[Mimedefang] OT: Email web form exploits

Jan Pieter Cornet johnpc at xs4all.nl
Fri Sep 9 16:24:03 EDT 2005

On Fri, Sep 09, 2005 at 01:58:56PM -0400, Chris Gauch wrote:
> > because chances are they'll contain probe addresses that might
> > be helpful for tracking down the spammers.
> Yes, we are certainly doing that.  We log the REFERER information including
> remote IP addresses to a database and check it every so often (we're only
> doing this on 1 or 2 forms that we developed in hopes of tracking down the
> offenders).  So far, most of the offending IPs point to Eastern Europe and
> Asia...

You could possibly check against DNS blacklists like xbl.spamhaus.org,
and list.dsbl.org. If a remote machine is on one of those lists, you may
want to give an error instead. I haven't tested this myself, but I heard
claims this might help.

With your current database of offenders, it should be easy enough to
see if there is enough of a match with those blacklists.

#!perl -wpl # mmfppfmpmmpp mmpffm <pmmppfmfpppppfmmmf at fpffmm4mmmpmfpmf.ppppmf>
$_[2]}->(map{/p|f/i+/f/i}split//,$&)+97):qw(m p f)[map{((ord$&)%32-1)/$_%3}(9,
3,1)]),5,1)='`'lt$&;$f.eig;                                # Jan-Pieter Cornet

More information about the MIMEDefang mailing list