OT: Is this a phishing attempt?

Coursedesign wrote on 9/22/2008, 11:12 AM
I have a CGI script collect name, address, etc. for people who request info from one of my companies.

Once or twice a week for the last 2-3 months I have received the following:
==================
SendBrochure: ON

Name: wogayu

Title: wogayu

Organization: NPPSJkcbYIz

Address: 3PE3Nb <a href="http://bfdlfjftartg.com/">bfdlfjftartg</a>, ynjrzfxctswp, fsgzdoixqdtu, http://qwknvjhyghgw.com/

Email: yougrh@qouscl.com

Phone: 756043983

Fax: LlLpftIPDlrvbHSqmMH

============================

I checked all the domains referenced, but they seem to be all available (not in use).

Anyone else here seen this?

I couldn't help thinking that it might be a first attempt at SQL injection or something similar, but with the domains being nonsense, I don't get it.

(This is running on an Apache server.)

Comments

ChrisMN wrote on 9/22/2008, 12:06 PM
It could be. I used to get similar things from my site until I included a dropdown menu (without a preselected value) in the form so that a human had to select an option as to what they were contacting us about. If they didn't, it invoked a JavaScript alert and/or didn't process the request on the server.
Chienworks wrote on 9/22/2008, 2:24 PM
Nope, not phishing. It's an advertising 'bot crawling the web looking for forms to fill out. It posts mostly random data, but also a few unique keywords as well. After some time it will crawl the web looking to see if those keywords show up anywhere. If it finds them, it knows it can use your form to post an advertisement (most likely a link for porn or 'medications') and that it will then appear on the web to be seen.

One might think that these things are smart enough to realize that if they never got a response from filling out a certain form that they would give up trying, but one would be wrong. I've had some forms that have been hit with this stuff several times an hour for going on 5 or more years now.
musicvid10 wrote on 9/22/2008, 10:41 PM
These bots are a big problem to anyone with online form submission, message boards, blogs, almost any interactive exchange. With cheap CAPTCHA resolution, it's gotten more problematic. They run from hijacked servers or spoofed addresses, so they're almost impossible to track down. Of the hundreds I trap every month, most try to place links to garner ad revenue from hits or sell porn, etc.

To trap them, find out the commonalities -- duplicate registration names, keywords, URLs (just trapping 'http://' and 'href' took care of 95% of it for me), and write a little code into your CGI script to block the submission, or dump it to a log file. With the right filtering, I haven't had one slip through in about four months.

What CGI script are you using? If it's a FormMail script, there is an easy fix!
Chienworks wrote on 9/23/2008, 3:24 AM
Searching "href" in fields that shouldn't contain URLs is a good filter. The other one I just added to my submission scripts was to add up the total number of characters, the number of lower case characters, and the number of upper case characters. If both uppercase and lowercase accounted for more than 33% each of the total characters then I simply drop the submission without even logging it. That alone cut down the number I see from about 4000/day down to about 5/day.

Spammers = stoopid!
musicvid10 wrote on 9/23/2008, 7:01 AM
Hehe, I was just about to post my list of effective filters here, when I noticed that some of them contain such vulgar and offensive references as to be unmentionable in a public forum. That being said, here are the ones I can post (the ones with sexual connotation have been left out):

@forbidden_strings=("viagr","vicod","ciali","casino","hgh",
"<embed","<iframe","<object","<h","<script",
"<!--","COMMENTS-START","href=","url=","Dan1oo","Ren67v","hardcore");
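
The filters described in the posts above (trapping 'http://' and 'href', markup entries from the posted forbidden-strings list, and the 33% upper/lowercase rule), run against the submission quoted in the first post. This is an added example in Python, not code from any poster; applying the case rule per field, the MIN_LEN guard and the HUMAN sample are assumptions.

```python
# Markers from the thread: 'http://' and 'href', plus the markup entries
# (a subset) of the posted @forbidden_strings list. Matched case-insensitively.
FORBIDDEN = ("http://", "href", "url=", "<embed", "<iframe",
             "<object", "<script", "<!--")
CASE_RATIO = 0.33  # "more than 33% each", from the post
MIN_LEN = 10       # assumption: skip short fields such as "IBM Corp"


def mixed_case(value):
    """True when upper- and lowercase letters each exceed CASE_RATIO of the field."""
    total = len(value)
    if total < MIN_LEN:
        return False
    upper = sum(c.isupper() for c in value)
    lower = sum(c.islower() for c in value)
    return upper / total > CASE_RATIO and lower / total > CASE_RATIO


def check_submission(fields):
    """Return (field, reason) pairs; an empty list means accept."""
    hits = []
    for name, value in fields.items():
        lowered = value.lower()
        hits += [(name, "contains " + m) for m in FORBIDDEN if m in lowered]
        if mixed_case(value):
            hits.append((name, "mixed-case ratio"))
    return hits


# The submission quoted in the first post.
BOT = {
    "Name": "wogayu", "Title": "wogayu", "Organization": "NPPSJkcbYIz",
    "Address": '3PE3Nb <a href="http://bfdlfjftartg.com/">bfdlfjftartg</a>, '
               "ynjrzfxctswp, fsgzdoixqdtu, http://qwknvjhyghgw.com/",
    "Email": "yougrh@qouscl.com", "Phone": "756043983",
    "Fax": "LlLpftIPDlrvbHSqmMH",
}
# Constructed legitimate request, for contrast.
HUMAN = {
    "Name": "Jane Smith", "Title": "Training Manager",
    "Organization": "Acme Tools Ltd",
    "Address": "12 Main Street, Springfield",
    "Email": "jane.smith@example.com", "Phone": "5550100", "Fax": "",
}

if __name__ == "__main__":
    for label, sub in (("bot", BOT), ("human", HUMAN)):
        hits = check_submission(sub)
        print(label, "DROP" if hits else "ACCEPT", hits)
```

The all-lowercase Name and Title fields pass both rules on their own; the submission is caught by the Address, Organization and Fax fields.
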
Coursedesign wrote on 9/23/2008, 9:37 AM
Thanks all, that is really good information!!!

I'm using FormToMail (PHP) nowadays.