Is anyone getting spammed via their Contact Us form?

Collapse
X
Collapse
 
  • Page of 1
  • Time
  • Show
Clear All
new posts
Previous template Next
  • RedWingFan
    Senior Member
    • Sep 2004
    • 371
    • 4.0.0
    #1

    Is anyone getting spammed via their Contact Us form?

    I have my forum's Contact Us set up so that we are e-mailed via the sendmessage.php form. In the past two days, we've received a lot of strange messages through the form. Here's why I'm thinking it is a spam-bot:

    1. The messages are one sentence long, in poorly written broken English.

    2. The IP addresses are random--they are not from the same location, in other words.

    3. The batch of ten messages we received yesterday arrived within a 15 minute window.

    4. The usernames provided are all non-members, and are all short names attempting to sound "American".

    Here's the kicker:

    5. The subject lines are exactly the same: "united states" in all lowercase letters.

    6. The return addresses are all @yahoo.com, with gibberish characters before that.

    We also had four messages on the 11th with the same subject line, and the same randomness to usernames and IP addresses. From the 14 IP addresses in these messages, a few are repeats:

    205.234.145.223
    84.40.23.88
    72.21.49.2
    216.86.146.11
    67.15.188.23
    70.86.12.194
    65.98.58.250
    205.234.145.223
    147.202.65.178
    67.15.188.23
    216.127.74.35
    70.86.12.194
    64.202.123.207
    67.19.241.218

    We can just set up a filter to discard these messages since they all have the same subject line, but I know someone can adapt a spambot to circumvent this.

    Anyone else see this in their e-mails at all?
    Tags: None
    • Marco van Herwaarden
      Senior Member
      • Nov 2004
      • 6999
      • 3.8.x
      #2
      If you're running 3.5, you could enable Image Verification for teh Contact Us form.

      About others with the same problem: http://www.vbulletin.com/forum/showp...26&postcount=7

      (Thought i saw some more, but can't find them now)
      Want to take your board beyond the standard vBulletin features?
      Visit the official Member to Member support site for vBulletin Modifications: www.vbulletin.org

        Comment

        • RedWingFan
          Senior Member
          • Sep 2004
          • 371
          • 4.0.0
          #3
          Still on 3.0 on our "production" forum. If that's available in 3.5, I'll enable image verification for it when we upgrade.

          I considered renaming the file, but there would be too many places to edit within vB to make it practical.

            Comment

            • RedWingFan
              Senior Member
              • Sep 2004
              • 371
              • 4.0.0
              #4
              Update: I ran most of the addresses above through an IP check, and it appears that all of them are being sent from web hosting company accounts. I am wondering if there is some vulnerability on their customers' accounts, where a script kiddie was able to install something like a worm on the accounts.

              I wonder if something like this following issue could be related:

              Is this a trojan or backdoor in my images/attachments folder? - vBulletin Community Forum
              http://www.vbulletin.com/forum/showthread.php?t=173867

                Comment

                • RedWingFan
                  Senior Member
                  • Sep 2004
                  • 371
                  • 4.0.0
                  #5
                  I may have to check at vb.org and see if there is an image verification hack for 3.0. These annoyances are increasing, and now the subject line is "taiwan" instead of "united states". Total: 33 of these in the past week.

                  I say they're being sent from compromised web hosting accounts, since the IP addresses all seem to originate from hosting companies. Probably zombies.

                    Comment

                    • RedWingFan
                      Senior Member
                      • Sep 2004
                      • 371
                      • 4.0.0
                      #6
                      The spam continues, with new and improved subject lines.

                      Two ideas that might be worth someone looking into, which may be worthy of posting at vb.org:

                      1) A hidden form variable, using a unique (to your vB installtion) variable that the bots could not guess. I did this on another submit form on my sites, and it worked.

                      2) Change the name of the sendmessage.php file to something completely different. Again, it would have to be unique to each forum so the 'bots could not adapt (and who knows--whoever writes these bots may be lurking here to see what our solutions are). I do not know how many places in the script or templates we'd need to change to accomplish this, which is why I haven't attempted it yet.

                        Comment

                        Previous template Next
                        widgetinstance 262 (Related Topics) skipped due to lack of content & hide_module_if_empty option.
                        Working...