[Pro] Loads of SPAM :-(

Freeway
1

Hi Folks,
Suddenly hundreds of similar, empty replies come in from our website http://www.youngfocus.org … For days in a row now. They are all empty with a ‘noreply’ address.
Anti-Spam has been applied. Is there a way to stop it or prevent these mails coming in even better. Is CAPTCHA the only solution?

Thanks!

Paul

freewaytalk mailing list
email@hidden
Update your subscriptions at:
http://freewaytalk.net/person/options

2

Are you using the latest version of the action and have you ticked the box to ‘Add a Spam Trap’? Or is that what you mean by ‘Anti-Spam has been applied’

David

freewaytalk mailing list
email@hidden
Update your subscriptions at:
http://freewaytalk.net/person/options

3

Both David, I did add Spam Trap as well as the anti-spam action tp page/form.
Thanks for your reply!

freewaytalk mailing list
email@hidden
Update your subscriptions at:
http://freewaytalk.net/person/options

4

Are you sure that they are due to multiple form submissions?

Can you post the content of an email including long headers or raw source

D

freewaytalk mailing list
email@hidden
Update your subscriptions at:
http://freewaytalk.net/person/options

5

You mean, emails I am getting?
See below:

From: noreply@
Subject: YOUNG FOCUS Web site feedback
Date: March 13, 2011 5:43:04 PM GMT+08:00
To: email@hidden
Reply-To: noreply@

The following information was submitted from a form on www.youngfocus.org:

PLEASE NOTE: This is a message from the www.youngfocus.org web site
and has been sent from a machine and not a person.
Please do not reply to this e-mail as it will bounce.

freewaytalk mailing list
email@hidden
Update your subscriptions at:
http://freewaytalk.net/person/options

6

I had a problem where a site I did was getting a bit of spam thru the form, or so it seemed. No matter what I set in the form Action, there was still spam coming. I noticed something odd about the spam that I could not put my finger on, but it gave me an idea.

I changed the name of the form page (and thus the php page that processes the submission), and the spam stopped.

I’m not exactly sure what happened, but it seems like somehow the spammers were faking out the processing page. Once they lost the connection to it, they were gone and haven’t been back.

It’s worth a shot, right?

freewaytalk mailing list
email@hidden
Update your subscriptions at:
http://freewaytalk.net/person/options

7

It’s worth a shot, right?

I would certainly agree with Joe.

D

freewaytalk mailing list
email@hidden
Update your subscriptions at:
http://freewaytalk.net/person/options

8

I changed the name of the form page (and thus the php page that processes the submission), and the spam stopped.

Joe could you expand on that; from what to what.

As an aside Pulsecms has a form that can be used which includes a ‘honeypot field’ for basic security.

thanks,

s

freewaytalk mailing list
email@hidden
Update your subscriptions at:
http://freewaytalk.net/person/options

9

The latest versions of PHP Feedback Form include the honeypot as well.

What Joe was noticing was that it appeared to him as though someone
had come along and “scraped” his form, and was using their own version
of it to send the posts to his form handler. By changing the filename
of that handler to something else (which, when using PHPFF is as easy
as changing the filename of your contact page slightly, then
publishing again} he was able to cut out that entire set of fraudulent
entries.

Walter

On Mar 13, 2011, at 1:38 PM, seoras wrote:

I changed the name of the form page (and thus the php page that
processes the submission), and the spam stopped.

Joe could you expand on that; from what to what.

As an aside Pulsecms has a form that can be used which includes a
‘honeypot field’ for basic security.

thanks,

s

freewaytalk mailing list
email@hidden
Update your subscriptions at:
http://freewaytalk.net/person/options

freewaytalk mailing list
email@hidden
Update your subscriptions at:
http://freewaytalk.net/person/options

10

thanks for clarification Walter.
s

freewaytalk mailing list
email@hidden
Update your subscriptions at:
http://freewaytalk.net/person/options

11

Wow, that is a simple, yet a great solution it seems!!! Gonna try that out straight away. Thanks folks!

