Request.Form abuse

[Mark Rae]

Hi,

Because all my public sites are hosted with a 3rd-party ISP and, therefore,
I don't have access to their server's EventLog etc, every error is emailed
to me.

Recently, I've been getting inundated with errors like the one below.
Obviously, spammers are trying to use a page on the site to send out Viagra
emails etc, but I was curious to know if anyone else is being hit like
this...

Mark

================================================

Error in: /web/default.aspx
Url: /web/default.aspx

Error Message: A potentially dangerous Request.Form value was detected from
the client (body="...ulsionism <a href="http://cial...").
Error Source: System.Web
Error Target Site: Void ValidateString(System.String, System.String,
System.String) Error Description: System.Web.HttpRequestValidationException:
A potentially dangerous Request.Form value was detected from the client
(body="...ulsionism <a href="http://cial...").
at System.Web.HttpRequest.ValidateString(String s, String valueName,
String collectionName)
at System.Web.HttpRequest.ValidateNameValueCollection(NameValueCollection
nvc, String collectionName)
at System.Web.HttpRequest.get_Form()
at System.Web.HttpRequest.get_HasForm()
at System.Web.UI.Page.GetCollectionBasedOnMethod(Boolean dontReturnNull)
at System.Web.UI.Page.DeterminePostBackMode()
at System.Web.UI.Page.ProcessRequestMain(Boolean
includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
at System.Web.UI.Page.ProcessRequest(Boolean
includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
at System.Web.UI.Page.ProcessRequest()
at System.Web.UI.Page.ProcessRequestWithNoAssert(HttpContext context)
at System.Web.UI.Page.ProcessRequest(HttpContext context)
at ASP.web_default_aspx.ProcessRequest(HttpContext context)
at
System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean&
completedSynchronously)

QueryString Data:
-----------------

Post Data:
----------
name: cialis
email: (e-mail address removed)
linkurl: http://cialis-store.blogspot.com
subject: cialis unanswerableness impotence medicine buy cialis
url_title: cialis
body: saccharostarchy convulsionism <a
href="http://cialis-store.blogspot.com"> cialis</a> comminative antihuff
usucapion cialis
[link=[URL]http://cialis-store.blogspot.com[/URL]] cialis[/link]

text: saccharostarchy convulsionism <a
href="http://cialis-store.blogspot.com"> cialis</a> comminative antihuff
usucapion cialis
[link=[URL]http://cialis-store.blogspot.com[/URL]] cialis[/link]

comment: saccharostarchy convulsionism <a
href="http://cialis-store.blogspot.com"> cialis</a> comminative antihuff
usucapion cialis
[link=[URL]http://cialis-store.blogspot.com[/URL]] cialis[/link]
,saccharostarchy convulsionism <a href="http://cialis-store.blogspot.com">
cialis</a> comminative antihuff usucapion
cialis
[link=[URL]http://cialis-store.blogspot.com[/URL]] cialis[/link]

Comments: saccharostarchy convulsionism <a
href="http://cialis-store.blogspot.com"> cialis</a> comminative antihuff
usucapion cialis
[link=[URL]http://cialis-store.blogspot.com[/URL]] cialis[/link]

message: saccharostarchy convulsionism <a
href="http://cialis-store.blogspot.com"> cialis</a> comminative antihuff
usucapion cialis
[link=[URL]http://cialis-store.blogspot.com[/URL]] cialis[/link]

msg: saccharostarchy convulsionism <a
href="http://cialis-store.blogspot.com"> cialis</a> comminative antihuff
usucapion cialis
[link=[URL]http://cialis-store.blogspot.com[/URL]] cialis[/link]

msgtext: saccharostarchy convulsionism <a
href="http://cialis-store.blogspot.com"> cialis</a> comminative antihuff
usucapion cialis
[link=[URL]http://cialis-store.blogspot.com[/URL]] cialis[/link]

txtbody: saccharostarchy convulsionism <a
href="http://cialis-store.blogspot.com"> cialis</a> comminative antihuff
usucapion cialis
[link=[URL]http://cialis-store.blogspot.com[/URL]] cialis[/link]

