Help out a low-tech girl please? [Archive] - Glock Talk



Shoeless
11-19-2005, 14:37
I'll try to be as thorough as possible, but ask any questions you think I haven't covered the answers to.

1. I have a web site and it is hosted on my husband's company's server. They pay to have their own server through an outside company.

2. On my web site, I have forms to contact me. You fill in your name, email, and your question, and it sends me an email automatically.

3. Lately, I have been getting a LOT of strange emails that look as though they've come from people filling out the forms, but they are obviously not from humans. The form fields come through with gibberish in them, etc. I get MANY of these every day.

4. Simultaneously, I am getting emails from people I don't even know, asking me to remove them from my list. Now, these people aren't even ON my list, I don't know who they are and how they are getting emails from my domain (catalystorganizing-dot-com) or else they look like they are coming from the server (tpstrategies-dot-com). It is making me look like some crazy crackpot spammer!!

Is there some sort of crazy bot thing out there that is just randomly sending emails to random people that I don't know?? Could the nutty form fields data be tied to the sending of these emails?

Is there anything I can do?

Help!!!

Thanks!!

Shoeless, frustrated and annoyed

ps: The lady who emailed me today (who is being very kind about the whole thing) said that she thinks our server maybe was hacked and some spammer is sending out mass emails from the tpstrategies server. Is this possible? And if so, what can we do to make the server safer from hackers?

Bunny_FuFu_4u
11-19-2005, 16:19
My group used to have forms on our website for a guestbook, but after taking turns cleaning up the mess from bots, viruses, and hackers, we ditched the idea and got rid of the forms. The most secure website is one that allows no user input of any kind. If you do have any input then you are going to need more security.

David_G17
11-19-2005, 16:39
are you using formmail?

this: http://www.scriptarchive.com/formmail.html

if so, we were having problems as well:
discussion: http://rickconner.net/spamweb/spam_formmail.html

aspartz
11-19-2005, 17:36
Is there a chance that people are using your server as a mail relay?

ARS

grantglock
11-20-2005, 22:16
What's the link to the form? It's pretty easy to tell if it's an open relay, which is likely from what you are telling us.

Shoeless
11-21-2005, 08:11
Here is the form:

http://www.catalystorganizing.com/contact.php


Thanks!
Shoeless

Dandapani
11-21-2005, 08:37
Originally posted by aspartz
Is there a chance that people are using your server as a mail relay?

ARS

mail.catalystorganizing.com is the MX host for the server address and it tests as not allowing relays.

IDtheTarget
11-21-2005, 08:53
Originally posted by dmobrien2001
mail.catalystorganizing.com is the MX host for the server address and it tests as not allowing relays.

One tactic that spammers are using these days is to compromise a system, install a trojan, then close the hole that they used to get in. Then they use the trojan to send out the spam.

However, this isn't as common if the server is kept up to date.

What's more common is that a spammer will run a spider or use google to harvest real email addresses from websites, then use the website email address as the "from" address on the spam that they send out.

To determine which is the case, the next time you receive a complaint from somebody who's received one of these emails, ask them to set their email client so that it shows ALL of the headers, copy the entire message (with headers) to a text file, and email it to you. If you'll post it here (or email it to me if you like) we can analyze whether the email actually came from your server from the headers.

What operating systems are in use by your email and web server(s)? (Yes, I could determine that myself, but the tools I'd use are, um...frowned upon by my ISP. :) )

Shoeless
11-21-2005, 14:49
Originally posted by IDtheTarget
One tactic that spammers are using these days is to compromise a system, install a trojan, then close the hole that they used to get in. Then they use the trojan to send out the spam.

However, this isn't as common if the server is kept up to date.

What's more common is that a spammer will run a spider or use google to harvest real email addresses from websites, then use the website email address as the "from" address on the spam that they send out.

To determine which is the case, the next time you receive a complaint from somebody who's received one of these emails, ask them to set their email client so that it shows ALL of the headers, copy the entire message (with headers) to a text file, and email it to you. If you'll post it here (or email it to me if you like) we can analyze whether the email actually came from your server from the headers.

What operating systems are in use by your email and web server(s)? (Yes, I could determine that myself, but the tools I'd use are, um...frowned upon by my ISP. :) )

I am not sure what you mean by "what operating systems are in use by email and web servers." Sorry to be such a dolt.

I am emailing the latest lady who got a suspicious email from me to see if she saved it and will copy the headers so I can post them here.

Shoeless

Shoeless
11-21-2005, 15:10
Headers of the offending emails:

Subject: Online Information Request
Date: 11/19/2005 10:51:10 AM Central Standard Time
From: reasury@dedicated.tpstrategies.com
Reply To:
To: monica@catalystorganizing.com
Return-Path: <apache@dedicated.tpstrategies.com>
Received: from rly-xn01.mx.aol.com (rly-xn01.mail.aol.com [172.20.83.114]) by air-xn02.mail.aol.com (v108.30) with ESMTP id MAILINXN24-627437f57e551; Sat, 19 Nov 2005 11:51:10 -0500
Received: from dedicated.tpstrategies.com (207-36-201-140.ptr.primarydns.com [207.36.201.140]) by rly-xn01.mx.aol.com (v108.30) with ESMTP id MAILRELAYINXN15-627437f57e551; Sat, 19 Nov 2005 11:50:48 -0500
Received: from dedicated.tpstrategies.com (localhost.localdomain [127.0.0.1])
by dedicated.tpstrategies.com (8.12.10/8.12.10) with ESMTP id jAJGptct019039;
Sat, 19 Nov 2005 08:51:56 -0800
Received: (from apache@localhost)
by dedicated.tpstrategies.com (8.12.10/8.12.10/Submit) id jAJGpox1019029;
Sat, 19 Nov 2005 08:51:50 -0800
Date: Sat, 19 Nov 2005 08:51:50 -0800
Message-Id: <200511191651.jAJGpox1019029@dedicated.tpstrategies.com>
To: monica@catalystorganizing.com
Subject: Online Information Request
From: reasury@dedicated.tpstrategies.com
Content-Type: multipart/mixed; boundary="434e44e9c67b6efbdad7029c5c9dc211"
MIME-Version: 1.0
X-AOL-IP: 207.36.201.140
X-AOL-SCOLL-SCORE: 0:2:416482791:9932111
X-AOL-SCOLL-URL_COUNT: 0

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

FYI, guys: TPStrategies is the name of my husband's company and it is HIS server where my web site is hosted.

Thanks!!

Shoeless
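The way to read a header block like the one above is from the bottom Received: line upwards, because every mail server prepends its own line as the message passes through. The following Python script is an added example (not code from this thread or from anyone posting in it) that walks that chain for the headers Shoeless posted, and for a second, constructed header block that shows what a message handed to the server over SMTP from an outside address would look like instead. The Received: formats it parses are Sendmail's standard local-submission and SMTP forms; the 192.0.2.7 address and mail.example.net host in the constructed sample are documentation placeholders, not real hosts from the thread.

```python
"""Walk an e-mail's Received: chain to see where the message entered the mail system.

Added example, not code from the thread. Each mail server prepends its own
Received: line, so the bottom-most line is the origin and the top-most is
the final delivery. The first sample is the header block Shoeless posted.
"""
import re
from email import message_from_string

# Headers as quoted in the thread (the complaint e-mail as displayed by AOL).
SAMPLE_HEADERS = """\
Return-Path: <apache@dedicated.tpstrategies.com>
Received: from rly-xn01.mx.aol.com (rly-xn01.mail.aol.com [172.20.83.114]) by air-xn02.mail.aol.com (v108.30) with ESMTP id MAILINXN24-627437f57e551; Sat, 19 Nov 2005 11:51:10 -0500
Received: from dedicated.tpstrategies.com (207-36-201-140.ptr.primarydns.com [207.36.201.140]) by rly-xn01.mx.aol.com (v108.30) with ESMTP id MAILRELAYINXN15-627437f57e551; Sat, 19 Nov 2005 11:50:48 -0500
Received: from dedicated.tpstrategies.com (localhost.localdomain [127.0.0.1])
 by dedicated.tpstrategies.com (8.12.10/8.12.10) with ESMTP id jAJGptct019039;
 Sat, 19 Nov 2005 08:51:56 -0800
Received: (from apache@localhost)
 by dedicated.tpstrategies.com (8.12.10/8.12.10/Submit) id jAJGpox1019029;
 Sat, 19 Nov 2005 08:51:50 -0800
Date: Sat, 19 Nov 2005 08:51:50 -0800
From: reasury@dedicated.tpstrategies.com
To: monica@catalystorganizing.com
Subject: Online Information Request
"""

# Constructed contrast case (not from the thread): a message handed to the same
# server over SMTP from an outside address, which is what an abused relay shows.
RELAYED_HEADERS = """\
Received: from mail.example.net (mail.example.net [192.0.2.7])
 by dedicated.tpstrategies.com (8.12.10/8.12.10) with ESMTP id EXAMPLE0001;
 Sat, 19 Nov 2005 09:00:00 -0800
From: someone@example.net
To: monica@catalystorganizing.com
Subject: constructed sample
"""

# Sendmail's local-submission form: "(from user@localhost) by host ..."
LOCAL_SUBMIT = re.compile(r"^\(from\s+([^)\s]+)\)\s+by\s+(\S+)")
# Ordinary SMTP hop: "from helo-name (reverse-dns [ip]) by host ..."
SMTP_HOP = re.compile(r"^from\s+(\S+)(?:\s+\(([^)]*)\))?\s+by\s+(\S+)")
IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value):
    """Turn one Received: header value into a hop dict."""
    value = " ".join(value.split())  # unfold continuation lines
    m = LOCAL_SUBMIT.match(value)
    if m:
        return {"kind": "local-submit", "from": m.group(1), "by": m.group(2), "ip": None}
    m = SMTP_HOP.match(value)
    if not m:
        return {"kind": "unparsed", "from": None, "by": None, "ip": None, "raw": value}
    helo, comment, by = m.groups()
    ip = IPV4.search(comment or "")
    return {"kind": "smtp", "from": helo, "by": by, "ip": ip.group(1) if ip else None}


def trace_hops(raw_headers):
    """Return the hops in transit order, origin first."""
    msg = message_from_string(raw_headers)
    return [parse_received(v) for v in reversed(msg.get_all("Received") or [])]


def origin_verdict(raw_headers):
    """Describe where the message came from, based on the innermost hops."""
    hops = trace_hops(raw_headers)
    if not hops:
        return "no Received headers"
    origin = hops[0]
    if origin["kind"] == "local-submit":
        return f"generated on {origin['by']} by local process {origin['from']}"
    for hop in hops:
        if hop["kind"] == "smtp" and hop["ip"] and not hop["ip"].startswith("127."):
            return f"injected over SMTP from {hop['ip']} into {hop['by']}"
    return "origin unclear"


if __name__ == "__main__":
    for label, raw in (("thread sample", SAMPLE_HEADERS), ("constructed relay case", RELAYED_HEADERS)):
        print(label)
        for i, hop in enumerate(trace_hops(raw), 1):
            print(f"  hop {i}: {hop}")
        print("  verdict:", origin_verdict(raw))
```

For the posted headers the innermost line is a local submission by the `apache` user on dedicated.tpstrategies.com, i.e. the message was created by a process running under the web server account on the box itself rather than handed to it from outside; the constructed case shows the opposite pattern. Only the Received: lines added by servers you trust (here the ones stamped by dedicated.tpstrategies.com and AOL) carry weight, since anything below the first trustworthy hop can be written by the sender.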

IDtheTarget
11-22-2005, 07:21
Shoeless,

There are a couple of odd things in the headers as posted, but before I say something that I'll regret later ( ;) ), could you please post the headers from a valid entry? Say, if you were to do a dummy form entry yourself?

Thanks!

Shoeless
11-22-2005, 17:21
Originally posted by IDtheTarget
Shoeless,

There are a couple of odd things in the headers as posted, but before I say something that I'll regret later ( ;) ), could you please post the headers from a valid entry? Say, if you were to do a dummy form entry yourself?

Thanks!
This is one of the forms that came back today from my web site. Bear in mind that I have two problems...

1. The form on my site is being filled out and emailed. (see below)
2. Something is emailing random strangers using my server name (as in the post above)

To: monica@catalystorganizing.com
Subject: Online Information Request
From: "feda@hotmail.com" <>


Name: 折扣券
EMail: feda@hotmail.com
Day Phone: 020-78907890
Night Phone: 020-78907890


Address:

Address2: 券
券,


Prior Help: yes


Comments: 优惠信息、折扣信息非常丰富。

IDtheTarget
11-30-2005, 11:32
Shoeless,

Okay, sorry about the long time to respond. I've been dealing with multiple issues and I'm afraid I haven't had a whole lot of time. :(

First of all, looking at your headers again, they look legit (assuming that the person receiving the email has an AOL account). I think I was wrong about the bad headers in my previous post.

It looks like your husband's server is running Sendmail 8.10.12 on a linux machine, though it would have been unfriendly of me to do an OS fingerprint to determine exactly which version and whether or not it's up to date on their patches.

One thing that immediately comes to mind is using Apache as a mail proxy. That's been a problem in the past.

I can't find out much more about your server without going into "grey" area stuff, which would jeopardize my civilian and national guard jobs. And without knowing more (OS, patch levels, etc) I can't do too much more.

I PM'd you with my cell number if you need additional help. I'm not a stalker or anything. :) I work for a state law enforcement agency. cmu7999321 can verify, I bought a laptop from him and he's shipping it to me at work.

There are a few things that you can do to check out the server, but most of them entail taking the server down. Not something most people like to do.

One thing would be to boot from a rescue CD version of linux and run chkrootkit (http://www.chkrootkit.org) to ensure that your box hasn't been rooted. A pretty good liveCD security distro is Knoppix-STD (which stands for Security Tool Distribution, not the other thing! :) ) at http://www.knoppix-std.org . Again, the problem there is that to do it right, you have to boot from the CD. Otherwise, if you try to scan and the box has been rooted, the scan won't detect the root kit.

I'm pretty full through the weekend, but I'd be happy to help out one evening next week, or during the day Tuesday if you guys could use the help.

Ben

darth_rifle
12-01-2005, 22:20
My short suggestion:

Have someone with even minimal web design skills add a simple (pseudo-random) math question to the form, and ask the user to provide the answer. Use a server-side check.

E.g.:
Your Comments: [textarea]

3 + 3 = [answer]

This method will defeat most (if not all) post bots.

HTH,

- D. Rifle
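Here is what a server-side version of that check can look like, as an added example in Python rather than the PHP the contact form actually uses, and not code from D. Rifle or from the site. The question is generated per page load and the expected answer is never stored in a session or sent to the browser in clear: the form carries an opaque token (issue time, nonce and an HMAC over the answer), and the server recomputes the HMAC from whatever the visitor typed. The `SECRET`, the 15-minute lifetime and the in-memory set of used nonces are assumptions for the example; a real deployment would load the secret from configuration and keep the used-nonce list somewhere that survives a restart.

```python
"""Server-side arithmetic challenge for a contact form (added example, not the site's code).

The browser gets a question such as "3 + 4 =" plus an opaque token in a hidden
field.  On submit the server recomputes an HMAC over the typed answer and the
token's nonce; a bot that posts the form without answering fails the check.
"""
import hashlib
import hmac
import random
import secrets
import time

# Assumption: a per-deployment secret loaded from config, never sent to the browser.
SECRET = secrets.token_bytes(32)
TTL_SECONDS = 15 * 60
_used_nonces = set()  # one-time use so a solved token cannot be replayed


def _mac(answer, issued, nonce):
    msg = f"{answer}:{issued}:{nonce}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def make_challenge(now=None, rng=random):
    """Build the question shown next to the form and the token for its hidden field."""
    a, b = rng.randint(1, 9), rng.randint(1, 9)
    issued = int(time.time() if now is None else now)
    nonce = secrets.token_hex(8)
    token = f"{issued}:{nonce}:{_mac(a + b, issued, nonce)}"
    return {"question": f"{a} + {b} =", "token": token}


def check_answer(submitted, token, now=None):
    """Verify a submitted answer against its token; returns (ok, reason)."""
    try:
        issued_s, nonce, mac = token.split(":")
        issued = int(issued_s)
        answer = int(str(submitted).strip())
    except (ValueError, AttributeError):
        return False, "malformed"
    current = int(time.time() if now is None else now)
    if current - issued > TTL_SECONDS or issued > current + 60:
        return False, "expired"
    if nonce in _used_nonces:
        return False, "replayed"
    if not hmac.compare_digest(_mac(answer, issued, nonce), mac):
        return False, "wrong answer"
    _used_nonces.add(nonce)
    return True, "ok"


def handle_contact_form(form, now=None):
    """Gate the mail-sending step of the form behind the challenge check."""
    ok, reason = check_answer(form.get("answer", ""), form.get("token", ""), now)
    if not ok:
        return {"sent": False, "reason": reason}
    # This is where the original script would build and send the e-mail.
    return {"sent": True, "reason": reason, "from_field": form.get("email", "")}


if __name__ == "__main__":
    challenge = make_challenge()
    print("show to visitor:", challenge["question"])
    # Constructed submission: a visitor who answered correctly.
    a, b = (int(x) for x in challenge["question"].rstrip(" =").split(" + "))
    form = {"name": "Test", "email": "visitor@example.com", "comments": "hello",
            "answer": str(a + b), "token": challenge["token"]}
    print(handle_contact_form(form))
    print(handle_contact_form(form))  # second post with the same token is refused
```

Because the answer is derived from the question text, this stops scripts that post the form blindly, which is the case D. Rifle describes; it does not stop a bot written specifically for the site, which is why the expiry and one-time nonce are there to at least limit what a single solved challenge is worth.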

HVAC-TEK
12-06-2005, 09:04
Many forms now come with a picture or image of a word/phrase they require you to type in the phrase so as to prove you're human. You see, bots or automated form fillers can't READ pictures, so it can't compute an answer.

Look, most people here are forgetting that the company is hosting your site. I take it to mean that the server equipment doesn't belong to you. There is not much that you personally can do. I recommend talking to the network administrator about your problem, pointing out the possibility that his server is compromised should get his attention. I'm not unix/linux certified, so I can't help you here. However I recommend removing the form and going with a basic page listing contact information and an email address. Any advantages your company gains from having the form will not overcome the negative publicity you're doing to your potential clients.

I receive junk mail all the time that bounces from site to site in such a way that it cannot be blocked. I feel this is underhanded and although it's a product I purchase, I will not purchase from THAT Company. I do not do business with underhanded people.

Do you really want people thinking that way about your company?

KIM