Reply to Re: email injection query

Posted by Allodoxaphobia on 12/05/06 17:56

On Tue, 05 Dec 2006 17:23:11 GMT, mantrid wrote:
> "Allodoxaphobia" <bit-bucket@config.com> wrote in message
> news:slrnen9c5b.vad.bit-bucket@shell.config.com...
>> On Mon, 04 Dec 2006 19:07:17 GMT, mantrid wrote:
>>
>> <-snip->
>>
>> > I'm getting more of these notices of spamming than I was getting originally
>> > spammed messages with many more emails in the cc: bcc: and a proper message
>> > (just sales stuff about tea oil). Why is he still attempting this if the
>> > spam is not working and being sent to the recipients. I have an appropriate
>> > message displayed when the spam is attempted. Is he stupid and just sitting
>> > there trying to spam my feedback form even though he is getting this message
>> > telling him to go away, or do you think there is some sort of automatic
>> > process being run on my webpage?
>>
>> Most certainly you're being targeted by a botnet controlled by a spammer.
>> The 'nonsense' emails you first saw were "proof of concept" testing
>> before your URL was passed out to hundreds of "working" machines in the
>> botnet. Most certainly no Real Person is viewing anything that you
>> present on the screen. At most the http return code(s) and, maybe, some
>> screen scraping for successful results are sent back upstream to the
>> slime ball running the botnet.
>
> Thanks
> Very informative reply.
> The function I have uses eregi() to check POST data for "cc:" and "subject:"
> what other checks should I be using in my function to tighten my security
> further?
> Ian

I can't be of much help to you there, since my focus is on a message
board and controlling the content that gets posted there -- versus your
email process where you want to control inappropriate usage. Where I
need to worry about html tags in the message(s), javascript insertion,
and detecting URL's, you need to be concerned about the injection of
'extra' email headers, etc.

You certainly can control access if your audience is geographically
'constrained'. Using .htaccess in your sub-directory, you can
"deny from" most or all of RIPE, and/or APNIC, etc. That should
cut down on the volume.
Reference: http://www.iana.org/assignments/ipv4-address-space

There's a lot more I need to understand and learn -- both on the
incoming sewage side, and on the managing and controlling side.

One thing you should feel certain about is that the slimeball spammers
are wallowing in their septic tanks and reading these discussions.
If you control the software (in my case I wrote my PHP message board)
you should be circumspect about tactics you design and employ. It
sounds selfish, and it'll raise the hackles of the "Don't Do Security
Through Obscurity" crowd, but it'll help you tread water better.
Since my tactics of using .htaccess "deny from" and disallowing URL's in
the postings (URL's are not at all necessary in my message boards) can
not be thwarted ("he says innocently"), I'm willing to disclose that.

Disallowing any URL's in the payload of your email might be something
you could employ. As well, disallowing multi-part construction and
image injection might be something you could employ, too.

gl and keep up The Good Fight.
Jonesy
--
Marvin L Jones | jonz | W3DHJ | linux
38.24N 104.55W | @ config.com | Jonesy | OS/2
*** Killfiling google posts: <http//jonz.net/ng.htm>
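
The checks discussed in this thread (extra mail headers, multi-part construction, URLs in the payload), sketched as one PHP validation function. This is an added example, not code from either poster; the field names `name`, `email`, `subject` and `message` and the function name are assumptions.

```php
<?php
// Added example. Field names (name, email, subject, message) are assumptions.

// Returns the reasons to reject a submission; an empty array means it passed.
function feedback_form_problems(array $post): array
{
    $problems = [];

    // Values that end up in mail headers must be single-line. A CR or LF,
    // raw or URL-encoded, lets a sender append Cc:/Bcc: lines after the value.
    foreach (['name', 'email', 'subject'] as $field) {
        $value = (string)($post[$field] ?? '');
        if (preg_match('/[\r\n]|%0[ad]/i', $value)) {
            $problems[] = "$field: line break in a header field";
        }
    }

    // The sender address must be exactly one syntactically valid mailbox.
    if (filter_var((string)($post['email'] ?? ''), FILTER_VALIDATE_EMAIL) === false) {
        $problems[] = 'email: not a single valid address';
    }

    $message = (string)($post['message'] ?? '');

    // Header-like lines in the body: extra recipients or MIME headers.
    if (preg_match('/^\s*(to|cc|bcc|subject|content-type|mime-version)\s*:/mi', $message)) {
        $problems[] = 'message: embedded mail header';
    }
    // Multi-part construction (how attachments and images get in).
    if (preg_match('#multipart/|boundary\s*=#i', $message)) {
        $problems[] = 'message: multi-part construction';
    }
    // URLs are not needed in feedback, so refuse them outright.
    if (preg_match('#\b(https?://|www\.)#i', $message)) {
        $problems[] = 'message: contains a URL';
    }

    return $problems;
}

// Constructed sample submission, for illustration only.
$sample = [
    'name'    => 'Visitor',
    'email'   => 'visitor@example.com',
    'subject' => "Feedback\r\nBcc: someone@example.net",
    'message' => "Content-Type: multipart/mixed; boundary=x\nSee http://example.org/",
];
print_r(feedback_form_problems($sample));
```

When the returned array is non-empty, drop the submission rather than stripping the offending text and sending the remainder.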
