Thursday, May 10, 2007
How desperate do you have to be to spam someone? Part II
Okay, two days later and I have more information about that spammer: they're not trying to send email, they're trying to spam guestbooks and forums.
Before I get there, let me explain how the Obligatory Email Notification System works. When you fill in the form, your email address is added to an “optin” list, and an email is then sent. Only when you reply to that email is your email address moved from the “optin” list to the “verified” list and it's from the “verified” list that emails are sent when I make a new entry.
So I decided to check the “optin” list, and boy, was I in for a surprise. I haven't checked the actual “optin” list for, oh, three years or so? It would be an understatement to say the email addresses were predominately sex related. I grabbed one (hcl_tab_tramadol@hotmail.com
) and lo, look at all that guestbook spam.
My guess: the spammer searched the net for HTML forms that looked like guestbook for forum forms, and since many guestbook forms have an email field (usually named email
) they tagged my Obligatory Email Notification as a possible guestbook script (since it, too, has a field named email
).
But here's where things get weird: the only fields they fill out, in regards to my Obligatory Email Notification form, are the fields defined in that form. I had hoped to see some additional fields being sent in, like comments
or message
(which wouldn't do anything anyway) but nope, the only fields they sent in were the fields defined for my form.
I thought maybe because I didn't have a field named comments
or message
they weren't sending in such a field. So I added a field named comments
(it's a <TEXTAREA>
but with a style of display: none
).
Still, only the fields I had originally defined were being sent in.
Checking the logs, and yes, the spammer has definely cached the original form (because the spammer is simply doing a POST
to the form, and not retrieving it before doing the POST
). I'm going to rename the form and see if that has any effect.
One more thing though: It's one spammer doing all this, and while you would think I could just block that one IP address, I can't. That's because this particular spammer, running their script from 72.232.102.130, is using a series of open web proxies to submit the form, so the actual IP address to block changes all the time. So anyone who is getting spam to a guestbook or forum, and you're running Apache, you might want to check the environment variable HTTP_X_FORWARDED_FOR
.