description: saccharostarchy convulsionism <a
href="http://cialis-store.blogspot.com"> cialis</a> comminative antihuff
usucapion cialis
[link=[URL]http://cialis-store.blogspot.com[/URL]] cialis[/link]

piv_comment: saccharostarchy convulsionism <a
href="http://cialis-store.blogspot.com"> cialis</a> comminative antihuff
usucapion cialis
[link=[URL]http://cialis-store.blogspot.com[/URL]] cialis[/link]

commentText: saccharostarchy convulsionism <a
href="http://cialis-store.blogspot.com"> cialis</a> comminative antihuff
usucapion cialis
[link=[URL]http://cialis-store.blogspot.com[/URL]] cialis[/link]

comment_text: saccharostarchy convulsionism <a
href="http://cialis-store.blogspot.com"> cialis</a> comminative antihuff
usucapion cialis
[link=[URL]http://cialis-store.blogspot.com[/URL]] cialis[/link]

repText: saccharostarchy convulsionism <a
href="http://cialis-store.blogspot.com"> cialis</a> comminative antihuff
usucapion cialis
[link=[URL]http://cialis-store.blogspot.com[/URL]] cialis[/link]

reply: saccharostarchy convulsionism <a
href="http://cialis-store.blogspot.com"> cialis</a> comminative antihuff
usucapion cialis
[link=[URL]http://cialis-store.blogspot.com[/URL]] cialis[/link]

content: saccharostarchy convulsionism <a
href="http://cialis-store.blogspot.com"> cialis</a> comminative antihuff
usucapion cialis
[link=[URL]http://cialis-store.blogspot.com[/URL]] cialis[/link]

shout: saccharostarchy convulsionism <a
href="http://cialis-store.blogspot.com"> cialis</a> comminative antihuff
usucapion cialis
[link=[URL]http://cialis-store.blogspot.com[/URL]] cialis[/link]

guest_message: saccharostarchy convulsionism <a
href="http://cialis-store.blogspot.com"> cialis</a> comminative antihuff
usucapion cialis
[link=[URL]http://cialis-store.blogspot.com[/URL]] cialis[/link]

form_body: saccharostarchy convulsionism <a
href="http://cialis-store.blogspot.com"> cialis</a> comminative antihuff
usucapion cialis
[link=[URL]http://cialis-store.blogspot.com[/URL]] cialis[/link]

com: saccharostarchy convulsionism <a
href="http://cialis-store.blogspot.com"> cialis</a> comminative antihuff
usucapion cialis
[link=[URL]http://cialis-store.blogspot.com[/URL]] cialis[/link]

comment[body]: saccharostarchy convulsionism <a
href="http://cialis-store.blogspot.com"> cialis</a> comminative antihuff
usucapion cialis
[link=[URL]http://cialis-store.blogspot.com[/URL]] cialis[/link]

PostComment.ascx:tbComment: saccharostarchy convulsionism <a
href="http://cialis-store.blogspot.com"> cialis</a> comminative antihuff
usucapion cialis
[link=[URL]http://cialis-store.blogspot.com[/URL]] cialis[/link]

 

[Kevin Spencer]

Hi Mark,

Have you considered using Captcha?

http://en.wikipedia.org/wiki/Captcha
http://www.captcha.net/
http://www.w3.org/TR/turingtest/

--
HTH,

Kevin Spencer
Microsoft MVP
Short Order Coder
http://unclechutney.blogspot.com

What You Seek Is What You Get

Hi,

Because all my public sites are hosted with a 3rd-party ISP and,
therefore, I don't have access to their server's EventLog etc, every error
is emailed to me.

Recently, I've been getting inundated with errors like the one below.
Obviously, spammers are trying to use a page on the site to send out
Viagra emails etc, but I was curious to know if anyone else is being hit
like this...

