Spam abusing/bypassing the {contact_form} tag
Posted: Fri Aug 29, 2008 3:56 pm
Hi,
I posted the following in "The Lounge" as I thought that was the appropriate place but got no answer so am trying here now.
I have a site running with the following details:-
CMS 1.4.1
CMS Mailer 1.73.14
PHPIDS 1.4.7
Album 0.9.3
Captcha 0.3.1
VisitorStats 0.1.1
and am using the built-in tag {contact_form} in a "Contact Us" page.
That worked well, but we were getting spam through the page (looking in the logs, you could see the IP address scanning the whole Menu system, each page in turn without a referring URL, usually for less than a second per page until it got to the "Contact Us" page, then it called it again, and left the site). The times and IP address used matched the spam exactly.
I recently added the modules "Captcha" and "PHPIDS" but the spam messages seem to be bypassing the Captcha routine but being caught by PHPIDS. The IP Address is using the "POST" command and the advice email from PHPIDS says:
- - - - - - - - - - - - - - - - -
The following attack has been detected by PHPIDS
IP: xx.xx.xxx.xxx
Date: 2008-08-24T23:09:15+01:00
Impact: 24
Affected tags: xss csrf sqli id lfi
Affected parameters: POST.message=Extraordinarity%3A+%2C+%3Ca+href%3D%22http%3A%2F%2.....
Request URI: %2Findex.php%3Fpage%3Dcontact
- - - - - - - - - - - - - - - -
Yet if I try the "Contact Us" page and do not enter the CAPTCHA text, my message gets rejected by the "Contact Us" page. If I try again, and this time enter the CAPTCHA text, my message (the content of which was pasted from a previous rejected spam message) gets through without being rejected by PHPIDS.
So, it looks like the spammers are somehow abusing the {contact_form} tag by bypassing the CAPTCHA routine. How? That's my question. I want to stop the b***ards in the first place, not block them after they have posted their message with PHPIDS (which it seems to do quite well)!
Any help/explanation would be much appreciated. I really like CMSMS but this is getting me down.
Thanks
Quethiock
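Added example, not part of the original post and not CMS Made Simple code: a log check for the pattern the post describes (one IP requesting pages in quick succession with no referring URL, then sending a POST to the contact page). It assumes Apache "combined" access-log format; the IP addresses, thresholds and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/NCSA "combined" log format (assumed; adjust to your server's format).
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" \d{3} \S+ '
    r'"(?P<referer>[^"]*)" "[^"]*"'
)
CONTACT_URI = "/index.php?page=contact"  # decoded Request URI from the PHPIDS report

# Constructed sample log: one scripted client, one ordinary visitor.
BOT, HUMAN = "192.0.2.10", "198.51.100.7"
SAMPLE_LOG = [
    f'{BOT} - - [24/Aug/2008:23:09:13 +0100] "GET /index.php?page=home HTTP/1.1" 200 5120 "-" "Mozilla/4.0"',
    f'{BOT} - - [24/Aug/2008:23:09:13 +0100] "GET /index.php?page=about HTTP/1.1" 200 4310 "-" "Mozilla/4.0"',
    f'{BOT} - - [24/Aug/2008:23:09:14 +0100] "GET /index.php?page=contact HTTP/1.1" 200 3990 "-" "Mozilla/4.0"',
    f'{BOT} - - [24/Aug/2008:23:09:15 +0100] "POST /index.php?page=contact HTTP/1.1" 200 4020 "-" "Mozilla/4.0"',
    f'{HUMAN} - - [24/Aug/2008:23:10:02 +0100] "GET /index.php?page=home HTTP/1.1" 200 5120 "-" "Firefox/3.0"',
    f'{HUMAN} - - [24/Aug/2008:23:10:40 +0100] "GET /index.php?page=contact HTTP/1.1" 200 3990 "http://example.org/index.php?page=home" "Firefox/3.0"',
    f'{HUMAN} - - [24/Aug/2008:23:12:05 +0100] "POST /index.php?page=contact HTTP/1.1" 200 4020 "http://example.org/index.php?page=contact" "Firefox/3.0"',
]

def find_form_bots(lines, max_gap_s=1, min_pages=3):
    """Return sorted IPs that crawl pages rapidly with no Referer on any
    request and POST to the contact page. Thresholds are assumptions."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            hits[m["ip"]].append((ts, m["method"], m["uri"], m["referer"]))
    flagged = []
    for ip, reqs in hits.items():
        reqs.sort(key=lambda r: r[0])
        posted = any(meth == "POST" and uri.startswith(CONTACT_URI) for _, meth, uri, _ in reqs)
        no_referer = all(ref in ("", "-") for *_, ref in reqs)
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(reqs, reqs[1:])]
        rapid = len(reqs) >= min_pages and all(g <= max_gap_s for g in gaps)
        if posted and no_referer and rapid:
            flagged.append(ip)
    return sorted(flagged)

if __name__ == "__main__":
    print(find_form_bots(SAMPLE_LOG))
```

Access logs usually record timestamps to the second, so "less than a second per page" shows up as gaps of 0 or 1 seconds, which is why the default threshold is 1.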