CraigA Posted October 16, 2018

Problem: I'm starting to get 3-5 spam contacts/day through my Contact Form, and this appears to be escalating quickly. So far I've been careful not to report these to SpamCop. But what if I did? Would SpamCop process these in a sane way, or if not (best case) ignore the report, or (worst case) block my own domain?

Here is an example of what I see:

====================================
Return-Path: <www-data@myDomain.net>
X-Original-To: me@myDomain.net
Delivered-To: me@myDomain.net
Received: by myMachine.home (Postfix, from userid 33)
	id D004D226BC5; Mon, 15 Oct 2018 12:03:16 -0700 (PDT)
To: me@myDomain.net
Subject: Contact from myDomain.net
X-PHP-Originating-Script: 1000:contact.php
From: "Kozaimgox" <andry.zaims@mailert.ru>
Reply-To: "Kozaimgox" <andry.zaims@mailert.ru>
X-Mailer: chfeedback.php 2.15.0
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Message-Id: <20181015190316.D004D226BC5@pluto.home>
Date: Mon, 15 Oct 2018 12:03:16 -0700 (PDT)

This message was sent from:http://www.myDomain.net/contact.html
------------------------------------------------------------
Name of sender: Kozaimgox
Email of sender: andry.zaims@mailert.ru
------------------------- COMMENTS -------------------------
Getting an online loan these days is not difficult. You can take out a loan at any time; the main thing is to have access to the internet. It must be said that if you want to get a loan, you need to choose carefully the service where you will apply for it. We advise paying attention to various factors when choosing a company. Quite a lot of people get loans on mega-zaimer.ru. A service that can provide an urgent virtual loan is not so easy to find. Quite a lot of services make visitors provide various documents, which may be useful to the lender in case the borrower disappears. However, the best microfinance organisations (MFOs) are available on the site.
They provide online loans without checks and without refusal. It is for this reason that they are extremely valued, and the service offers them. Some MFOs issue virtual loans to a card. You can choose which card you want to take the loan on. Most services provide loans to debit cards. Some firms provide money even to online wallets. Some of the services presented on mega-zaimer.ru offer the chance to take the first loan for free. Nowadays it is very hard to find a service that offers the chance to choose relevant offers. Recently quite a lot of firms that provide financial services have begun to offer short-term loans. Some of these services are considered unreliable. Precisely so that consumers can get money without problems regardless of their situation, you can apply for a loan to a card virtually without refusal at any time of day. The service is in demand because it regularly analyses companies and its specialists follow all changes in the market. This is what makes it possible to create an objective rating of all services and reliable lenders. The resource has prepared a list of new MFOs of 2018, where the coolest MFOs are available. Most of the companies provide an urgent loan to a card without checking credit history, which is a big advantage these days. At <a href=https://mega-zaimer.ru/srochiy-zaimu/>https://mega-zaimer.ru/srochiy-zaimu/</a> you can find the company that will suit you. The site is very simple and will be interesting for all users. It should be noted that on the site you choose an MFO by the following parameters: loan amount, loan term, region, method of receiving the money. Most people prefer to take virtual loans to a card in order to manage their finances. Now any borrower can take a loan and will have it 100% approved. After all, the service has gathered the most reliable lenders, who are true professionals.
The service's staff constantly monitor all information about how the MFOs operate. Even those with a terrible credit history have the opportunity to get a loan. The service will also be useful because it offers companies that provide loans at night. Not many MFOs issue loans at night. Today choosing a company that will provide a loan instantly, without refusals and checks, to a credit card around the clock, and at night too, is practically impossible. But the service offers a catalogue of MFOs that may be useful to you. On the financial portal mega-zaimer.ru, clients can take a loan to a card regardless of what the funds are for. You will not need to report, as you would to a bank, where the money is going. Your transactions will not be monitored either. At all MFOs applications are processed very quickly. It is also worth noting that special offers are available for regular lenders. The service is also equipped with a service desk, which will answer all your questions whenever needed.
------------------------------------------------------------

Edited October 16, 2018 by CraigA
Lking Posted October 16, 2018

The short answer is no. The email you are receiving from the Contact form on your website/domain will appear to come from your system NOT from the mailert.ru, in your example above. You can see this by looking at the header of the received email, depending on the email application you are using. For example in Thunderbird, when looking at the email if you press <Ctrl> U you will see how the email was delivered. If you follow the path from the top down you should see that the IP address is the same as your domain or your host. In reality these are emails you are sending to yourself.
petzl Posted October 16, 2018

2 hours ago, CraigA said:
    Problem: I'm starting to get 3-5 spam contacts/day through my Contact Form, and this appears to be escalating quickly.

You need to install a "Captcha"; it is a bot filling out your form.
https://www.whoishostingthis.com/resources/captcha/
CraigA Posted October 16, 2018

Lking, thank you for your insight into how SpamCop will process the message.

petzl, You're right, I'll investigate Captcha next. The "invisible field" and "Invisible reCAPTCHA" options are looking especially attractive (no Google dependency for the first, no human interaction for either). Thanks.

With this information I have two choices:

1. Install Captcha. Since I'd rather not lose clients, I'll try to install a Captcha mechanism.
2. Remove the Contact form from my site. I think in the last decade I've only had one actual client use my contact form, mostly because he said he could remember my site, but not my email address.

I considered how to modify my contact page to collect and report additional information, like IP information, but then I'd also have to figure out how to tie this into SpamCop's RBL system. I think there are only 2 realistic choices, though I may add code to record connecting IP information as this might be a simple change. Maybe at a later date I can figure out how to tie this IP information into iptables for blocking.

I can't let this distract me for too long, so option #2 is still on the table.

Thanks guys!
Lking Posted October 16, 2018

Another quick add to the form would be a site unique simple question or a Sesame Street type question (things that are not Google-able) for example: Which one doesn't belong? Orange, Grape, Apple? With a set of 3 or 4 random questions, with different answers it slows down the bots. It is also quick to implement and change the questions. It is all an arms race.
CraigA Posted October 16, 2018

19 minutes ago, Lking said:
    Another quick add to the form would be a site unique simple question or a Sesame Street type question (things that are not Google-able) for example: Which one doesn't belong? Orange, Grape, Apple? With a set of 3 or 4 random questions, with different answers it slows down the bots. It is also quick to implement and change the questions. It is all an arms race.

Timely, I'm looking at this in between other time sensitive tasks.
CraigA Posted October 16, 2018

Couldn't get "display:none" to work as "Forms" kept filling out the blank, even when hidden. So went with a "Sesame Street" question, which doesn't get filled in by "Forms", and that works. Thanks Lking.
Lking Posted October 16, 2018

A bot looks at the HTML, not the screen, so it 'sees' what style or CSS would hide. Hope the question approach works for you.
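
Added example (not part of any post in this thread): one way to check a "Sesame Street" question on the server, so that nothing in the HTML a bot reads reveals the answer. The questions, the `answer` field and the `fax_ext` decoy field are hypothetical; the decoy name is an assumption chosen so that browser form autofill is unlikely to match it.

```php
<?php
// Added example, not code from the thread. Questions and field names are hypothetical.
declare(strict_types=1);

// Site-specific questions: key => [prompt, accepted answers in lower case].
const QUESTIONS = [
    'odd'  => ['Which one is not a fruit: orange, grape, hammer?', ['hammer']],
    'sky'  => ['What colour is a clear daytime sky?', ['blue']],
    'legs' => ['How many legs does a cat have?', ['4', 'four']],
];

// Pick a question at random and remember only its key on the server, so the
// expected answer never appears in the HTML that a bot parses.
function issueChallenge(array &$session): string
{
    $key = array_rand(QUESTIONS);
    $session['challenge'] = $key;
    return QUESTIONS[$key][0];
}

// Read one form field as a trimmed string; arrays and missing fields become ''.
function field(array $post, string $name): string
{
    $v = $post[$name] ?? '';
    return is_string($v) ? trim($v) : '';
}

// Returns 'ok', or the reason the submission is rejected.
function checkSubmission(array $post, array &$session): string
{
    $key = $session['challenge'] ?? null;
    unset($session['challenge']);      // single use: a solved answer cannot be replayed
    if (!is_string($key) || !array_key_exists($key, QUESTIONS)) {
        return 'no-challenge';         // POST sent without loading the form first
    }
    if (field($post, 'fax_ext') !== '') {
        return 'decoy-filled';         // hidden decoy input that people never see
    }
    return in_array(strtolower(field($post, 'answer')), QUESTIONS[$key][1], true)
        ? 'ok' : 'wrong-answer';
}

// Constructed demonstration; contact.php would pass $_POST and $_SESSION.
$session = [];
echo issueChallenge($session), "\n";
$session['challenge'] = 'odd';         // pin the question so the demo is repeatable
echo checkSubmission(['answer' => ' Hammer '], $session), "\n";
echo checkSubmission(['answer' => 'hammer'], $session), "\n";
$session['challenge'] = 'sky';
echo checkSubmission(['answer' => 'blue', 'fax_ext' => '555'], $session), "\n";
```

The returned reason string can be recorded for each rejected submission, and mail is sent only when the result is `ok`.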
CraigA Posted October 17, 2018

So far, the Sesame Street approach has blocked all spam type contacts.

This script shows me some of what can be collected if spam escalates (possible next steps):

<?php
// Names of the $_SERVER entries to display.
$indicesServer = array('PHP_SELF', 'argv', 'argc', 'GATEWAY_INTERFACE',
    'SERVER_ADDR', 'SERVER_NAME', 'SERVER_SOFTWARE', 'SERVER_PROTOCOL',
    'REQUEST_METHOD', 'REQUEST_TIME', 'REQUEST_TIME_FLOAT', 'QUERY_STRING',
    'DOCUMENT_ROOT', 'HTTP_ACCEPT', 'HTTP_ACCEPT_CHARSET', 'HTTP_ACCEPT_ENCODING',
    'HTTP_ACCEPT_LANGUAGE', 'HTTP_CONNECTION', 'HTTP_HOST', 'HTTP_REFERER',
    'HTTP_USER_AGENT', 'HTTPS', 'REMOTE_ADDR', 'REMOTE_HOST', 'REMOTE_PORT',
    'REMOTE_USER', 'REDIRECT_REMOTE_USER', 'SCRIPT_FILENAME', 'SERVER_ADMIN',
    'SERVER_PORT', 'SERVER_SIGNATURE', 'PATH_TRANSLATED', 'SCRIPT_NAME',
    'REQUEST_URI', 'PHP_AUTH_DIGEST', 'PHP_AUTH_USER', 'PHP_AUTH_PW',
    'AUTH_TYPE', 'PATH_INFO', 'ORIG_PATH_INFO');

echo '<table cellpadding="10">';
foreach ($indicesServer as $arg) {
    if (isset($_SERVER[$arg])) {
        // argv is an array, the rest are scalars. Escape before output,
        // because the HTTP_* values are supplied by the client.
        $value = is_array($_SERVER[$arg]) ? implode(' ', $_SERVER[$arg]) : (string) $_SERVER[$arg];
        echo '<tr><td>' . $arg . '</td><td>' . htmlspecialchars($value, ENT_QUOTES, 'UTF-8') . '</td></tr>';
    } else {
        echo '<tr><td>' . $arg . '</td><td>-</td></tr>';
    }
}
echo '</table>';

/*
That will give you the result of each variable like (if the file is server_indices.php at the root and Apache Web directory is in E:\web) :

PHP_SELF /server_indices.php
argv -
argc -
GATEWAY_INTERFACE CGI/1.1
SERVER_ADDR 127.0.0.1
SERVER_NAME localhost
SERVER_SOFTWARE Apache/2.2.22 (Win64) PHP/5.3.13
SERVER_PROTOCOL HTTP/1.1
REQUEST_METHOD GET
REQUEST_TIME 1361542579
REQUEST_TIME_FLOAT -
QUERY_STRING
DOCUMENT_ROOT E:/web/
HTTP_ACCEPT text/html,application/xhtml+xml,application/xml;q=0.9,* / *;q=0.8
HTTP_ACCEPT_CHARSET ISO-8859-1,utf-8;q=0.7,*;q=0.3
HTTP_ACCEPT_ENCODING gzip,deflate,sdch
HTTP_ACCEPT_LANGUAGE fr-FR,fr;q=0.8,en-US;q=0.6,en;q=0.4
HTTP_CONNECTION keep-alive
HTTP_HOST localhost
HTTP_REFERER http://localhost/
HTTP_USER_AGENT Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.57 Safari/537.17
HTTPS -
REMOTE_ADDR 127.0.0.1
REMOTE_HOST -
REMOTE_PORT 65037
REMOTE_USER -
REDIRECT_REMOTE_USER -
SCRIPT_FILENAME E:/web/server_indices.php
SERVER_ADMIN myemail@personal.us
SERVER_PORT 80
SERVER_SIGNATURE
PATH_TRANSLATED -
SCRIPT_NAME /server_indices.php
REQUEST_URI /server_indices.php
PHP_AUTH_DIGEST -
PHP_AUTH_USER -
PHP_AUTH_PW -
AUTH_TYPE -
PATH_INFO -
ORIG_PATH_INFO -
*/
?>

Edited October 17, 2018 by CraigA
Lking Posted October 18, 2018

If you just do

<?php
foreach ($_SERVER as $key => $value) {
    // argv is an array; escape everything, since HTTP_* values come from the client.
    $text = is_array($value) ? implode(' ', $value) : (string) $value;
    echo htmlspecialchars("$key => $text", ENT_QUOTES, 'UTF-8') . '<BR>';
}
?>

Then you will get any values in the $_SERVER array that you may not know the name of, for example

    MIBDIRS => C:/xampp/php/extras/mibs
    MYSQL_HOME => \xampp\mysql\bin
    OPENSSL_CONF => C:/xampp/apache/bin/openssl.cnf
    PHP_PEAR_SYSCONF_DIR => \xampp\php
    PHPRC => \xampp\php
    TMP => \xampp\tmp
    HTTP_HOST => localhost
    HTTP_USER_AGENT => Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0
    HTTP_ACCEPT => text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    HTTP_ACCEPT_LANGUAGE => en-US,en;q=0.5
    HTTP_ACCEPT_ENCODING => gzip, deflate
    HTTP_COOKIE => PHPSESSID=jn2kt85fluv2h3auqogonchog1
    HTTP_CONNECTION => keep-alive
    HTTP_UPGRADE_INSECURE_REQUESTS => 1
    ...
CraigA Posted October 18, 2018

I like that better, nothing is missed, and concise. Any other information or arrays which might be useful to dump when trying to gather information about a slew of unwanted connections? I'm not a PHP expert. I'm thinking for now I'll just write a simple log file with CSV type records of "try-again" attempts which I probably won't look at until the system is experiencing some kind of problem.
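
Added example (not part of any post in this thread): a CSV log of rejected "try-again" submissions built from `$_SERVER`, treating the client-supplied `HTTP_*` values as untrusted before they are written. The log path, the column choice and the `wrong-answer` reason string are assumptions; the request data is constructed.

```php
<?php
// Added example, not code from the thread. The log path and columns are assumptions.
declare(strict_types=1);

// Make one client-supplied value safe to store: control characters become
// spaces, length is capped, and a leading = + - @ is prefixed with ' so a
// spreadsheet opening the log treats the cell as text rather than a formula.
function csvSafe(string $value, int $max = 200): string
{
    $value = substr(preg_replace('/[\x00-\x1F\x7F]+/', ' ', $value) ?? '', 0, $max);
    return preg_match('/^[=+\-@]/', $value) === 1 ? "'" . $value : $value;
}

// REMOTE_ADDR comes from the TCP connection; the HTTP_* entries are whatever
// the client chose to send and are recorded only as hints.
function buildRecord(array $server, string $reason): array
{
    $row = [gmdate('Y-m-d\TH:i:s\Z', (int) ($server['REQUEST_TIME'] ?? time())), $reason];
    foreach (['REMOTE_ADDR', 'HTTP_USER_AGENT', 'HTTP_REFERER'] as $key) {
        $v = $server[$key] ?? '-';
        $row[] = csvSafe(is_string($v) ? $v : '-');
    }
    return $row;
}

// Append one record under an exclusive lock so concurrent requests cannot interleave lines.
function logRejected(string $file, array $server, string $reason): bool
{
    $fh = fopen($file, 'ab');
    if ($fh === false) {
        return false;
    }
    flock($fh, LOCK_EX);
    $ok = fputcsv($fh, buildRecord($server, $reason), ',', '"', '\\') !== false;
    flock($fh, LOCK_UN);
    fclose($fh);
    return $ok;
}

// Constructed request data (203.0.113.0/24 is a documentation range).
$sample = [
    'REQUEST_TIME'    => 1539630196,
    'REMOTE_ADDR'     => '203.0.113.45',
    'HTTP_USER_AGENT' => "=HYPERLINK(\"http://example.invalid\")\r\nforged,line",
];
$log = sys_get_temp_dir() . '/contact-rejects.csv';   // keep the real file outside the web root
logRejected($log, $sample, 'wrong-answer');
echo file_get_contents($log);
```

In `contact.php` the call would be `logRejected($path, $_SERVER, $reason)` at the point where a submission is refused.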
Lking Posted October 18, 2018

For what you're doing right now, that is all you can find out about the "visitor"
petzl Posted October 18, 2018

5 hours ago, Lking said:
    For what you're doing right now, that is all you can find out about the "visitor"

Wish SpamCop pointyheads would get a working Captcha, this is ridiculous!
C2H5OH Posted October 23, 2018

Craig, you said, "Remove the Contact form from my site. I think in the last decade I've only had one actual client use my contact form, mostly because he said he could remember my site, but not my email address."

On that basis, would a simpler solution be to change your contact form to a "contact" page on your website containing a jpeg of your email address?
CraigA Posted October 24, 2018

I already have JPEG email information in the "Resume" section of my site, JPEG business card. Guess it didn't occur to him to look there. But yes, I agree reasonably good idea. You never know what people will see. Apparently he kept trying to send it to first.last@last.com when the real address is first@last.com. I considered making mail aliases for all combinations, but decided I have enough trouble with spam, why make spam even easier to deliver by opening up address combinations?