Mark

================================================

Error in: /web/default.aspx
Url: /web/default.aspx

Error Message: A potentially dangerous Request.Form value was detected
from the client (body="...ulsionism <a href="http://cial...").
Error Source: System.Web
Error Target Site: Void ValidateString(System.String, System.String,
System.String) Error Description:
System.Web.HttpRequestValidationException: A potentially dangerous
Request.Form value was detected from the client (body="...ulsionism <a
href="http://cial...").
at System.Web.HttpRequest.ValidateString(String s, String valueName,
String collectionName)
at
System.Web.HttpRequest.ValidateNameValueCollection(NameValueCollection
nvc, String collectionName)
at System.Web.HttpRequest.get_Form()
at System.Web.HttpRequest.get_HasForm()
at System.Web.UI.Page.GetCollectionBasedOnMethod(Boolean dontReturnNull)
at System.Web.UI.Page.DeterminePostBackMode()
at System.Web.UI.Page.ProcessRequestMain(Boolean
includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
at System.Web.UI.Page.ProcessRequest(Boolean
includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
at System.Web.UI.Page.ProcessRequest()
at System.Web.UI.Page.ProcessRequestWithNoAssert(HttpContext context)
at System.Web.UI.Page.ProcessRequest(HttpContext context)
at ASP.web_default_aspx.ProcessRequest(HttpContext context)
at
System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean&
completedSynchronously)

QueryString Data:
-----------------

Post Data:
----------
name: cialis
email: (e-mail address removed)
linkurl: http://cialis-store.blogspot.com
subject: cialis unanswerableness impotence medicine buy cialis
url_title: cialis
body: saccharostarchy convulsionism <a
href="http://cialis-store.blogspot.com"> cialis</a> comminative antihuff
usucapion cialis
[link=[URL]http://cialis-store.blogspot.com[/URL]] cialis[/link]

text: saccharostarchy convulsionism <a
href="http://cialis-store.blogspot.com"> cialis</a> comminative antihuff
usucapion cialis
[link=[URL]http://cialis-store.blogspot.com[/URL]] cialis[/link]

comment: saccharostarchy convulsionism <a
href="http://cialis-store.blogspot.com"> cialis</a> comminative antihuff
usucapion cialis
[link=[URL]http://cialis-store.blogspot.com[/URL]] cialis[/link]
,saccharostarchy convulsionism <a href="http://cialis-store.blogspot.com">
cialis</a> comminative antihuff usucapion
cialis
[link=[URL]http://cialis-store.blogspot.com[/URL]] cialis[/link]

Comments: saccharostarchy convulsionism <a
href="http://cialis-store.blogspot.com"> cialis</a> comminative antihuff
usucapion cialis
[link=[URL]http://cialis-store.blogspot.com[/URL]] cialis[/link]

message: saccharostarchy convulsionism <a
href="http://cialis-store.blogspot.com"> cialis</a> comminative antihuff
usucapion cialis
[link=[URL]http://cialis-store.blogspot.com[/URL]] cialis[/link]

msg: saccharostarchy convulsionism <a
href="http://cialis-store.blogspot.com"> cialis</a> comminative antihuff
usucapion cialis
[link=[URL]http://cialis-store.blogspot.com[/URL]] cialis[/link]

msgtext: saccharostarchy convulsionism <a
href="http://cialis-store.blogspot.com"> cialis</a> comminative antihuff
usucapion cialis
[link=[URL]http://cialis-store.blogspot.com[/URL]] cialis[/link]

txtbody: saccharostarchy convulsionism <a
href="http://cialis-store.blogspot.com"> cialis</a> comminative antihuff
usucapion cialis
[link=[URL]http://cialis-store.blogspot.com[/URL]] cialis[/link]

description: saccharostarchy convulsionism <a
href="http://cialis-store.blogspot.com"> cialis</a> comminative antihuff
usucapion cialis
[link=[URL]http://cialis-store.blogspot.com[/URL]] cialis[/link]

piv_comment: saccharostarchy convulsionism <a
href="http://cialis-store.blogspot.com"> cialis</a> comminative antihuff
usucapion cialis
[link=[URL]http://cialis-store.blogspot.com[/URL]] cialis[/link]

commentText: saccharostarchy convulsionism <a
href="http://cialis-store.blogspot.com"> cialis</a> comminative antihuff
usucapion cialis
[link=[URL]http://cialis-store.blogspot.com[/URL]] cialis[/link]

comment_text: saccharostarchy convulsionism <a
href="http://cialis-store.blogspot.com"> cialis</a> comminative antihuff
usucapion cialis
[link=[URL]http://cialis-store.blogspot.com[/URL]] cialis[/link]

