weird spam from forms module

thomaswhiteeagl

Guest
I'm getting a weird spam in my forms module on a regular basis. Might be a bot or some sort of hack. It's the same on a couple of sites using the form. What I don't understand is that in both cases I am requiring an email address. The spam is completing all of the fields including the email address but not an actual email address, meaning no [email protected] but just some garbage letters. Yet if I try to duplicate the spam it won't let me send the form because I am obviously not inputting an @ sign in the email field.

How is this possible for this form to go through yet I cannot duplicate it???

Here is a copy of the form as received by me:

First name: fYRXMpMcXjfJGxFrDb
Last name: SqzzfFNIn
E-mail: pdSvhBAsthld
Account Login Name: HNMfOxRQAr
Web Address: QmbjcLxZAYAb
Comments: FXi2xz <a href="http://axolmijukncg.com/">axolmijukncg</a>, wndhzbtvqxqt, [link=http://iejxlzwxguek.com/]iejxlzwxguek[/link], http://uulbpsetclvp.com/


Would be nicer to have captcha in this module, hint.
 
Actually, as a spam protection in the feedback form module there is a half an hour delay built in between two form submissions from one IP address. Do you get a lot of spam messages or is this happening quite rarely?
 
spam

It happens frequently. And how do you explain them getting around the required email address? And why would they just spam the form with garbage characters? Sounds like some sort of probing or something.
 
weird spam in voting module

Could you please provide link to your website form? I will try to check it from my side.

yes here is the link I am getting it from:

http://www.website-made-simple.com/web-design-support.php

Notice I have now added an integer requirement to see if that makes any difference at all since it will require the user to enter a number in the field. Sort of a workaround captcha.

and now one of my clients has sent me the same message received in their form at:

http://www.ingersplace.com/contact-ingers-butikk.php

This leads me to believe that in consideration of that they are getting past having to input the required fields properly and also hitting other sites on the server that are using sitebuilder they are getting in at the server level somehow and they are targeting the module specifically.
 
It's obviously some sort of bot. And it is accessing the module directly from the server level somehow. How I can tell is I have placed real time tracking codes on the web pages and it is not hitting the web page directly so that I can detect it from there. For example I know when you accessed my site to send me the two test messages you made at 12:53am from Novosibirsk from IP 84.237.120.254. Actually still showing you on the site so you must have left it in your browser.
Also as per the message copied below from the site best-website-for-free.com/contact-us.php you can see the integer entered is neither a 0 nor a 1, which is the request. Most everyone will enter a 0 or 1. In fact, everyone will enter a 0 or 1 or assume the form won't validate because that is the instruction. The only reason it is different is this is obviously a bot that is simply reading the value of needing to enter an integer, because it did enter the integer, in this case 37. One could argue that it is reading the html code where it says:
field.appendValidator('isInt','Please provide a valid integer number.');
And thus knows to enter an integer but in such case it would register a hit on the web analytics program and I would capture the ip address. I suppose I will have to sift through the actual server logs to maybe uncover where it is coming from but even that might not be helpful.
What I don't understand is the purpose unless it is some sort of hack allowing it to use the module to send spam emails with some sort of cross scripting or something beyond my comprehension or perhaps even an attempt to hack into the server through the module. Nor do I understand how it is getting past the requirement of having to have the @ sign in the email field because I cannot duplicate this. Even if I enter all of the below information directly into the form as seen below the form will not validate because I have not entered the @ sign in the email field. This tells me there is some sort of flaw perhaps in the module at the server level where it is accessing the module?

First name: EkFDTaAUNMhJzKz
Last name: GaSLiXdpzghrwhe
E-mail: XqFTrqWmXKuvgrMFdkZ
Comments: CS1HPV <a href="http://qrxlbbombphw.com/">qrxlbbombphw</a>, musswhowrbhm, [link=http://pxkcyauzpjqk.com/]pxkcyauzpjqk[/link], http://esboixssbtso.com/
To help avoid spam please enter a 0 or 1:: 37
 
Thank you for providing detailed information. I have already passed this info to Sitebuilder developers. They will think about some workaround for current version. As for captcha, it should be added into next version. Anyway, as soon as I get any news I will post it here.
 
I appreciate you taking a look into it. Hopefully it will be figured out what is going on there because it is a little disconcerting to say the least.
 
another spam

Here's another one and it even circumvented the requirement of needing to enter an integer:

First name: lRYnHLQctrwuBvbRXH
Last name: iVKgqSQd
E-mail: XNHvjbcuBBbfePnG
Comments: UvFMwq <a href="http://nigjsaloqfzr.com/">nigjsaloqfzr</a>, lowgmdidlksx, [link=http://ubirhsagvpdv.com/]ubirhsagvpdv[/link], http://gtjcudglnqxl.com/
To help avoid spam please enter a 0 or 1:: pcXsIIcuFAHlRefAH
 
As far as I know, adding spam protection to the feedback form is planned for v.4.2.2, which should be released in the beginning of the summer. But I cannot say for sure right now, as there is no exact date yet.
 
spam protection

I don't see how spam protection is going to solve this since it seems the bot is not entering data at the webpage but somehow circumventing it and exploiting something at the module level on the server or there is some sort of hole in the code but it isn't obvious to me if that is the case.
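The submissions quoted in this thread are consistent with rules that run only in the browser (such as the `appendValidator` call quoted above), which a client posting straight to the form handler never executes. The following is an added example, not part of the thread or of Sitebuilder's code: a server-side re-check of the same fields in JavaScript (Node.js). The field names, the `MAX_LINKS` limit and the rules themselves are assumptions modelled on the form shown here.

```javascript
// Added example: server-side re-check of a feedback-form POST body.
// Field names, MAX_LINKS and the rules are assumptions modelled on this thread's form.
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/; // deliberately loose: something@host.tld
const URL_RE = /https?:\/\//gi;
const MAX_LINKS = 2;
const REQUIRED = ['firstName', 'lastName', 'email', 'comments', 'antiSpam'];

function validateSubmission(fields) {
  const errors = [];
  // Treat missing or non-string values as empty so a hand-built request cannot skip a field.
  const get = (name) => (typeof fields[name] === 'string' ? fields[name].trim() : '');

  for (const name of REQUIRED) {
    if (get(name) === '') errors.push(`${name}: required`);
  }
  if (get('email') !== '' && !EMAIL_RE.test(get('email'))) {
    errors.push('email: not an e-mail address');
  }
  // The form asks for "0 or 1"; an isInt-style check alone would let 37 through.
  if (get('antiSpam') !== '' && !/^[01]$/.test(get('antiSpam'))) {
    errors.push('antiSpam: must be 0 or 1');
  }
  const links = (get('comments').match(URL_RE) || []).length;
  if (links > MAX_LINKS) errors.push(`comments: ${links} links (max ${MAX_LINKS})`);

  return { accepted: errors.length === 0, errors };
}

// Two submissions as quoted in this thread, then one constructed legitimate message.
const SAMPLES = [
  { firstName: 'EkFDTaAUNMhJzKz', lastName: 'GaSLiXdpzghrwhe', email: 'XqFTrqWmXKuvgrMFdkZ',
    comments: 'CS1HPV <a href="http://qrxlbbombphw.com/">qrxlbbombphw</a>, musswhowrbhm, ' +
      '[link=http://pxkcyauzpjqk.com/]pxkcyauzpjqk[/link], http://esboixssbtso.com/',
    antiSpam: '37' },
  { firstName: 'lRYnHLQctrwuBvbRXH', lastName: 'iVKgqSQd', email: 'XNHvjbcuBBbfePnG',
    comments: 'UvFMwq <a href="http://nigjsaloqfzr.com/">nigjsaloqfzr</a>, lowgmdidlksx, ' +
      '[link=http://ubirhsagvpdv.com/]ubirhsagvpdv[/link], http://gtjcudglnqxl.com/',
    antiSpam: 'pcXsIIcuFAHlRefAH' },
  { firstName: 'Ada', lastName: 'Example', email: 'ada@example.com', // constructed
    comments: 'Please call me about hosting for http://example.com/', antiSpam: '1' },
];

for (const s of SAMPLES) {
  const r = validateSubmission(s);
  console.log(r.accepted ? 'ACCEPT' : 'REJECT', s.email, r.errors);
}
```

Because the check runs in the form handler, it applies whether or not the request ever loaded the page or its scripts.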
 