Paul

freewaytalk mailing list
email@hidden
Update your subscriptions at:
http://freewaytalk.net/person/options

12

OK all.
Yes, i changed the page name but no success… :frowning:
Every day more then 50 of this junk. GRRRRRRR…
What else can I do? Help!

Paul

freewaytalk mailing list
email@hidden
Update your subscriptions at:
http://freewaytalk.net/person/options

13

I would still like to see one of these emails in its entirety.

If viewing in Mail then from the View Menu: View>Message>Raw Source

And copy paste it here using

4 ~~~~ Tildes

A return

Paste Message

Another Return

4 more ~~~~ Tildes

Another return

David

freewaytalk mailing list
email@hidden
Update your subscriptions at:
http://freewaytalk.net/person/options

14

And have you enabled ‘Track IP Address’

D

freewaytalk mailing list
email@hidden
Update your subscriptions at:
http://freewaytalk.net/person/options

15

Ah, didn’t know that info was there. Here we go (I have not enabled ‘Track IP Address’… I should I guess … :slight_smile:

Return-Path: email@hidden
X-Original-To: email@hidden
Delivered-To: email@hidden
Received: from se06.mail.pcextreme.nl (se06.mail.pcextreme.nl [109.72.87.156])
by smtp01.mail.pcextreme.nl (Postfix) with ESMTPS id 6D7A576221
for email@hidden; Thu, 17 Mar 2011 02:45:34 +0100 (CET)
Received: from se10.mail.pcextreme.nl ([178.63.8.141])
by se06.mail.pcextreme.nl with esmtps (TLSv1:AES256-SHA:256)
(Exim 4.72)
(envelope-from email@hidden)
id 1Q02GI-00013K-Cj
for email@hidden; Thu, 17 Mar 2011 02:45:22 +0100
Received: from [109.72.87.249] (helo=vhosting-relay.mail.pcextreme.nl)
by se10.mail.pcextreme.nl with esmtpa (Exim 4.72)
(envelope-from email@hidden)
id 1Q02GF-0005TH-0A
for email@hidden; Thu, 17 Mar 2011 02:44:26 +0100
Received: from web02.vhosting.pcextreme.nl (unknown [10.0.12.2])
by vhosting-relay.mail.pcextreme.nl (Postfix) with ESMTP id E1C71FE04
for email@hidden; Thu, 17 Mar 2011 02:44:22 +0100 (CET)
Received: by web02.vhosting.pcextreme.nl (Postfix, from userid 23775)
id E36CF10090D; Thu, 17 Mar 2011 02:44:22 +0100 (CET)
To: email@hidden
