Thursday, May 10, 2007
How desperate do you have to be to spam someone? Part II
Okay, two days later and I have more information about that spammer: they're not trying to send email, they're trying to spam guestbooks and forums.
Before I get there, let me explain how the Obligatory Email Notification System works. When you fill in the form, your email address is added to an “optin” list, and an email is then sent. Only when you reply to that email is your email address moved from the “optin” list to the “verified” list and it's from the “verified” list that emails are sent when I make a new entry.
So I decided to check the “optin” list, and boy, was I in for a surprise. I haven't checked the actual “optin” list for, oh, three years or so? It would be an understatement to say the email addresses were predominately sex related. I grabbed one (firstname.lastname@example.org) and lo, look at all that guestbook spam.
My guess: the spammer searched the net for HTML forms that looked like guestbook or forum forms, and since many guestbook forms have an email field (usually named
But here's where things get weird: the only fields they fill out, in regards to my Obligatory Email Notification form, are the fields defined in that form. I had hoped to see some additional fields being sent in, like message (which wouldn't do anything anyway) but nope, the only fields they sent in were the fields defined for my form.
I thought maybe because I didn't have a field named message they weren't sending in such a field. So I added a field named comments (it's a <TEXTAREA> but with a style of
Still, only the fields I had originally defined were being sent in.
Checking the logs, and yes, the spammer has definitely cached the original form (because the spammer is simply doing a POST to the form, and not retrieving it before doing the POST). I'm going to rename the form and see if that has any effect.
One more thing though: it's one spammer doing all this, and while you would think I could just block that one IP address, I can't. That's because this particular spammer, running their script from 184.108.40.206, is using a series of open web proxies to submit the form, so the actual IP address to block changes all the time. So if you're getting spam to a guestbook or forum and you're running Apache, you might want to check the environment variable
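As an added illustration of the two checks described above (a hidden honeypot field, and a POST that arrives with no preceding GET of the form), here is a small Python script that is not part of the original post. The form path, handler path, field names and Apache log lines are all constructed for the example; note that a spammer replaying a cached copy of the form never sees the honeypot, so only the log-based check catches that case, and it still works per proxy IP because each proxy shows a POST with no prior GET.

```python
import re
from datetime import datetime, timedelta

# Apache "combined" log format. Paths and log lines are constructed for this example.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
FORM_PATH = "/notify.html"      # hypothetical page that renders the form (GET)
POST_PATH = "/cgi-bin/notify"   # hypothetical handler the form submits to (POST)
HONEYPOT = "comments"           # hidden <textarea>; a human using the rendered form never fills it

SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2007:09:00:01 -0500] "GET /notify.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.5 - - [10/May/2007:09:01:10 -0500] "POST /cgi-bin/notify HTTP/1.1" 302 0 "http://example.org/notify.html" "Mozilla/5.0"
198.51.100.7 - - [10/May/2007:09:02:00 -0500] "POST /cgi-bin/notify HTTP/1.0" 302 0 "-" "Mozilla/4.0"
198.51.100.9 - - [10/May/2007:09:02:05 -0500] "POST /cgi-bin/notify HTTP/1.0" 302 0 "-" "Mozilla/4.0"
"""

def parse(log_text):
    """Yield one dict per well-formed log line, with the timestamp parsed."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
            yield rec

def blind_posts(log_text, window=timedelta(hours=1)):
    """Return (ip, timestamp) for POSTs whose client did not GET the form within `window` before."""
    last_get = {}
    flagged = []
    for rec in parse(log_text):
        if rec["method"] == "GET" and rec["path"] == FORM_PATH:
            last_get[rec["ip"]] = rec["ts"]
        elif rec["method"] == "POST" and rec["path"] == POST_PATH:
            seen = last_get.get(rec["ip"])
            if seen is None or rec["ts"] - seen > window:
                flagged.append((rec["ip"], rec["ts"].isoformat()))
    return flagged

def honeypot_hit(fields):
    """True if the submitted form data has the hidden field filled in."""
    return bool(fields.get(HONEYPOT, "").strip())

if __name__ == "__main__":
    for ip, ts in blind_posts(SAMPLE_LOG):
        print(f"POST without prior GET of the form: {ip} at {ts}")
```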