UnitedForums - UK Web Hosting Forum UnitedHosting Community Hosting Forums
Old 25th November 2003, 11:09 PM   #1 (permalink)
loki
Regular Member
 
Join Date: Dec 2002
Location: barcelona
Posts: 72
spammers reading my perlscripts?

i've been bombarded with spam since sunday to a webmaster2@domain.com address. this address is used in a perlscript form that also sends to 2 other accounts, so i was pretty sure it was lifted from an email generated by the form.

the addys are NOT on the html page, only in the script.

i changed my addy to webmaster@domain.com and within 12 hours started getting spam to that new address, plus the other 2.

maybe i'm wrong, but this would seem to point at a programme that is reading my serverside perlscripts.

is that possible? if so, what is the next step against hiding addys from nasty bots?
__________________
seo barcelona spain
Old 26th November 2003, 12:06 AM   #2 (permalink)
leafish_paul
web monkey
 
Join Date: Apr 2003
Location: North Wales
Posts: 331
I shouldn't think bots can scan through Perl scripts and PHP source... they are just agents which can only retrieve what the web server is spitting out - ie HTML... I could be wrong there, though. Perhaps they can scan the cgi-bin folder if it's publicly accessible or something? Not sure... anyone?

You could try encoding the e-mail addresses outputted to pages using HTML entities (using something like this), but a lot of the bots get around this easily.

A better plan, if you can find/compile a decent list of email harvesters and other nasty spiders and bots, is blocking em completely using .htaccess.

There's a (very!) short discussion here.

Hope it helps.
__________________
paul byrne - web monkey
paul.leafish.co.uk | www.leafish.co.uk

Last edited by leafish_paul : 26th November 2003 at 12:12 AM.
Old 26th November 2003, 10:58 AM   #3 (permalink)
loki
Regular Member
 
Join Date: Dec 2002
Location: barcelona
Posts: 72
the problem i see with both of these ideas is that you only need to miss one bot, and you're knackered. the list might be current today but tomorrow?

i'm not a tech, but i am surprised that these spam bots can not only get into my cgi-bin, but also update their database within hours. doesn't really make sense so i suspect there's something else at work here.

and thanks.
__________________
seo barcelona spain
Old 26th November 2003, 12:31 PM   #4 (permalink)
leafish_paul
web monkey
 
Join Date: Apr 2003
Location: North Wales
Posts: 331
Quote:
Originally posted by loki
the problem i see with both of these ideas is that you only need to miss one bot, and you're knackered. the list might be current today but tomorrow?
You're totally right there... trying to keep a list like this updated is a pain. I've given up: it's far too time consuming! On another downer, I've just been told a lot of the more sophisticated bots use random strings for the User-Agent string... perhaps we should all just revert back to the old school 'email at yourdomain dot com' stylee... ;)

(If anyone wants to implement something like this anyway - it keeps some of em away - there's some good examples at http://www.searchengineworld.com/sitesearch/index.cgi - just search for "perfect .htaccess" - cheers D for that...)

Quote:
Originally posted by loki
...but i am surprised that these spam bots can not only get into my cgi-bin,
This should not be possible on a sensible set up of Apache... which I am certain UH have...

Just a thought - are you sure of the integrity of all the e-mail addresses you are sending mail to?
__________________
paul byrne - web monkey
paul.leafish.co.uk | www.leafish.co.uk

Last edited by leafish_paul : 26th November 2003 at 12:36 PM.
Old 26th November 2003, 12:45 PM   #5 (permalink)
loki
Regular Member
 
Join Date: Dec 2002
Location: barcelona
Posts: 72
that's the thing...

i rarely had used webmaster2@ in the past and had never used webmaster@, not even once.

(the spam header went from one to the other in 12 hours.)

maybe it bounced on them and they took a lucky guess but i can't imagine spammers spending much time analysing bounced email addys. now there's a picture!

one note, the .pl file is not in my cgi-bin. but in my perl directory, as per UH instructions.
__________________
seo barcelona spain
Old 26th November 2003, 12:56 PM   #6 (permalink)
UH-Matt
Administrator
 
Join Date: Oct 2002
Location: London, UK
Posts: 8,127
They are not "getting in" to your cgi-bin or any other area of the account. They are getting these email addresses from somewhere visible to a client/browser.
__________________
.
Matt
UnitedHosting Staff

For official support please use our helpdesk at UnitedSupport.co.uk

UnitedHosting proudly hosting more than 20,000 sites since 1998.
Old 26th November 2003, 01:11 PM   #7 (permalink)
leafish_paul
web monkey
 
Join Date: Apr 2003
Location: North Wales
Posts: 331
Didn't think so!

Here's a nice article on stopping bad bots from the peeps at evolt.org.
__________________
paul byrne - web monkey
paul.leafish.co.uk | www.leafish.co.uk
Old 26th November 2003, 01:41 PM   #8 (permalink)
loki
Regular Member
 
Join Date: Dec 2002
Location: barcelona
Posts: 72
matt,

i know just enough about servers to know that i don't know what i'm talking about. in any case, i believe you know what you are doing.

my question is not how did they get hold of webmaster2@ (was using the %40 trick on a few contact pages so it may have come from there), but how the hell did they get webmaster@ ?

i hadn't had time to change the %40 addys and they picked up on my change to my perlscript within 12 hours...
__________________
seo barcelona spain
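
The posts above mention HTML entities and the %40 trick as ways of hiding an address in a page. As an added example (not code from this thread), this self-audit shows which addresses a client can recover from served HTML and how little decoding each needs; the sample page and the example.com addresses are constructed.

```python
import html
import re
from urllib.parse import unquote

# Simple address pattern, adequate for auditing your own pages.
EMAIL_RE = re.compile(r"[A-Za-z0-9._+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed sample of served HTML (all addresses are made up).
SAMPLE_PAGE = (
    '<p>Contact: <a href="mailto:webmaster2%40example.com">mail us</a></p>\n'
    '<p>Sales: francois&#64;example&#46;com</p>\n'
    '<p>Office: jpoch@example.com</p>\n'
    '<p>Write to info at example dot com</p>\n'
)

def exposed_addresses(served_html):
    """Map each address a client can recover to the decoding it took."""
    # Ordered from no decoding to the most decoding.
    views = [
        ("plain", served_html),
        ("html-entities", html.unescape(served_html)),
        ("percent-encoded", unquote(served_html)),
        ("entities+percent", unquote(html.unescape(served_html))),
    ]
    found = {}
    for label, text in views:
        for addr in EMAIL_RE.findall(text):
            # Keep the first (weakest) decoding that reveals the address.
            found.setdefault(addr.lower(), label)
    return found

if __name__ == "__main__":
    for addr, how in exposed_addresses(SAMPLE_PAGE).items():
        print(f"{addr:28} recoverable via: {how}")
```

Run it over the saved output of every page and script on the site (what the web server sends, not the source files); any address it reports is visible to a client.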
Old 26th November 2003, 01:52 PM   #9 (permalink)
loki
Regular Member
 
Join Date: Dec 2002
Location: barcelona
Posts: 72
in response to the article linked by leafish_paul

even if i were prepared to spend the time configging mod-rewrite and monitoring my log files every month for the rest of my life (i'm not), the problem is that it is retrospective.

by the time i identify and ban a spiderbot, it's already got me.
__________________
seo barcelona spain
Old 26th November 2003, 01:53 PM   #10 (permalink)
UH-Matt
Administrator
 
Join Date: Oct 2002
Location: London, UK
Posts: 8,127
webmaster@ could be random.

We get emails to all sorts of addresses at our domains, half of them are email addresses which have never even been used.

It's logical for a spammer to try webmaster@ a domain, as it's a logical address which would "probably" be active.
__________________
.
Matt
UnitedHosting Staff

For official support please use our helpdesk at UnitedSupport.co.uk

UnitedHosting proudly hosting more than 20,000 sites since 1998.
Old 26th November 2003, 02:27 PM   #11 (permalink)
loki
Regular Member
 
Join Date: Dec 2002
Location: barcelona
Posts: 72
let's go back to the beginning of the thread.

starting on the weekend i was getting massive spam from one jerk in particular to <francois@whatever.com>; <jpoch@whatever.com>; <webmaster2@whatever.com>;

i changed this last addy in my perlscript to <webmaster@whatever.com>; on sunday night.

monday morning i was getting the same crap to
<francois@whatever.com>; <jpoch@whatever.com>; <webmaster@whatever.com>;

way too much of a coincidence to be your scenario.
__________________
seo barcelona spain
Old 26th November 2003, 02:27 PM   #12 (permalink)
Patch
The Judge
 
Join Date: Sep 2003
Location: 48° 58' 06.08" N 2° 07' 22.10" E
Posts: 1,439
Addresses such as webmaster@domain.com are used by spammers simply because it's such a common email address: as Matt says, it's random, and also unlikely to be redirected to the bin!

Likewise for addresses such as enquiries@domain.com and sales@domain.com

regards

Patch
__________________
Whoever undertakes to set himself up as judge in the field of truth and knowledge is shipwrecked by the laughter of the Gods.
Old 26th November 2003, 02:36 PM   #13 (permalink)
loki
Regular Member
 
Join Date: Dec 2002
Location: barcelona
Posts: 72
i understand you, it seems you don't understand me.

these 3 addys are together in the to: line

you really think it's a coincidence that they were sending to

<francois@whatever.com>; <jpoch@whatever.com>; <webmaster2@whatever.com>

and then for the hell of it decided to send to

<francois@whatever.com>; <jpoch@whatever.com>; <webmaster@whatever.com>

precisely when i changed my script?
__________________
seo barcelona spain

Last edited by loki : 26th November 2003 at 03:58 PM.
Old 27th November 2003, 03:42 PM   #14 (permalink)
leafish_paul
web monkey
 
Join Date: Apr 2003
Location: North Wales
Posts: 331
Quote:
Originally posted by loki
even if i were prepared to spend the time configging mod-rewrite and monitoring my log files every month for the rest of my life(i'm not), the problem is that it is retrospective.

by the time i identify and ban a spiderbot, it's already got me.
This is true, but by spending a little time setting up a decent .htaccess for a new domain using existing spider lists and threads/articles posted on this and other sites/forums, you can minimise a lot of the crap you would otherwise get as a result of these spiders harvesting e-mails from your site. Checking a regularly updated list and amending your .htaccess say once a month would take 5 minutes, tops.

Admittedly it doesn't solve your initial problem, but hey. I am inclined to think that sending to 'webmaster' is purely down to a script 'guessing' common e-mail addresses, as UH-Matt and Patch have already mentioned. Other random e-mail addresses will also come into your catch-all account too, regardless of whether they exist or not.

Spam is a problem that is only battled and never won: filter the buggers into your Trash and be done with it.

ps when you say 'one jerk in particular', how can you tell? Spammers almost always fake the from/reply-to header.

Edit: perhaps if you posted your Perl script some of the peeps on here could take a look and see if there's any way the e-mail in question could be outputted to an agent/browser? You could also try changing the address in there once more to a completely random e-mail with crazy characters to confirm if your suspicions are correct.
__________________
paul byrne - web monkey
paul.leafish.co.uk | www.leafish.co.uk

Last edited by leafish_paul : 27th November 2003 at 03:47 PM.
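
The random-address test suggested in the last post can be made systematic. This added example (not code from the thread) gives each place an address is used its own unguessable canary, then checks a spam To: line to see which one leaked. The secret, the placement names and example.com are assumptions, as is a catch-all mailbox to receive the canaries.

```python
import hashlib
import hmac
import re

SECRET = b"constructed-demo-secret"  # assumption: kept offline, never on the site
DOMAIN = "example.com"               # placeholder domain with a catch-all mailbox
PLACEMENTS = ["contact-form.pl", "contact.html", "whois-record"]  # hypothetical

def canary_address(placement, secret=SECRET, domain=DOMAIN):
    """Derive a unique address for one placement; it cannot be guessed
    from a dictionary of common names such as webmaster@ or sales@."""
    tag = hmac.new(secret, placement.encode(), hashlib.sha256).hexdigest()[:12]
    return f"wm-{tag}@{domain}"

def trace_leak(to_header, placements=PLACEMENTS):
    """Return the placements whose canary appears in a To: header.
    Accepts the semicolon-separated, angle-bracketed form quoted in the thread."""
    seen = {a.lower() for a in re.findall(r"[\w.+-]+@[\w.-]*\w", to_header)}
    return sorted(p for p in placements if canary_address(p) in seen)

def constructed_spam_to():
    """Constructed To: line containing the canary planted in the form script."""
    leaked = canary_address("contact-form.pl")
    return f"<francois@{DOMAIN}>; <jpoch@{DOMAIN}>; <{leaked}>;"

if __name__ == "__main__":
    for p in PLACEMENTS:
        print(f"{p:18} -> {canary_address(p)}")
    print("leaked from:", trace_leak(constructed_spam_to()))
    # A guessed address matches no canary, so guessing is told apart from harvesting.
    print("guess only :", trace_leak(f"<webmaster@{DOMAIN}>; <sales@{DOMAIN}>;"))
```

An empty result for mail addressed only to common names is consistent with dictionary guessing; a canary in the To: line identifies the exact placement that was read.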