Surveillance, Privacy and Spam: Massive Spam Attacks
16.09.2005, 07:51 | #1 |
| Massive Spam Attacks Hello everyone, I haven't posted anything in a looooooooooong time... At the moment I have a big problem: my info ät meinehomepage.de e-mail address (that is not what my site is really called, of course, but I don't want to advertise) is currently being massively bombarded with spam - about 40 to 100 mails per night. They all look the same: PHP code: Regards, Pana |
17.09.2005, 12:09 | #2 |
| Massive Spam Attacks The source text of the e-mail looks extremely odd. The complete header is missing, and instead there are entries that I have never seen before. Do you retrieve this address via webmail? If so, doesn't the provider offer a spam filter? If not, install one locally. I don't think much of "burning" the address, since with such a public address the nuisance will only start all over again.
__________________Cobra |
17.09.2005, 12:24 | #3 |
| Massive Spam Attacks Hello Panasonic,
when the spam became too much for me, I burned the plain-text e-mail address and wrote a new one on my pages instead, this time masking the @ as @. That really does seem to fend off the vast majority of spam bots. Instead of 30, I now get just under one spam mail per day. The text still seems to work as an e-mail link.
__________________Martin |
20.09.2005, 18:58 | #4 |
| Massive Spam Attacks Orlando, Florida, September 19th, 2005.

Email Injection TRAP

I am recording who these guys are and where they are coming from; they can't hurt me any more, and if they show up, I put them to sleep for an hour. Sounds good, doesn't it? I am visited every 5 or 6 days, with the exception of August 31st and September 1st. If someone who is touched every day can implement this script, it will be awesome. Post the results. Thank you.

I am assuming, as Barbara from UK posted (Barbara from UK #275 | Wed, Sep 14, 2005 08:37 AM, http://www.anders.com/cms/75/Crack.Attempt/Spam.Relay), that the spam-bot has the URL address of my CGI script form handlers and is injecting whatever he/she wants, exploiting the poor CGI programming. (For others it will be PHP, or ASP, who knows.)

THIS IS NOT A DEFINITIVE SOLUTION, IT IS JUST A WAY TO FIGHT BACK WHEN THEY SHOW UP. BETTER FORM HANDLERS ARE WHAT WE NEED.

Here is what I made.

Hello, like many others on the internet I was hit by these guys, who deserve to be in jail big time. Here are the records I have of total visits:

bergkoch8@aol.com Wed, 31 Aug 2005 21:06:24 -0400 Form processed at Wed Aug 31 21:06:24 EDT 2005 From IP: 146.83.216.207 TOTAL 45 EMAIL SPAM RECEIVED
jrubin3546@aol.com Thu, 1 Sep 2005 19:16:03 -0400 Form processed at Thu Sep 1 19:16:03 EDT 2005 From IP: 194.117.20.30 TOTAL 47 EMAIL SPAM RECEIVED
jrubin3546@aol.com Tue, 6 Sep 2005 06:54:54 -0400 Form processed at Tue Sep 6 06:54:54 EDT 2005 From IP: 82.67.11.110 TOTAL 48 EMAIL SPAM RECEIVED
jrubin3456@aol.com Mon, 12 Sep 2005 04:28:11 -0400 Form processed at Mon Sep 12 04:28:11 EDT 2005 From IP: 216.194.16.226 TOTAL 94 EMAIL SPAM RECEIVED
Homeiragtime@aol.com Sat, 17 Sep 2005 19:27:05 -0400 Form processed at Sat Sep 17 19:27:04 EDT 2005 From IP: 170.148.96.108 TOTAL 45 EMAIL SPAM RECEIVED

I discovered that about 8 CGI scripts on my site are potentially involved in the risk of being hijacked and used as a source of spam. Really, they are very poor in programming security. (They are usually called in the "action" field of a form.) Besides these, I have more scripts that must be fixed ASAP. Example:

http://www.mywebsite.com/cgi-bin/script-1.cgi
http://www.mywebsite.com/cgi-bin/script-2.cgi
http://www.mywebsite.com/cgi-bin/script-3.cgi
http://www.mywebsite.com/cgi-bin/script-4.cgi
http://www.mywebsite.com/cgi-bin/script-5.cgi
http://www.mywebsite.com/cgi-bin/script-6.cgi
http://www.mywebsite.com/cgi-bin/script-7.cgi
http://www.mywebsite.com/cgi-bin/script-8.cgi

The first thing I did was change the scripts' names and, of course, I also changed the names called from my HTML forms. Then I used the mod_rewrite Apache directives to redirect whoever is looking for my script names (the old names) to a script that will log the visitor's (HTTP environment) information and put them to sleep for an hour or so. Please, if you don't understand what is going on here, call somebody who does.

[File created] .htaccess (Write this file in pure ASCII, Notepad is OK)

RewriteEngine on
Options +FollowSymLinks
RewriteBase /
# Patterns are anchored and the dot is escaped so that only the old script names match.
RewriteRule ^old-script-1\.cgi$ /cgi-bin/death-meat.cgi?%{REQUEST_URI}
RewriteRule ^old-script-2\.cgi$ /cgi-bin/death-meat.cgi?%{REQUEST_URI}
RewriteRule ^old-script-3\.cgi$ /cgi-bin/death-meat.cgi?%{REQUEST_URI}
RewriteRule ^old-script-4\.cgi$ /cgi-bin/death-meat.cgi?%{REQUEST_URI}
RewriteRule ^old-script-5\.cgi$ /cgi-bin/death-meat.cgi?%{REQUEST_URI}
RewriteRule ^old-script-6\.cgi$ /cgi-bin/death-meat.cgi?%{REQUEST_URI}
RewriteRule ^old-script-7\.cgi$ /cgi-bin/death-meat.cgi?%{REQUEST_URI}
RewriteRule ^old-script-8\.cgi$ /cgi-bin/death-meat.cgi?%{REQUEST_URI}

As you can see, all the requests are redirected (internally, through the Apache system) to a script called death-meat.cgi (sample name, you can use anything you want).

##############################################################################
# NOTE, DO THIS AT YOUR RISK:
# Upload the file to your cgi-bin directory. Please be careful, don't
# make any mistake, check with your webmaster or ISP before uploading
# this file. If you are already using a .htaccess file, just add the above lines.
# Do it wrong and your site will disappear from the web until your ISP deletes
# or replaces the .htaccess file. (I know it from my own past experience.)
##############################################################################

The following script is not my creation, I just modified one I am using for other purposes. Those who have access to the features below will be able to help in the capture of these bastards or at least make their brilliant ideas more difficult to implement.

My site is stored under Linux OS, Apache web server. I have access to CGI scripts, I can write the .htaccess file and upload it, and obviously I can run CGI scripts.

Upload the file below to your cgi-bin directory in ASCII (text) only. Use a simple text editor, Notepad is fine; after uploading, chmod 755. Create a folder inside cgi-bin, stats > chmod 777, and inside stats the file igotyou.log (I don't know if it will be created automatically).

[death-meat.cgi file name]

#!/usr/bin/perl
# If required, adjust line above to point to Perl 5.
######################################################
# THIS IS WHAT IS GOING TO HAPPEN:
# AFTER THIS SCRIPT COLLECTS SOME VISITOR INFORMATION,
# WHICH MAY BE USEFUL OR NOT, DEPENDING ON WHETHER THEY DO NOT
# MAKE ANY MISTAKE AND ALWAYS SEND THE BOT THROUGH AN ANONYMOUS PROXY
# (OTHERWISE WE GET THE REAL PHYSICAL ADDRESS),
# THE SCRIPT WILL PUT THE VISITOR TO SLEEP FOR ABOUT AN HOUR
#
$stats_dir = "stats";        # directory for the log, relative to cgi-bin
$log_file = "igotyou.log";   # one line is appended per trapped request
$sleeptime = 3600;           # seconds to hold the connection open

# Request details supplied by Apache in the CGI environment
$remote_host = "$ENV{'REMOTE_HOST'}";
$remote_addr = "$ENV{'REMOTE_ADDR'}";
$user_agent = "$ENV{'HTTP_USER_AGENT'}";
$referer = "$ENV{'HTTP_REFERER'}";
$document_name = "$ENV{'QUERY_STRING'}";   # old script URI, passed by the rewrite rule

&get_date;
&log_hits ("$date $remote_host $remote_addr $user_agent $referer $document_name\n");

print "Content-type: text/plain\n\n";
print @TEXT;   # @TEXT is never filled in this script, so this prints nothing

######## THE SPIDER-BOT OR THE BROWSER GETS TRAPPED HERE FOR AN HOUR
sleep ($sleeptime);
######## WAITING..., WAITING..., WAITING....
exit;

# Builds $date as "YYYY-MM-DD, HH:MM:SS" from the local time
sub get_date {
    ($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst)=localtime();
    $mon++;
    $sec = sprintf ("%02d", $sec);
    $min = sprintf ("%02d", $min);
    $hour = sprintf ("%02d", $hour);
    $mday = sprintf ("%02d", $mday);
    $mon = sprintf ("%02d", $mon);
    $year = scalar localtime;
    $year =~ s/.*?(\d{4})/$1/;   # keep only the four-digit year
    $date="$year-$mon-$mday, $hour:$min:$sec";
}

# Appends its arguments to the log file; skips logging if the file cannot be opened
sub log_hits {
    open (HITS, ">>$stats_dir/$log_file") or return;
    print HITS @_;
    close (HITS);
}
############################################

I am testing the URLs trying to reach the CGI scripts and it works perfectly. I hope somebody else can try it and post the results.

Good luck,
Hector Gonzalo
hector2561@yahoo.com |
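The trap in the post above only logs and stalls requests to the old script names; the renamed form handlers still have to refuse injected input. The following Perl check is an added example, not part of Hector's post or of any script in this thread: it rejects form fields that would add extra lines to a mail header. The field names (name, email, subject), the function check_submission and the sample submissions are assumptions made for the illustration.

```perl
#!/usr/bin/perl
# Added example: validate form fields before they are placed into mail
# headers. Field names and sample values are constructed for illustration.
use strict;
use warnings;

# Fields that end up in a header line must stay on a single line.
my @HEADER_FIELDS = qw(name email subject);

# Returns a list of reasons to reject the submission; empty list = accept.
sub check_submission {
    my (%form) = @_;
    my @problems;
    for my $field (@HEADER_FIELDS) {
        my $value = defined $form{$field} ? $form{$field} : '';
        # A raw CR or LF would start a new header line (Bcc:, Content-Type: ...).
        push @problems, "$field: line break" if $value =~ /[\r\n]/;
        # The same characters URL-encoded, in case the value is decoded again later.
        push @problems, "$field: encoded line break" if $value =~ /%0[ad]/i;
    }
    # The sender must be exactly one address. \z (unlike $) does not
    # tolerate a trailing newline after the address.
    my $email = defined $form{email} ? $form{email} : '';
    push @problems, 'email: not a single address'
        unless $email =~ /\A[^\s\@,;<>]+\@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\z/;
    return @problems;
}

# Constructed submissions: one ordinary, one carrying an extra header line.
my @samples = (
    { name => 'Visitor', email => 'visitor@example.org', subject => 'Hello',
      message => "Nice site.\nLine breaks are fine in the message body." },
    { name => 'x', email => "a\@example.org\r\nBcc: b\@example.net",
      subject => 'Hello', message => 'text' },
);

for my $form (@samples) {
    my @problems = check_submission(%$form);
    print @problems ? 'REJECT: ' . join('; ', @problems) . "\n" : "ACCEPT\n";
}
```

Only the fields that go into header lines are restricted; the message body may contain line breaks because it is written after the blank line that ends the headers.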
23.10.2005, 07:33 | #5 |
| Massive Spam Attacks For a while I also got around 50 spam mails a day, all of which ended up in my spam filter, but it is still annoying somehow. For the past few weeks, though, I have been getting very little spam. Either my web space provider changed something or I am simply being spared now. Where I do have a huge problem, however, is the guestbook on my website. I have now had to switch it off completely because every day I had around 5 entries in it from assorted online casinos and online pharmacies. I don't know how I should deal with that.....
__________________ Regards, Jens |