Subject: YOUNG FOCUS Web site feedback
X-PHP-Originating-Script: 23775:form-go.php
From: <noreply@>
MIME-Version: 1.0
Content-type: text/plain; charset=“ISO-8859-1”
Content-transfer-encoding: 7bit
Reply-To: noreply@
Message-Id: email@hidden
Date: Thu, 17 Mar 2011 02:44:22 +0100 (CET)
X-Warning: web02.vhosting.pcextreme.nl has no MX records
X-Filter-ID: XtLePq6GTMn8G68F0EmQvTj8kXb3KgOMBAzB+peKwQYZHmnVkCaJ2pJnIVf3j1BpeOTH7N0tQy/M
0A+pl7jTdySd94uDt2R4g+V/+yPCloC6nU9sNryyfNj417PMn2R1+eBuL9646DE2zjIRIJGfI7Qi
jy7eMklMJynNf3VO/1KpygCY7MhiLG+2E0Owt9G5HHASJNUmoOHSoqgqxfHmWcyq3SEz93Cvv4hR
Kz6sWTy59fTB504R361GJXVOiWRFeS7bGHbspHrTF7oHg6JoWu9B4dwbI7n1m+D/TejwdZAFJlLl
zHRNw0jGo5StYoE5g8CBO1Snvm6qXHQp7O9kdZkxxee+epjXqyt2nLrkDr+AwBuwkqgccilKWP5a
zdk5ASJFC/49WOPBr5nlEUI4xMccCJrM9mP5kvsGOaYBqKVn7TCUul1Fic6SqOIerRBXUqpScM45
IW5TaoP6faMp/FtnaagrkS4yIfbbxXrFSQs=
X-Spampanel-Outgoing-Class: unsure;
X-Spampanel-Outgoing-Score: 0.180226698232
X-Spampanel-Outgoing-Evidence: ‘ole’: 0.50; ‘crm114’: 0.50; ‘direct’: 0.50;
‘spambayes.global_tokens’: 0.05; ‘pyzor’: 0.50; ‘sa’: 0.03; ‘dkim’: 0.50;
‘dnsbl’: 0.75; ‘sender’: 0.70
X-Spampanel-Outgoing-Thermostat: —
X-Originating-IP: 109.72.87.249
X-OLS-BogusWarn: No x-mailer header
X-Fake-Warning: OK - 1500 points
X-Sender-Warning: No verifiable sender address in message headers
X-Filter-ID: XtLePq6GTMn8G68F0EmQvTj8kXb3KgOMBAzB+peKwQYZHmnVkCaJ2pJnIVf3j1BpeOTH7N0tQy/M
0A+pl7jTdySd94uDt2R4g+V/+yPCloA02l+JLfXU87vtFtobaic8OPVn7GSsvGfPh6kfjrDGssdv
TAmSpNjmOkUWSefNH6wTC/p7JtTAGfoKC0dtu5MhMaBuZrIZ6tMjvY4Vxa1s0bKd32kdAey+MpsH
jma0fr18zGUhxjfWz3jrlRjswzVlC0WjvSENtsh6szbQCpatPX6m+UeFXprlCOm3BAEbJtBDRiP7
OGvraa/BFnQFliO/qv6LjxE5I783xgyMpd/ziZzmtJgVOzgQ/sdF9GtzCJtmzGrWLBAq0DJpO+aj
F7ihZl2Unaid7X+RySWeazsRquAZqq4n1KldkPth72G5+k5XvbXXZzNV8NoUdboiK7vafgtZxCbF
6q785N+jZyxZvkpYEvMoj4Oc4NhkogsnU6BX7VZFiC/gDSidldHqUeiL
X-Spampanel-Class: ham;
X-Spampanel-Score: 0.0307818356975
X-Spampanel-Evidence: ‘ole’: 0.50; ‘crm114’: 0.50; ‘direct’: 0.50;
‘spambayes.global_tokens’: 0.02; ‘pyzor’: 0.50; ‘sa’: 0.23; ‘os’: 0.40;
‘dkim’: 0.50; ‘dnsbl’: 0.58; ‘sender’: 0.60
X-Spampanel-Thermostat: -----