repText: saccharostarchy convulsionism <a
href="http://cialis-store.blogspot.com"> cialis</a> comminative antihuff
usucapion cialis
[link=[URL]http://cialis-store.blogspot.com[/URL]] cialis[/link]

reply: saccharostarchy convulsionism <a
href="http://cialis-store.blogspot.com"> cialis</a> comminative antihuff
usucapion cialis
[link=[URL]http://cialis-store.blogspot.com[/URL]] cialis[/link]

content: saccharostarchy convulsionism <a
href="http://cialis-store.blogspot.com"> cialis</a> comminative antihuff
usucapion cialis
[link=[URL]http://cialis-store.blogspot.com[/URL]] cialis[/link]

shout: saccharostarchy convulsionism <a
href="http://cialis-store.blogspot.com"> cialis</a> comminative antihuff
usucapion cialis
[link=[URL]http://cialis-store.blogspot.com[/URL]] cialis[/link]

guest_message: saccharostarchy convulsionism <a
href="http://cialis-store.blogspot.com"> cialis</a> comminative antihuff
usucapion cialis
[link=[URL]http://cialis-store.blogspot.com[/URL]] cialis[/link]

form_body: saccharostarchy convulsionism <a
href="http://cialis-store.blogspot.com"> cialis</a> comminative antihuff
usucapion cialis
[link=[URL]http://cialis-store.blogspot.com[/URL]] cialis[/link]

com: saccharostarchy convulsionism <a
href="http://cialis-store.blogspot.com"> cialis</a> comminative antihuff
usucapion cialis
[link=[URL]http://cialis-store.blogspot.com[/URL]] cialis[/link]

comment[body]: saccharostarchy convulsionism <a
href="http://cialis-store.blogspot.com"> cialis</a> comminative antihuff
usucapion cialis
[link=[URL]http://cialis-store.blogspot.com[/URL]] cialis[/link]

PostComment.ascx:tbComment: saccharostarchy convulsionism <a
href="http://cialis-store.blogspot.com"> cialis</a> comminative antihuff
usucapion cialis
[link=[URL]http://cialis-store.blogspot.com[/URL]] cialis[/link]

 

[Mark Rae]

Have you considered using Captcha?

There is no actual form to fill in on the page in question - it's just being
hijacked...

 

[Kevin Spencer]

Ah, so what you're saying is that a POST request is being sent with the
associated form fields in it, which don't correspond to any actual form
fields in the page. Interesting approach to SPAM. I guess the idea is that
some URL might have a form handler for the corresponding form fields, a sort
of "shotgun" approach of some sort. The only thing I can think of at this
point would be to either (1) configure the web server to not respond to
messages from the IP address of the client sending the requests, or (2)
build a mechanism into your app that ignores requests from a list of
configurable IP addresses which you can control. I mention that since you're
not hosting your own app here.

You could also email the provider of the IP address, if they have an abuse
email address.

Da**ed SPAMmers...

--
HTH,

Kevin Spencer
Microsoft MVP
Short Order Coder
http://unclechutney.blogspot.com

What You Seek Is What You Get

 

[Mark Rae]

Ah, so what you're saying is that a POST request is being sent with the
associated form fields in it, which don't correspond to any actual form
fields in the page.
Yes.

Interesting approach to SPAM.

All too common, I'm sorry to say...

I guess the idea is that some URL might have a form handler for the
corresponding form fields, a sort of "shotgun" approach of some sort. The
only thing I can think of at this point would be to either (1) configure
the web server to not respond to messages from the IP address of the
client sending the requests, or (2) build a mechanism into your app that
ignores requests from a list of configurable IP addresses which you can
control. I mention that since you're not hosting your own app here.

S'OK - I can easily prevent it from getting any further thany my website - I
was just interested to know if anyone else was experiencing the same
thing...

You could also email the provider of the IP address, if they have an abuse
email address.

Tried that - no response so far...

 

[=?ISO-8859-1?Q?G=F6ran_Andersson?=]

Hi,

Because all my public sites are hosted with a 3rd-party ISP and, therefore,
I don't have access to their server's EventLog etc, every error is emailed
to me.

