[Mimedefang] OT: Email web form exploits

Jan Pieter Cornet johnpc at xs4all.nl
Fri Sep 9 16:24:03 EDT 2005


On Fri, Sep 09, 2005 at 01:58:56PM -0400, Chris Gauch wrote:
> > because chances are they'll contain probe addresses that might
> > be helpful for tracking down the spammers.
> 
> Yes, we are certainly doing that.  We log the REFERER information including
> remote IP addresses to a database and check it every so often (we're only
> doing this on 1 or 2 forms that we developed in hopes of tracking down the
> offenders).  So far, most of the offending IPs point to Eastern Europe and
> Asia...

You could possibly check against DNS blacklists like xbl.spamhaus.org,
and list.dsbl.org. If a remote machine is on one of those lists, you may
want to give an error instead. I haven't tested this myself, but I heard
claims this might help.

With your current database of offenders, it should be easy enough to
see if there is enough of a match with those blacklists.

-- 
#!perl -wpl # mmfppfmpmmpp mmpffm <pmmppfmfpppppfmmmf at fpffmm4mmmpmfpmf.ppppmf>
$p=3-2*/[^\W\dmpf_]/i;s.[a-z]{$p}.vec($f=join('',$p-1?chr(sub{$_[0]*9+$_[1]*3+
$_[2]}->(map{/p|f/i+/f/i}split//,$&)+97):qw(m p f)[map{((ord$&)%32-1)/$_%3}(9,
3,1)]),5,1)='`'lt$&;$f.eig;                                # Jan-Pieter Cornet
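
Added example, not part of the original post: one way to measure how much of an existing offender log a DNS blacklist would have caught, using the xbl.spamhaus.org zone named above. It assumes IPv4 addresses only; the sample IPs and the stub resolver answers are constructed so the block runs offline, and the function names are illustrative.

```python
import ipaddress
import socket

ZONE = "xbl.spamhaus.org"  # zone named in the post


def dnsbl_name(ip, zone=ZONE):
    """Build the DNSBL query name: IPv4 octets reversed, then the zone."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on anything else
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def system_resolver(name):
    """Return the A record for name, or None on NXDOMAIN / lookup failure."""
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None


def is_listed(ip, zone=ZONE, resolve=system_resolver):
    """True if the zone answers with a 127.0.0.0/8 listing code."""
    answer = resolve(dnsbl_name(ip, zone))
    if answer is None:
        return False  # no A record: not listed
    code = ipaddress.IPv4Address(answer)
    # Spamhaus answers 127.255.255.x for query errors (e.g. a blocked
    # resolver), not listings, so those must not count as a hit.
    if code in ipaddress.ip_network("127.255.255.0/24"):
        return False
    return code in ipaddress.ip_network("127.0.0.0/8")


def match_rate(ips, zone=ZONE, resolve=system_resolver):
    """Return (fraction of distinct logged IPs listed, list of listed IPs)."""
    unique = sorted(set(ips))
    hits = [ip for ip in unique if is_listed(ip, zone, resolve)]
    return (len(hits) / len(unique) if unique else 0.0), hits


# Constructed sample data (documentation address ranges), not real offenders.
SAMPLE_LOG = ["192.0.2.10", "198.51.100.7", "203.0.113.99", "192.0.2.10"]
FAKE_ANSWERS = {  # constructed stub resolver answers
    "10.2.0.192.xbl.spamhaus.org": "127.0.0.4",
    "7.100.51.198.xbl.spamhaus.org": "127.255.255.254",
}

if __name__ == "__main__":
    rate, hits = match_rate(SAMPLE_LOG, resolve=FAKE_ANSWERS.get)
    print(f"{rate:.0%} of logged IPs listed: {hits}")
```

Against a real log, drop the `resolve=` argument so lookups go through the system resolver, and run the match-rate check before deciding whether the form should return an error for listed addresses.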