The following information was submitted from a form on www.youngfocus.org:

PLEASE NOTE: This is a message from the www.youngfocus.org web site
and has been sent from a machine and not a person.
Please do not reply to this e-mail as it will bounce.

freewaytalk mailing list
email@hidden
Update your subscriptions at:
http://freewaytalk.net/person/options

16

I don’t see any spam prevention in the code. Do you have the latest version of the Action? Download it from ActionsForge and ,make sure you have the “Add a spam trap?” option in the Advanced section checked.

Joe

On 17 Mar 2011, at 01:54, paulvw wrote:

Ah, didn’t know that info was there. Here we go (I have not enabled ‘Track IP Address’… I should I guess … :slight_smile:

Return-Path: email@hidden
X-Original-To: email@hidden
Delivered-To: email@hidden
Received: from se06.mail.pcextreme.nl (se06.mail.pcextreme.nl [109.72.87.156])
by smtp01.mail.pcextreme.nl (Postfix) with ESMTPS id 6D7A576221
for email@hidden; Thu, 17 Mar 2011 02:45:34 +0100 (CET)
Received: from se10.mail.pcextreme.nl ([178.63.8.141])
by se06.mail.pcextreme.nl with esmtps (TLSv1:AES256-SHA:256)
(Exim 4.72)
(envelope-from email@hidden)
id 1Q02GI-00013K-Cj
for email@hidden; Thu, 17 Mar 2011 02:45:22 +0100
Received: from [109.72.87.249] (helo=vhosting-relay.mail.pcextreme.nl)
by se10.mail.pcextreme.nl with esmtpa (Exim 4.72)
(envelope-from email@hidden)
id 1Q02GF-0005TH-0A
for email@hidden; Thu, 17 Mar 2011 02:44:26 +0100
Received: from web02.vhosting.pcextreme.nl (unknown [10.0.12.2])
by vhosting-relay.mail.pcextreme.nl (Postfix) with ESMTP id E1C71FE04
for email@hidden; Thu, 17 Mar 2011 02:44:22 +0100 (CET)
Received: by web02.vhosting.pcextreme.nl (Postfix, from userid 23775)
id E36CF10090D; Thu, 17 Mar 2011 02:44:22 +0100 (CET)
To: email@hidden
Subject: YOUNG FOCUS Web site feedback
X-PHP-Originating-Script: 23775:form-go.php
From: <noreply@>
MIME-Version: 1.0
Content-type: text/plain; charset=“ISO-8859-1”
Content-transfer-encoding: 7bit
Reply-To: noreply@
Message-Id: email@hidden
Date: Thu, 17 Mar 2011 02:44:22 +0100 (CET)
X-Warning: web02.vhosting.pcextreme.nl has no MX records
X-Filter-ID: XtLePq6GTMn8G68F0EmQvTj8kXb3KgOMBAzB+peKwQYZHmnVkCaJ2pJnIVf3j1BpeOTH7N0tQy/M
0A+pl7jTdySd94uDt2R4g+V/+yPCloC6nU9sNryyfNj417PMn2R1+eBuL9646DE2zjIRIJGfI7Qi
jy7eMklMJynNf3VO/1KpygCY7MhiLG+2E0Owt9G5HHASJNUmoOHSoqgqxfHmWcyq3SEz93Cvv4hR
Kz6sWTy59fTB504R361GJXVOiWRFeS7bGHbspHrTF7oHg6JoWu9B4dwbI7n1m+D/TejwdZAFJlLl
zHRNw0jGo5StYoE5g8CBO1Snvm6qXHQp7O9kdZkxxee+epjXqyt2nLrkDr+AwBuwkqgccilKWP5a
zdk5ASJFC/49WOPBr5nlEUI4xMccCJrM9mP5kvsGOaYBqKVn7TCUul1Fic6SqOIerRBXUqpScM45
IW5TaoP6faMp/FtnaagrkS4yIfbbxXrFSQs=
X-Spampanel-Outgoing-Class: unsure;
X-Spampanel-Outgoing-Score: 0.180226698232
X-Spampanel-Outgoing-Evidence: ‘ole’: 0.50; ‘crm114’: 0.50; ‘direct’: 0.50;
‘spambayes.global_tokens’: 0.05; ‘pyzor’: 0.50; ‘sa’: 0.03; ‘dkim’: 0.50;
‘dnsbl’: 0.75; ‘sender’: 0.70
X-Spampanel-Outgoing-Thermostat: —
X-Originating-IP: 109.72.87.249
X-OLS-BogusWarn: No x-mailer header
X-Fake-Warning: OK - 1500 points
X-Sender-Warning: No verifiable sender address in message headers
X-Filter-ID: XtLePq6GTMn8G68F0EmQvTj8kXb3KgOMBAzB+peKwQYZHmnVkCaJ2pJnIVf3j1BpeOTH7N0tQy/M
0A+pl7jTdySd94uDt2R4g+V/+yPCloA02l+JLfXU87vtFtobaic8OPVn7GSsvGfPh6kfjrDGssdv
TAmSpNjmOkUWSefNH6wTC/p7JtTAGfoKC0dtu5MhMaBuZrIZ6tMjvY4Vxa1s0bKd32kdAey+MpsH
jma0fr18zGUhxjfWz3jrlRjswzVlC0WjvSENtsh6szbQCpatPX6m+UeFXprlCOm3BAEbJtBDRiP7
OGvraa/BFnQFliO/qv6LjxE5I783xgyMpd/ziZzmtJgVOzgQ/sdF9GtzCJtmzGrWLBAq0DJpO+aj
F7ihZl2Unaid7X+RySWeazsRquAZqq4n1KldkPth72G5+k5XvbXXZzNV8NoUdboiK7vafgtZxCbF
6q785N+jZyxZvkpYEvMoj4Oc4NhkogsnU6BX7VZFiC/gDSidldHqUeiL
X-Spampanel-Class: ham;
X-Spampanel-Score: 0.0307818356975
X-Spampanel-Evidence: ‘ole’: 0.50; ‘crm114’: 0.50; ‘direct’: 0.50;
‘spambayes.global_tokens’: 0.02; ‘pyzor’: 0.50; ‘sa’: 0.23; ‘os’: 0.40;
‘dkim’: 0.50; ‘dnsbl’: 0.58; ‘sender’: 0.60
X-Spampanel-Thermostat: -----

