SMTPsvg.Mailer error

[Mike H]

I'm using a block of ASP to allow a user to send a form via e-mail.
However, someone keeps sending me spam through this form
and they're using a bogus return address. I'm testing for a
successful send, which should fail if the return address is
not valid, but I'm still getting the junk.
The block looks like this:

Set Mailer = Server.CreateObject("SMTPsvg.Mailer")
Mailer.RemoteHost = "smtp.xxx.com"
Mailer.FromName = Request.QueryString ("Name")
Mailer.FromAddress = Request.QueryString ("Email")
Mailer.AddRecipient "Web Mail", "(e-mail address removed)"
Mailer.Subject = "P.C.T. E-mail"
Mailer.BodyText = UserString
if Mailer.SendMail then
Response.Write " - Sucessful - "
else
Response.Write " - Failed - "
Response.Write Mailer.Response
end if

Should this block be stopping bogus From addresses?
Or do I need to be doing something different?

 

[Daniel Crichton]

Mike wrote on Sat, 27 Jan 2007 12:13:00 -0800:

I'm using a block of ASP to allow a user to send a form via e-mail.
However, someone keeps sending me spam through this form
and they're using a bogus return address. I'm testing for a
successful send, which should fail if the return address is
not valid, but I'm still getting the junk.
The block looks like this:

Set Mailer = Server.CreateObject("SMTPsvg.Mailer")
Mailer.RemoteHost = "smtp.xxx.com"
Mailer.FromName = Request.QueryString ("Name")
Mailer.FromAddress = Request.QueryString ("Email")
Mailer.AddRecipient "Web Mail", "(e-mail address removed)"
Mailer.Subject = "P.C.T. E-mail"
Mailer.BodyText = UserString
if Mailer.SendMail then
Response.Write " - Sucessful - "
else
Response.Write " - Failed - "
Response.Write Mailer.Response
end if

Should this block be stopping bogus From addresses?
Or do I need to be doing something different?

That mailer component cannot verify if the from address is valid or not - to
do so would require it to connect to the destination server for that domain
and then determine if the address exists; either start a dummy SMTP
conversation sending to that address and looking for an error response, or
and use the verify command to ask if the address exists - although most
servers that support ESMTP should have the VRFY command disabled if they
have any sense, as it can be used to pull a list of valid addresses from a
server using a dictionary scan. What would happen if the server was down?
Would you want the message rejected? What if the message was legitimate, but
the person's ISP was having some mail server issues at the time?

There really is very little you can do to block someone spamming you this
way if they're persistent. You could look for specific strings in the
UserString variable and reject on that (such as web addresses, or certain
words). You could add a random number + check digit as hidden fields, and
have your code verify that they match before accepting the rest of the
data - this prevents direct use of the form from a script, but won't prevent
one that pulls the form HTML from the server prior to generating the
necessary POST data string to send back to ensure it's complete.

I've had problems with spam to a customer comment system on one of my own
sites in the past; luckily all comments require admin moderation before
being published to the site, so the spam never got displayed to the public -
I used a combination of variable inspection (rejecting all submissions that
had a URL in the title, which most of the spam ones did), and the random
number + check digit (which stopped the ones that didn't have a URL in the
title field, but were being posted from a script).

Dan

 

[Mike H]

Thanks for the reply.
I was considering the random number scheme previously,
but I don't know if the spammer is sitting at the keyboard
or if it's automated. Two months ago, he sent 30 messaged
in a single day (twice), and I don't know why an automated
system would do that, nor why someone at the keyboard
would waste that much time.
For the time being, I've disabled the mail handler page.

 

[Daniel Crichton]

Mike wrote on Mon, 29 Jan 2007 09:11:02 -0800:

Thanks for the reply.
I was considering the random number scheme previously,
but I don't know if the spammer is sitting at the keyboard
or if it's automated. Two months ago, he sent 30 messaged
in a single day (twice), and I don't know why an automated
system would do that, nor why someone at the keyboard
would waste that much time.
For the time being, I've disabled the mail handler page.

Do these comments get posted anywhere on a web page? If so, and the spam is
full of URLs, it's being done to increase the number of links back to the
URL, and in doing so will increase Google Page Rank. This is what was being
done on my site, and the random number field plus filtering on URLs stopped
it dead. It probably is automated, it's pretty easy to write a script that
navigates sites looking for forms that ask for a set of information (such as
"email address" and "comment"), and then post to them using the form data as
it was presented at the time the form HTML was retrieved. What you need to
be careful of is that even here the random number + check digit will allow
the form to be posted unless your random number and/or check digit
calculation is also site time dependent. For instance, factor in the current
date into the calculation somehow.

Dan

 

[Mike H]

Do these comments get posted anywhere on a web page? If so, and the spam is
full of URLs, it's being done to increase the number of links back to the
URL, and in doing so will increase Google Page Rank. This is what was being
done on my site, and the random number field plus filtering on URLs stopped
it dead. It probably is automated, it's pretty easy to write a script that
navigates sites looking for forms that ask for a set of information (such as
"email address" and "comment"), and then post to them using the form data as
it was presented at the time the form HTML was retrieved. What you need to
be careful of is that even here the random number + check digit will allow
the form to be posted unless your random number and/or check digit
calculation is also site time dependent. For instance, factor in the current
date into the calculation somehow.

The comments don't get posted anywhere, they're just e-mailed to me.
But they include links to porn and pills web sites, so I guess he thinks
they're posted somewhere. I wonder if changing form text and variable
to nonstandard wording would throw off his bot?