Is there a blocking list consisting of IP addresses that abuse web
contact forms?
Perhaps someone can also explain this observation:
Like many sites, we have no email addresses exposed on any
page. Anyone who wants to contact us must fill out a web form, and
the server sends us a message. I implemented this myself in php.
Every day, I've been getting the strangest email messages emanating
from that web form. They invariably have a random-character subject
line, a random-character 'from' address, and a message body full of
random-character URLs. Occasionally the URLs are valid, leading to
mortgage scams, prescription drugs, or porn, but mostly they are
just random-string URLs.
The IP addresses of the offenders are all over the place: ISPs in
the United States, Bermuda, Brazil, China, India, etc.
At first, I thought someone might be trying to spoof the POST data
in a way to inject a 'To' address in there to send spam (but my php
script ignores any POST fields other than what's allowed). So I
modified my php script to send me the POST data in the event that a
URL exists in the message body. Result: Nothing. Whoever is doing
this isn't trying to spoof anything.
Complaints to ISPs are unanswered.
I've started collecting IP addresses in a list when the web form is
submitted with a URL in the body. I use that list to deny access to
the web form in the future. What I'd really like to know is, does
anyone maintain such a list already, that I can query?
Here's an example of such a message sent through my web contact form
just today. I omit the headers 'cause they belong to my own server.
>From: "\"ypoxkfvdso" <lhh...@hfvpkb.com>
>Date: Tue, 19 Aug 2008 02:59:33 -0700
>Subject: eBjnCFXJwl
>
>Q2xxUw <a href="http://shmtxqiojlyh.com/">shmtxqiojlyh</a>,
>[url=http://xijwvbiwshsh.com/]xijwvbiwshsh[/url],
>[link=http://umtscfdaxznd.com/]umtscfdaxznd[/link],
>http://tswseyrkvlkd.com/
>
>Sent to 'inquiry' from IP 89.149.242.149
>(89-149-242-149.internetserviceteam.com)
The POST data reveals nothing unusual:
POST data:
Array
(
[name] => ypoxkfvdso
[email] => lhh...@hfvpkb.com
[email_confirm] => lhh...@hfvpkb.com
[target] => inquiry
[subject] => eBjnCFXJwl
[message] => Q2xxUw <a
href="http://shmtxqiojlyh.com/">shmtxqiojlyh</a>,
[url=http://xijwvbiwshsh.com/]xijwvbiwshsh[/url],
[link=http://umtscfdaxznd.com/]umtscfdaxznd[/link],
http://tswseyrkvlkd.com/
[submit] => Send Email
)
Anyone know what's going on here? And is there a list of IP addresses
already out there somewhere that exhibits similar behaviors?
-A
--
Comments posted to news.admin.net-abuse.blocklisting
are solely the responsibility of their author. Please
read the news.admin.net-abuse.blocklisting FAQ at
http://www.blocklisting.com/faq.html before posting.
Most are likely Botnets or Open Proxies
Try CBL, or XBL-SBL (but not the PBL or ZEN)
and open proxy DNSbls
proxies.dnsbl.sorbs.net = http, socks and misc zones
and ircbl.ahbl.org = proxy and DDoS
89.149.242.149 is a TOR node.
try tor.ahbl.org
Between them, the above will likely cover most of the issues.
--
E-Mail Sent to this address <Blac...@Anitech-Systems.com>
will be added to the BlackLists.
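As an added example (my code, not either poster's; the OP's real script is PHP), here is a Python version of the gate the original poster describes for the contact form (URL markup in the body, a locally grown denylist, only whitelisted POST fields relayed) combined with the DNSBL lookups the reply recommends. The zone names are the ones listed in the reply; the function names, the `static_resolver` helper and the `127.0.0.2` answer used in the offline demo are my assumptions, as is the header-injection check for CR/LF in fields that end up in mail headers.

```python
import ipaddress
import re
import socket

# DNSBL zones named in the reply above. Zone availability changes over time
# (at least one of these has since been retired), so verify each before relying on it.
DNSBL_ZONES = (
    "cbl.abuseat.org",
    "sbl-xbl.spamhaus.org",
    "proxies.dnsbl.sorbs.net",
    "tor.ahbl.org",
)

# The fields the OP's form accepts; anything else in the POST is ignored.
ALLOWED_FIELDS = ("name", "email", "email_confirm", "target", "subject", "message")

# Bare URLs plus the BBCode/HTML link markup seen in the sample message.
URL_MARKUP = re.compile(r"https?://|\[url=|\[link=|<a\s+href=", re.IGNORECASE)


def dnsbl_query_name(ip, zone):
    """Build the reversed-octet name a DNSBL expects: 1.2.3.4 -> 4.3.2.1.<zone>."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def static_resolver(table):
    """Offline stand-in for socket.gethostbyname (assumed helper): answers from
    `table`, NXDOMAIN (socket.gaierror) for anything else."""
    def resolve(name):
        if name in table:
            return table[name]
        raise socket.gaierror(f"NXDOMAIN {name}")
    return resolve


def dnsbl_hits(ip, zones=DNSBL_ZONES, resolve=socket.gethostbyname):
    """Return [(zone, answer)] for every zone that lists `ip`. NXDOMAIN means not
    listed; a listing is an A record in 127.0.0.0/8 whose last octet encodes
    the reason (zone-specific)."""
    hits = []
    for zone in zones:
        try:
            answer = resolve(dnsbl_query_name(ip, zone))
        except socket.gaierror:
            continue
        if answer.startswith("127."):
            hits.append((zone, answer))
    return hits


def has_header_injection(value):
    """CR/LF in a value that is copied into a mail header lets a sender add headers."""
    return "\r" in value or "\n" in value


def gate_submission(post, client_ip, denylist, zones=DNSBL_ZONES, resolve=socket.gethostbyname):
    """Decide whether to relay a contact-form POST. Returns (accepted, reason) and
    grows `denylist` with senders that put URLs in the body, as the OP describes.
    Cheap local checks run first; the DNSBL round trips only for clean-looking posts."""
    fields = {k: v for k, v in post.items() if k in ALLOWED_FIELDS}
    if client_ip in denylist:
        return False, "client on local denylist"
    for name in ("name", "email", "subject"):
        if has_header_injection(fields.get(name, "")):
            return False, f"newline in {name}"
    if URL_MARKUP.search(fields.get("message", "")):
        denylist.add(client_ip)
        return False, "url in message body"
    hits = dnsbl_hits(client_ip, zones, resolve)
    if hits:
        zone, answer = hits[0]
        return False, f"client listed in {zone} ({answer})"
    return True, "ok"


# The POST the OP pasted above, with its elided address kept as shown there.
SAMPLE_POST = {
    "name": "ypoxkfvdso",
    "email": "lhh...@hfvpkb.com",
    "email_confirm": "lhh...@hfvpkb.com",
    "target": "inquiry",
    "subject": "eBjnCFXJwl",
    "message": 'Q2xxUw <a href="http://shmtxqiojlyh.com/">shmtxqiojlyh</a>,\n'
               "[url=http://xijwvbiwshsh.com/]xijwvbiwshsh[/url],\n"
               "[link=http://umtscfdaxznd.com/]umtscfdaxznd[/link],\n"
               "http://tswseyrkvlkd.com/",
    "submit": "Send Email",
}
SAMPLE_IP = "89.149.242.149"

if __name__ == "__main__":
    # Offline demo: a constructed table in which only tor.ahbl.org lists the sample
    # IP (the reply says it is a Tor node); 127.0.0.2 is an assumed answer code.
    offline = static_resolver({dnsbl_query_name(SAMPLE_IP, "tor.ahbl.org"): "127.0.0.2"})
    seen = set()
    print(gate_submission(SAMPLE_POST, SAMPLE_IP, seen, resolve=offline))
    print(gate_submission({"message": "hello"}, SAMPLE_IP, seen, resolve=offline))
    print(gate_submission({"message": "hello"}, SAMPLE_IP, set(), resolve=offline))
```

A DNSBL lookup is an ordinary A query on the reversed-octet name; NXDOMAIN means the address is not listed, and an answer in 127.0.0.0/8 means it is, with the meaning of the last octet documented per zone. Each zone is a network round trip, so the gate runs them only after the local checks and a real deployment should cache answers for their TTL. The reply's advice to avoid PBL and ZEN matters for a web form: ZEN includes PBL, which lists dynamic and residential address space that ordinary visitors use, which is the kind of false positive the OP saw with a beta-tester abroad.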
OK, thanks. I had tried CBL once, but nixed it as too broad
after one of my beta-testers in France got blocked from my site.
With CBL applied to just that web contact form, though, it might be OK.
> and open proxy DNSbls
> proxies.dnsbl.sorbs.net = http, socks and misc zones
> and ircbl.ahbl.org = proxy and DDoS
>
>89.149.242.149 is a TOR node.
> try tor.ahbl.org
Aha. I forgot all about TOR. That may be what these incidents have in
common. Thanks.
-A