The following information was submitted from a form on www.youngfocus.org:

PLEASE NOTE: This is a message from the www.youngfocus.org web site
and has been sent from a machine and not a person.
Please do not reply to this e-mail as it will bounce.

freewaytalk mailing list
email@hidden
Update your subscriptions at:
http://freewaytalk.net/person/options

freewaytalk mailing list
email@hidden
Update your subscriptions at:
http://freewaytalk.net/person/options

17

Yes!!! The latest version is installed and also SPAM TRAP activated!! That is weird that this is not visible in this code :frowning:
Somehow the action is not active then?!

freewaytalk mailing list
email@hidden
Update your subscriptions at:
http://freewaytalk.net/person/options

18

This is a long shot but, since there are no other forms on the page, try removing the Action from the item it’s applied to and applying it to the page (and then setting all the settings back to the way they were before).

Joe

On 17 Mar 2011, at 07:49, paulvw wrote:

Yes!!! The latest version is installed and also SPAM TRAP activated!! That is weird that this is not visible in this code :frowning:
Somehow the action is not active then?!

freewaytalk mailing list
email@hidden
Update your subscriptions at:
http://freewaytalk.net/person/options

freewaytalk mailing list
email@hidden
Update your subscriptions at:
http://freewaytalk.net/person/options

19

I’ll give that a try then!
if applied to both does that conflict one way or the other?

freewaytalk mailing list
email@hidden
Update your subscriptions at:
http://freewaytalk.net/person/options

20

Hi Paul,
Just to clarify a few things here. The code you posted was the raw source for the received email and not anything that the Action has generated. If you enable the spam trap feature in the Action it will add a hidden text field to the form and, assuming this is filled in, will reject the user as a spammer. You’ll be able to see the code that runs this if you open up the -go.php file that the Action creates and is used to process the form data. It won’t show up in the received email source.

I’d suggest turning on the IP tracking feature which should log the IP address of all users of the PHP file. If you are getting these blank emails from a single or cluster of IP addresses then consider blocking them by using an .htaccess file. Here’s a good overview on how to do this; http://blamcast.net/articles/block-bots-hotlinking-ban-ip-htaccess

Place the .htaccess file in the same directory as the feedback form and, if working, it will simply block users from these addresses.
I hope this helps.
Regards,
Tim.

On 17 Mar 2011, at 07:49, paulvw wrote:

Yes!!! The latest version is installed and also SPAM TRAP activated!! That is weird that this is not visible in this code :frowning:
Somehow the action is not active then?!

FreewayActions.com - Freeware and commercial actions for Freeway Express & Pro.

Protect your mailto links from being harvested by spambots with Anti Spam.
Only available at FreewayActions.com

http://www.freewayactions.com

freewaytalk mailing list
email@hidden
Update your subscriptions at:
http://freewaytalk.net/person/options