Announcement

Collapse
No announcement yet.

Is anyone getting spammed via their Contact Us form?

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • Is anyone getting spammed via their Contact Us form?

    I have my forum's Contact Us set up so that we are e-mailed via the sendmessage.php form. In the past two days, we've received a lot of strange messages through the form. Here's why I'm thinking it is a spam-bot:

    1. The messages are one sentence long, in poorly written broken English.

    2. The IP addresses are random--they are not from the same location, in other words.

    3. The batch of ten messages we received yesterday arrived within a 15 minute window.

    4. The usernames provided are all non-members, and are all short names attempting to sound "American".

    Here's the kicker:

    5. The subject lines are exactly the same: "united states" in all lowercase letters.

    6. The return addresses are all @yahoo.com, with gibberish characters before that.

    We also had four messages on the 11th with the same subject line, and the same randomness to usernames and IP addresses. From the 14 IP addresses in these messages, a few are repeats:

    205.234.145.223
    84.40.23.88
    72.21.49.2
    216.86.146.11
    67.15.188.23
    70.86.12.194
    65.98.58.250
    205.234.145.223
    147.202.65.178
    67.15.188.23
    216.127.74.35
    70.86.12.194
    64.202.123.207
    67.19.241.218

    We can just set up a filter to discard these messages since they all have the same subject line, but I know someone can adapt a spambot to circumvent this.

    Anyone else see this in their e-mails at all?

  • #2
    If you're running 3.5, you could enable Image Verification for teh Contact Us form.

    About others with the same problem: http://www.vbulletin.com/forum/showp...26&postcount=7

    (Thought i saw some more, but can't find them now)
    Want to take your board beyond the standard vBulletin features?
    Visit the official Member to Member support site for vBulletin Modifications: www.vbulletin.org

    Comment


    • #3
      Still on 3.0 on our "production" forum. If that's available in 3.5, I'll enable image verification for it when we upgrade.

      I considered renaming the file, but there would be too many places to edit within vB to make it practical.

      Comment


      • #4
        Update: I ran most of the addresses above through an IP check, and it appears that all of them are being sent from web hosting company accounts. I am wondering if there is some vulnerability on their customers' accounts, where a script kiddie was able to install something like a worm on the accounts.

        I wonder if something like this following issue could be related:

        http://www.vbulletin.com/forum/showthread.php?t=173867

        Comment


        • #5
          I may have to check at vb.org and see if there is an image verification hack for 3.0. These annoyances are increasing, and now the subject line is "taiwan" instead of "united states". Total: 33 of these in the past week.

          I say they're being sent from compromised web hosting accounts, since the IP addresses all seem to originate from hosting companies. Probably zombies.

          Comment


          • #6
            The spam continues, with new and improved subject lines.

            Two ideas that might be worth someone looking into, which may be worthy of posting at vb.org:

            1) A hidden form variable, using a unique (to your vB installtion) variable that the bots could not guess. I did this on another submit form on my sites, and it worked.

            2) Change the name of the sendmessage.php file to something completely different. Again, it would have to be unique to each forum so the 'bots could not adapt (and who knows--whoever writes these bots may be lurking here to see what our solutions are). I do not know how many places in the script or templates we'd need to change to accomplish this, which is why I haven't attempted it yet.

            Comment

            widgetinstance 262 (Related Topics) skipped due to lack of content & hide_module_if_empty option.
            Working...
            X