Announcement

**mje** · 13-Sep-2012, 05:30 PM

Mentioned this myself here http://community.sellerdeck.com/showthread.php?t=53224

Drives me nuts as it is a recent development!

**Mike Hughes** · 13-Sep-2012, 05:57 PM

I suspect they're more likely reading around the [dot] obfuscation you have on the email address on your terms page than cracking the recaptcha.

Mike

ps. An easy way to tell the difference would be to look at where they come from. If they're being sent via the form they should have your server as the source.

ps2. email harvesters don't even have to be too clever to harvest an email address. All they have to do is find something that could be an email address ( such as sales (at) mywebsite (dot) com ) and use the first bit of text as the name and the website domain for the rest of the address.

**mje** · 13-Sep-2012, 08:53 PM

The email does appear to be via the form. (properties / details / message source)

Received: from www.devotedly-discus.co.uk (unknown [127.0.0.1])
by phclhosting.co.uk (Postfix) with SMTP

Why though do they send nonsensical gobbledegook? What's the point?!

**steve61** · 14-Sep-2012, 07:52 AM

We do not have the @ in our email address on the terms page and I have had it confirmed by my ISP that the source is definitely the contact us page...

Kaspersky doesn't capture these as spam either because they come from a bonafide email address (mine!).

**Mike Hughes** · 14-Sep-2012, 08:29 AM

OK. That means it's either the recaptcha then or they've found a way to bypass it. It could be worth hiding the form on the page and seeing if that stops it or it still comes through. Just in case they've found a way to bypass the recaptcha and that could be fixed.

There are already commercial captcha solving scripts though that operate on a pay as you go basis. I guess maybe one or more of the email harvesting solutions have come up with their own solution.

Given what you say about the source being a problem for the anti-spam filtering then it might be best to remove the form and go back to a simple obfuscated mailto. I think Norman's published a few options on here before.

At least that way any that come through can be caught by the spam filters and it avoids your server from becoming seen as a source of spam.

Mike

**Sean Williams** · 25-Apr-2013, 09:59 AM

We are having a severe problem with one of our sites.
Incidentally, we have four sites running under V11, all have the Recaptcha active, but only the one site (t w i n m a x dot co dot u k) is having this problem.

We disabled the complete Form on the Contact Us page and deleted the associated email address from our email server and left it for a week.
No spam at all.

We made a completely new, unique email address, attached it to the site and re-instated the Contact Us page Form.
Spam within (I'm not exaggerating) three minutes.

This is the report from our Host UKFast

Hi Sean,

After further investigate, we have determined that the contact form of the twin***.co.uk website is being exploited,
rather than a particular mailbox (though obviously spam is being received)

Checking the post requests in /var/www/vhosts/twin***.co.uk/statistics/logs/access_log

cd /var/www/vhosts/twin***.co.uk
grep -i 'post' statistics/logs/access_log

111.73.46.66 - - [24/Apr/2013:14:22:15 +0100] "POST /cgi-bin/mf000001.pl HTTP/1.0" 200 10370
"http://www.twin***.co.uk/cgi-bin/mf000001.pl?ACTION=SHOWFORM" "Mozilla/5.0 (Windows NT 6.1; WOW64)
AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1"
111.73.46.66 - - [24/Apr/2013:14:23:01 +0100] "POST /cgi-bin/mf000001.pl HTTP/1.0" 200 10370
"http://www.twin***.co.uk/cgi-bin/mf000001.pl?ACTION=SHOWFORM" "Mozilla/5.0 (Windows NT 6.1; WOW64;
rv:17.0) Gecko/20100101 Firefox/17.0"
94.27.65.214 - - [24/Apr/2013:14:26:55 +0100] "POST /cgi-bin/mf000001.pl HTTP/1.0" 200 10400
"http://www.twin***.co.uk/cgi-bin/mf000001.pl?ACTION=SHOWFORM" "Opera/9.80 (Windows NT 6.1; U; ru)
Presto/2.10.229 Version/11.64"
36.251.44.213 - - [24/Apr/2013:14:53:32 +0100] "POST /cgi-bin/mf000001.pl HTTP/1.0" 200 10371
"http://www.twin***.co.uk/cgi-bin/mf000001.pl?ACTION=SHOWFORM" "Mozilla/5.0 (Windows NT 6.0)
AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.91 Safari/537.11"
110.85.113.42 - - [24/Apr/2013:14:57:07 +0100] "POST /cgi-bin/mf000001.pl HTTP/1.0" 200 10371
"http://www.twin***.co.uk/cgi-bin/mf000001.pl?ACTION=SHOWFORM" "Mozilla/5.0 (Windows NT 6.1; WOW64;
rv:12.0) Gecko/20100101 Firefox/12.0"
91.231.40.27 - - [24/Apr/2013:15:14:16 +0100] "POST /cgi-bin/mf000001.pl HTTP/1.0" 200 10370
"http://www.twin***.co.uk/cgi-bin/mf000001.pl?ACTION=SHOWFORM" "Opera/9.80 (Windows NT 5.1; U; YB/3.5.1;
ru) Presto/2.10.229 Version/11.64"
175.44.31.41 - - [24/Apr/2013:15:31:33 +0100] "POST /cgi-bin/mf000001.pl HTTP/1.0" 200 10370
"http://www.twin***.co.uk/cgi-bin/mf000001.pl?ACTION=SHOWFORM" "Mozilla/5.0 (Windows NT 6.1; rv:16.0)
Gecko/20100101 Firefox/16.0"

These post requests to mf000001.pl are at the exact times that spam is being send to this email address. After searching
for your address in these perl files, I found that this is set in se000001.pl, as shown below;

grep -Ri '*******@twin***.co.uk' cgi-bin/*
cgi-bin/se000001.pl:$::g_sEmailAddress = 'customerservice3@twin***.co.uk';

This would indicate that mf000001.pl is calling se000001.pl, and therefore mail is being sent out, regardless of how
many times the email is changed.

The gist of this is that the form is being exploited by multiple post requests, in spite of the captcha being in place.
As the spam is coming from various different IPs, simply blocking them would not be effective. I would suggest taking a
look with your developers at ways to stop captchas being exploited, as a quick google indicates that depending on the
captcha you have, there is usually a way to bypass it using free tools online.

Could we have a response from Sellerdeck about this issue please?

Thanks

Announcement

Spammers

Spammers

Comment

Comment

Comment

Comment

Comment

Comment