SMTPsvg.Mailer error

Discussion in 'ASP General' started by Mike H, Jan 27, 2007.

  1. Mike H

    Mike H Guest

    I'm using a block of ASP to allow a user to send a form via e-mail.
    However, someone keeps sending me spam through this form
    and they're using a bogus return address. I'm testing for a
    successful send, which should fail if the return address is
    not valid, but I'm still getting the junk.
    The block looks like this:

    Set Mailer = Server.CreateObject("SMTPsvg.Mailer")
    Mailer.RemoteHost = "smtp.xxx.com"
    ' Name and Email are taken directly from the query string
    Mailer.FromName = Request.QueryString("Name")
    Mailer.FromAddress = Request.QueryString("Email")
    Mailer.AddRecipient "Web Mail", ""
    Mailer.Subject = "P.C.T. E-mail"
    ' UserString is built elsewhere on the page (not shown)
    Mailer.BodyText = UserString
    If Mailer.SendMail Then
        Response.Write " - Successful - "
    Else
        Response.Write " - Failed - "
        ' Mailer.Response holds the error text from the failed send
        Response.Write Mailer.Response
    End If

    Should this block be stopping bogus From addresses?
    Or do I need to be doing something different?
     
    Mike H, Jan 27, 2007
    #1

  2. Mike wrote on Sat, 27 Jan 2007 12:13:00 -0800:

    > I'm using a block of ASP to allow a user to send a form via e-mail.
    > However, someone keeps sending me spam through this form
    > and they're using a bogus return address. I'm testing for a
    > successful send, which should fail if the return address is
    > not valid, but I'm still getting the junk.
    > The block looks like this:
    >
    > Set Mailer = Server.CreateObject("SMTPsvg.Mailer")
    > Mailer.RemoteHost = "smtp.xxx.com"
    > Mailer.FromName = Request.QueryString ("Name")
    > Mailer.FromAddress = Request.QueryString ("Email")
    > Mailer.AddRecipient "Web Mail", ""
    > Mailer.Subject = "P.C.T. E-mail"
    > Mailer.BodyText = UserString
    > if Mailer.SendMail then
    > Response.Write " - Successful - "
    > else
    > Response.Write " - Failed - "
    > Response.Write Mailer.Response
    > end if
    >
    > Should this block be stopping bogus From addresses?
    > Or do I need to be doing something different?


    That mailer component cannot verify if the from address is valid or not - to
    do so would require it to connect to the destination server for that domain
    and then determine if the address exists; either start a dummy SMTP
    conversation sending to that address and looking for an error response, or
    use the verify command to ask if the address exists - although most
    servers that support ESMTP should have the VRFY command disabled if they
    have any sense, as it can be used to pull a list of valid addresses from a
    server using a dictionary scan. What would happen if the server was down?
    Would you want the message rejected? What if the message was legitimate, but
    the person's ISP was having some mail server issues at the time?

    There really is very little you can do to block someone spamming you this
    way if they're persistent. You could look for specific strings in the
    UserString variable and reject on that (such as web addresses, or certain
    words). You could add a random number + check digit as hidden fields, and
    have your code verify that they match before accepting the rest of the
    data - this prevents direct use of the form from a script, but won't prevent
    one that pulls the form HTML from the server prior to generating the
    necessary POST data string to send back to ensure it's complete.

    I've had problems with spam to a customer comment system on one of my own
    sites in the past; luckily all comments require admin moderation before
    being published to the site, so the spam never got displayed to the public -
    I used a combination of variable inspection (rejecting all submissions that
    had a URL in the title, which most of the spam ones did), and the random
    number + check digit (which stopped the ones that didn't have a URL in the
    title field, but were being posted from a script).

    Dan
     
    Daniel Crichton, Jan 29, 2007
    #2

  3. Mike H

    Mike H Guest

    Thanks for the reply.
    I was considering the random number scheme previously,
    but I don't know if the spammer is sitting at the keyboard
    or if it's automated. Two months ago, he sent 30 messages
    in a single day (twice), and I don't know why an automated
    system would do that, nor why someone at the keyboard
    would waste that much time.
    For the time being, I've disabled the mail handler page.
     
    Mike H, Jan 29, 2007
    #3
  4. Mike wrote on Mon, 29 Jan 2007 09:11:02 -0800:

    > Thanks for the reply.
    > I was considering the random number scheme previously,
    > but I don't know if the spammer is sitting at the keyboard
    > or if it's automated. Two months ago, he sent 30 messages
    > in a single day (twice), and I don't know why an automated
    > system would do that, nor why someone at the keyboard
    > would waste that much time.
    > For the time being, I've disabled the mail handler page.



    Do these comments get posted anywhere on a web page? If so, and the spam is
    full of URLs, it's being done to increase the number of links back to the
    URL, and in doing so will increase Google Page Rank. This is what was being
    done on my site, and the random number field plus filtering on URLs stopped
    it dead. It probably is automated; it's pretty easy to write a script that
    navigates sites looking for forms that ask for a set of information (such as
    "email address" and "comment"), and then post to them using the form data as
    it was presented at the time the form HTML was retrieved. What you need to
    be careful of is that even here the random number + check digit will allow
    the form to be posted unless your random number and/or check digit
    calculation is also site time dependent. For instance, factor in the current
    date into the calculation somehow.

    Dan
     
    Daniel Crichton, Jan 30, 2007
    #4
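
Added example, not part of any post in this thread: a sketch of the hidden-field scheme from replies #2 and #4, with the form's issue time factored into the check value, followed by the URL filter on the message body. It is written in Python rather than the thread's ASP, swaps the "check digit" for an HMAC (a keyed check value), and all names and the one-hour limit are assumptions.

```python
import hashlib
import hmac
import re
import secrets
import time

# Assumption: a server-side secret that never appears in the form HTML.
SECRET = b"constructed-demo-secret-change-me"
MAX_AGE = 3600  # assumed limit: a fetched form stops being postable after an hour
URL_RE = re.compile(r"(?i)\b(?:https?://|www\.)\S+")


def _mac(nonce: str, issued: int) -> str:
    """Keyed check value over the random number and the issue time."""
    msg = f"{nonce}.{issued}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def issue_token(now=None) -> str:
    """Hidden-field value: random number, issue time, check value."""
    issued = int(time.time() if now is None else now)
    nonce = secrets.token_hex(8)
    return f"{nonce}.{issued}.{_mac(nonce, issued)}"


def check_token(token: str, now=None) -> str:
    """Return 'ok' or the reason the hidden field is rejected."""
    try:
        nonce, issued_s, mac = token.split(".")
        issued = int(issued_s)
    except ValueError:
        return "malformed"
    # Constant-time comparison; bytes so non-ASCII input cannot raise.
    if not hmac.compare_digest(mac.encode(), _mac(nonce, issued).encode()):
        return "bad check value"
    age = int(time.time() if now is None else now) - issued
    return "ok" if 0 <= age <= MAX_AGE else "expired"


def check_submission(token: str, body: str, now=None) -> str:
    """Token check first, then reject bodies that contain a web address."""
    verdict = check_token(token, now)
    if verdict != "ok":
        return verdict
    return "contains URL" if URL_RE.search(body) else "ok"
```

A script that fetches the form and posts it back within the time limit still passes the token check, as reply #2 points out; the URL filter is what catches that case.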
  5. Mike H

    Mike H Guest

    > "Daniel Crichton" wrote:
    > Do these comments get posted anywhere on a web page? If so, and the spam is
    > full of URLs, it's being done to increase the number of links back to the
    > URL, and in doing so will increase Google Page Rank. This is what was being
    > done on my site, and the random number field plus filtering on URLs stopped
    > it dead. It probably is automated; it's pretty easy to write a script that
    > navigates sites looking for forms that ask for a set of information (such as
    > "email address" and "comment"), and then post to them using the form data as
    > it was presented at the time the form HTML was retrieved. What you need to
    > be careful of is that even here the random number + check digit will allow
    > the form to be posted unless your random number and/or check digit
    > calculation is also site time dependent. For instance, factor in the current
    > date into the calculation somehow.


    The comments don't get posted anywhere, they're just e-mailed to me.
    But they include links to porn and pills web sites, so I guess he thinks
    they're posted somewhere. I wonder if changing form text and variable
    to nonstandard wording would throw off his bot?
     
    Mike H, Jan 30, 2007
    #5