  1. #1
    ABW Ambassador writerguy's Avatar
    Join Date
    January 17th, 2005
    Location
    Springfield, Missouri, USA
    Posts
    3,248
    Can anyone explain this odd type contact SPAM I keep getting?
    I have some contact forms on several of my sites. A couple of those sites keep getting some sort of spam, I guess, that generally appears to be either unreadable garble or maybe in a foreign language. They all look something like this:

    Subject Line: pjPHkgdGcydxdIyXxlI

    email body:

    K8mxwC <a href="http://rshudernhbox.com/">rshudernhbox</a>, http://XXXXXeiqiqn.com/zsoadteiqiqn, http://XXXXXzdsukop.com/XXXXXzdsukop, http://XXXXXbpbz.com/

    I have used XXXXX to replace some of the letters in the original, because I do not wish to give anyone legitimate links here or on my website.

    But, can anyone explain in simple terms an Old Guy can understand -- what in the world is this? What are they hoping to accomplish submitting this via contact forms on my blogs?

    I just really don't "get it" on this. Are the blogs receiving this stuff in trouble? Anybody know how I can stop it? Or do I even need to worry about it?
    Last edited by loxly; November 11th, 2008 at 02:05 PM. Reason: unlinked links that were automatically linked
    Generate more fake news.

  2. #2
    ABW Ambassador Boom or Bust's Avatar
    Join Date
    February 3rd, 2008
    Posts
    3,955
    This reminds me of what we saw a few weeks back when one of our contact forms got hammered with stuff that apparently was attempting a buffer overflow to break in to the server. If you start seeing hundreds or thousands, either block their IP or take the site down temporarily...




  3. #3
    Comfortably Numb John Powell's Avatar
    Join Date
    October 17th, 2005
    Location
    Bayou Country, LA
    Posts
    3,432
    If your form script is in a directory that is the same as the name of the script it seems to get more interest from crooks. I'm talking of well known scripts here, and not homemade ones.

    I have some from Phorm and the directory was /phorm/. I changed the directory and the file name away from contact-us.php. This reduced the traffic from crackers a lot. Once they had my old URLs they were probing me from all over the world. Now at least they are temporarily confused.

    This is not the answer to your question but something that might help in the overall plan.


  4. #4
    ABW Ambassador Greg Rice's Avatar
    Join Date
    January 18th, 2005
    Location
    Ohio
    Posts
    4,889
    Getting the same here for about the past 2 or 3 weeks. They usually come 2 in a row; the first one is blank and the second one is the spam. There have only been maybe 5 or 6 total though.
    Greg Rice Affiliate Program Management
    www.gocmc.com info(AT)gocmc.com | 330-259-1223

    Join us! - MiNeeds.com | DiscountCandleShop/CheeseSupply | Feng Shui Plaza

  5. #5
    ABW Ambassador Bob Lawrence's Avatar
    Join Date
    July 2nd, 2007
    Posts
    1,090
    I could be wrong here. But if you have a spare computer with PHP on it you might try running this script on it to see if it will decode it. Be careful tho, it could be a hack script encoded.

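    <?php
    // Paste the text from the spam mail between the quotes.
    $txt = "bla bla bla text in spam mail";

    // Decode it as base64; the result is garbage if the text is not base64.
    $txt = base64_decode($txt);

    echo $txt;
    ?>
    Example below produces the last line of text.
    <?php
    $txt = "I Love ABestWeb :)";

    // Encode the string as base64.
    $txt = base64_encode($txt);

    echo $txt;
    ?>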

    SSBMb3ZlIEFCZXN0V2ViIDop
    Last edited by Bob Lawrence; November 11th, 2008 at 04:49 PM. Reason: left out some important code. Added Example
    Where's the Great Life of Affiliate Marketing Hiding?

  6. #6
    ABW Ambassador Greg Rice's Avatar
    Join Date
    January 18th, 2005
    Location
    Ohio
    Posts
    4,889
    Just got my second one of the day:

    From: nmEJJhDDWkxDknt (wwfkjd@xxxxx.com)

    Title: bVfakeMxjFWzDc

    Phone: wxJOVfyCp

    Website: http://xxxxxrvp.com/

    Message: jplnsy <a href="http://xxxxxbxf.com/">gmszelrwlbxf</a>, wnaxepnoxosa, [link=http://xxxxxxmx.com/]rhduwqtflxmx[/link], http://xxxxxauxs.com/


    What's odd is that none of the URLs are even registered so I don't know what the point is. Apparently someone has way too much free time on their hands.
    Greg Rice Affiliate Program Management
    www.gocmc.com info(AT)gocmc.com | 330-259-1223

    Join us! - MiNeeds.com | DiscountCandleShop/CheeseSupply | Feng Shui Plaza

  7. #7
    ABW Ambassador Bob Lawrence's Avatar
    Join Date
    July 2nd, 2007
    Posts
    1,090
    Just to let you know Greg,
    I tried decoding it as base64 and encoding it as base64 and nothing made any sense.
    I don't have the foreign language module installed or I should say enabled in php.
    Where's the Great Life of Affiliate Marketing Hiding?

  8. #8
    ABW Ambassador purplebear's Avatar
    Join Date
    January 18th, 2005
    Posts
    3,960
    I've been getting these same messages for quite some time, too. They're coming from just the one site's contact forum (guess they haven't discovered the other ones yet lol ) Gonna keep an eye on this thread to see if there is something I can do to stop it. Don't quite understand what Johnny posted but don't have the time right now to attempt to understand it either lol so will wait til after the holidays and come back to this. ummm that is unless I forget lol

  9. #9
    ABW Ambassador ladidah's Avatar
    Join Date
    October 15th, 2007
    Location
    MA
    Posts
    1,888
    Gary and others,

    Do you have CAPTCHA installed for the contact form?

  10. #10
    Member
    Join Date
    October 11th, 2008
    Posts
    69
    It's an attempt to drill through greylisting. Send one total junk, then send the second one which will trigger the greylisting software to let it pass. The added "benefit" is that the spam looks more legitimate when the message next to it is total junk.

    It's an old trick that we first noticed when the first greylisting systems came online a few years ago.

    Captcha fixes it for online form abuse.

    Scott

  11. #11
    Believe knight01's Avatar
    Join Date
    August 14th, 2006
    Location
    Dayton, Ohio
    Posts
    1,815
    I got these for a while. It is a script that fills out a form and submits it. Since most forms use common form names and inputs they use different variables to learn which form returns a 200 code from a thank you or confirmation page.

    I stuck a captcha on the forms and haven't had one since.

    I'd guess they are hoping to form spam you at some point. They could also be gathering email addresses from auto responders or worse they are looking for some vulnerability or injection they can use in your form, by learning the submit process they hope to find a way to add a bcc field to the form submission. I don't recall the name now, but there was a free cgi form that was widely used about 7 or 8 years ago and it had such a vulnerability. Kind of like a sql injection with php.
    Someday starts today
    Military Discounts

  12. #12
    ABW Ambassador purplebear's Avatar
    Join Date
    January 18th, 2005
    Posts
    3,960
    umm I made my contact form up just with FrontPage. Dummy question but is the captcha just like a bit of html or javascript code that I could edit into the page??

  13. #13
    ABW Ambassador Greg Rice's Avatar
    Join Date
    January 18th, 2005
    Location
    Ohio
    Posts
    4,889
    Some great info here and some things I didn't think about. I made some changes, including removing the CC field for my form. Thanks all!
    Greg Rice Affiliate Program Management
    www.gocmc.com info(AT)gocmc.com | 330-259-1223

    Join us! - MiNeeds.com | DiscountCandleShop/CheeseSupply | Feng Shui Plaza

  14. #14
    ABW Ambassador Boom or Bust's Avatar
    Join Date
    February 3rd, 2008
    Posts
    3,955
    Quote Originally Posted by ladidah
    Gary and others,

    Do you have CAPTCHA installed for the contact form?
    We had CAPTCHA on all but one, and it was attacked a few weeks ago. So as a result of this and another previous thread on the subject, I just fixed the remaining form.




  15. #15
    ABW Ambassador jodyq's Avatar
    Join Date
    August 28th, 2008
    Location
    Melbourne, Florida
    Posts
    660
    That reminds me of new spam I am getting from people located in Taiwan. They have been sending me weird emails like that, but I got one straight one and it was advertising for their replica store and cheap electronics. Scammers and spammers.
    Wear Short Sleeves!!! Support the right to bare arms!

  16. #16
    ABW Ambassador writerguy's Avatar
    Join Date
    January 17th, 2005
    Location
    Springfield, Missouri, USA
    Posts
    3,248
    Thanks so much, all who have responded to my original question. Very helpful.

    The sites I run contact forms on are all WordPress.

    I was using a WordPress contact plugin called "Contact Form 7." If it offers captcha, I've not seen how to set it up.

    I switched to a plugin called "cforms." But I am simply not smart enough to figure out how to get that awful thing to even work! Okay, it may be a fine plugin, so I take back the "awful thing," but I can't figure it out.

    SO I found a WP plugin called "easy contact," and I can figure it out. This one offers a security question you can require, either a random math problem or challenge question, or both.

    My question about this would be: Is such a verification system as effective as a captcha?

    If not, does anyone know a good captcha plugin for WP that I don't need to be a bona fide rocket scientist to install and configure?

    Oh, one other thing: If you want to see that "easy contact" WP as I have it working, it's on the "Contact Us" page of the blog you can reach through the "Writerguy" link in my sig file.
    Last edited by writerguy; November 12th, 2008 at 01:24 PM. Reason: To add last paragraph
    Generate more fake news.

  17. #17
    ABW Ambassador ladidah's Avatar
    Join Date
    October 15th, 2007
    Location
    MA
    Posts
    1,888
    Quote Originally Posted by writerguy

    I switched to a plugin called "cforms." But I am simply not smart enough to figure out how to get that awful thing to even work! Okay, it may be a fine plugin, so I take back the "awful thing," but I can't figure it out.
    I agree that it is not easy to configure but that is the one I use with CAPTCHA. What I did was to look at the few templates they offer and use them instead to tweak my own. That way you don't have to start from scratch and later on tweak the css if you want to.

    On a side note: I just de-installed the plugin a few days ago because my site RSS was messed up (not updating and getting errors) due to one of the multiple plugins I had. So I de-installed each one to see which one was the culprit. After I de-and-re-installed cforms the form I used was not working. I need to spend time setting it up again but haven't had the chance. Lo and behold, last night I got the exact same spam you were talking about. Together followed by another even longer spam full of porn, etc.

  18. #18
    Believe knight01's Avatar
    Join Date
    August 14th, 2006
    Location
    Dayton, Ohio
    Posts
    1,815
    I tried cforms on a site, my gawd, after about 2 hours I gave up and found contact 7.

    To add the captcha use something like this

    <p>[captchac captcha-280 size:m]</p>
    <p>Enter the above code into the box below</p>
    <p>[captchar captcha-280]</p>
    Last edited by knight01; November 12th, 2008 at 01:50 PM. Reason: didn't have the box below code
    Someday starts today
    Military Discounts

  19. #19
    ABW Ambassador writerguy's Avatar
    Join Date
    January 17th, 2005
    Location
    Springfield, Missouri, USA
    Posts
    3,248
    Quote Originally Posted by ladidah
    Lo and behold, last night I got the exact same spam you were talking about. Together followed by another even longer spam full of porn, etc.
    Ah-HAH! So, it seems pretty obvious to me -- someone here at ABW must be sending Spam/Porn through our contact forms!!!!!

    Who's the culprit? C'mon -- confess now and it'll go easier on you.

    On a serious note, I made at least three tries at getting that cforms plugin to work. Twice I had a friend on another forum give me suggestions that really should have been easy to follow, using already existing cform stuff and modifying it for my site as you suggested you did.

    Just couldn't figure out how to get anything right from it all. I think I had a form working, but it looked about as classy and "business like" as something from a 5-year-old's coloring book. (No offense meant to any 5-year-olds out there reading this.)
    Generate more fake news.

  20. #20
    ABW Ambassador writerguy's Avatar
    Join Date
    January 17th, 2005
    Location
    Springfield, Missouri, USA
    Posts
    3,248
    Quote Originally Posted by knight01
    I tried cforms on a site, my gawd, after about 2 hours I gave up and found contact 7.

    To add the captcha use something like this
    Yeah, I was just looking at the WP plugins directory at the contact-7 info one more time. I was never able to get the captcha in contact-7 to show up. Something in the guy's instructions mentions making a directory writable in the plugin files. Then in newer versions he says to make a directory in the upload structure writable instead. At that point, when I couldn't locate the upload structure he was talking about, I tried creating that folder within upload, making it writable -- and that didn't work either.

    Groan. Probably gonna stick with the easy-contact form using the math question option. *sigh* Thought I knew at least a LITTLE bit about running WordPress, but now I dunno.
    Generate more fake news.

  21. #21
    Lite On The Do, Heavy On The Nuts Donuts's Avatar
    Join Date
    January 18th, 2005
    Location
    Winter Park, FL
    Posts
    6,930
    Quote Originally Posted by knight01
    or worse they are looking for some vulnerability or injection they can use in your form, by learning the submit process they hope to find a way to add a bcc field to the form submission. I don't recall the name now, but there was a free cgi form that was widely used about 7 or 8 years ago and it had such a vulnerability. Kind of like a sql injection with php.
    that is what they're doing, feeling out your injection defenses.

    Quote Originally Posted by ladidah
    I agree that it is not easy to configure but that is the one I use with CAPTCHA.
    here's one for php or wordpress folks that is easy to configure, supports CAPTCHA, is free, and i very strongly recommend it:
    http://www.dagondesign.com/articles/...mailer-script/
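
An added example, not part of any post in this thread and not code from any plugin named here: server-side checks for the two things the thread describes, a submitted value trying to add a Bcc header line and the gibberish link probes. The field names (name, email, subject, message) and the link threshold are assumptions.

```php
<?php
// Added example. Field names and the link threshold are assumptions.
// Recipient, Cc and Bcc stay hard-coded on the server, never taken from the form.
function contact_form_errors(array $in): array
{
    $errors  = [];
    $name    = trim((string)($in['name'] ?? ''));
    $email   = trim((string)($in['email'] ?? ''));
    $subject = trim((string)($in['subject'] ?? ''));
    $message = (string)($in['message'] ?? '');

    // Values copied into mail headers must not contain CR or LF, or a
    // submitted value can start a new header line such as "Bcc:".
    foreach (['name' => $name, 'email' => $email, 'subject' => $subject] as $field => $value) {
        if (preg_match('/[\r\n]/', $value)) {
            $errors[] = "$field: line break in header field";
        }
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email: not a valid address';
    }

    // The probes quoted in the thread mix <a href>, [link=] and bare URLs.
    $links = preg_match_all('~https?://~i', $message);
    if ($links > 2 || preg_match('~<a\s+href|\[(link|url)=~i', $message)) {
        $errors[] = 'message: link markup or too many URLs';
    }
    return $errors;
}

// Constructed sample submissions (not real traffic).
$samples = [
    'normal'   => ['name' => 'Pat', 'email' => 'pat@example.com',
                   'subject' => 'Question', 'message' => 'Do you ship to Ohio?'],
    'bcc'      => ['name' => 'x', 'email' => "a@example.com\r\nBcc: list@example.net",
                   'subject' => 'hi', 'message' => 'hello'],
    'linkspam' => ['name' => 'qwJkd', 'email' => 'q@example.com', 'subject' => 'zzKq',
                   'message' => 'abc <a href="http://example.com/">x</a>, '
                              . '[link=http://example.org/]y[/link], http://example.net/'],
];

foreach ($samples as $label => $post) {
    $errors = contact_form_errors($post);
    echo $label, ': ', $errors ? implode('; ', $errors) : 'accepted', PHP_EOL;
}
```

Only the first sample is accepted; a CAPTCHA or challenge question still belongs in front of this, since these checks filter content rather than stop automated submission.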
