> samples. Their information is emailed to me. I usually get one or two
> requests a day. In the past 24 hours, I have got about 30 requests.
> The information always has a Brazil address. Before yesterday, I don't
> think I got more than a few requests from Brazil in 2 years of
> operation. The information on each email is unique, as are the IP
> addresses. Any thoughts on this strange occurrence?


It's always possible some Brazilian has told all their friends that there's
a website providing free samples of whatever it is that you supply. You
might like to check that at least a fair proportion of the IP addresses
actually resolve to Brazilian ISPs, though.

--
Safalra (Stephen Morley)
http://www.safalra.com/hypertext/
peter

2006-07-10, 7:20 pm

Yes, I did that, and the IP's are from Brazil. I don't know what else
to make of it.

Thanks,

Peter

TechnoHippie

2006-07-10, 7:20 pm

"peter" <plaz987@yahoo.com> wrote in news:1152454450.370871.140410
@m73g2000cwd.googlegroups.com:

> Yes, I did that, and the IP's are from Brazil. I don't know what else
> to make of it.


I'd add a step to your automated order process, like this: form sends
verification url/code to "customer" which must be visited/entered to
finalize the "free" order.

School's out and all the kiddies are playing with ill-formed exploits.

Judy
--
Trippy Triangle: http://technohippie.com
Millenium Theater: http://tinyurl.com/ozewy
The Usenet Improvement Project: http://blinkynet.net/comp/uip5.html

--
Posted via a free Usenet account from http://www.teranews.com
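An added example (not code from the thread) of the confirmation step Judy describes, in PHP: the order is held until the customer visits a one-time link. The pending.json storage, the confirm.php URL and the 24-hour validity window are assumptions.

```php
<?php
// Added example: hold a sample order until the customer visits a one-time confirmation link.
// Assumptions: orders are kept in pending.json next to this script, the link points at a
// hypothetical confirm.php, and a link stays valid for 24 hours.

const PENDING_FILE = __DIR__ . '/pending.json';
const TOKEN_TTL    = 86400;   // seconds a confirmation link stays valid (assumed 24 h)

function loadPending(): array
{
    if (!is_file(PENDING_FILE)) {
        return [];
    }
    return json_decode(file_get_contents(PENDING_FILE), true) ?: [];
}

function savePending(array $pending): void
{
    file_put_contents(PENDING_FILE, json_encode($pending), LOCK_EX);
}

// Store the order and return the link the form handler should e-mail to the customer.
// Only a hash of the token is stored, so reading pending.json is not enough to confirm
// an order; the unguessable token exists only in the customer's mailbox.
function createPendingOrder(array $order): string
{
    $token   = bin2hex(random_bytes(16));         // 128 bits from the CSPRNG
    $pending = loadPending();
    $pending[hash('sha256', $token)] = ['order' => $order, 'created' => time()];
    savePending($pending);
    return 'https://example.com/confirm.php?t=' . $token;   // placeholder URL
}

// Called by confirm.php with $_GET['t']. Returns the order to fulfil, or null if the
// token is malformed, unknown, expired or already used (each link works exactly once).
function confirmOrder(string $token): ?array
{
    if (!preg_match('/^[0-9a-f]{32}$/', $token)) {
        return null;
    }
    $key     = hash('sha256', $token);
    $pending = loadPending();
    if (!isset($pending[$key]) || time() - $pending[$key]['created'] > TOKEN_TTL) {
        return null;
    }
    $order = $pending[$key]['order'];
    unset($pending[$key]);                        // single use
    savePending($pending);
    return $order;
}
```

Unconfirmed entries can be pruned from pending.json by the same TTL check, so a burst of automated submissions never becomes a burst of shipped samples.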

rwap

2006-07-10, 7:20 pm

In the meantime, it is surely worth sending an email response to a
handful of these people to see if they are genuine requests.

However, the problem comes with providing free samples overseas - too
many requests could easily ruin your business plan !! Maybe you should
add a note to your order page to say that you reserve the right to
provide free samples overseas.

Rich Mellor
www.internetbusinessangels.com

TechnoHippie wrote:
> "peter" <plaz987@yahoo.com> wrote in news:1152454450.370871.140410
> @m73g2000cwd.googlegroups.com:
>
>
> I'd add a step to your automated order process, like this: form sends
> verification url/code to "customer" which must be visited/entered to
> finalize the "free" order.
>
> School's out and all the kiddies are playing with ill-formed exploits.
>
> Judy
> --
> Trippy Triangle: http://technohippie.com
> Millenium Theater: http://tinyurl.com/ozewy
> The Usenet Improvement Project: http://blinkynet.net/comp/uip5.html
>
> --
> Posted via a free Usenet account from http://www.teranews.com


peter

2006-07-10, 7:20 pm


rwap wrote:
> In the meantime, it is surely worth sending an email response to a
> handful of these people to see if they are genuine requests.
>
> However, the problem comes with providing free samples overseas - too
> many requests could easily ruin your business plan !! Maybe you should
> add a note to your order page to say that you reserve the right to
> provide free samples overseas.
>
> Rich Mellor
> www.internetbusinessangels.com
>
> TechnoHippie wrote:

peter

2006-07-10, 7:20 pm

Yes, it actually says on the website that they may be contacted for
shipping charges only. I do, in fact, already send emails to some of
the people requesting samples, asking them to call to pay for shipping
charges. I guess I will do that for all of these requests. I just
wanted to make sure there wasn't something more sinister going on here.
A while back, I had a problem with someone sending an automated script
trying to hijack my forms, for the purpose of sending spam. I put in
some new code and haven't had an attempt since, but you never know what
these characters will come up with next! Anyway, thanks to all for your
help!

Peter


rwap wrote:
> In the meantime, it is surely worth sending an email response to a
> handful of these people to see if they are genuine requests.
>
> However, the problem comes with providing free samples overseas - too
> many requests could easily ruin your business plan !! Maybe you should
> add a note to your order page to say that you reserve the right to
> provide free samples overseas.
>
> Rich Mellor
> www.internetbusinessangels.com
>


Anonyma

2006-07-10, 7:20 pm

The web-form-relay boys from Brazil are probably checking out your form for
spam relaying potential. From the number of hits you got, I suspect that
they think they found a positive.

The spammer injects the characters '\n' and '\r' (end of line and carriage
return) in the web form and then adds "bcc:" followed by a long list of
spamees. (If you start getting "bounces" then that is what has happened).
If he is allowed to do this several times, you end up on a set of
email blocklists from which removal is damn near impossible.

Spammers generally aren't the brightest bulbs in the box, and more and more
spammers are using this technique because it needs virtually no talent,
although it does require a lot of time.

Verify that there is a control character filter on your web form or that
whatever mail handler you use does not accept the "bcc" statement. Either
one will foil his attempts.
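An added example (not code from the thread) of the control-character filter Anonyma recommends, written as a PHP form-mail handler. The field names, the fixed recipient and the mail() call are assumptions; the point is that every value copied into a mail header is rejected, not silently stripped, when it carries CR or LF, while body fields such as a multi-line postal address are left alone.

```php
<?php
// Added example: validate a sample-request form before handing anything to mail().
// Assumptions: fields name, email and address; a fixed recipient; mail() shown for context.

// Values that are copied into mail headers. The address goes only into the body, where
// newlines are legitimate, so it is not part of this check.
const HEADER_FIELDS = ['name', 'email'];

function validateSampleRequest(array $post): array
{
    $errors = [];
    foreach (HEADER_FIELDS as $field) {
        $value = (string) ($post[$field] ?? '');
        // Reject rather than strip: a value carrying CR/LF is an injection attempt worth
        // logging, and a stripped "bcc:" would otherwise still land in the header line.
        if (preg_match('/[\r\n\x00]/', $value)) {
            $errors[] = "$field: control characters not allowed";
        }
    }
    // A syntactically valid address cannot carry a second header line.
    if (filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email: not a valid address';
    }
    return $errors;
}

function sendSampleRequest(array $post, string $to): bool
{
    if (validateSampleRequest($post) !== []) {
        return false;                       // caller logs the errors; nothing is sent
    }
    $from    = $post['email'];
    $name    = preg_replace('/[^A-Za-z0-9 .\'-]/', '', $post['name']);  // plain display name
    $headers = "From: {$name} <{$from}>\r\nReply-To: {$from}";
    $body    = "Name: {$post['name']}\nAddress:\n{$post['address']}\n";
    return mail($to, 'Free sample request', $body, $headers);
}

// Constructed inputs: a normal request and the bcc injection described in the thread.
$good = ['name' => 'Ana', 'email' => 'ana@example.com', 'address' => "Rua A, 1\nSao Paulo"];
$bad  = $good;
$bad['email'] = "ana@example.com\r\nbcc: list1@example.net, list2@example.net";
var_dump(validateSampleRequest($good));    // no errors
var_dump(validateSampleRequest($bad));     // control-character and invalid-address errors
```

Because the recipient and subject are fixed in code and the only user-controlled header values are checked, the injected "bcc:" never reaches the mail transport, and each rejection gives a log entry to watch for.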

peter

2006-07-10, 7:20 pm

Yeah, the code I set up for the last attack involved stripping "\n"
and "\r" from all fields. It seemed to stop those attempts, but do you
think this is sufficient for this new attack? I am a little worried
because, like you say, I keep getting hits.

Thanks,

Peter
Anonyma wrote:
> The web-form-relay boys from Brazil are probably checking out your form for
> spam relaying potential. From the number of hits you got, I suspect that
> they think they found a positive.
>
> The spammer injects the characters '\n' and '\r' (end of line and carriage
> return) in the web form and then adds "bcc:" followed by a long list of
> spamees. (If you start getting "bounces" then that is what has happened).
> If he is allowed to do this several times, you end up on a set of
> email blocklists from which removal is damn near impossible.
>
> Spammers generally aren't the brightest bulbs in the box, and more and more
> spammers are using this technique because it needs virtually no talent,
> although it does require a lot of time.
>
> Verify that there is a control character filter on your web form or that
> whatever mail handler you use does not accept the "bcc" statement. Either
> one will foil his attempts.


peter

2006-07-10, 7:20 pm

I modeled my code after this:

$string=eregi_replace("[\n\r]+","",$_POST['address']);

Thanks again,

Peter

peter wrote:
> Yeah, the code I set up for the last attack involved stripping "\n"
> and"\r" from all fields. It seemed to stop those attempts, but do you
> think this sufficient for this new attack? I am a little worried
> because, like you say, I keep getting hits.
>
> Thanks,
>
> Peter
> Anonyma wrote:

Copyright 2003 - 2008 forum4designers.com