Getting hit hard with spam through the "contact us" form

  • Chroder
    Senior Member
    • Dec 2002
    • 1449

    #16
    PHP's mail() function does use sendmail.

    Comment

    • Marco
      Senior Member
      • Nov 2000
      • 827
      • 3.8.x

      #17
      Allow Unregistered Users to use 'Contact Us'? --> No

      Fixed!

      ... But then again, I don't really take my forums that seriously.

      Comment

      • Reverend
        Senior Member
        • Jul 2002
        • 588
        • 4.2.x

        #18
        Originally posted by Marco
        Allow Unregistered Users to use 'Contact Us'? --> No

        Fixed!
        That's the obvious solution, but it defeats the purpose of having the link though, because in our experience (and probably the majority of other boards), it's usually unregistered users that will have an enquiry, whereas registered members will use the PM system.
        Techzonez - Tech News
        Techzonez Forums - Tech Community

        Comment

        • cyburbia
          Senior Member
          • Aug 2001
          • 441
          • 3.7.x

          #19
          I "opened up" my .htaccess file just for the hell of it, and now I'm getting hit with a drug spam e-mail every 20 minutes.

          YES, IMAGE VERIFICATION IS TURNED ON!

          So, I'm wondering - what's the point of going through the trouble of verifying a CAPTCHA image, just to send the same drug spam to one person over and over and over again? I have a sneaking suspicion that some Ukrainian hackers have beaten vBulletin's CAPTCHA system.
          Cyburbia Forums - a third place for urban planners
          http://www.cyburbia.org/forums

          Comment

          • Zachery
            Former vBulletin Support
            • Jul 2002
            • 59097

            #20
            You could disable contactus for guests

            Comment

            • Reverend
              Senior Member
              • Jul 2002
              • 588
              • 4.2.x

              #21
              Cyburbia, when I click your forum link it now asks to download the index.php.

              Zach, the suggestion of disabling contact us for guests is an obvious "temp" fix, but like I said previously,
              it defeats the purpose of having the link because in our experience (and probably the majority of other boards), it's usually unregistered users that will have an enquiry, whereas registered members will use the PM system.
              Somehow they are bypassing the image verification.

              Cyburbia, is it possible you can change your "contact us" address temporarily, then see if you still get the spam?
              Techzonez - Tech News
              Techzonez Forums - Tech Community

              Comment

              • cyburbia
                Senior Member
                • Aug 2001
                • 441
                • 3.7.x

                #22
                Originally posted by Reverend
                Cyburbia, when I click your forum link it now asks to download the index.php.

                Zach, the suggestion of disabling contact us for guests is an obvious "temp" fix, but like I said previously Somehow they are bypassing the image verification.

                Cyburbia, is it possible you can change your "contact us" address temporarily, then see if you still get the spam?
                My server is down right now. It'll be back up in a half hour or so.

                Do you want me to change the forum email address, or the name of the "contact us" script? My logs are showing that the IP from the Ukraine/Belarus is visiting the contact form.
                Cyburbia Forums - a third place for urban planners
                http://www.cyburbia.org/forums

                Comment

                • Reverend
                  Senior Member
                  • Jul 2002
                  • 588
                  • 4.2.x

                  #23
                  Originally posted by cyburbia
                  Do you want me to change the forum email address, or the name of the "contact us" script?
                  Change the
                  "Contact Us Link" from using sendmessage.php to a mailto address. Obviously with that mail option the image verification is disabled, but then the mailto process will not be as automated for a bot to get through. See how it goes for a few days, and if no spam gets through then revert back to sendmessage.php with the image verification turned on "Yes, but verify image".

                  Or alternatively leave sendmessage.php in place but do as Zach suggested and disable the "Contact Us" for guests. Turn it off temporarily for a few days and hopefully the bots will get bored and leave you alone.

                  It is strange though that your image verify doesn't seem to deter them. As I said previously, I was getting the same spam as you, but when I turned on "Yes, but verify image" (only had it on "Yes" originally) it worked and I have had no more spam since.
                  Last edited by Reverend; Sun 11 Jun '06, 2:51pm.
                  Techzonez - Tech News
                  Techzonez Forums - Tech Community

                  Comment

                  • cyburbia
                    Senior Member
                    • Aug 2001
                    • 441
                    • 3.7.x

                    #24
                    Originally posted by Reverend
                    Change the
                    "Contact Us Link" from using sendmessage.php to a mailto address.
                    Actually, it's already that way. I'm using the Drupal integration, and the "Contact Us" link goes to my Drupal-based "Contact Us" link, which doesn't have a form - just the text image of the address.

                    The bots are hitting sendmessage.php.
                    Cyburbia Forums - a third place for urban planners
                    http://www.cyburbia.org/forums

                    Comment

                    • cyburbia
                      Senior Member
                      • Aug 2001
                      • 441
                      • 3.7.x

                      #25
                      I've attached what one of their spammed messages looks like.

                      Here's what my log looks like.

                      85.255.117.18 - - [11/Jun/2006:06:06:20 -0400] "POST /forums/sendmessage.php HTTP/1.1" 403 521 "http://www.cyburbia.org/forums/showthread.php?t=18553" "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
                      85.255.117.18 - - [11/Jun/2006:06:35:21 -0400] "POST /forums/sendmessage.php HTTP/1.1" 403 521 "http://www.cyburbia.org/forums/showthread.php?t=18553" "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
                      85.255.117.18 - - [11/Jun/2006:07:04:30 -0400] "POST /forums/sendmessage.php HTTP/1.1" 403 521 "http://www.cyburbia.org/forums/showthread.php?t=18553" "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
                      85.255.117.18 - - [11/Jun/2006:07:29:45 -0400] "POST /forums/sendmessage.php HTTP/1.1" 403 521 "http://www.cyburbia.org/forums/showthread.php?t=18553" "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
                      85.255.117.18 - - [11/Jun/2006:07:52:26 -0400] "POST /forums/sendmessage.php HTTP/1.1" 403 521 "http://www.cyburbia.org/forums/showthread.php?t=18553" "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
                      85.255.117.18 - - [11/Jun/2006:08:15:33 -0400] "POST /forums/sendmessage.php HTTP/1.1" 403 521 "http://www.cyburbia.org/forums/showthread.php?t=18553" "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
                      85.255.117.18 - - [11/Jun/2006:08:38:52 -0400] "POST /forums/sendmessage.php HTTP/1.1" 403 521 "http://www.cyburbia.org/forums/showthread.php?t=18553" "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
                      85.255.117.18 - - [11/Jun/2006:09:01:46 -0400] "POST /forums/sendmessage.php HTTP/1.1" 403 521 "http://www.cyburbia.org/forums/showthread.php?t=18553" "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
                      85.255.117.18 - - [11/Jun/2006:09:25:43 -0400] "POST /forums/sendmessage.php HTTP/1.1" 403 521 "http://www.cyburbia.org/forums/showthread.php?t=18553" "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
                      85.255.117.18 - - [11/Jun/2006:09:50:18 -0400] "POST /forums/sendmessage.php HTTP/1.1" 403 521 "http://www.cyburbia.org/forums/showthread.php?t=18553" "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
                      85.255.117.18 - - [11/Jun/2006:10:13:37 -0400] "POST /forums/sendmessage.php HTTP/1.1" 403 521 "http://www.cyburbia.org/forums/showthread.php?t=18553" "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
                      85.255.117.18 - - [11/Jun/2006:10:35:47 -0400] "POST /forums/sendmessage.php HTTP/1.1" 403 521 "http://www.cyburbia.org/forums/showthread.php?t=18553" "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
                      85.255.117.18 - - [11/Jun/2006:10:57:59 -0400] "POST /forums/sendmessage.php HTTP/1.1" 403 521 "http://www.cyburbia.org/forums/showthread.php?t=18553" "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
                      85.255.117.18 - - [11/Jun/2006:11:22:41 -0400] "POST /forums/sendmessage.php HTTP/1.1" 403 521 "http://www.cyburbia.org/forums/showthread.php?t=18553" "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
                      85.255.117.18 - - [11/Jun/2006:11:45:56 -0400] "POST /forums/sendmessage.php HTTP/1.1" 403 521 "http://www.cyburbia.org/forums/showthread.php?t=18553" "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
                      85.255.117.18 - - [11/Jun/2006:12:07:31 -0400] "POST /forums/sendmessage.php HTTP/1.1" 403 521 "http://www.cyburbia.org/forums/showthread.php?t=18553" "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
                      85.255.117.18 - - [11/Jun/2006:12:28:54 -0400] "POST /forums/sendmessage.php HTTP/1.1" 200 2723 "http://www.cyburbia.org/forums/showthread.php?t=18553" "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
                      85.255.117.18 - - [11/Jun/2006:12:50:39 -0400] "POST /forums/sendmessage.php HTTP/1.1" 200 2743 "http://www.cyburbia.org/forums/showthread.php?t=18553" "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
                      85.255.117.18 - - [11/Jun/2006:13:19:31 -0400] "POST /forums/sendmessage.php HTTP/1.1" 200 2715 "http://www.cyburbia.org/forums/showthread.php?t=18553" "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
                      85.255.117.18 - - [11/Jun/2006:13:42:03 -0400] "POST /forums/sendmessage.php HTTP/1.1" 200 2739 "http://www.cyburbia.org/forums/showthread.php?t=18553" "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
                      85.255.117.18 - - [11/Jun/2006:14:04:19 -0400] "POST /forums/sendmessage.php HTTP/1.1" 200 2715 "http://www.cyburbia.org/forums/showthread.php?t=18553" "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
                      85.255.117.18 - - [11/Jun/2006:14:26:21 -0400] "POST /forums/sendmessage.php HTTP/1.1" 200 2715 "http://www.cyburbia.org/forums/showthread.php?t=18553" "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
                      85.255.117.18 - - [11/Jun/2006:14:48:29 -0400] "POST /forums/sendmessage.php HTTP/1.1" 200 2723 "http://www.cyburbia.org/forums/showthread.php?t=18553" "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
                      85.255.117.18 - - [11/Jun/2006:15:17:59 -0400] "POST /forums/sendmessage.php HTTP/1.1" 200 2687 "http://www.cyburbia.org/forums/showthread.php?t=18553" "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
                      85.255.117.18 - - [11/Jun/2006:15:40:18 -0400] "POST /forums/sendmessage.php HTTP/1.1" 200 2711 "http://www.cyburbia.org/forums/showthread.php?t=18553" "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
                      85.255.117.18 - - [11/Jun/2006:16:00:18 -0400] "POST /forums/sendmessage.php HTTP/1.1" 200 2703 "http://www.cyburbia.org/forums/showthread.php?t=18553" "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
                      85.255.117.18 - - [11/Jun/2006:16:20:27 -0400] "POST /forums/sendmessage.php HTTP/1.1" 200 2723 "http://www.cyburbia.org/forums/showthread.php?t=18553" "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
                      85.255.117.18 - - [11/Jun/2006:16:40:15 -0400] "POST /forums/sendmessage.php HTTP/1.1" 200 2711 "http://www.cyburbia.org/forums/showthread.php?t=18553" "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
                      85.255.117.18 - - [11/Jun/2006:16:59:06 -0400] "POST /forums/sendmessage.php HTTP/1.1" 405 325 "http://www.cyburbia.org/forums/showthread.php?t=18553" "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
                      85.255.117.18 - - [11/Jun/2006:17:42:30 -0400] "POST /forums/sendmessage.php HTTP/1.1" 405 325 "http://www.cyburbia.org/forums/showthread.php?t=18553" "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
                      85.255.117.18 - - [11/Jun/2006:18:04:45 -0400] "POST /forums/sendmessage.php HTTP/1.1" 405 325 "http://www.cyburbia.org/forums/showthread.php?t=18553" "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
                      85.255.117.18 - - [11/Jun/2006:18:28:14 -0400] "POST /forums/sendmessage.php HTTP/1.1" 405 325 "http://www.cyburbia.org/forums/showthread.php?t=18553" "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
                      85.255.117.18 - - [11/Jun/2006:18:49:39 -0400] "POST /forums/sendmessage.php HTTP/1.1" 405 325 "http://www.cyburbia.org/forums/showthread.php?t=18553" "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
                      85.255.117.18 - - [11/Jun/2006:19:11:20 -0400] "POST /forums/sendmessage.php HTTP/1.1" 405 325 "http://www.cyburbia.org/forums/showthread.php?t=18553" "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
                      85.255.117.18 - - [11/Jun/2006:19:35:10 -0400] "POST /forums/sendmessage.php HTTP/1.1" 405 325 "http://www.cyburbia.org/forums/showthread.php?t=18553" "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
                      85.255.117.18 - - [11/Jun/2006:19:56:24 -0400] "POST /forums/sendmessage.php HTTP/1.1" 405 325 "http://www.cyburbia.org/forums/showthread.php?t=18553" "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
                      85.255.117.18 - - [11/Jun/2006:20:17:49 -0400] "POST /forums/sendmessage.php HTTP/1.1" 200 2587 "http://www.cyburbia.org/forums/showthread.php?t=18553" "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
                      85.255.117.18 - - [11/Jun/2006:20:37:49 -0400] "POST /forums/sendmessage.php HTTP/1.1" 200 2583 "http://www.cyburbia.org/forums/showthread.php?t=18553" "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"


                      I've got another in the same range, hammering at a nonexistent Movable Type script.

                      It's coming from a hosting company called Inhoster in the Ukraine, through an IP block in Belarus. Inhoster is notorious for hosting malware, spyware, spamming scripts, and so on.

                      Here's the IP range, in convenient "just add it to your .htaccess file" form.

                      deny from 85.255.112.
                      deny from 85.255.113.
                      deny from 85.255.114.
                      deny from 85.255.115.
                      deny from 85.255.116.
                      deny from 85.255.117.
                      deny from 85.255.118.
                      deny from 85.255.119.
                      deny from 85.255.120.
                      deny from 85.255.121.
                      deny from 85.255.122.
                      deny from 85.255.123.
                      deny from 85.255.124.
                      deny from 85.255.125.
                      deny from 85.255.126.
                      deny from 85.255.127.
                      deny from 195.95.218.
                      deny from 195.95.219.
                      deny from 195.225.176.
                      deny from 195.225.177.
                      deny from 195.225.178.
                      deny from 195.225.179.

                      Last edited by cyburbia; Sun 11 Jun '06, 5:32pm.
                      Cyburbia Forums - a third place for urban planners
                      http://www.cyburbia.org/forums

                      Comment
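An added example, not part of the thread or any poster's code: the log in post #25 shows three things a script can check for, namely POSTs to sendmessage.php from a client that never requested the form, a referer that is a thread page rather than the form, and a User-Agent value that begins with the literal text "User-Agent:". The function name `suspicious_posters`, the thresholds and the sample lines are assumptions made for this illustration; the sample log is constructed with documentation-range IPs and a placeholder hostname.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample (Apache combined format) modelled on the log in the post;
# the IPs are documentation ranges and forum.example is a placeholder.
SAMPLE_LOG = """\
203.0.113.18 - - [11/Jun/2006:12:28:54 -0400] "POST /forums/sendmessage.php HTTP/1.1" 403 521 "http://forum.example/forums/showthread.php?t=1" "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.0.113.18 - - [11/Jun/2006:12:50:39 -0400] "POST /forums/sendmessage.php HTTP/1.1" 200 2743 "http://forum.example/forums/showthread.php?t=1" "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
198.51.100.7 - - [11/Jun/2006:13:00:00 -0400] "GET /forums/sendmessage.php HTTP/1.1" 200 5120 "http://forum.example/forums/index.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
198.51.100.7 - - [11/Jun/2006:13:02:10 -0400] "POST /forums/sendmessage.php HTTP/1.1" 200 2700 "http://forum.example/forums/sendmessage.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.0.113.18 - - [11/Jun/2006:13:12:39 -0400] "POST /forums/sendmessage.php HTTP/1.1" 200 2715 "http://forum.example/forums/showthread.php?t=1" "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.0.113.18 - - [11/Jun/2006:13:34:39 -0400] "POST /forums/sendmessage.php HTTP/1.1" 200 2739 "http://forum.example/forums/showthread.php?t=1" "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
"""

LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

def suspicious_posters(log_text, script="sendmessage.php", min_posts=3):
    """Return {ip: summary} for clients that repeatedly POST to the contact script."""
    posts = defaultdict(list)  # ip -> [(time, status, referer, user_agent)]
    fetched_form = set()       # IPs that requested the form with GET at least once
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m or script not in m["path"]:
            continue
        if m["method"] == "GET":
            fetched_form.add(m["ip"])
        elif m["method"] == "POST":
            when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            posts[m["ip"]].append((when, m["status"], m["referer"], m["ua"]))
    report = {}
    for ip, hits in posts.items():
        if len(hits) < min_posts:
            continue  # a single submission is normal contact-form use
        hits.sort(key=lambda h: h[0])
        gaps = [(b[0] - a[0]).total_seconds() / 60 for a, b in zip(hits, hits[1:])]
        reasons = []
        if ip not in fetched_form:
            reasons.append("POST without ever loading the form")
        if all(script not in h[2] for h in hits):
            reasons.append("referer is never the form page")
        if any(h[3].lower().startswith("user-agent:") for h in hits):
            reasons.append("header name embedded in User-Agent value")
        if reasons:
            report[ip] = {
                "posts": len(hits),
                "median_gap_min": round(median(gaps), 1),
                "http_200": sum(h[1] == "200" for h in hits),  # requests the server accepted
                "reasons": reasons,
            }
    return report

if __name__ == "__main__":
    for ip, summary in suspicious_posters(SAMPLE_LOG).items():
        print(ip, summary)
```

The `http_200` count separates requests the web server accepted from those it refused (403 while the deny rules were in place), which is the number to compare against the spam that actually arrived.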

                      • cyburbia
                        Senior Member
                        • Aug 2001
                        • 441
                        • 3.7.x

                        #26
                        I just checked out the form, and image verification is missing!



                        However, in my settings:



                        Something's wrong.
                        Cyburbia Forums - a third place for urban planners
                        http://www.cyburbia.org/forums

                        Comment

                        • BIGMONAY2K
                          Senior Member
                          • Mar 2004
                          • 191

                          #27
                          Originally posted by Marco
                          Allow Unregistered Users to use 'Contact Us'? --> No

                          Fixed!

                          ... But then again, I don't really take my forums that seriously.
                          That's what I do.

                          Comment

                          • wbear
                            Senior Member
                            • Aug 2003
                            • 216

                            #28
                            Originally posted by cyburbia
                            I just checked out the form, and image verification is missing!

                            Something's wrong.
                            2 things stand out for me:
                            You're logged in as Dan (not unregistered).
                            You've specified some other form: 'contact.html'.

                            Comment

                            • Zachery
                              Former vBulletin Support
                              • Jul 2002
                              • 59097

                              #29
                              Is that template the default one?

                              Comment

                              • ManagerJosh
                                Senior Member
                                • Jun 2002
                                • 9922

                                #30
                                Image verification will always be missing if you are logged in. If you are not logged in, then you will get the CAPTCHA.
                                ManagerJosh, Owner of 4 XenForo Licenses, 1 vBulletin Legacy License, 1 Internet Brands Suite License
                                Director, WorldSims.org | Gaming Hosting Administrator, SimGames.net, Urban Online Entertainment

                                Comment
