Spammers: Advice being sought
# 1  
Old 04-10-2007
Spammers: Advice being sought

The Web-based contact form on my site has been under distributed spamming attacks for nearly a month already. Obviously, a spammer has tried to generate HTTP requests containing ads for male drugs and all sorts of similar stuff directly to the form mail processor script on my site using a robot, as I can see from my logs that dozens of them are being recorded nearly every hour.

Although I have programmed some trickery into the form processor way back in 2006 that was sufficient to prevent that spam mail from actually being sent to my mailbox at all, the attacks are filling up my log files and I think I should do something to stop that, as they are also wasting my bandwidth and processing power, having to serve them.

The spammer has apparently been able to attack hundreds of hosts and launch the attacks through them, as nearly all spam originated from different IP addresses, and thus far I have been able to capture several hundred IP addresses of those initiating those requests over just a couple of weeks. However, the design of my form allows me to find out the original IP address from which the form used in the attacks was initially captured, which resolves to an IP address from a netblock owner in New Jersey, who captured the form in mid March 2007; it was then used in all attacks thereafter.

As I know you all are seasoned sysadmins, what should I do now? And have you all experienced similar issues, and how did you go about that?
# 2  
Old 04-10-2007
I ended up doing a very basic "captcha" style implementation on my contact form - just to get the user to type in a word, in a certain case, otherwise the request fails validation - http://www.zazzybob.com/contact.html - this is an *extremely* basic form of validation - but it works - and I no longer get my daily Viagra and Rolex ads ;-)

Something like this may be more robust....

Cheers
ZB
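
The two defences described above, a challenge word that must be typed in exactly the right case (post #2) and a form that remembers which IP address it was originally served to (post #1), are combined below in one small form-processor check. This is an added example, not code from either poster's site: the secret key, the challenge word, the field names and the token layout are all assumptions, and the IP addresses used in the test are documentation ranges.

```python
import hmac
import hashlib
import time

# Assumption: a server-side secret generated once and stored outside the web root.
SECRET_KEY = b"replace-with-a-long-random-secret"

# The word the visitor must type exactly, case included (post #2's idea).
CHALLENGE_WORD = "Unix"


def issue_form_token(client_ip, issued_at=None, secret=SECRET_KEY):
    """Build the hidden field embedded in the form when it is served.

    The token binds the form to the IP that fetched it, so a later
    submission reveals where the form was originally captured even if
    it is replayed from hundreds of other hosts (post #1's observation).
    """
    if issued_at is None:
        issued_at = int(time.time())
    payload = f"{client_ip}|{issued_at}".encode()
    sig = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    return f"{client_ip}|{issued_at}|{sig}"


def parse_form_token(token, secret=SECRET_KEY):
    """Return (origin_ip, issued_at) if the signature verifies, else None."""
    try:
        ip, ts, sig = token.split("|")
    except ValueError:
        return None
    expected = hmac.new(secret, f"{ip}|{ts}".encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so the check does not leak the signature byte by byte.
    if not hmac.compare_digest(sig, expected):
        return None
    return ip, int(ts)


def validate_submission(fields, submitting_ip, now=None, max_age=3600):
    """Decide whether a posted contact form should be mailed.

    Returns (accepted, reason, origin_ip). origin_ip is the address the
    form was served to, which is what you would quote in an abuse report.
    """
    if now is None:
        now = time.time()
    parsed = parse_form_token(fields.get("token", ""))
    if parsed is None:
        return False, "bad-token", None
    origin_ip, issued_at = parsed
    if now - issued_at > max_age:
        return False, "stale-token", origin_ip
    # Exact, case-sensitive match: "unix" fails where "Unix" is expected.
    if fields.get("challenge", "") != CHALLENGE_WORD:
        return False, "bad-challenge", origin_ip
    # Policy choice: a form fetched from one IP and posted from another is rejected.
    # Visitors whose address changes between GET and POST will also be refused.
    if origin_ip != submitting_ip:
        return False, "ip-mismatch", origin_ip
    return True, "ok", origin_ip


if __name__ == "__main__":
    token = issue_form_token("198.51.100.7")
    print(validate_submission({"token": token, "challenge": "Unix"}, "198.51.100.7"))
    print(validate_submission({"token": token, "challenge": "Unix"}, "203.0.113.9"))
```

Whatever the processor decides, logging the `reason` and the `origin_ip` for rejected posts gives you exactly the evidence post #1 describes: a single origin address behind a swarm of submitting hosts.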
# 3  
Old 04-10-2007
Hi Zazzybob,

I have been able to block those requests from actually sending email with my present strategy. What I am interested to know is whether, as sysadmins, you are hunting those frequent abusers down and reporting them to the netblock owner concerned. Or, to put the question simply, what is your typical resolution for issues like that?
# 4  
Old 04-10-2007
Yes, I'm doing this often. Usually it's coming from one IP, so it's not difficult to trace. Do a whois for the IP, and send full headers + log file to $abuse@ contact.

In order to avoid large log files you may do the following with Apache:

Code:
# Tag requests whose method matches the pattern (e.g. the bot's POSTs) so they can be left out of the access log
SetEnvIf Request_Method ^your-pattern-here$ nofsckinglog

# Write only untagged requests; "xx" is presumably a piped log rotator such as cronolog, given the %Y-%m-%d path template
CustomLog "|xx /wwwlog/your-vhost/%Y-%m-%d/access.log" combined env=!nofsckinglog
ErrorLog "|xx /wwwlog/your-vhost/%Y-%m-%d/errors.log"

Code:
# Answer matching requests with 403 Forbidden; with the F flag the substitution path is ignored
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^your-pattern-here
RewriteRule ^/ %{DOCUMENT_ROOT}/some-empty-file [F,L]

# 5  
Old 04-10-2007
It's a shared Web hosting account. I have no access to such Apache directives, but the logs are accumulating and they are increasingly eating my quota (but I can't remove them, either). And the attacks were recorded from hundreds of hosts thus far with nearly no repeat, although I believe the attacks are coordinated by one party from behind, as shown by an identical cryptographic signature for all attacks. Apart from Apache logs, some logs are written by my site scripts that I can provision, but unless the source can be stopped those requests are still dragging down the server and leaving me lots of logs.

As for abuse reports, do netblock owners typically entertain them?
# 6  
Old 04-11-2007
The mod_rewrite trick should be allowed even on a shared host. Just put this in the .htaccess file at your server root and see if it works. As for the netblocks, every respected company / ISP should comply with regulations, namely, blocking whole /24 nets when a proven spammer is detected - take a look at Spamhaus' DROP list.
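
Post #4 suggests building an abuse report from the log file, and post #6 points at the Spamhaus DROP list as the kind of netblock-level evidence an ISP acts on. The script below, an added example that is not from any poster, does the log side of that job on a shared host where the Apache directives above are not available: it parses "combined" format access-log lines, counts POSTs to the form processor per source IP, and flags any source that falls inside a DROP-style netblock. The form processor path, the sample log lines and the DROP-style list are all constructed for the example; the list IDs are placeholders, not real SBL numbers, and the whois lookup post #4 mentions is left to the reader.

```python
import re
import ipaddress
from collections import Counter

# Assumption: the path of the form mail processor script (the thread never names it).
FORM_PROCESSOR = "/cgi-bin/formmail.pl"

# Apache "combined" log format, the same format the CustomLog line in post #4 writes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log lines; the addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Apr/2007:08:01:12 +0000] "POST /cgi-bin/formmail.pl HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.11 - - [10/Apr/2007:08:01:13 +0000] "POST /cgi-bin/formmail.pl HTTP/1.1" 200 512 "-" "Mozilla/4.0"
198.51.100.5 - - [10/Apr/2007:08:02:40 +0000] "GET /contact.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.5 - - [10/Apr/2007:08:03:02 +0000] "POST /cgi-bin/formmail.pl HTTP/1.1" 200 512 "http://example.test/contact.html" "Mozilla/5.0"
203.0.113.10 - - [10/Apr/2007:08:05:55 +0000] "POST /cgi-bin/formmail.pl HTTP/1.1" 200 512 "-" "Mozilla/4.0"
"""

# Constructed list in the DROP file layout ("cidr ; id"); the IDs are placeholders.
SAMPLE_DROP = """\
; constructed sample, not the real list
203.0.113.0/24 ; SBL-PLACEHOLDER-1
192.0.2.0/24 ; SBL-PLACEHOLDER-2
"""


def parse_drop_list(text):
    """Return the netblocks from a DROP-style file, skipping comment and blank lines."""
    nets = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        cidr = line.split(";")[0].strip()
        nets.append(ipaddress.ip_network(cidr))
    return nets


def form_posts_by_ip(log_text, path=FORM_PROCESSOR):
    """Count POST requests to the form processor, keyed by source IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m["method"] == "POST" and m["path"] == path:
            counts[m["ip"]] += 1
    return counts


def listed_in(ip, nets):
    """Netblocks from the list that contain ip (normally zero or one)."""
    addr = ipaddress.ip_address(ip)
    return [str(n) for n in nets if addr in n]


def abuse_summary(log_text, drop_text, threshold=2):
    """Sources worth reporting: repeated form posters, or anyone inside a listed netblock.

    Returns {ip: {"posts": count, "drop": [matching netblocks]}}.
    """
    nets = parse_drop_list(drop_text)
    summary = {}
    for ip, n in form_posts_by_ip(log_text).items():
        hits = listed_in(ip, nets)
        if n >= threshold or hits:
            summary[ip] = {"posts": n, "drop": hits}
    return summary


if __name__ == "__main__":
    for ip, info in sorted(abuse_summary(SAMPLE_LOG, SAMPLE_DROP).items()):
        print(ip, info)
```

On a real log, feed the file contents in place of `SAMPLE_LOG` and the downloaded DROP file in place of `SAMPLE_DROP`; the resulting per-IP counts plus the matching raw log lines are the "full headers + log file" a netblock owner's abuse contact expects to see.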