Spam originating from formmail script

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

    Spam originating from formmail script

    Hi,

    Over the last week or so I have been getting an ever increasing volume of spam that comes through our filters that appears to originate from the contact us formmail.

    Since it started I have installed image verification, however the problem has persisted, so it would appear that the mf000001.pl script is being directly accessed, and that the spam is not coming from the contact us page. I have found references to this on earlier versions, however I am using 9.03 Business Plus (Multiuser) and I cannot find anything that relates to anything prior to version 7 that reports a similar problem.

    The spam emails are all of a very similar nature, but are sufficiently different to stop us from filtering specific terms:

    Name:http://www.*********.com/bbs/data/__...ocodonehd.htm#
    Email Address:********@*******.com
    Message:
    I am so thankful for finding your website! http://www.*********.com/bbs/data/__...ocodonehd.htm# [a href=http://www.*******.com/bbs/data/

    My concerns are twofold: firstly whether the script is being used to send emails to anyone other than us, and secondly that the amount of spam is getting very annoying and is starting to make spotting legitimate emails difficult.

    Has anyone come across this before?

    thanks

    Alistair

    www.kcm-catering-equipment.co.uk

    #2
    I've not heard of any issues with security of the script being compromised.

    Check your permissions on the files and cgi-bin folders and change the email address used for your store. It may also be worthwhile checking your server access logs to see if you can spot any unusual activity.


      #3
      Thanks for your reply, I have had a look at the raw access logs for the server and they do show that it is being accessed. It is littered with logs such as:

      120.28.64.69 - - [22/Mar/2009:06:07:36 +0000] "POST /cgi-bin/mf000001.pl HTTP/1.1" 200 15742 "http://www.kcm-catering-equipment.co.uk/cgi-bin/mf000001.pl?ACTION=SHOWFORM" "Mozilla/4.0 (compatible; MSIE 5.01; Windows 98)"

      194.170.32.253 - - [22/Mar/2009:06:02:20 +0000] "POST /cgi-bin/mf000001.pl HTTP/1.1" 200 15742 "http://www.kcm-catering-equipment.co.uk/cgi-bin/mf000001.pl?ACTION=SHOWFORM" "Mozilla/4.0 (compatible; MSIE 5.01; Windows 98)"

      68.63.102.122 - - [22/Mar/2009:08:35:25 +0000] "POST /cgi-bin/mf000001.pl HTTP/1.1" 200 15742 "http://www.kcm-catering-equipment.co.uk/cgi-bin/mf000001.pl?ACTION=SHOWFORM" "Mozilla/4.0 (compatible; MSIE 5.01; Windows 98)"

      Any ideas on what needs to be changed to prevent it?

      many thanks

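      A defender-side check for the pattern in the log lines above, added here as an example and not part of the thread: it parses Apache combined-format lines, flags POSTs to the mail script from addresses that never loaded the form (ACTION=SHOWFORM) first, and lists User-Agent strings shared by several different posting addresses. The script path is the one named in the thread; the sample log lines, their IPs and the host name are constructed.

```python
import re
from collections import defaultdict

# Apache "combined" log format, the layout of the lines quoted in the post above.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
SCRIPT = "/cgi-bin/mf000001.pl"  # script name from the thread; the path is per-site

# Constructed sample log modelled on the thread's excerpt (documentation-range IPs, example host).
SAMPLE_LOG = """\
198.51.100.7 - - [22/Mar/2009:06:07:36 +0000] "POST /cgi-bin/mf000001.pl HTTP/1.1" 200 15742 "http://www.example.co.uk/cgi-bin/mf000001.pl?ACTION=SHOWFORM" "Mozilla/4.0 (compatible; MSIE 5.01; Windows 98)"
203.0.113.5 - - [22/Mar/2009:06:02:20 +0000] "POST /cgi-bin/mf000001.pl HTTP/1.1" 200 15742 "http://www.example.co.uk/cgi-bin/mf000001.pl?ACTION=SHOWFORM" "Mozilla/4.0 (compatible; MSIE 5.01; Windows 98)"
192.0.2.44 - - [22/Mar/2009:08:30:01 +0000] "GET /cgi-bin/mf000001.pl?ACTION=SHOWFORM HTTP/1.1" 200 9120 "http://www.example.co.uk/contact.html" "Mozilla/5.0 (Windows NT 6.0) Firefox/3.0"
192.0.2.44 - - [22/Mar/2009:08:31:15 +0000] "POST /cgi-bin/mf000001.pl HTTP/1.1" 200 15742 "http://www.example.co.uk/cgi-bin/mf000001.pl?ACTION=SHOWFORM" "Mozilla/5.0 (Windows NT 6.0) Firefox/3.0"
"""


def parse(log_text):
    # Yield one dict per well-formed line, in file order; malformed lines are skipped.
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def direct_posts(log_text, script=SCRIPT):
    # A real visitor GETs the form (ACTION=SHOWFORM) before POSTing it. A POST with no
    # earlier GET of the form from the same address is the script being hit directly.
    seen_form = set()
    hits = []
    for r in parse(log_text):
        if r["method"] == "GET" and r["path"].startswith(script + "?ACTION=SHOWFORM"):
            seen_form.add(r["ip"])
        elif r["method"] == "POST" and r["path"] == script and r["ip"] not in seen_form:
            hits.append((r["ip"], r["ua"]))
    return hits


def shared_user_agents(log_text, script=SCRIPT, min_ips=2):
    # One dated UA string (the thread's "MSIE 5.01; Windows 98") reused by unrelated
    # addresses that all POST to the script is a cheap fingerprint for a single bot.
    ips_by_ua = defaultdict(set)
    for r in parse(log_text):
        if r["method"] == "POST" and r["path"] == script:
            ips_by_ua[r["ua"]].add(r["ip"])
    return {ua: sorted(ips) for ua, ips in ips_by_ua.items() if len(ips) >= min_ips}
```

      Run against a whole access log, the output of direct_posts gives the addresses to rate-limit or block at the web server, and shared_user_agents gives a UA string to match in a server-side rule while a proper fix (removing or renaming the old script) is applied.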


        #4
        This could be normal activity if your site entry page is being used by a robot to send you mail. It doesn't necessarily indicate that the perl has been hacked.

        First thing to do is change your email address used on the site and then see what happens. Also look into perhaps changing the captcha code as it's more likely that someone has found a way to get a robot around that.



          #5
          Thanks, I'll try changing the email address, the captcha code has only been put on since this all started - it was not there originally anyway.

          The entries in the raw data logs correspond with the spam emails coming in.



            #6
            I have changed the email address on the website, the spam is now coming into the new address... what does this indicate?

            thanks



              #7
              Odd - so fast?
              All else I can suggest is to change your script ID and then do a purge and refresh of the site.
              (Remember that any hard coded cgi-bin links may need to be updated to the new script ID)



                #8
                I had the same thought yesterday, however I really wanted to avoid going down that route as it's not something that I am totally comfortable doing myself. Do you think that there are many hard coded references, and would they be overwritten by future patches and upgrades?



                  #9
                  Unless you (or whoever created the site) have made some hardcoded cgi links then there won't be any. I think your greatest concern is getting the store running. You can always change the script ID back again later if you wanted.



                    #10
                    I've seen this before as well, it just seemed to stop after a while. Very annoying though.

                    Regards,
                    Jan Strassen, Mole End Software - Plugins and Reports for Actinic V4 to V11, Sellerdeck V11 to V2018, Sellerdeck Cloud
                    Visit our facebook page for the latest news and special offers from Mole End

                    Top Quality Integrated label paper for Actinic and Sellerdeck
                    A4 Paper with one or two peel off labels, free reports available for our customers
                    Product Mash for Sellerdeck
                    Link to Google Shopping and other channels, increase sales traffic, prices from £29.95
                    Multichannel order processing
                    Process Actinic, Sellerdeck, Amazon, Ebay, Playtrade orders with a single program, low cost lite version now available from £19.95



                      #11
                      Thanks for all your input.

                      I have changed the script ID (I did not realise that it was so easy!), and then completed a total refresh of the site. Once I then deleted the original mail script from the cgi-bin the spam emails have stopped - at least for the moment.

                      I don't fully understand the reasons behind what has allowed the form mail script to be used so easily to send so many emails, however, it does seem that being able to use the script from multiple remote locations to spam so intensively is a bit of a loophole. Is this a risk that comes with using the integral Actinic form mail script, is it generic to all these types of form mail, and is there anything that either users or Actinic can do to prevent it from happening again?

                      If it does not send out spam email to other users then it seems a little pointless - it is just very annoying to the individual website being targeted. Still, the volume of mail that I have seen is unbelievable!

                      Thanks again.



                        #12
                        If you change the script ID you need to ftp to your webspace and delete all the old scripts, otherwise the robot that uses these scripts to send spam mail will carry on using them.



                          #13
                          We have the same problem with lots of spam coming in directly from the script and have changed IDs several times, but the bots seem to work the ID change out within a day or so and the spam starts again, so perhaps it's an issue that Actinic needs to look into.
