Why would a spammer do this?

I am not asking for advice on blocking spam, I have a pretty good idea how to do that but it is generally not a problem for me luckily. I occasionally get the usual ones - I have won the lottery, disaster relief, they have intimate photos of me, click on this link - you know the stuff - no problem.

But I quite frequently get very similar spams via a contact form that I assume are from a bot. Simply a fake email address and a single or short comment of random words like ‘reasons’ or ‘ultimate view’ or ‘wood’ or ‘total container’.

My question is - What is the point? There is no link, obviously spam, I couldn’t reply if I wanted because it is a false email address. I just delete. But my curiosity is roused, is there an ulterior motive I am missing, is there some hidden threat.

As far as I can see - no problem - but - why do it?

1 Like

It could just be the kind of “failed Spam” we sometimes see here. We get posts which are clearly intended as Spam, but the poster has either forgotten to add the link, or malformed the link so it doesn’t work.

1 Like

Aaah OK, makes sense, it’s kind of the ultimate negative commendation really, bad enough to be a spammer - but a failed spammer - love to see that on their resume ! :smiley:

4 Likes

Perhaps the poster purchased thousands of links and any that bounced would be reported. These could be removed from the list.

1 Like

Good point!

Any email that you put submitted data into can contain HTML, CSS and JavaScript. If you didn’t apply htmlentities() to the values, that content will get executed if you are using a browser to read the email. At a minimum, this would give your IP address to someone (via request(s) to a 3rd-party server to fetch an image or similar), and if you happen to be reading the email on the same domain as your web site, cross-site scripting can read and send your web site’s cookie values too.

4 Likes
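Added example (not code from the thread or from the poster above): a PHP contact-form mailer that passes every submitted value through htmlspecialchars() before it is placed in an HTML-formatted notification, with a text/plain alternative that gives the mail client nothing to render at all. The field names, the sender mailbox on my-domain.com and the sample submission are constructed for the demonstration.

```php
<?php
// Added example, not code from the thread: neutralising HTML, CSS and
// JavaScript in contact-form values before they go into a notification email.
// Field names, the sender mailbox and the sample submission are constructed.

declare(strict_types=1);

/**
 * Escape one submitted value for inclusion in an HTML email body.
 * ENT_QUOTES escapes both quote styles; ENT_SUBSTITUTE replaces invalid
 * UTF-8 instead of returning '' (which would silently drop the value).
 */
function escapeForEmail(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Build the HTML notification. Every user-controlled value goes through
 * escapeForEmail(); only the fixed markup is emitted raw.
 */
function buildHtmlBody(array $fields): string
{
    $rows = '';
    foreach ($fields as $label => $value) {
        $rows .= '<tr><th align="left">' . escapeForEmail((string) $label) . '</th>'
               . '<td>' . nl2br(escapeForEmail((string) $value)) . '</td></tr>' . "\n";
    }
    return "<html><body><table>\n" . $rows . "</table></body></html>\n";
}

/**
 * Safer still: a text/plain body carries no active content, so the reader's
 * mail client renders nothing. No escaping is needed; the headers just have
 * to declare the type (see $headers below).
 */
function buildTextBody(array $fields): string
{
    $out = '';
    foreach ($fields as $label => $value) {
        $out .= $label . ' :- ' . (string) $value . "\n";
    }
    return $out;
}

// Constructed submission: the message carries an image tag pointing at a
// third-party host, the kind of content that would reveal the reader's IP
// address if the value were dropped into an HTML body unescaped.
$submission = [
    'Source'  => 'Main Site Contact Form',
    'Name'    => 'Example Sender',
    'Message' => 'initiatives <img src="http://tracker.example/pixel.gif">',
];

echo buildHtmlBody($submission);
// The tag comes out as &lt;img src=&quot;...&quot;&gt; and is displayed as text.

$headers = implode("\r\n", [
    'From: contact-form@my-domain.com',          // fixed mailbox on your own domain
    'MIME-Version: 1.0',
    'Content-Type: text/plain; charset=UTF-8',   // plain text: nothing to render
]);
// mail('my-email@my-domain.com', 'Contact form', buildTextBody($submission), $headers);
```

If the notification really needs HTML, keep the escaping on every value, including the field labels if they ever come from the request; otherwise the plain-text variant with an explicit Content-Type is the simpler and safer default.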

OK, getting more sinister… thanks for the info, didn’t know that!

Pretty much what happened here: https://news.softpedia.com/news/Webmail-Service-CEO-Hack-My-E-mail-Get-10-000-113478.shtml

:slight_smile:

1 Like

I once had a client who woke up one day with 39,000 viagra + soft porn spams added to their WordPress comments. Good question though. The spams were pretty incoherent, certainly worthless from a commercial point of view. My guess is that it was some high school ‘script kiddie’s’ bot project that has been floating around the net for years… part of a botnet maybe. Some people have way too much time on their hands. Some defenses include a ‘captcha’ validator on the form. Also, some throttling on the HTTP POSTs would help. No human can submit 39,000 form submissions in 10 seconds.

Well I guess I should just be thankful for the small amount I get. Just seems like such a sad pathetic waste of time

1 Like

Often these are encoded commands from a C&C server to a compromised machine within your network. I strongly suggest that you investigate the possibility of malware being present on one of the systems on your local network. It could be any host. There are variants of the malware available for Windows, OSX and Linux. It could even be present in an embedded device, such as an IoT device or router.

Here are a series of older, but enlightening, papers on one of the many groups that operate this way:
https://www.eset.com/afr/about/newsroom/press-releases-afr/research/dissection-of-sednit-espionage-group-1/

1 Like

Many thanks, I really have a network as such, just a hosted site with email. But I will investigate your suggestions, thank you.

In these cases, the bot’s intention is to check if there is a weakness in your “contact form”. It is not uncommon that these forms do not protect against header injection, so “spammers” use bots that just spider websites and automatically try the forms they locate.

When they locate one which they can exploit, they will use it to send out as many spam emails as they can until it is shut down.

If this happens, it usually means that the IP of the server and any domains attached to it will be blacklisted for sending spam, and it can be quite difficult to sort out afterward.

With this in mind, if you only get one of these from time to time, your form is most probably secure. But if they keep filling your inbox, I would strongly recommend reviewing the form code.

2 Likes
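Added example of the check the advice above calls for; this is not the thread’s code. It is a PHP handler for a form that feeds mail(): any value that will end up on a header line is refused if it contains CR, LF or NUL, the visitor’s address is validated with filter_var(), and that address is only ever used for Reply-To while From: stays a fixed mailbox on your own domain. The field names, the From mailbox, the recipient and the two sample submissions are assumptions constructed for the demonstration.

```php
<?php
// Added example, not the thread's code: rejecting header injection in a
// contact form that hands user input to PHP's mail(). Field names, the
// recipient, the fixed From mailbox and the sample submissions are assumed.

declare(strict_types=1);

final class HeaderInjection extends RuntimeException {}

/**
 * A value destined for a header line may not contain CR, LF or NUL; those
 * are the bytes that end the Subject/Reply-To line and let a second header
 * (or a whole second message) be appended.
 */
function assertSingleHeaderLine(string $name, string $value): string
{
    if (preg_match('/[\r\n\0]/', $value) === 1) {
        throw new HeaderInjection("CR/LF in header field '$name'");
    }
    return trim($value);
}

/**
 * Validate the submitted address strictly: filter_var() accepts exactly one
 * address, so lists and anything with embedded line breaks are refused.
 */
function validateEmail(string $value): string
{
    $value = assertSingleHeaderLine('email', $value);
    $clean = filter_var($value, FILTER_VALIDATE_EMAIL);
    if ($clean === false) {
        throw new HeaderInjection('malformed sender address');
    }
    return $clean;
}

/**
 * Build the mail() arguments from the POST array. From: is a fixed mailbox on
 * your own domain; the visitor's address goes into Reply-To only, so the
 * server never sends mail that claims to come from a third-party domain.
 */
function buildContactMail(array $post, string $recipient): array
{
    $replyTo = validateEmail((string) ($post['email'] ?? ''));
    $name    = assertSingleHeaderLine('name', (string) ($post['name'] ?? ''));
    $subject = assertSingleHeaderLine('subject', (string) ($post['subject'] ?? 'Contact form'));
    // Body lines may legitimately contain newlines; they never reach a header.
    $body    = 'Name :- ' . $name . "\n"
             . 'Sender :- ' . $replyTo . "\n"
             . 'Message :- ' . (string) ($post['message'] ?? '') . "\n";

    $headers = [
        'From: contact-form@my-domain.com',   // assumed fixed mailbox on your domain
        'Reply-To: ' . $replyTo,
        'MIME-Version: 1.0',
        'Content-Type: text/plain; charset=UTF-8',
    ];
    return [$recipient, $subject, $body, implode("\r\n", $headers)];
}

// Constructed submissions: one ordinary, one carrying a smuggled header line.
$benign  = ['name' => 'Nicola', 'email' => 'visitor@example.com',
            'subject' => 'Hello', 'message' => "initiatives\nsecond line"];
$hostile = ['name' => 'x', 'email' => "visitor@example.com\r\nBcc: someone@example.net",
            'subject' => 'Hello', 'message' => 'x'];

foreach ([$benign, $hostile] as $post) {
    try {
        [$to, $subject, $body, $headers] = buildContactMail($post, 'my-email@my-domain.com');
        echo "accepted: would call mail('$to', '$subject', ...)\n";
        // mail($to, $subject, $body, $headers);
    } catch (HeaderInjection $e) {
        // Log and drop. Do not echo the raw value back into an HTML page.
        echo 'rejected: ' . $e->getMessage() . "\n";
    }
}
```

The first submission is accepted, the second is rejected at the email field. The same single-line rule applies to anything else you might put in a header (a name used in a display address, a subject prefix); the body is the only place a newline is allowed.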

Many thanks, I will review the form code. Any ideas what weaknesses I should be looking for? It is basically an HTML form that uses POST to assign form variables to PHP variables, then uses PHP mail(). There are no SMTP details (server, user, pass etc.) in the PHP script.

I must admit I don’t get many, about 10 - 20 a day, but they all seem very similar. My form uses fields hidden with CSS, which traps most, but I have started receiving some that seem to detect and avoid the hidden fields. So I am worried.

I am posting in another comment on this thread the source of the latest spam email I received, in the hope someone can help me identify something that would let me flag it as spam. Maybe you could have a look - thanks for your help mate - there are some sad people out there!

Hi
I have managed to block most spam, but some are still getting through un-flagged. I am posting the email source here; perhaps someone can help me identify something that I can detect to flag as spam.

Two items in the code that I notice are:-

Line 9 - Received: from localhost (unknown [127.0.0.1])
and
several other lines that reference received from SMTP servers @ localhost - by localhost (smtp-out-sh2.livemail.co.uk [127.0.0.1]) (amavisd-new, port 10024)

but I don’t know if this is my hosted server being seen as localhost or someone’s ‘localhost’

any help would be appreciated

Please note I have changed all references to my email address and domain to my-email@my-domain.com

Return-Path: <csh1833093@smtp-out-hp3.livemail.co.uk>
Delivered-To: my-email@my-domain.com
Received: from dovecot-director-03.cmp.livemail.co.uk ([10.44.165.6])
	by dovecot-backend-03.cmp.livemail.co.uk with LMTP id gFCtNuJoal+ZKAAAjvpZ+w
	for <my-email@my-domain.com>; Tue, 22 Sep 2020 22:13:06 +0100
Received: from amavis-36.cmp.livemail.co.uk ([10.44.166.241])
	by dovecot-director-03.cmp.livemail.co.uk with LMTP id 0N6hNuJoal9ftAAAykd/fQ
	; Tue, 22 Sep 2020 22:13:06 +0100
Received: from localhost (unknown [127.0.0.1])
	by amavis-36.cmp.livemail.co.uk (Postfix) with ESMTP id DE0C2B07FA
	for <my-email@my-domain.com>; Tue, 22 Sep 2020 21:13:06 +0000 (UTC)
X-Virus-Scanned: amavisd-new at amavis-36.cmp.livemail.co.uk
X-Spam-Flag: NO
X-Spam-Score: 3.699
X-Spam-Level: ***
X-Spam-Status: No, score=3.699 tagged_above=-999 required=5
	tests=[DKIM_ADSP_CUSTOM_MED=0.001, FREEMAIL_FORGED_FROMDOMAIN=0.248,
	FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.249,
	NML_ADSP_CUSTOM_MED=1.2, RCVD_IN_MSPIKE_H3=0.001,
	RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPOOFED_FREEMAIL=1.997]
	autolearn=disabled
Received: from amavis-36.cmp.livemail.co.uk ([127.0.0.1])
	by localhost (amavis-36.cmp.livemail.co.uk [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP for <my-email@my-domain.com>;
	Tue, 22 Sep 2020 22:13:06 +0100 (BST)
Received: from mailserver.cmp.livemail.co.uk (smtpin-04.cmp.livemail.co.uk [10.44.166.67])
	by amavis-36.cmp.livemail.co.uk (Postfix) with ESMTP id 8090FB07EE
	for <my-email@my-domain.com>; Tue, 22 Sep 2020 22:13:06 +0100 (BST)
Received: from smtp-out-sh.livemail.co.uk (smtp-out-sh.livemail.co.uk [213.171.216.91])
	by mailserver.cmp.livemail.co.uk (Postfix) with ESMTPS id 6FB0B9E087
	for <my-email@my-domain.com>; Tue, 22 Sep 2020 22:13:06 +0100 (BST)
Received: from localhost (unknown [127.0.0.1])
	by smtp-out-sh.livemail.co.uk (Postfix) with ESMTP id 5C137200BA
	for <my-email@my-domain.com>; Tue, 22 Sep 2020 21:13:06 +0000 (UTC)
X-Virus-Scanned: amavisd-new at smtp-out-sh2.livemail.co.uk
Received: from smtp-out-sh.livemail.co.uk ([127.0.0.1])
	by localhost (smtp-out-sh2.livemail.co.uk [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id uBiSOoUPOS-B for <my-email@my-domain.com>;
	Tue, 22 Sep 2020 22:13:05 +0100 (BST)
Received: from smtp-out-hp3.livemail.co.uk (web-out28-hp3.livemail.co.uk [77.68.64.28])
	by smtp-out-sh.livemail.co.uk (Postfix) with ESMTP id 93209200AF
	for <my-email@my-domain.com>; Tue, 22 Sep 2020 22:13:05 +0100 (BST)
Received: by smtp-out-hp3.livemail.co.uk (Postfix, from userid 1645170)
	id 59F4144024F; Tue, 22 Sep 2020 22:13:05 +0100 (BST)
To: my-email@my-domain.com
Subject: Handmade Fresh Bike
From:keithsim704@gmail.com
Message-Id: <20200922211305.59F4144024F@smtp-out-hp3.livemail.co.uk>
Date: Tue, 22 Sep 2020 22:13:05 +0100 (BST)
X-Antivirus: AVG (VPS 200923-0, 09/23/2020), Inbound message
X-Antivirus-Status: Clean

Source :- Main Site Contact Form
Name :- Nicola Rutherford Jr.
Sender :- keithsim704@gmail.com
Message :- initiatives
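Added example, not part of the post above: a PHP routine that unfolds the Received: headers of a raw message, lists the hops in transmission order and classifies each hop’s source address. Run on a trimmed copy of the headers posted above it shows that the “localhost” hops are the amavisd-new content filter re-injecting the message into Postfix on the provider’s own machines (a 127.0.0.1 source address is the loopback interface and cannot be an outside host), and that the chain begins with a local submission on smtp-out-hp3.livemail.co.uk (Postfix, from userid 1645170), i.e. the message was generated on the hosting server, as a PHP mail() call would be. The From:keithsim704@gmail.com line with no space after the colon suggests the form script copies the visitor’s address straight into the From header; that mismatch between the gmail.com From and the livemail.co.uk Return-Path is what SPOOFED_FREEMAIL and HEADER_FROM_DIFFERENT_DOMAINS in the X-Spam-Status line are scoring, and sending From a mailbox on your own domain with the visitor’s address in Reply-To avoids it.

```php
<?php
// Added example, not code from the thread: unfold the Received: headers of a
// raw message and classify each hop's source address, so that loopback
// hand-offs made by a content filter (amavisd-new on 127.0.0.1) are not
// mistaken for an outside host called "localhost". The sample is a trimmed
// copy of the headers posted in the thread.

declare(strict_types=1);

/** Unfold RFC 5322 folded header lines (continuation lines begin with whitespace). */
function unfoldHeaders(string $raw): array
{
    $out = [];
    foreach (preg_split('/\r?\n/', rtrim($raw)) as $line) {
        if ($line !== '' && ($line[0] === ' ' || $line[0] === "\t") && $out !== []) {
            $out[count($out) - 1] .= ' ' . trim($line);
        } else {
            $out[] = $line;
        }
    }
    return $out;
}

/** Label an IPv4 address as loopback/reserved, private (RFC 1918) or public. */
function classifyIp(string $ip): string
{
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        return 'invalid';
    }
    // FILTER_FLAG_NO_RES_RANGE rejects 127.0.0.0/8 and other reserved blocks;
    // FILTER_FLAG_NO_PRIV_RANGE rejects 10/8, 172.16/12 and 192.168/16.
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_RES_RANGE) === false) {
        return 'loopback/reserved';
    }
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE) === false) {
        return 'private';
    }
    return 'public';
}

/**
 * Return the Received: hops oldest first (each MTA prepends its header, so
 * the last Received: in the message is the first hop). The first bracketed
 * address on the line is the connecting host; a hop with no address is a
 * local submission such as "by host (Postfix, from userid N)".
 */
function receivedChain(string $raw): array
{
    $hops = [];
    foreach (unfoldHeaders($raw) as $line) {
        if (stripos($line, 'Received:') !== 0) {
            continue;
        }
        $ip = preg_match('/\[(\d{1,3}(?:\.\d{1,3}){3})\]/', $line, $m) === 1 ? $m[1] : null;
        $hops[] = [
            'line'  => substr($line, 10, 60),
            'ip'    => $ip,
            'class' => $ip === null ? 'local submission (no source address)' : classifyIp($ip),
        ];
    }
    return array_reverse($hops);
}

// Trimmed copy of the posted headers, Received: lines in their original order.
$raw = <<<'HDR'
Received: from localhost (unknown [127.0.0.1])
	by amavis-36.cmp.livemail.co.uk (Postfix) with ESMTP id DE0C2B07FA
	for <my-email@my-domain.com>; Tue, 22 Sep 2020 21:13:06 +0000 (UTC)
Received: from amavis-36.cmp.livemail.co.uk ([127.0.0.1])
	by localhost (amavis-36.cmp.livemail.co.uk [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP for <my-email@my-domain.com>;
Received: from mailserver.cmp.livemail.co.uk (smtpin-04.cmp.livemail.co.uk [10.44.166.67])
	by amavis-36.cmp.livemail.co.uk (Postfix) with ESMTP id 8090FB07EE
Received: from smtp-out-sh.livemail.co.uk (smtp-out-sh.livemail.co.uk [213.171.216.91])
	by mailserver.cmp.livemail.co.uk (Postfix) with ESMTPS id 6FB0B9E087
Received: from smtp-out-hp3.livemail.co.uk (web-out28-hp3.livemail.co.uk [77.68.64.28])
	by smtp-out-sh.livemail.co.uk (Postfix) with ESMTP id 93209200AF
Received: by smtp-out-hp3.livemail.co.uk (Postfix, from userid 1645170)
	id 59F4144024F; Tue, 22 Sep 2020 22:13:05 +0100 (BST)
From:keithsim704@gmail.com
HDR;

foreach (receivedChain($raw) as $i => $hop) {
    printf("%d. %-40s %s\n", $i + 1, $hop['class'], $hop['line']);
}
```

The printed chain runs: local submission on smtp-out-hp3, two public hops between the provider’s outbound relays, one private hop into the inbound server, then two loopback hops through amavisd-new. Nothing in it points outside the hosting provider, so the loopback entries are not something to flag on; the useful signal for a filter is further up, in the From/Return-Path mismatch the spam tests already score.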

I use layers of captcha to stop bots getting through my forms, and it seems to work well.
The most common trigger that gets tripped is a timer that measures how long it takes to fill in the form, from loading the page, to form submission. If it’s too fast, it gets blocked.
There are other checks like this you can make, that find bots without inconveniencing users, and using a few can be quite robust, but I find the timer catches the most.

1 Like

If I am being spammed by a bot, what weaknesses could they exploit? I mean they can’t get my SMTP user/pass. Could they use SQL injection? I am not linking to a database, just a mail function.

@SamA74 I am guessing a timer could not really be implemented in PHP, so probably JavaScript. Do you have a sample script or link please?

It can, that’s what I use.

Anything client-side is too easy to hack, keep security server-side.

On loading the form, get the current timestamp and save to the session.
On form processing get the current timestamp, and the time from the session and calculate the difference.
Then compare the difference against your set minimum time.
If it’s less than the minimum time, throw it out.
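Added example (not SamA74’s code) implementing the four steps above in PHP with the session: the load time is recorded server-side when the form is rendered, consumed when the form is processed, and the difference is compared with a minimum. The 3-second minimum and the session key name are assumptions; the session is passed in as an array so the final part of the block runs offline with fixed clock values instead of $_SESSION.

```php
<?php
// Added example, not SamA74's code: the server-side form timer described in
// the thread, kept in the PHP session. The 3-second minimum and the session
// key are assumptions; tune the threshold to the size of your form.

declare(strict_types=1);

const FORM_MIN_SECONDS = 3.0;                  // assumed threshold
const FORM_LOADED_KEY  = 'contact_form_loaded_at';

/** Call while rendering the form: remember when this visitor received the page. */
function markFormLoaded(array &$session, ?float $now = null): void
{
    $session[FORM_LOADED_KEY] = $now ?? microtime(true);
}

/**
 * Call while processing the POST. Returns null when the timing is acceptable,
 * otherwise a short reason. The timestamp is consumed on use, so one page
 * load cannot be reused for a stream of submissions.
 */
function checkFormTiming(array &$session, ?float $now = null, float $min = FORM_MIN_SECONDS): ?string
{
    $now = $now ?? microtime(true);
    if (!isset($session[FORM_LOADED_KEY])) {
        return 'form submitted without loading the page first';
    }
    $elapsed = $now - (float) $session[FORM_LOADED_KEY];
    unset($session[FORM_LOADED_KEY]);
    if ($elapsed < $min) {
        return sprintf('form completed in %.2fs, below the %.1fs minimum', $elapsed, $min);
    }
    return null;
}

// --- Wiring in the real handler (session_start() must run before any output) ---
// session_start();
// if ($_SERVER['REQUEST_METHOD'] === 'GET')  { markFormLoaded($_SESSION); /* render form */ }
// if ($_SERVER['REQUEST_METHOD'] === 'POST') {
//     if (($why = checkFormTiming($_SESSION)) !== null) { error_log("dropped: $why"); exit; }
//     /* validate fields, then mail() */
// }

// --- Offline demonstration with a plain array and fixed clock values ---
$session = [];
markFormLoaded($session, 1000.0);
var_dump(checkFormTiming($session, 1000.4));   // string: 0.4s, rejected as too fast

markFormLoaded($session, 1000.0);
var_dump(checkFormTiming($session, 1012.0));   // NULL: 12s, accepted

var_dump(checkFormTiming($session, 1013.0));   // string: timestamp already consumed
```

Because the timestamp lives in the session and is never sent to the browser, a client cannot adjust it; a submitter that posts without first fetching the form has no session entry at all and is dropped by the first branch.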

They don’t know that.

How long do you set the time difference, squire?