Help preventing Spam Attacks on my web form

Discussion in 'HTML & Website Design' started by phealey, Aug 16, 2006.

  1. phealey
    #1
    Hi Guys

    I need help. Some spammer is attacking my web site with some automatic program spamming my web form, at this location:
    http://www.hirefitness.co.uk/contactus.asp

    My developers have added a character recognition check, but we are still being attacked. Any tips or ideas? It is a Windows site running ASP.

    Cheers
     
    phealey, Aug 16, 2006 IP
  2. ludwig (Notable Member)
    #2
    As far as I can see, everything should be normal on your site and work fine: you have method post, and you verify before going to the contectus_submit.asp page.

    Maybe the problem is in the ASP when they link to, let's say,
    contectus_submit.asp?name=X&email=Y and your sending page gets the data and sends it. Do you get the data like this:
    strName = request.form("name"), or is it just strName = request("name")?

    Besides, I don't like the letters on your site; ask them to make them images and transfer the values with a session parameter, and forget about written TEXT.

    Good Luck
     
    ludwig, Aug 16, 2006 IP
  3. ludwig (Notable Member)
    #3
    If you receive an e-mail with everything submitted as "A", it's me, just to let you know.
     
    ludwig, Aug 16, 2006 IP
  4. slickricky (Active Member)
    #4
    You have to add some code to your ASP page that verifies that the script is being run from your domain. I could show you in PHP, but in ASP, I don't know.

    Just for reference here's how it's done in PHP, in case it helps you figure it out in ASP.

    // referers: domains/IPs that you will allow forms to reside on.
    $referers = array('yourdomain.com', 'www.yourdomain.com');

    // Show an error to the visitor. The original snippet called this
    // without defining it; a minimal definition is supplied here.
    function print_error($msg) {
        echo '<p>' . $msg . '</p>';
    }

    // Check the referer for security reasons. Returns true only if the
    // request's Referer header names one of the allowed hosts. Note that
    // the header is supplied by the client and is trivially forged, so
    // this is a weak filter rather than a real access control.
    function check_referer($referers) {
        if (!count($referers)) {
            return true; // not a good idea: an empty list allows everything
        }
        $raw = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
        // Host part of the referer URL, e.g. "www.yourdomain.com"
        // from "http://www.yourdomain.com/contactus.asp"
        $referer = (string) parse_url($raw, PHP_URL_HOST);
        $found = false;
        foreach ($referers as $allowed) {
            // Case-insensitive exact host match. The original used eregi(),
            // which was removed in PHP 7 and matched substrings, so a host
            // such as "yourdomain.com.example" would also have passed.
            if (strcasecmp($allowed, $referer) === 0) {
                $found = true;
            }
        }
        if ($referer === '') {
            $found = false;
        }
        if (!$found) {
            print_error('You are coming from an <b>unauthorized domain.</b>');
            error_log('[FormMail.php] Illegal Referer. (' . $raw . ')', 0);
        }
        return $found;
    }

    if ($referers) {
        check_referer($referers);
    }
     
    slickricky, Aug 17, 2006 IP
  5. surefire (Guest)
    #5
    Checking HTTP_REFERER is an old and unreliable security measure. Sure, it can add a tiny bit of security, but it's very, very easy to spoof the referer info, even automatically.

    There's a PHP security expert named Chris Shiflett who has written a lot about this topic. One of his ideas is to generate two related strings, store one in an invisible tag in the form and the other in a cookie set in the browser. When the data is received, the two values are compared. If there is no cookie (session) info, the script dies. If they don't match, the script dies.

    In a nutshell, one string is pseudo-randomly generated from the current time, and the other is a one-way hash (md5) of that string plus a secret component. Like this:

    $hash = md5('secret salt here'.$string);

    Chris Shiflett does a better job of explaining it. The technique does require cookies to be allowed by your visitor, but it is very easy for the "good guys" to use your form while being very tough on preventing "bad guys" from taking advantage.

    I've adapted this idea a bit for my own use and I limit the time involved for each token/hash pair. In other words, you only have 15 minutes to submit the form. This means that a spammer can't gather a token/hash pair from my site and use it from now on to send spam through my form.

    Hope that helps.
     
    surefire, Aug 18, 2006 IP
    phealey likes this.
  6. phealey (Well-Known Member)
    #6
    Great advice, guys. Keep it coming.

    Paul
     
    phealey, Aug 20, 2006 IP
  7. phealey (Well-Known Member)
    #7
    Thanks, surefire.

    For a small token, surefire sorted my spam problems out in a few hours. Many thanks; this guy really knows what he is doing.

    Top guy :)
     
    phealey, Aug 23, 2006 IP
  8. surefire (Guest)
    #8
    Thank you very much, phealey.
     
    surefire, Sep 4, 2006 IP