Recently, I've been getting inundated with errors like the one below.
Obviously, spammers are trying to use a page on the site to send out Viagra
emails etc, but I was curious to know if anyone else is being hit like
this...

Yes, that is common. If you have a form on a public web site, it will
frequently be hit by script robots that try to send spam mails or add
spam into guestbooks and such.

There are some things that you can to to filter out this spam:

:: Give the fields non-descriptive names, like "e28736482634" instead of
"email". That makes it harder for the spam script to determine the use
of the fields, thus easier for you to filter out the attempts.

:: Spam messages often try to put links on your page, hoping that you
don't html-encode the data before displaying it, or that you have a
special tag for links. Look for "<a href=" or "[url=" in the messages.

:: Log what's happening so that you can examine what is sent to the
form. You should quite easily find other patterns that you can use to
filter out most spam.

 

[Mark Rae]

Yes, that is common. If you have a form on a public web site, it will
frequently be hit by script robots that try to send spam mails or add spam
into guestbooks and such.

So it seems...

:: Give the fields non-descriptive names, like "e28736482634" instead of
"email". That makes it harder for the spam script to determine the use of
the fields, thus easier for you to filter out the attempts.

:: Spam messages often try to put links on your page, hoping that you
don't html-encode the data before displaying it, or that you have a
special tag for links. Look for "<a href=" or "[url=" in the messages.

There are loads of those - see my OP.

 

[Juan T. Llibre]

re:

There are no fields within the <form> tag of the page that's being hit - only text and
hyperlinks...

They aren't hitting that form.

They're hitting your PostComment User Control : PostComment.ascx

Adding Captcha code to that control should get rid of that problem.

So it seems...

There are no fields within the <form> tag of the page that's being hit - only text and
hyperlinks...

:: Spam messages often try to put links on your page, hoping that you don't html-encode the data
before displaying it, or that you have a special tag for links. Look for "<a href=" or "[url=" in
the messages.

There are loads of those - see my OP.

 

[Mark Rae]

They aren't hitting that form.

They're hitting your PostComment User Control : PostComment.ascx

Adding Captcha code to that control should get rid of that problem.

This doesn't happen often, but I haven't got a clue what you're talking
about here...

The page that's being hit (as evinced from the error messages and the web
logs) is:
http://www.markrae.com/web/default.aspx

There are no data-entry controls within the <form> tag - only text and
hyperlinks.

There are no User Controls anywhere in the entire site - I really can't
imagine where you have found PostComment.ascx...

How would adding Captcha code help? Where would I put it?

 

[Kevin Spencer]

Hi Mark,

S'OK - I can easily prevent it from getting any further thany my website -
I was just interested to know if anyone else was experiencing the same
thing...

I'm sure many people are experiencing the same thing. I'm very sorry.

--

Kevin Spencer
Microsoft MVP
Short Order Coder
http://unclechutney.blogspot.com

What You Seek Is What You Get

 

[Mark Rae]

I'm sure many people are experiencing the same thing.

I'm very fortunate in that my ISP (www.hostinguk.net) is extremely
responsive to such matters. As all the "attacks" (can't think of a better
word) came from the same IP address (66.79.163.226), my ISP has immediately
blocked that IP address in IIS, and has lodged a complaint with the owner of
the IP address in question.

 

[=?ISO-8859-1?Q?G=F6ran_Andersson?=]

There are no fields within the <form> tag of the page that's being hit -
only text and hyperlinks...

Why do you have a form on the page, then?

 

[Juan T. Llibre]

re:

There are no User Controls anywhere in the entire site - I really can't imagine where you have
found PostComment.ascx...

It's mentioned in your original post's error message.
It may be, though, just the system spitting back what they are POSTing to.

What's going on is that the attackers are POSTing to your "default.aspx" page.

I see you have a form named "aspnetForm" with ID "aspnetForm" in default.aspx :

<form name="aspnetForm" method="post" action="default.aspx" id="aspnetForm">

....but it doesn't have a runat="server" property,
which means that anybody can POST to it using HTML.

Maybe, if you don't need the capacity to POST to that page,
you could do without the <form name="aspnetForm"...> tag ?

Alternately, you could add the runat="server" property...and let the server manage the security.
The ASP.NET server should reject any POSTs to non-existent fields.

