Curt
Joined: Eons Ago
# Posts: 3736
|
Posted: 2007-Feb-18 09:24
I've created a perl script that checks the email for spam type words that might be submitted through it. When I test it, it will not send the spam to me if I type in certain words. However, spammers somehow are able to type in those exact same words and the script is not stopping emails containing the spam “stop” words.
Is there possibly something in a message (special characters that are hidden) that the perl script is not finding in a pattern match when the perl script examines an email for spam words? I'm a bit stumped because I cannot type those words and send email through the mail perl script. It always catches it when I do it. In fact I retyped in the exact spam and the perl script caught it and did not let the message get through. But, it allowed the spammer to send the same message to me.
|
 |
Prowler
Staff
Joined: Aug 14, 2000
# Posts: 1794
|
Posted: 2007-Feb-20 15:24
It is possible to contrive a "message" with the right escape characters to fool your regexp-based script. It would be prudent to create a log file with all the original messages people are sending for a short time. This log may throw light on the way the spammers are contriving the messages.
|
 |
Curt
Joined: Eons Ago
# Posts: 3736
|
Posted: 2007-Feb-22 21:08
Do you mean they are using “%20” instead of “ ” (space chara.) or other ASCII equivalent to other characters? When I view the source of the email, it is in plain text, not ascii. If that is not what you mean, then please explain a little more.
NOTE: I suppose I could write out a log file of submissions w/form field content pairs sent via mail form before they are processed to get the exact characters typed into the form before they are converted to regular characters. The only thing is, the comparisons between stop words and the submitted info doesn't happen until after the form values are processed into its final regular letters and such then the comparisons for stop words are examined for possible spamming words.
|
 |
Prowler
Staff
Joined: Aug 14, 2000
# Posts: 1794
|
Posted: 2007-Feb-24 07:54
>> Do you mean they are using “%20” instead of ....
Yes. I have come across a Perl module to 'sanitize' input arising out of the use of such deliberately contrived messages somewhere here:
http://apt.sw.be/redhat/9/en/i386/dag/repodata/repoview/P.group.html
It is not worth the trouble of reinventing the wheel.
|
 |
Curt
Joined: Eons Ago
# Posts: 3736
|
Posted: 2007-Feb-26 19:13
Well, I went to that URL. There is such a huge list of modules listed that I have no idea of what to look for. I could spend days checking out all the URLs on that page. Another thing, I'm not familiar with the installation of perl modules on a server.
|
 |
Dinkar
Staff
Joined: Aug 12, 2001
# Posts: 4391
|
Posted: 2007-Feb-26 19:21
If they are using “%20” instead of space chara., then it means they are using url encoding to encode the input. Decode it using url decoding and then process it further.
|
 |
Curt
Joined: Eons Ago
# Posts: 3736
|
Posted: 2007-Feb-28 05:53
The “%20” was just an example I used for ASCII characters. Perhaps I won't know exactly what is being sent until I save the form results to a file before the name and value pairs are processed further.
I was wondering if some type of meta-character (don't know the actual name, but will call it a meta-character) is being submitted that is tricking the filter. It's like when the return character or line break character is used, it's there, but you don't see it. I was wondering if another such character could be inserted between letters without it showing up in the email. However, because the script does see the character, the word does not trip up the filters and thus the message gets through. Understand what I'm saying?
|
 |
Hampstead
Joined: Feb 20, 2001
# Posts: 2015
|
Posted: 2007-Feb-28 06:48
Why don't you install a pictogram to sift out spammers?
|
 |
g1smd
Staff
Joined: Jul 28, 2002
# Posts: 10438
|
Posted: 2007-Feb-28 14:47
You can have "invisible" characters, but then again, you can run a routine to sanitise the input before you feed it to the filters...
|
 |
Prowler
Staff
Joined: Aug 14, 2000
# Posts: 1794
|
Posted: 2007-Feb-28 15:22
If you are using something like the following to process the submitted data from the form -
it may not be adequate. You will be better off to use the CGI module to handle your form data - for starters.
You will need to strip out unsafe characters when you URLEncode and URLDecode. Check out the following page:
[link]
|
 |
Curt
Joined: Eons Ago
# Posts: 3736
|
Posted: 2007-Mar-01 02:00
Hampstead said:
Why don't you install a pictogram to sift out spammers?
I'm assuming you are talking about some sort of validation number that is shown to actual people and they need to enter that number that is randomly picked into the validation form field. If that is what you are talking, I already have that solution in place and it does indeed stop the spambots from submitting crap via the mail form script.
However, there are real people that send me crap that is promoting some site and the emails always contain certain words. I finally decided to stop those sorts of emails from getting through by setting up a stop words filter. As I said, the filter stops me when I use those stop words in an email message (when I tested it on myself), but for some reason it is not stopping a particular user or users from getting their messages through that contain those stop words.
g1smd said:
You can have "invisible" characters, but then again, you can run a routine to sanitise the input before you feed it to the filters...
Is there a list of invisible characters listed somewhere on the net so that I can check for them? That would be very helpful. URL please if you can, thanks
Prowler, thanks for your insights. Much appreciated
|
 |
Curt
Joined: Eons Ago
# Posts: 3736
|
Posted: 2007-Mar-01 02:30
More on invisible characters...
Suppose we have the word “viagra”. Is it possible to submit that word via a mail form and have an invisible character between the letters “a” and “g” but still show the word intact when I read the email in Mozilla? We would have it represented here as “via[invisible character]gra”, but Mozilla Thunderbird would display the word as “viagra”. What characters would do that? I don't know of any. If I knew all of those characters, I could do a search and replace so they don't trick the filters.
|
 |
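The sanitising routine g1smd suggests and the raw-input log Prowler suggests, sketched in Perl as an added example that is not code from any poster in this thread. The function names (`reveal`, `normalize`, `stop_words_in`), the one-word stop list and the sample submissions are all constructed for illustration, and the form values are assumed to arrive as UTF-8 bytes.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Encode qw(decode);

my @STOP_WORDS = qw(viagra);    # hypothetical list; the thread names one word

# For the log file: show every byte outside printable ASCII as \xNN, so
# hidden characters (and embedded line breaks) become visible on one line.
sub reveal {
    my ($bytes) = @_;
    $bytes =~ s/([^\x20-\x7E])/sprintf('\\x%02X', ord $1)/ge;
    return $bytes;
}

# Build the copy of the text that the filter should examine.
sub normalize {
    my ($bytes) = @_;
    $bytes =~ s/%([0-9A-Fa-f]{2})/chr(hex $1)/ge;   # leftover URL encoding
    my $text = decode('UTF-8', $bytes);             # bytes -> characters
    $text =~ s/\s+/ /g;                             # any whitespace -> one space
    $text =~ s/[\p{Cc}\p{Cf}]//g;                   # control + format (invisible)
    return lc $text;
}

sub stop_words_in {
    my ($bytes) = @_;
    my $text = normalize($bytes);
    return grep { index($text, $_) >= 0 } @STOP_WORDS;
}

# Constructed sample submissions, as raw bytes from the form.
my @samples = (
    "cheap viagra here",                # typed normally
    "cheap via\xE2\x80\x8Bgra here",    # U+200B ZERO WIDTH SPACE (UTF-8)
    "cheap vi\xC2\xADagra here",        # U+00AD SOFT HYPHEN (UTF-8)
    "cheap via%E2%80%8Bgra here",       # same character, still URL-encoded
    "a harmless question",
);

for my $raw (@samples) {
    my $verdict = stop_words_in($raw) ? 'BLOCK' : 'pass';
    printf "%-5s %s\n", $verdict, reveal($raw);
}
```

Matching on the Unicode categories `Cc` and `Cf` avoids maintaining a hand-written list of invisible characters; the message that is mailed on can stay unmodified, since only the filter's copy is normalised.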
costin_trifan
Joined: Feb 26, 2007
# Posts: 42
|
Posted: 2007-Apr-11 20:38
First of all, I suppose you have a contact page within your web site. Users can send you their e-mails using your form. Right?
If so, do you really think a spammer would visit your site every time he wants to send you a spam e-mail?? (I wouldn't)
I would make sure, instead, that I get your e-mail address and use my e-mail program to spam you.
Believe me, I have such a program
This is the only way a spammer can avoid your perl script from your page.
|
 |
Dinkar
Staff
Joined: Aug 12, 2001
# Posts: 4391
|
Posted: 2007-Apr-11 21:15
costin, you can't get his email address unless you use his perl script and he replied or sent "thank you" email to you. His email address is not on HTML page so your program can't collect it for you.
|
 |
costin_trifan
Joined: Feb 26, 2007
# Posts: 42
|
Posted: 2007-Apr-12 20:29
But what if it is??
I was referring to that situation when the email address is visible.
Some people do show their email address, by mistake, on other pages within their web site...
If you're right and there is no possibility of getting his email address then how are spammers sending him those emails??
Isn't that curious?
|
 |
costin_trifan
Joined: Feb 26, 2007
# Posts: 42
|
Posted: 2007-Apr-12 20:33
One more thing.
I didn't say that I have a program that collects email addresses from web sites.
I just have a program, written by me in VB, that sends emails. I use it to send emails instead of using Yahoo! or Google or Hotmail. It's more handy
If it's used by some people, it could be considered a spamming tool. But it isn't.
Cheers!
|
 |
Curt
Joined: Eons Ago
# Posts: 3736
|
Posted: 2007-Apr-12 23:27
There is no visible email address with which to contact me directly. And when the form cgi sends back a reply with copy of the sent email back to the sender, the email address shown is just a black hole with autoresponder. Email sent to the black hole never gets to my inbox.
At any rate, either the recent mods I've made have been successful at thwarting this spammer or the spammer has decided to not spam me anymore. I'm still not exactly clear how this certain spam was getting past a certain filter. Oh well—it's stopped for now and hopefully forever.
|
 |
costin_trifan
Joined: Feb 26, 2007
# Posts: 42
|
Posted: 2007-Apr-16 07:54
Remember what I said about collecting e-mails from web sites?
This is just an example: [link]
On the left hand side you can see the link send e-mail. Hover that link with your mouse and then look at the status bar! (You'll see the mail address)
|
 |
Hampstead
Joined: Feb 20, 2001
# Posts: 2015
|
Posted: 2007-Apr-16 14:21
Costin,
That's standard procedure and quite normal.
|
 |
Curt
Joined: Eons Ago
# Posts: 3736
|
Posted: 2007-Apr-20 15:51
costin_trifan said:
Remember what I said about collecting e-mails from web sites? ... On the left hand side you can see the link send e-mail. Hover that link with your mouse and then look at the status bar! (You'll see the mail address)
As I said, there is no email address in any form (that includes mouseovers, JavaScript generated, html, and all other methods). Any trace of email addresses were removed long ago and since this email address is new, there's no way a spammer could have gotten it.
Besides, the spam that got through was sent to me in the same layout fashion as the script sends it so somehow the script filters were circumvented. The only way they could have been circumvented was to send me an email with words containing invisible characters as was mentioned. It was a peculiarity at the time. But as I said, the spam has stopped since then and hopefully will not return. Thanks for your thoughts anyway, appreciated
|
 |