Spent my evening looking into spam messages my wife's website is receiving via the contact form. The good thing is that there doesn't seem to be anything hazardous, just annoying random typing.

Currently I can't simply remove the form, as for the most part it is needed so that women can contact the midwife practice and request a call back.

So I've taken some steps ...
#Investigation #StopSpam #infosecNoob

I was pretty sure it was coming from the contact form, and to check this I started having the IP address of the request injected into the message.

Finally, after a month or so (thinking I was lucky and they had stopped), we received another message, and it had a plain IPv4 address. Using this information I looked up the address in the RIPE database and found a name and an email address associated with a range that includes this address.

#IFoundYourIPAndEmailAddress

Apparently there is a site that uses the entire 4th octet (0 - 255) of the address from which the request was made. I checked the site out and it looks to be some sort of "Privacy Focused Infrastructure Provider". So I'm pretty sure the abuse email address will do diddly squat if I send them a message telling them to stop. The good thing, it seems, is that the website is run by a German.

#InfoSecNoob #infosec

Even better, this is a lawful German, meaning he has posted a proper "Impressum" on his site, which gives me his name and address as well as his telephone number.

Funnily enough, he's only a few towns away. Now I need to think about what I or my wife's practice will do about this guy.

For now, I've blocked his entire IP range from sending messages to the contact form. It's not that he can't attempt to submit the form, but the submission will be ignored while giving him the same feedback as if it had been successful.

If it continues I might advise my wife to send him an email saying that his IP addresses are being used to abuse our site, or, if she wants, she's good friends with a couple of lawyers (including a prosecutor) and maybe that will get things fixed. We will see.

What else should I do with this guy?

@jrsofty Don’t ignore the abuse address from the RIPE registration. Often that address will actually go to an upstream provider rather than the active miscreant using the address space.

But beyond that there’s probably not much to be done.

@grumpybozo yeah, after further investigation of other offending IP addresses, it seems the person who is actually abusing the contact form is using Tor.

I attempted to use a Tor detection tool, but it requires an fsockopen call in PHP, which Hetzner currently blocks.
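As an added example (not the poster's code, nor the detection tool mentioned above), here is how the two things discussed in this thread can be done in a PHP form handler without opening any socket from the web process: the submitting IP is appended to the message, and submissions from a blocked CIDR range or a known Tor exit address are silently dropped while the sender receives exactly the same reply as a legitimate visitor. The blocked range, the exit-list snapshot and the sample form input are constructed; `203.0.113.0/24`, `192.0.2.10` and `198.51.100.x` are documentation addresses, not the provider from the thread. The exit-list handling assumes a cron job refreshes a local file from the Tor Project's bulk exit list, which is one way around a hosting restriction on `fsockopen`.

```php
<?php
declare(strict_types=1);

/*
 * Added example, not code from the original thread. A minimal contact-form
 * handler that (1) records the submitting IP with the message, (2) silently
 * discards submissions from a blocked CIDR range or a known Tor exit address,
 * and (3) returns the same response either way, so the sender cannot tell
 * that the message was dropped.
 *
 * The blocked range, the exit list and the form input are constructed sample
 * data using documentation address ranges (203.0.113.0/24, 198.51.100.0/24).
 */

/** Constructed sample: the abusing provider's range (hypothetical). */
const BLOCKED_CIDRS = ['203.0.113.0/24'];

/**
 * Constructed sample of a Tor exit list, one address per line. In production
 * this text would be refreshed on disk by a cron job (curl or wget are not
 * affected by a PHP socket restriction) from
 * https://check.torproject.org/torbulkexitlist, so the request handler itself
 * never opens a socket.
 */
const TOR_EXIT_LIST = "# constructed sample, not a real snapshot\n198.51.100.7\n198.51.100.8\n";

/** True if the IPv4 address $ip lies inside $cidr (e.g. "203.0.113.0/24"). Assumes 64-bit PHP. */
function ipInCidr(string $ip, string $cidr): bool
{
    [$subnet, $bits] = explode('/', $cidr, 2) + [1 => '32'];
    $ipLong = ip2long($ip);
    $subnetLong = ip2long($subnet);
    if ($ipLong === false || $subnetLong === false) {
        return false; // not IPv4 (or malformed): treat as no match rather than an error
    }
    $bits = max(0, min(32, (int) $bits));
    $mask = $bits === 0 ? 0 : (0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF;
    return ($ipLong & $mask) === ($subnetLong & $mask);
}

/** Parse an exit-list file body into a set keyed by address, ignoring comments and blanks. */
function parseExitList(string $body): array
{
    $exits = [];
    foreach (preg_split('/\R/', $body) as $line) {
        $line = trim($line);
        if ($line === '' || $line[0] === '#') {
            continue;
        }
        if (filter_var($line, FILTER_VALIDATE_IP) !== false) {
            $exits[$line] = true;
        }
    }
    return $exits;
}

/** Decide whether a submission from $ip should be dropped without telling the sender. */
function shouldSilentlyDrop(string $ip, array $cidrs, array $exits): bool
{
    if (isset($exits[$ip])) {
        return true;
    }
    foreach ($cidrs as $cidr) {
        if (ipInCidr($ip, $cidr)) {
            return true;
        }
    }
    return false;
}

/**
 * Handle one submission. $remoteIp should be $_SERVER['REMOTE_ADDR'], not a
 * client-supplied header such as X-Forwarded-For, which a spammer can forge
 * (only trust such a header when a reverse proxy you control sets it).
 * $deliver is called with the message text for accepted submissions only.
 */
function handleContactForm(array $form, string $remoteIp, callable $deliver): array
{
    $name  = trim((string) ($form['name'] ?? ''));
    $phone = trim((string) ($form['phone'] ?? ''));
    $text  = trim((string) ($form['message'] ?? ''));

    if ($name === '' || $phone === '') {
        return ['status' => 'error', 'message' => 'Name and phone number are required.'];
    }

    // One reply object for both accepted and dropped submissions: same wording, same status.
    $reply = ['status' => 'ok', 'message' => 'Thank you, we will call you back.'];

    if (shouldSilentlyDrop($remoteIp, BLOCKED_CIDRS, parseExitList(TOR_EXIT_LIST))) {
        error_log("contact form: dropped submission from $remoteIp"); // keep the evidence server-side
        return $reply;
    }

    // The IP is appended to the message body, as the poster did, so abuse can be traced later.
    $deliver("Call-back request\nName: $name\nPhone: $phone\nSubmitted from: $remoteIp\n\n$text");
    return $reply;
}

// Constructed sample run: one legitimate request, one from the blocked range, one via a Tor exit.
if (PHP_SAPI === 'cli') {
    $sent = [];
    $deliver = function (string $body) use (&$sent): void { $sent[] = $body; };
    $form = ['name' => 'Anna', 'phone' => '+49 30 123456', 'message' => 'Please call me back.'];
    foreach (['192.0.2.10', '203.0.113.45', '198.51.100.7'] as $ip) {
        $reply = handleContactForm($form, $ip, $deliver);
        echo "$ip -> {$reply['message']}\n"; // the reply text does not depend on whether the message was dropped
    }
    echo count($sent) . " message(s) actually delivered\n";
}
```

Two practical points: keep the HTTP status code, body and response time identical for dropped and accepted submissions, otherwise the drop is detectable from the outside; and log dropped submissions somewhere only the site owner can read, since those records are what would back up an abuse report to the upstream provider's RIPE abuse contact.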