Try either, or both, and see if one of them stops the bleeding.

 

[Juan T. Llibre]

re:

Why do you have a form on the page, then?

Exactly.

Il welcome your comments on the two solutions I outlined in my previous post, Göran.

 

[Mark Rae]

It's mentioned in your original post's error message.
It may be, though, just the system spitting back what they are POSTing to.

Ah - now I understand - yes, I'm sure you're right about that...

What's going on is that the attackers are POSTing to your "default.aspx"
page.
Yes.

I see you have a form named "aspnetForm" with ID "aspnetForm" in
default.aspx :

<form name="aspnetForm" method="post" action="default.aspx"
id="aspnetForm">

...but it doesn't have a runat="server" property,
which means that anybody can POST to it using HTML.

If you're looking at the source HTML, you're never going to see the runat
tag in any attribute...

The page is a ContentPage - the MasterPage has the <form> tag as follows:

<form id="frmDefault" runat="server">
<!-- header stuff - logo etc -->
<asp:Menu ID="mnuMenu" runat="server" Orientation="Horizontal" >
<%-- the menu items --%>
</asp:Menu>
<br />
<asp:ContentPlaceHolder ID="cphContent" runat="server" />
</form>

As you know, "aspnetForm" is the name MasterPages give the default form when
the HTML is rendered...

Maybe, if you don't need the capacity to POST to that page,
you could do without the <form name="aspnetForm"...> tag ?

If I do that, the whole site will stop working e.g. the <asp:Menu> etc...
"Control 'mpDefault_mnuMenu' of type 'Menu' must be placed inside a form tag
with runat=server."

Alternately, you could add the runat="server" property...

See above...

 

[Mark Rae]

Why do you have a form on the page, then?

???

Because none of the web controls would work if I didn't... e.g. <asp:Menu>
etc

"Control 'mpDefault_mnuMenu' of type 'Menu' must be placed inside a form tag
with runat=server."

 

[Juan T. Llibre]

re:

"aspnetForm" is the name MasterPages give the default form when the HTML is rendered...

I totally bypassed that. I should have remembered.

Aargh!

You're up a creek and I'm fresh out of suggestions.

Sorry.

 

[Mark Rae]

You're up a creek and I'm fresh out of suggestions.

I'm really not up a creek at all - as I mentioned in a previous reply, my
ISP has blocked the offending IP address, and filed an abuse report etc. As
far as I'm concerned, the attacks have stopped - they may, of course, be
continuing - but I'll ever know about it...

My initial post was just an attempt to see how commonplace this sort of
"attack" was amongst the newsgroup, and it seems to have turned into a bit
of a critique of form design - not that that's necessarily a bad thing, of
course... All discussion is good.

 

[Juan T. Llibre]

re:

I'm really not up a creek at all

Actually, we all are up a creek.

You may have a sympathetic ISP. Not everybody does.
The rest of us would have to deal with this in code or in IIS security.

*That* is the "creek" I alluded to.

Blocking an IP is an ineffective solution.
The perpetrators could change their IP very easily, or spoof it.

Then you'd have to get your ISP to block their new IP, ad infinitum.

What we need is a way to prevent unwanted POSTs from occurring.

re:
"it seems to have turned into a bit of a critique of form design"

Indeed. Maybe it would be worthwhile for you to file a bug at :

http://connect.microsoft.com/feedback/default.aspx?SiteID=210

 

[Mark Rae]

Actually, we all are up a creek.

You may have a sympathetic ISP. Not everybody does.

That's true enough...

The rest of us would have to deal with this in code or in IIS security.

*That* is the "creek" I alluded to.
OK.

Blocking an IP is an ineffective solution.
The perpetrators could change their IP very easily, or spoof it.

Then you'd have to get your ISP to block their new IP, ad infinitum.

Yes, that's also true...

What we need is a way to prevent unwanted POSTs from occurring.

Yes, that would indeed be a good security feature...

re:
"it seems to have turned into a bit of a critique of form design"

Indeed. Maybe it would be worthwhile for you to file a bug at :

http://connect.microsoft.com/feedback/default.aspx?SiteID=210

I'll do that.