[Tfug] wits end spoofing? or no

Jon bigj at tfug.org
Thu Feb 2 13:24:12 MST 2006


You could also use the timestamp of 1 Feb 2006 12:38:58 and search your
Apache logs for anything around that time.

In the meantime though I would put in an attribute, via whatever scripting
language you're using, to spit back the station IP filling out the form.
This will accomplish a few things:

1) you'll know their IP
2) it'll confirm they are using your form to spam
3) you can then block the f'er using iptables or whatever means you have
available to you

I would also contemplate using captcha to curb this problem:
http://en.wikipedia.org/wiki/Captcha

HTH

--
Jon

Judy said:
> I do, however I removed it for a while... and it didn't stop.  I guess I
> should permanently remove it and see if it works this time. So frustrating
>
> Thanks Jon :o)
>
> Judy
>
>> -----Original Message-----
>> From: tfug-bounces at tfug.org [mailto:tfug-bounces at tfug.org] On Behalf Of
>> Jon
>> Sent: Wednesday, February 01, 2006 11:14 PM
>> To: Tucson Free Unix Group
>> Subject: Re: [Tfug] wits end spoofing? or no
>>
>> Looks like a classic case of a script exploiting a form page. Got any of
>> those on the box (forms)?
>>
>> --
>> Jon
>>
>> Judy said:
>> > Question, I have a dedicated server running redhat and I recently have been
>> > receiving 100's of emails a week, I thought it was spoofed, but it is
>> > stranger than I am used to... we haven't figured out what the heck is going
>> > on.  I am hoping someone here has a better idea than I do : / Note: the
>> > email changes the name each time, this one is lead, the last one is you,
>> > two me etc... the bcc is always the same as well (so weird)
>> > TYIA
>> >
>> > Judy
>> >
>> >> -----Original Message-----
>> >> From: lead at vn1108.fireboxhosting.com
>> >> [mailto:lead at vn1108.fireboxhosting.com]
>> >> Sent: Wednesday, February 01, 2006 12:39 PM
>> >> To: doc at thebitdoctor.com
>> >> Subject: Support from Website
>> >>
>> >> e57d607004dc7def74d1b2fbea23aa03
>> >> .
>> >> <>
>> >>
>> >> From: lead
>> >> Content-Type: text/plain; charset=\"us-ascii\"
>> >> MIME-Version: 1.0
>> >> Content-Transfer-Encoding: 7bit
>> >> Subject: one may
>> >> bcc: charleses3299 at aol.com
>> >>
>> >> e57d607004dc7def74d1b2fbea23aa03
>> >> .
>> > Headers:
>> >
>> > Return-Path: <apache at vn1108.fireboxhosting.com>
>> > Received: from vn1108.fireboxhosting.com (root at localhost)
>> > 	by thebitdoctor.com (8.12.10/8.12.10) with ESMTP id k11Jd2Ba025779
>> > 	for <doc at thebitdoctor.com>; Wed, 1 Feb 2006 12:39:02 -0700
>> > X-ClientAddr: 127.0.0.1
>> > Received: from vn1108.fireboxhosting.com (localhost.localdomain
>> > [127.0.0.1])
>> > 	by vn1108.fireboxhosting.com (8.12.10/8.12.10) with ESMTP id
>> > k11Jcw67025775;
>> > 	Wed, 1 Feb 2006 12:38:58 -0700
>> > Received: (from apache at localhost)
>> > 	by vn1108.fireboxhosting.com (8.12.10/8.12.10/Submit) id
>> > k11JcwMG025773;
>> > 	Wed, 1 Feb 2006 12:38:58 -0700
>> > Date: Wed, 1 Feb 2006 12:38:58 -0700
>> > Message-Id: <200602011938.k11JcwMG025773 at vn1108.fireboxhosting.com>
>> > To: <doc at thebitdoctor.com>
>> > Subject: Support from Website
>> > from: lead at vn1108.fireboxhosting.com
>> > Content-Type: text/plain; charset=\"us-ascii\"
>> > MIME-Version: 1.0
>> > Content-Transfer-Encoding: 7bit
>> > Subject: one may
>> > Status:
>> > X-Antivirus: avast! (VPS 0605-4, 02/01/2006), Inbound message
>> > X-Antivirus-Status: Clean
>> >
>> >
>> > _______________________________________________
>> > tfug mailing list
>> > tfug at tfug.org
>> > http://www.tfug.org/mailman/listinfo/tfug
>> >
>>
>
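
The log search suggested at the top of this message, as an added example that is not part of the original post: it pulls POST requests from an Apache access log within two minutes of the Date: header quoted above, normalising time zones, and counts them per client and path. The log lines, the documentation-range IPs and the /contact.php form path are constructed assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Apache common/combined prefix: client ident user [time] "METHOD path proto" status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

def requests_near(lines, when, window_s=120, method="POST"):
    """Return (time, client_ip, path) for `method` requests logged within
    window_s seconds of `when` (a timezone-aware datetime)."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a common/combined format line
        ip, ts, verb, path, _status = m.groups()
        t = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        # Aware datetimes compare correctly even when the offsets differ.
        if verb == method and abs((t - when).total_seconds()) <= window_s:
            hits.append((t, ip, path))
    return hits

def top_sources(hits):
    """Count hits per (client_ip, path), most frequent first."""
    return Counter((ip, path) for _t, ip, path in hits).most_common()

# Timestamp taken from the Date: header quoted in this thread.
MAIL_TIME = datetime.strptime("Wed, 1 Feb 2006 12:38:58 -0700",
                              "%a, %d %b %Y %H:%M:%S %z")

# Constructed sample log lines; /contact.php is a hypothetical form handler.
SAMPLE = [
    '203.0.113.7 - - [01/Feb/2006:12:38:57 -0700] "POST /contact.php HTTP/1.0" 200 512',
    '203.0.113.7 - - [01/Feb/2006:12:38:58 -0700] "POST /contact.php HTTP/1.0" 200 512',
    '198.51.100.4 - - [01/Feb/2006:12:39:10 -0700] "GET /index.html HTTP/1.1" 200 2048',
    '198.51.100.9 - - [01/Feb/2006:19:39:30 +0000] "POST /contact.php HTTP/1.1" 200 512',
    '192.0.2.15 - - [01/Feb/2006:15:02:11 -0700] "POST /contact.php HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for (ip, path), n in top_sources(requests_near(SAMPLE, MAIL_TIME)):
        print(f"{n:3d}  {ip}  {path}")
```

The addresses at the top of the count are the candidates for the iptables block mentioned above; widen window_s if the web server and mail server clocks are not in sync.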


