Thursday, August 24, 2006

Inhoster Spammer Hits My Unprotected Contact Form

To allow visitors to let me know that my bot blocker MIGHT be making a mistake, which has happened now and then as it evolved, I had to leave one email contact form unprotected and wide open to potential bot abuse.

This was never a problem for a long time, but suddenly some jerk hosted on Inhoster started fucking with me, which has actually been quite interesting.

85.255.117.253 [85.255.117.253-xbox.dedi.inhoster.com]
"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
Of course my page requires the POST method, so the simple GETs don't abuse it, and for my own reasons I didn't think a CAPTCHA was appropriate on this page as I wanted feedback without making it too hard for people.

I was breaking my own anti-spam rules on this page just because I didn't want to reject any legit posts by accident while I was trying to collect all the information I could, but now I'm implementing a few of the filters.

The first thing I did after the spambot started messing with the form was to simply start rejecting all posts containing specific HTML tags. To further filter the spam, I'm rejecting any post that is nothing more than a pile of links, since they were dumping a bunch of links per post, while still allowing people to send me a link or two as long as it falls within my framework of what legit content looks like.

This seems to be bouncing them at the moment, and I'm not sure what purpose they'd have in continuing to spam my form if I don't allow them to dump links, but we'll see what happens.

One added benefit I discovered while testing was that it even bounced a couple of those spammy "link request" emails, because they have too many links in them.

Sweet.

Try the javascript trick...

A really cute trick to play on spammers is to have the form submit trigger javascript that adds additional data fields, which won't be submitted unless the client actually runs the javascript. That gives you another way to tell humans from bots without using a CAPTCHA.

The only drawback to this trick, which is inconsequential IMO, is that the Google and Yahoo translation proxies bust this all to hell: they replace all of your links with links back to their translation proxy, which of course doesn't pass the extra data through properly.

4 comments:

Anonymous said...

That bot, is it the same spammer I'm on the trail of here? http://spamhuntress.com/2006/08/24/redirect-to-spamcop/
This one uses that IP number as a bot.

Olliver said...

Most likely it is, as Inhoster usually only rents dedicated boxes to spammers, exploiters and botnet herders. They don't offer services to legitimate customers which is why the entire 85.255.112.0/20 range is widely blocked.

Anonymous said...

I get that crap all the time in my inbox. I simply delete it and block the sender.

Anonymous said...

Could you tell some more about the CAPTCHA javascript trick?

Can this be downloaded and used on any site (we use html - Perl contact form)?

Thanks