From: Brian Dunning on
Hey - It looks like a PHP form on my server is insecure and is being used to send spam. This is Rackspace's best guess. The problem is there are SO MANY forms on all the web sites on this server that it would be a nightmare task to try and look at them all to be sure they're properly secured.

Is anyone aware of a way to shortcut this process, maybe find out what script(s) are being attacked to send the spam?

:-(

From: Peter Lind on
On 7 June 2010 22:25, Brian Dunning <brian(a)briandunning.com> wrote:
> Hey - It looks like a PHP form on my server is insecure and is being used to send spam. This is Rackspace's best guess. The problem is there are SO MANY forms on all the web sites on this server that it would be a nightmare task to try and look at them all to be sure they're properly secured.
>
> Is anyone aware of a way to shortcut this process, maybe find out what script(s) are being attacked to send the spam?
>
> :-(
>

Check your server access logs - if it's sending lots of spam it's
getting hit more than other forms (and you should possibly see other
equally interesting signs, such as referrer). Also ... if you're
letting users specify an email address to send to as well as content
and you don't make sure to authenticate users, you're really asking to
get abused.

Regards
Peter


--
<hype>
WWW: http://plphp.dk / http://plind.dk
LinkedIn: http://www.linkedin.com/in/plind
BeWelcome/Couchsurfing: Fake51
Twitter: http://twitter.com/kafe15
</hype>
From: Jim Lucas on
Brian Dunning wrote:
> Hey - It looks like a PHP form on my server is insecure and is being used to send spam. This is Rackspace's best guess. The problem is there are SO MANY forms on all the web sites on this server that it would be a nightmare task to try and look at them all to be sure they're properly secured.
>
> Is anyone aware of a way to shortcut this process, maybe find out what script(s) are being attacked to send the spam?
>
> :-(
>
>

Usually it isn't your "php/html form" that is insecure, it is the processing
script that processes said form. Change all the forms to use a single
processing script and then you won't have such a big problem tracking down the
"information processing error/insecurity" that you are having.

--
Jim Lucas

A: Maybe because some people are too annoyed by top-posting.
Q: Why do I not get an answer to my question(s)?
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
From: Paul M Foster on
On Mon, Jun 07, 2010 at 01:25:28PM -0700, Brian Dunning wrote:

> Hey - It looks like a PHP form on my server is insecure and is being used to send spam. This is Rackspace's best guess. The problem is there are SO MANY forms on all the web sites on this server that it would be a nightmare task to try and look at them all to be sure they're properly secured.
>
> Is anyone aware of a way to shortcut this process, maybe find out what script(s) are being attacked to send the spam?

Assuming that the form is using the mail() function or something similar
to send the spam, add yourself as a recipient of the forms you manage.
Then you will see for sure if *your* forms are being used for spam.

If you find that your forms are being used to spam, implement CAPTCHA to
hinder bots. (Nothing will stop humans manually spamming via your
forms.) Very little short of this will stop bot spam. You could sanitize
form values and reject spam-like forms, but that's complicated and
error-prone. CAPTCHA is simpler.

Paul

--
Paul M. Foster
From: Brian Dunning on
Agreed that's a great overall strategy but what I need now is a way to track down the offending script, within the next few days if possible.

On Jun 7, 2010, at 1:35 PM, Jim Lucas wrote:

> Change all the forms to use a single
> processing script and then you won't have such a big problem tracking down the
> "information processing error/insecurity" that you are having.