[CanadianDave]

Normally, I can figure most things out on my own but I have a spam issue that has been going on for a few years and could use some insight from ABW'ers... I have a coupon site with a contact form that keeps getting spammed.
What I would like to know is why do the messages look like links made up of giberish?

The spam messages seem to be built in four different parts divided by commas:
1) A standard < a href > link but the url and linked text are non-sensical letters and numbers (different from the other links and text)
2) A second [ url= ] tag but again, the url and linked text are non-sensical letters and numbers (different from the other links and text)
3) A third [ link= ] tag but again, the url and linked text are non-sensical letters and numbers (different from the other links and text)
4) A straight-up http link and again, the url and linked text are non-sensical letters and numbers (different from the other links and text)

It is a pain but I just wondering what is the purpose behind this?
What possible use is a domain made from a jumble of letters?

Dave

[2busy]

Maybe human testing for spam bot setup? Practicing their routine? I have never seen a problem like this, hope someone else can tell you for sure what it is. I have seen redirect sites set up with useless jumbled names. Can you match the junk with access logs and see if there is an IP to ban?

[MichaelColey]

What they're probably trying to do is to overflow the input field and make your contact form send spam emails out to people.

For instance, they might enter a from email address of "test@test.com\nTo: huge list of email addresses\nSubject: Buy Viagra\n\nVisit my spam site to buy Viagra.\n\n\n\n\n\n". If your script doesn't handle things right, that may cause your server to send spam out instead of sending the feedback to you.

The fact that you got the email makes it sound like it's probably handling things right. They're just testing it (probably in an automated way) to try to find vulnerable contact forms.

That's my guess, anyway.

[Kellie aka Ms. B]

Quote:

What possible use is a domain made from a jumble of letters?

A throw away domain.

[John Powell]

Quote:

Originally Posted by CanadianDave

Normally, I can figure most things out on my own but I have a spam issue that has been going on for a few years and could use some insight from ABW'ers... I have a coupon site with a contact form that keeps getting spammed.
What I would like to know is why do the messages look like links made up of giberish?

The spam messages seem to be built in four different parts divided by commas:
1) A standard < a href > link but the url and linked text are non-sensical letters and numbers (different from the other links and text)
2) A second [ url= ] tag but again, the url and linked text are non-sensical letters and numbers (different from the other links and text)
3) A third [ link= ] tag but again, the url and linked text are non-sensical letters and numbers (different from the other links and text)
4) A straight-up http link and again, the url and linked text are non-sensical letters and numbers (different from the other links and text)

It is a pain but I just wondering what is the purpose behind this?
What possible use is a domain made from a jumble of letters?

Dave

I saw this for the first time today. 2 emails back to back and not one word that I could recognize. It doesn't even begin to look like a language. Contact form also here.

[John Powell]

Quote:

Originally Posted by Kellie aka Ms. B

A throw away domain.

I got another one this morning with 5 different gibberish domains that whois says are invalid. Looking in the server log shows it was from Barcelona, Spain. Can't figure out what's the point.

[bobby131313]

They try to inject a line break so they can piggyback a CC field on the "to" field. So when they submit the form it goes to you plus a bazillion addresses they've injected into the new cc field. It's an old exploit that most apps have sanitized, but they still try to make it work.

[John Powell]

Quote:

Originally Posted by bobby131313

They try to inject a line break so they can piggyback a CC field on the "to" field. So when they submit the form it goes to you plus a bazillion addresses they've injected into the new cc field. It's an old exploit that most apps have sanitized, but they still try to make it work.

So I guess then this would just be a probe to see if there is a vulnerability. If it works then they do a real spam message that would benefit them?

[MichaelColey]

That's my guess. They probably have a spider/bot just looking for contact forms and testing them for vulnerabilities, then a separate spider/bot that spams through any vulnerabilities they find.

[CanadianDave]

Thanks everyone! It's good to get some informed information on this. Now that I think of it, I am seeing similar spam across a number of different domains/flavour of email (form to database, Yahoo mail and domain addresses).