Kill Web Form SPAM

Somewhere in Tehran, the terrorist sits in the dark staring at the glow of a large CRT circa 2002 in a nondescript rundown building. Even though it’s a mild 70F outside, he still wears the dirty lime green t-shirt and faded desert camouflage fatigues. His wife patrols the streets in a black chador from a military jeep brandishing an AK-47. It may be exotic Persia, but poverty reigns and he idly remembers something about a new thief to be hung from the crane down the street today.

The monitor is so large that there is barely enough room for the keyboard and a large ashtray overflowing with Marlboro cigarette butts. He knows more than enough to be dangerous, but is actually running a nearly 20-year-old script to connect directly to a website script code that e-mails bogus contact information, along with some gibberish comments sprinkled with links to ads or malicious sites. A third of the time, Johnny Jihad has a 10-year-old beauty of a program that can actually traverse web forms and submit the fake information. Since the posts only go to the website owners, the goal is simply to harass infidels and clog the networks of web hosts and ISPs. If the pampered and morally corrupt enemies are stupid enough to also carbon the supposed prospect, then stolen lists of actual e-mail addresses may be used for the open relay. If just half of 1% of the links are clicked from the millions of messages sent every day, the ad revenue balloons to over $20,000 per day. Also daily, another one thousand or so personal computers are compromised to gather sensitive information or enslave in other zombie denial of service attacks. The favorites are currently Macs and iPhones/iPads with the arrogance of no thought toward security while trojans gather more private information in the last year than in the previous 30.

Can you tell I just saw Argo? All fiction aside, web form SPAM is becoming a hassle like our airport security and I wanted to share my experience and hopefully help others. Nearly 5 years ago, we moved several of our websites to Network Solutions – no plug as it could have been anybody such as GoDaddy or whoever, but our external DNS was managed there and it made sense. For the 5 bucks per month with 300GB of space, you just could no longer justify a server with the surrounding maintenance, upgrades, and security issues. Somewhere along the way we created a web form on our contact page and it remained largely intact when we converted all sites to HTML 5 at the beginning of this year.

Unless you purchase premium web development packages, Network Solutions is fairly secretive about their SMTP server and only provides a limit of 5 standard CGI scripts from like 1989 for web forms. The look definitely seems from that era, and we took the relevant code and placed it in a modern contact page. An old-school CGI script was required, but no account names or passwords were listed, and who would take the time to SPAM just us through a contact form, right? Well, the SPAM started a couple of months ago, at first just a few a day. Then it spread to our other sites, and we began to get dozens from each site per day.

Some of you are probably thinking, “You idiot. It’s called Captcha.” The problem with Captcha is that it is a poor solution and a deterrent for users. No one can really read the funny-looking numbers and letters to type them back. If you click on a Captcha audio link, you just hear some alien animal noises from another dimension between the thumping of broken heavy metal speakers. So we added a pulldown field that bots couldn’t possibly select. We quickly found that if we changed the fields, the terrorist was simply accessing the script directly and could send any fields that he chose.

As usually happens, the world has changed, and what was formerly hardly ever used is now the norm: entering information on a landing page in a give-get exchange for an eBook or similar giveaway. To get in the ballgame and not be limited to 5 forms, we decided to convert our contact pages from HTML 5 to ASPX and use server-side validation instead of Captcha. The short story is that Network Solutions’ SMTP server is localhost with no authentication. We deal with organizations and not consumers, which is why we qualify a person’s role, want to know how many employees, and review the website. Formatting must be correct for things like phone or e-mail, and you’ve got to select something from the pulldown lists and cannot simply hit Enter. If necessary, we can also add dynamic simple SPAM questions and answers like “Is ice hot or cold?” to further deter bots. After the form is posted, we acknowledge and thank you for the submittal, along with offering the ability to follow on social media. The only way to return to the form is by clicking the Reset button.
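The rules in the last two paragraphs (the bot that skips the form and posts straight at the script; required fields, format checks, a real choice from each pull-down, and a simple anti-spam question) are language-independent, so here they are as a small server-side validator. This is an added example written for this article, not code from the post or from Network Solutions. The pull-down values are the ones on the page’s form and the field names match the ASPX control IDs; the SpamAnswer field, the e-mail and phone patterns, and the link limit are assumptions, and both submissions are constructed samples.

```python
import re

# Allowed pull-down values, mirroring the ListItems on the page's form.
ROLES = {"CEO/President", "Accounting/CFO", "Operations/Administration", "Sales/Marketing"}
EMPLOYEE_BANDS = {"1 - 10", "11 - 25", "26 - 250", "251 - 1,000", "1,000+"}
PLACEHOLDER = "- Please Select -"

# Every field the handler insists on; a direct post may simply omit some of them.
REQUIRED = ("Company", "Name", "Phone", "Email", "Role", "Employees", "Comment", "SpamAnswer")

# Format rules. WEBSITE_RE is the page's own validator expression, anchored and with the
# hyphen moved to the end of the class (Python rejects "\w-" as a range). The e-mail and
# phone patterns are assumptions; the post does not show its own.
EMAIL_RE = re.compile(r"^[\w.+-]+@(?:[\w-]+\.)+[A-Za-z]{2,}$")
PHONE_RE = re.compile(r"^\+?[\d\s().-]{7,20}$")
WEBSITE_RE = re.compile(r"^(?:[\w-]+\.)+[\w-]+(?:/[\w ./?%&=-]*)?$")
LINK_RE = re.compile(r"https?://|www\.", re.IGNORECASE)
MAX_COMMENT_LINKS = 1  # assumed policy: a prospect may cite one site; link-stuffed gibberish is spam


def validate_submission(fields, expected_answer):
    """Return a list of error strings; an empty list means the post may be mailed on.

    fields is the raw POST dictionary. Nothing about the form layout is trusted: a bot
    that skips the page and posts straight at the handler may omit fields, leave a
    pull-down on its placeholder, or send values the list never offered.
    """
    errors = []
    # Work on stripped copies; a direct post can carry None or whitespace.
    f = {name: (value or "").strip() for name, value in fields.items()}

    for name in REQUIRED:
        if not f.get(name):
            errors.append(f"{name}: required")

    if f.get("Email") and not EMAIL_RE.match(f["Email"]):
        errors.append("Email: invalid format")
    if f.get("Phone") and not PHONE_RE.match(f["Phone"]):
        errors.append("Phone: invalid format")
    if f.get("Website") and not WEBSITE_RE.match(f["Website"]):
        errors.append("Website: invalid format")

    # Pull-downs: reject the placeholder and anything outside the list, not just the
    # placeholder; otherwise a direct post can carry arbitrary text into the e-mail.
    if f.get("Role") and f["Role"] not in ROLES:
        errors.append("Role: select a value from the list")
    if f.get("Employees") and f["Employees"] not in EMPLOYEE_BANDS:
        errors.append("Employees: select a value from the list")

    # Anti-spam question, compared case-insensitively ("Is ice hot or cold?" -> "cold").
    if f.get("SpamAnswer") and f["SpamAnswer"].casefold() != expected_answer.casefold():
        errors.append("SpamAnswer: wrong answer to the anti-spam question")

    if len(LINK_RE.findall(f.get("Comment", ""))) > MAX_COMMENT_LINKS:
        errors.append("Comment: too many links")

    return errors


# Constructed sample submissions (not real data).
GENUINE = {
    "Company": "Acme Widgets", "Name": "Pat Example", "Phone": "(555) 010-0123",
    "Email": "pat@example.com", "Website": "www.example.com/about",
    "Role": "Operations/Administration", "Employees": "26 - 250",
    "Comment": "We need help with our backups. See www.example.com for context.",
    "SpamAnswer": "Cold",
}

# A direct post to the handler: Role left on the placeholder, an Employees value the list
# never offered, a bogus e-mail, a link-stuffed comment and no anti-spam answer.
DIRECT_POST = {
    "Company": "zzzz", "Name": "", "Phone": "12", "Email": "not-an-address",
    "Role": PLACEHOLDER, "Employees": "buy now",
    "Comment": "cheap pills http://spam.example/a http://spam.example/b",
    "SpamAnswer": "",
}

if __name__ == "__main__":
    for label, post in (("genuine", GENUINE), ("direct post", DIRECT_POST)):
        errs = validate_submission(post, "cold")
        print(f"{label}: {'accepted' if not errs else 'rejected'}")
        for err in errs:
            print("  ", err)
```

The point of the whitelist check on the pull-downs is the one the post learned the hard way: a RequiredFieldValidator that only tests for the placeholder still lets a direct post send any text it likes, so the server compares against the list of values it actually offered.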

WARNING ALL TERRORISTS: I don’t care if you’re Johnny Jihad, Red Menace, Mafia, or Hillbilly Joe that can’t get enough of Honey Boo Boo. We also get your IP address. Don’t motivate us further. Spoof all you like. We’ll find you. Oh, don’t worry, we won’t download the code to scramble hard drives and then pop BIOS to brick your machines. We’ll watch, listen, and learn. The authorities and relevant commercial entities will be quite pleased with the information. Getting outed on Reddit or Facebook will also help your cause.

This solution assumes ASPX pages with VB.NET code and is specific to Network Solutions. While not shown in this example, if you must supply an e-mail address and password for an SMTP server, put that information in web.config, which ASP.NET will not serve to a browser the way it serves other pages. Change formatting and fields as desired. Enjoy!
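As an added illustration of that advice (not part of the original post and not Network Solutions’ configuration, whose server is localhost with no login), this is the standard ASP.NET home for SMTP credentials, the system.net/mailSettings section of web.config, with placeholder values:

```xml
<configuration>
  <system.net>
    <mailSettings>
      <!-- Placeholder values; substitute your provider's host, port and account. -->
      <smtp deliveryMethod="Network" from="noreply@example.com">
        <network host="smtp.example.com" port="587" enableSsl="true"
                 userName="SMTP_USER_PLACEHOLDER" password="SMTP_PASSWORD_PLACEHOLDER" />
      </smtp>
    </mailSettings>
  </system.net>
</configuration>
```

With this section present, the code-behind creates the client as New System.Net.Mail.SmtpClient() with no host argument and does not set UseDefaultCredentials (that setting would override the configured account); host, port and credentials come from the section. Requests for *.config files are refused by ASP.NET, which is why the file can hold the secret while the .aspx source, whose markup is visible to anyone who views it, cannot.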

CSS:

/* Styles for Contact */
#contact-l {
width: 450px;
margin: 0;
padding: 0;
float: left;
}
input {
margin: 5px;
width: 180px;
}
select {
margin: 6px;
width: 185px;
}
textarea {
width: 300px;
height: 150px;
margin-left: 5px;
}
.button {
width: 100px;
margin-top:10px;
margin-left: 150px;
}
.label {
display: block;
width: 70px;
float: left;
text-align: right;
margin-right: 10px;
margin-top: 5px;
}
#contact-l form {
padding: 10px;
margin: 10px;
width: 430px;
}

Form code example from CONTACT.ASPX:

<div id="contact-l">

<form runat="server">
<asp:MultiView ID="MyForm" runat="server" ActiveViewIndex="0">

<%-- View 0 holds the fields. SubmitFormClick enumerates Me.FormContent.Controls, so this view carries ID="FormContent" and every input is a direct child of it. The rows for Company, Name, Phone, E-mail and Role were cut short in the original listing and are reconstructed here after the pattern of the Website and Employees rows; the phone and e-mail validation expressions are assumptions. --%>
<asp:View ID="FormContent" runat="server">

<asp:Label id="companylbl" cssclass="label" runat="server" Text="Company"></asp:Label><asp:TextBox id="Company" runat="server" TabIndex="1"></asp:TextBox><asp:RequiredFieldValidator id="RequiredFieldValidator1" runat="server" ControlToValidate="Company" ErrorMessage="Required"></asp:RequiredFieldValidator><br>

<asp:Label id="namelbl" cssclass="label" runat="server" Text="Name"></asp:Label><asp:TextBox id="Name" runat="server" TabIndex="2"></asp:TextBox><asp:RequiredFieldValidator id="RequiredFieldValidator2" runat="server" ControlToValidate="Name" ErrorMessage="Required"></asp:RequiredFieldValidator><br>

<asp:Label id="phonelbl" cssclass="label" runat="server" Text="Phone"></asp:Label><asp:TextBox id="Phone" runat="server" TabIndex="3"></asp:TextBox><asp:RequiredFieldValidator id="RequiredFieldValidator3" runat="server" ControlToValidate="Phone" ErrorMessage="Required"></asp:RequiredFieldValidator><asp:RegularExpressionValidator id="RegularExpressionValidator1" ControlToValidate="Phone" runat="server" ErrorMessage="Invalid" ValidationExpression="\+?[\d\s().-]{7,20}"></asp:RegularExpressionValidator><br>

<asp:Label id="emaillbl" cssclass="label" runat="server" Text="E-mail"></asp:Label><asp:TextBox id="Email" runat="server" TabIndex="4"></asp:TextBox><asp:RequiredFieldValidator id="RequiredFieldValidator4" runat="server" ControlToValidate="Email" ErrorMessage="Required"></asp:RequiredFieldValidator><asp:RegularExpressionValidator id="RegularExpressionValidator2" ControlToValidate="Email" runat="server" ErrorMessage="Invalid" ValidationExpression="[\w.+-]+@([\w-]+\.)+[A-Za-z]{2,}"></asp:RegularExpressionValidator><br>

<asp:Label id="websitelbl" cssclass="label" runat="server" Text="Website"></asp:Label><asp:TextBox id="Website" runat="server" TabIndex="5"></asp:TextBox><asp:RegularExpressionValidator id="RegularExpressionValidator3" ControlToValidate="Website" runat="server" ErrorMessage="Invalid" ValidationExpression="([\w-]+\.)+[\w-]+(/[\w- ./?%&amp;=]*)?"></asp:RegularExpressionValidator><br>

<asp:Label id="rolelbl" cssclass="label" runat="server" Text="Role"></asp:Label><asp:DropDownList id="Role" runat="server" TabIndex="6">
<asp:ListItem>- Please Select -</asp:ListItem>
<asp:ListItem Value="CEO/President"></asp:ListItem>
<asp:ListItem Value="Accounting/CFO"></asp:ListItem>
<asp:ListItem Value="Operations/Administration"></asp:ListItem>
<asp:ListItem Value="Sales/Marketing"></asp:ListItem>
</asp:DropDownList><asp:RequiredFieldValidator id="RequiredFieldValidator6" runat="server" ControlToValidate="Role" ErrorMessage="Required" InitialValue="- Please Select -"></asp:RequiredFieldValidator><br>

<asp:Label id="employeeslbl" cssclass="label" runat="server" Text="Employees"></asp:Label><asp:DropDownList id="Employees" runat="server" TabIndex="7">
<asp:ListItem>- Please Select -</asp:ListItem>
<asp:ListItem Value="1 – 10"></asp:ListItem>
<asp:ListItem Value="11 – 25"></asp:ListItem>
<asp:ListItem Value="26 – 250"></asp:ListItem>
<asp:ListItem Value="251 – 1,000"></asp:ListItem>
<asp:ListItem Value="1,000+"></asp:ListItem>
</asp:DropDownList><asp:RequiredFieldValidator id="RequiredFieldValidator7" runat="server" ControlToValidate="Employees" ErrorMessage="Required" InitialValue="- Please Select -"></asp:RequiredFieldValidator><br>

<asp:Label id="commentlbl" runat="server" cssclass="label" Text="Comment"></asp:Label><asp:TextBox id="Comment" runat="server" columns="45" rows="10" TabIndex="8" TextMode="MultiLine"></asp:TextBox><asp:RequiredFieldValidator id="RequiredFieldValidator5" runat="server" ControlToValidate="Comment" ErrorMessage="Required"></asp:RequiredFieldValidator><br>

<asp:ValidationSummary ID="ValidationSummary1" runat="server" CssClass="ValidateMessage" ForeColor="" ShowMessageBox="True" ShowSummary="False" />

<%-- The submit button was missing from the original listing; it wires the post to SubmitFormClick below. --%>
<asp:Button id="Submit" cssclass="button" runat="server" OnClick="SubmitFormClick" Text="Submit" TabIndex="9" />
</asp:View>

<asp:View ID="FormConfirmationMessage" runat="server"><p>Your message has been sent. <strong>Thank you</strong> for contacting us. View <a href="terms.htm">terms</a> for our privacy policy.</p><p>Keep up with the latest business trends and technology:</p>
<ul><li><p><a href="http://blog.matrixforce.com" target="_blank">Managed Services Blog</a></p></li>
<li><p><a href="http://twitter.com/matrixforce" target="_blank">Matrixforce Twitter Feed</a></p></li>
<li><p><a href="http://www.linkedin.com/company/matrixforce-corporation" target="_blank">Matrixforce LinkedIn Profile</a></p></li>
<li><p><a href="http://www.youtube.com/user/matrixforce" target="_blank">Matrixforce YouTube Channel</a></p></li></ul>
<asp:Button id="Reset" cssclass="button" runat="server" OnClick="ResetFormClick" Text="Reset" />
</asp:View>

<asp:View ID="FormErrorMessage" runat="server">Due to technical difficulty, your message may NOT have been sent.</asp:View>

<asp:View ID="FormSpamMessage" runat="server">You did not correctly answer the anti-spam question. Please go back and try again.</asp:View>

</asp:MultiView>
</form>

<script runat="server">
' View indexes in MyForm: 0 = FormContent, 1 = FormConfirmationMessage, 2 = FormErrorMessage, 3 = FormSpamMessage.

Protected Sub ResetFormClick(ByVal sender As Object, ByVal e As System.EventArgs)
    ' A fresh GET of the page brings the empty form back; the only way back from the thank-you view.
    Response.Redirect("contact.aspx")
End Sub

Protected Sub SubmitFormClick(ByVal sender As Object, ByVal e As System.EventArgs)
    ' The validators run again on the server no matter what the client did, so a post
    ' that skips the form and fails a rule never reaches the mail code.
    If Not Page.IsValid Then Exit Sub
    Dim SendResultsTo As String = "lead@virtualcio.com"
    Dim smtpMailServer As String = "localhost"
    Dim MailSubject As String = "Virtual CIO Contact Results"
    Try
        Dim FromEmail As String = "noreply@networksolutions.com"
        ' Fully qualified so the page needs no Import directive.
        Dim msgBody As System.Text.StringBuilder = New System.Text.StringBuilder()
        ' Walk the direct children of the FormContent view and record each input by its ID.
        For Each c As Control In Me.FormContent.Controls
            Select Case c.GetType().ToString()
                Case "System.Web.UI.WebControls.TextBox"
                    Dim txt As TextBox = CType(c, TextBox)
                    msgBody.Append(txt.ID & ": " & txt.Text & vbCrLf & vbCrLf)
                Case "System.Web.UI.WebControls.CheckBox"
                    Dim chk As CheckBox = CType(c, CheckBox)
                    msgBody.Append(chk.ID & ": " & chk.Checked & vbCrLf & vbCrLf)
                Case "System.Web.UI.WebControls.RadioButton"
                    Dim rad As RadioButton = CType(c, RadioButton)
                    msgBody.Append(rad.ID & ": " & rad.Checked & vbCrLf & vbCrLf)
                Case "System.Web.UI.WebControls.DropDownList"
                    Dim ddl As DropDownList = CType(c, DropDownList)
                    msgBody.Append(ddl.ID & ": " & ddl.SelectedValue & vbCrLf & vbCrLf)
            End Select
        Next
        msgBody.AppendLine()
        ' Record the sender's browser and address; UserHostAddress is the address that made
        ' the post (behind a proxy or load balancer it is the proxy's address).
        msgBody.Append("Browser: " & Request.UserAgent & vbCrLf & vbCrLf)
        msgBody.Append("IP Address: " & Request.UserHostAddress & vbCrLf & vbCrLf)
        msgBody.Append("Server Date & Time: " & DateTime.Now & vbCrLf & vbCrLf)
        Dim myMessage As System.Net.Mail.MailMessage = New System.Net.Mail.MailMessage()
        myMessage.To.Add(SendResultsTo)
        myMessage.From = New System.Net.Mail.MailAddress(FromEmail)
        myMessage.Subject = MailSubject
        myMessage.Body = msgBody.ToString()
        myMessage.IsBodyHtml = False
        ' Network Solutions relays from localhost without a login; hosts that need one take
        ' their credentials from web.config instead of the page.
        Dim MailObj As New System.Net.Mail.SmtpClient(smtpMailServer)
        MailObj.UseDefaultCredentials = True
        MailObj.Send(myMessage)
        Me.MyForm.ActiveViewIndex = 1
    Catch
        Me.MyForm.ActiveViewIndex = 2
    End Try
End Sub
</script>
</div>
