Bytes | Software Development & Data Engineering Community

Request.Form abuse

Hi,

Because all my public sites are hosted with a 3rd-party ISP and, therefore,
I don't have access to their server's EventLog etc, every error is emailed
to me.

Recently, I've been getting inundated with errors like the one below.
Obviously, spammers are trying to use a page on the site to send out Viagra
emails etc, but I was curious to know if anyone else is being hit like
this...

Mark

================================================

Error in: /web/default.aspx
Url: /web/default.aspx

Error Message: A potentially dangerous Request.Form value was detected from
the client (body="...ulsionism <a href="http://cial...").
Error Source: System.Web
Error Target Site: Void ValidateString(System.String, System.String, System.String)
Error Description: System.Web.HttpRequestValidationException:
A potentially dangerous Request.Form value was detected from the client
(body="...ulsionism <a href="http://cial...").
at System.Web.HttpRequest.ValidateString(String s, String valueName, String collectionName)
at System.Web.HttpRequest.ValidateNameValueCollection(NameValueCollection nvc, String collectionName)
at System.Web.HttpRequest.get_Form()
at System.Web.HttpRequest.get_HasForm()
at System.Web.UI.Page.GetCollectionBasedOnMethod(Boolean dontReturnNull)
at System.Web.UI.Page.DeterminePostBackMode()
at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
at System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
at System.Web.UI.Page.ProcessRequest()
at System.Web.UI.Page.ProcessRequestWithNoAssert(HttpContext context)
at System.Web.UI.Page.ProcessRequest(HttpContext context)
at ASP.web_default_aspx.ProcessRequest(HttpContext context)
at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

QueryString Data:
-----------------

Post Data:
----------
name: cialis
email: no****************@donotmail.com
linkurl: http://cialis-store.blogspot.com
subject: cialis unanswerableness impotence medicine buy cialis
url_title: cialis
body: saccharostarchy convulsionism <a href="http://cialis-store.blogspot.com">cialis</a>comminative antihuff usucapion cialis
[link=http://cialis-store.blogspot.com] cialis[/link]

text: saccharostarchy convulsionism <a href="http://cialis-store.blogspot.com">cialis</a>comminative antihuff usucapion cialis
[link=http://cialis-store.blogspot.com] cialis[/link]

comment: saccharostarchy convulsionism <a href="http://cialis-store.blogspot.com">cialis</a>comminative antihuff usucapion cialis
[link=http://cialis-store.blogspot.com] cialis[/link]
,saccharostarchy convulsionism <a href="http://cialis-store.blogspot.com">cialis</a>comminative antihuff usucapion cialis
[link=http://cialis-store.blogspot.com] cialis[/link]

Comments: saccharostarchy convulsionism <a href="http://cialis-store.blogspot.com">cialis</a>comminative antihuff usucapion cialis
[link=http://cialis-store.blogspot.com] cialis[/link]

message: saccharostarchy convulsionism <a href="http://cialis-store.blogspot.com">cialis</a>comminative antihuff usucapion cialis
[link=http://cialis-store.blogspot.com] cialis[/link]

msg: saccharostarchy convulsionism <a href="http://cialis-store.blogspot.com">cialis</a>comminative antihuff usucapion cialis
[link=http://cialis-store.blogspot.com] cialis[/link]

msgtext: saccharostarchy convulsionism <a href="http://cialis-store.blogspot.com">cialis</a>comminative antihuff usucapion cialis
[link=http://cialis-store.blogspot.com] cialis[/link]

txtbody: saccharostarchy convulsionism <a href="http://cialis-store.blogspot.com">cialis</a>comminative antihuff usucapion cialis
[link=http://cialis-store.blogspot.com] cialis[/link]

description: saccharostarchy convulsionism <a href="http://cialis-store.blogspot.com">cialis</a>comminative antihuff usucapion cialis
[link=http://cialis-store.blogspot.com] cialis[/link]

piv_comment: saccharostarchy convulsionism <a href="http://cialis-store.blogspot.com">cialis</a>comminative antihuff usucapion cialis
[link=http://cialis-store.blogspot.com] cialis[/link]

commentText: saccharostarchy convulsionism <a href="http://cialis-store.blogspot.com">cialis</a>comminative antihuff usucapion cialis
[link=http://cialis-store.blogspot.com] cialis[/link]

comment_text: saccharostarchy convulsionism <a href="http://cialis-store.blogspot.com">cialis</a>comminative antihuff usucapion cialis
[link=http://cialis-store.blogspot.com] cialis[/link]

repText: saccharostarchy convulsionism <a href="http://cialis-store.blogspot.com">cialis</a>comminative antihuff usucapion cialis
[link=http://cialis-store.blogspot.com] cialis[/link]

reply: saccharostarchy convulsionism <a href="http://cialis-store.blogspot.com">cialis</a>comminative antihuff usucapion cialis
[link=http://cialis-store.blogspot.com] cialis[/link]

content: saccharostarchy convulsionism <a href="http://cialis-store.blogspot.com">cialis</a>comminative antihuff usucapion cialis
[link=http://cialis-store.blogspot.com] cialis[/link]

shout: saccharostarchy convulsionism <a href="http://cialis-store.blogspot.com">cialis</a>comminative antihuff usucapion cialis
[link=http://cialis-store.blogspot.com] cialis[/link]

guest_message: saccharostarchy convulsionism <a href="http://cialis-store.blogspot.com">cialis</a>comminative antihuff usucapion cialis
[link=http://cialis-store.blogspot.com] cialis[/link]

form_body: saccharostarchy convulsionism <a href="http://cialis-store.blogspot.com">cialis</a>comminative antihuff usucapion cialis
[link=http://cialis-store.blogspot.com] cialis[/link]

com: saccharostarchy convulsionism <a href="http://cialis-store.blogspot.com">cialis</a>comminative antihuff usucapion cialis
[link=http://cialis-store.blogspot.com] cialis[/link]

comment[body]: saccharostarchy convulsionism <a href="http://cialis-store.blogspot.com">cialis</a>comminative antihuff usucapion cialis
[link=http://cialis-store.blogspot.com] cialis[/link]

PostComment.ascx:tbComment: saccharostarchy convulsionism <a href="http://cialis-store.blogspot.com">cialis</a>comminative antihuff usucapion cialis
[link=http://cialis-store.blogspot.com] cialis[/link]
Oct 21 '06 #1
Hi Mark,

Have you considered using Captcha?

http://en.wikipedia.org/wiki/Captcha
http://www.captcha.net/
http://www.w3.org/TR/turingtest/

--
HTH,

Kevin Spencer
Microsoft MVP
Short Order Coder
http://unclechutney.blogspot.com

What You Seek Is What You Get

Oct 21 '06 #2
"Kevin Spencer" <sp**@uce.gov> wrote in message
news:OM**************@TK2MSFTNGP04.phx.gbl...
> Have you considered using Captcha?

There is no actual form to fill in on the page in question - it's just being
hijacked...
Oct 21 '06 #3
Ah, so what you're saying is that a POST request is being sent with the
associated form fields in it, which don't correspond to any actual form
fields in the page. Interesting approach to SPAM. I guess the idea is that
some URL might have a form handler for the corresponding form fields, a sort
of "shotgun" approach of some sort. The only thing I can think of at this
point would be to either (1) configure the web server to not respond to
messages from the IP address of the client sending the requests, or (2)
build a mechanism into your app that ignores requests from a list of
configurable IP addresses which you can control. I mention that since you're
not hosting your own app here.

You could also email the provider of the IP address, if they have an abuse
email address.

Da**ed SPAMmers...

--
HTH,

Kevin Spencer
Microsoft MVP
Short Order Coder
http://unclechutney.blogspot.com

What You Seek Is What You Get

Oct 21 '06 #4
"Kevin Spencer" <sp**@uce.gov> wrote in message
news:eL**************@TK2MSFTNGP04.phx.gbl...
> Ah, so what you're saying is that a POST request is being sent with the
> associated form fields in it, which don't correspond to any actual form
> fields in the page.

Yes.

> Interesting approach to SPAM.

All too common, I'm sorry to say...

> I guess the idea is that some URL might have a form handler for the
> corresponding form fields, a sort of "shotgun" approach of some sort. The
> only thing I can think of at this point would be to either (1) configure
> the web server to not respond to messages from the IP address of the
> client sending the requests, or (2) build a mechanism into your app that
> ignores requests from a list of configurable IP addresses which you can
> control. I mention that since you're not hosting your own app here.

S'OK - I can easily prevent it from getting any further than my website - I
was just interested to know if anyone else was experiencing the same
thing...

> You could also email the provider of the IP address, if they have an abuse
> email address.

Tried that - no response so far...
Oct 21 '06 #5
Mark Rae wrote:
> Hi,
>
> Because all my public sites are hosted with a 3rd-party ISP and, therefore,
> I don't have access to their server's EventLog etc, every error is emailed
> to me.
>
> Recently, I've been getting inundated with errors like the one below.
> Obviously, spammers are trying to use a page on the site to send out Viagra
> emails etc, but I was curious to know if anyone else is being hit like
> this...

Yes, that is common. If you have a form on a public web site, it will
frequently be hit by script robots that try to send spam mails or add
spam into guestbooks and such.

There are some things that you can do to filter out this spam:

:: Give the fields non-descriptive names, like "e28736482634" instead of
"email". That makes it harder for the spam script to determine the use
of the fields, thus easier for you to filter out the attempts.

:: Spam messages often try to put links on your page, hoping that you
don't html-encode the data before displaying it, or that you have a
special tag for links. Look for "<a href=" or "[url=" in the messages.

:: Log what's happening so that you can examine what is sent to the
form. You should quite easily find other patterns that you can use to
filter out most spam.
Oct 22 '06 #6
"Göran Andersson" <gu***@guffa.com> wrote in message
news:OK**************@TK2MSFTNGP02.phx.gbl...
> Yes, that is common. If you have a form on a public web site, it will
> frequently be hit by script robots that try to send spam mails or add spam
> into guestbooks and such.

So it seems...

> :: Give the fields non-descriptive names, like "e28736482634" instead of
> "email". That makes it harder for the spam script to determine the use of
> the fields, thus easier for you to filter out the attempts.

There are no fields within the <form> tag of the page that's being hit -
only text and hyperlinks...

> :: Spam messages often try to put links on your page, hoping that you
> don't html-encode the data before displaying it, or that you have a
> special tag for links. Look for "<a href=" or "[url=" in the messages.

There are loads of those - see my OP.
Oct 22 '06 #7
re:
> There are no fields within the <form> tag of the page that's being hit - only text and
> hyperlinks...

They aren't hitting that form.

They're hitting your PostComment User Control : PostComment.ascx

Adding Captcha code to that control should get rid of that problem.


Juan T. Llibre, asp.net MVP
asp.net faq : http://asp.net.do/faq/
foros de asp.net, en español : http://asp.net.do/foros/
===================================
Oct 22 '06 #8
"Juan T. Llibre" <no***********@nowhere.com> wrote in message
news:Oy**************@TK2MSFTNGP04.phx.gbl...
>> There are no fields within the <form> tag of the page that's being hit -
>> only text and hyperlinks...
>
> They aren't hitting that form.
>
> They're hitting your PostComment User Control : PostComment.ascx
>
> Adding Captcha code to that control should get rid of that problem.

This doesn't happen often, but I haven't got a clue what you're talking
about here...

The page that's being hit (as evinced from the error messages and the web
logs) is:
http://www.markrae.com/web/default.aspx

There are no data-entry controls within the <form> tag - only text and
hyperlinks.

There are no User Controls anywhere in the entire site - I really can't
imagine where you have found PostComment.ascx...

How would adding Captcha code help? Where would I put it?
Oct 22 '06 #9
Hi Mark,

> S'OK - I can easily prevent it from getting any further than my website -
> I was just interested to know if anyone else was experiencing the same
> thing...

I'm sure many people are experiencing the same thing. I'm very sorry.

--

Kevin Spencer
Microsoft MVP
Short Order Coder
http://unclechutney.blogspot.com

What You Seek Is What You Get

Oct 22 '06 #10
"Kevin Spencer" <sp**@uce.gov> wrote in message
news:OL**************@TK2MSFTNGP04.phx.gbl...
> I'm sure many people are experiencing the same thing.

I'm very fortunate in that my ISP (www.hostinguk.net) is extremely
responsive to such matters. As all the "attacks" (can't think of a better
word) came from the same IP address (66.79.163.226), my ISP has immediately
blocked that IP address in IIS, and has lodged a complaint with the owner of
the IP address in question.
Oct 22 '06 #11
Mark Rae wrote:
> There are no fields within the <form> tag of the page that's being hit -
> only text and hyperlinks...

Why do you have a form on the page, then?
Oct 22 '06 #12
re:
> There are no User Controls anywhere in the entire site - I really can't imagine where you have
> found PostComment.ascx...

It's mentioned in your original post's error message.
It may be, though, just the system spitting back what they are POSTing to.

What's going on is that the attackers are POSTing to your "default.aspx" page.

I see you have a form named "aspnetForm" with ID "aspnetForm" in default.aspx :

<form name="aspnetForm" method="post" action="default.aspx" id="aspnetForm">

...but it doesn't have a runat="server" property,
which means that anybody can POST to it using HTML.

Maybe, if you don't need the capacity to POST to that page,
you could do without the <form name="aspnetForm"...> tag ?

Alternately, you could add the runat="server" property...and let the server manage the security.
The ASP.NET server should reject any POSTs to non-existent fields.

Try either, or both, and see if one of them stops the bleeding.


Juan T. Llibre, asp.net MVP
asp.net faq : http://asp.net.do/faq/
foros de asp.net, en español : http://asp.net.do/foros/
===================================
Oct 22 '06 #13
re:
> Why do you have a form on the page, then?

Exactly.

I'll welcome your comments on the two solutions I outlined in my previous post, Göran.

Juan T. Llibre, asp.net MVP
asp.net faq : http://asp.net.do/faq/
foros de asp.net, en español : http://asp.net.do/foros/
===================================
Oct 22 '06 #14
"Juan T. Llibre" <no***********@nowhere.com> wrote in message
news:el**************@TK2MSFTNGP05.phx.gbl...
>> There are no User Controls anywhere in the entire site - I really can't
>> imagine where you have found PostComment.ascx...
>
> It's mentioned in your original post's error message.
> It may be, though, just the system spitting back what they are POSTing to.

Ah - now I understand - yes, I'm sure you're right about that...

> What's going on is that the attackers are POSTing to your "default.aspx"
> page.

Yes.

> I see you have a form named "aspnetForm" with ID "aspnetForm" in
> default.aspx :
>
> <form name="aspnetForm" method="post" action="default.aspx"
> id="aspnetForm">
>
> ...but it doesn't have a runat="server" property,
> which means that anybody can POST to it using HTML.

If you're looking at the source HTML, you're never going to see the runat
tag in any attribute...

The page is a ContentPage - the MasterPage has the <form> tag as follows:

<form id="frmDefault" runat="server">
    <!-- header stuff - logo etc -->
    <asp:Menu ID="mnuMenu" runat="server" Orientation="Horizontal" >
        <%-- the menu items --%>
    </asp:Menu>
    <br />
    <asp:ContentPlaceHolder ID="cphContent" runat="server" />
</form>

As you know, "aspnetForm" is the name MasterPages give the default form when
the HTML is rendered...

> Maybe, if you don't need the capacity to POST to that page,
> you could do without the <form name="aspnetForm"...> tag ?

If I do that, the whole site will stop working e.g. the <asp:Menu> etc...
"Control 'mpDefault_mnuMenu' of type 'Menu' must be placed inside a form tag
with runat=server."

> Alternately, you could add the runat="server" property...

See above...
Oct 22 '06 #15
"Göran Andersson" <gu***@guffa.com> wrote in message
news:OP**************@TK2MSFTNGP03.phx.gbl...
> Why do you have a form on the page, then?

???

Because none of the web controls would work if I didn't... e.g. <asp:Menu>
etc

"Control 'mpDefault_mnuMenu' of type 'Menu' must be placed inside a form tag
with runat=server."
Oct 22 '06 #16
re:
> "aspnetForm" is the name MasterPages give the default form when the HTML is rendered...

I totally bypassed that. I should have remembered.

Aargh!

You're up a creek and I'm fresh out of suggestions.

Sorry.


Juan T. Llibre, asp.net MVP
asp.net faq : http://asp.net.do/faq/
foros de asp.net, en español : http://asp.net.do/foros/
===================================
Oct 22 '06 #17
"Juan T. Llibre" <no***********@nowhere.com> wrote in message
news:eR**************@TK2MSFTNGP03.phx.gbl...
> You're up a creek and I'm fresh out of suggestions.

I'm really not up a creek at all - as I mentioned in a previous reply, my
ISP has blocked the offending IP address, and filed an abuse report etc. As
far as I'm concerned, the attacks have stopped - they may, of course, be
continuing - but I'll never know about it...

My initial post was just an attempt to see how commonplace this sort of
"attack" was amongst the newsgroup, and it seems to have turned into a bit
of a critique of form design - not that that's necessarily a bad thing, of
course... :-) All discussion is good.
Oct 22 '06 #18
re:
> I'm really not up a creek at all

Actually, we all are up a creek.

You may have a sympathetic ISP. Not everybody does.
The rest of us would have to deal with this in code or in IIS security.

*That* is the "creek" I alluded to.

Blocking an IP is an ineffective solution.
The perpetrators could change their IP very easily, or spoof it.

Then you'd have to get your ISP to block their new IP, ad infinitum.

What we need is a way to prevent unwanted POSTs from occurring.

re:
> "it seems to have turned into a bit of a critique of form design"

Indeed. Maybe it would be worthwhile for you to file a bug at :

http://connect.microsoft.com/feedbac...spx?SiteID=210

Juan T. Llibre, asp.net MVP
asp.net faq : http://asp.net.do/faq/
foros de asp.net, en español : http://asp.net.do/foros/
===================================
Oct 22 '06 #19
"Juan T. Llibre" <no***********@nowhere.com> wrote in message
news:%2********************@TK2MSFTNGP04.phx.gbl...
> Actually, we all are up a creek.
>
> You may have a sympathetic ISP. Not everybody does.

That's true enough...

> The rest of us would have to deal with this in code or in IIS security.
>
> *That* is the "creek" I alluded to.

OK.

> Blocking an IP is an ineffective solution.
> The perpetrators could change their IP very easily, or spoof it.
>
> Then you'd have to get your ISP to block their new IP, ad infinitum.

Yes, that's also true...

> What we need is a way to prevent unwanted POSTs from occurring.

Yes, that would indeed be a good security feature...

> re:
> "it seems to have turned into a bit of a critique of form design"
>
> Indeed. Maybe it would be worthwhile for you to file a bug at :
>
> http://connect.microsoft.com/feedbac...spx?SiteID=210

I'll do that.
Oct 22 '06 #20
One solution to the "unwanted POSTs" would be to have a property on a
WebForm that indicates whether it is *only* for PostBack (true by default,
but configurable), which would cause any client POST request that is not
from the URL of the page itself to be ignored.

--
HTH,

Kevin Spencer
Microsoft MVP
Short Order Coder
http://unclechutney.blogspot.com

What You Seek Is What You Get

Oct 23 '06 #21
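Kevin's "PostBack only" property does not exist in ASP.NET, but the check he describes can be approximated today. The module below is an added example written for this thread, not code from any poster or from Microsoft; the namespace, the module name and the Referer-based rule are assumptions. It runs in BeginRequest, so it decides before the page reads Request.Form, which is the call that throws the HttpRequestValidationException seen at the top of the thread.

```csharp
// Added example (not from the thread): an ASP.NET 2.0-style IHttpModule that
// rejects form POSTs whose Referer does not name the page being posted to.
// Namespace, class name and the rule itself are assumptions for illustration.
using System;
using System.Web;

namespace PostBackOnlyExample
{
    public class PostBackOnlyModule : IHttpModule
    {
        public void Init(HttpApplication app)
        {
            app.BeginRequest += new EventHandler(OnBeginRequest);
        }

        public void Dispose() { }

        private void OnBeginRequest(object sender, EventArgs e)
        {
            HttpApplication app = (HttpApplication)sender;
            HttpRequest request = app.Context.Request;

            // Only POSTs matter; a GET never reaches Request.Form validation.
            if (!string.Equals(request.HttpMethod, "POST", StringComparison.OrdinalIgnoreCase))
                return;

            // Deliberately do not touch request.Form here: reading it is what
            // triggers HttpRequestValidationException. Headers are safe to inspect.
            if (!IsSelfPost(request.Url, request.UrlReferrer))
            {
                app.Context.Response.StatusCode = 403;
                app.Context.Response.StatusDescription = "POST did not originate from this page";
                // Skip the page handler entirely: no exception, no error e-mail.
                app.CompleteRequest();
            }
        }

        // A POST counts as a genuine postback only when the Referer carries the
        // same host and the same path as the page being posted to.
        public static bool IsSelfPost(Uri target, Uri referrer)
        {
            if (referrer == null)
                return false;
            return string.Equals(referrer.Host, target.Host, StringComparison.OrdinalIgnoreCase)
                && string.Equals(referrer.AbsolutePath, target.AbsolutePath, StringComparison.OrdinalIgnoreCase);
        }
    }
}
```

Register it in web.config under system.web/httpModules with an `<add name="PostBackOnly" type="PostBackOnlyExample.PostBackOnlyModule"/>` entry (the name is an assumption). Two caveats a practitioner should weigh: the Referer header is supplied by the client, so a sender that bothers to set it gets through, and some browsers and privacy proxies omit it, so legitimate users could be refused. That is why Kevin's "configurable" flag matters; a sensible first deployment logs the decision per page rather than blocking, then turns rejection on once the log shows only unsolicited traffic being caught.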
"Kevin Spencer" <sp**@uce.gov> wrote in message
news:%2****************@TK2MSFTNGP02.phx.gbl...
> One solution to the "unwanted POSTs" would be to have a property on a
> WebForm that indicates whether it is *only* for PostBack (true by default,
> but configurable), so that any client POST request which is not
> from the URL of the page itself would be ignored.

That's certainly worth investigating...
Oct 23 '06 #22
"Mark Rae" <ma**@markNOSPAMrae.com> wrote in message
news:uh**************@TK2MSFTNGP05.phx.gbl...
> That's certainly worth investigating...

Especially since the bastard spammers have just changed / spoofed the IP
address that they were using, as Juan predicted they would...!

I hesitate to call them a bunch of f***ing c**ts because f***ing c**ts is
something that I enjoy very much, but they are total scum who will be first
against the wall when the revolution comes...
Oct 23 '06 #23
I'll volunteer for that firing squad!

--
;-),

Kevin Spencer
Microsoft MVP
Short Order Coder
http://unclechutney.blogspot.com

What You Seek Is What You Get

Oct 24 '06 #24
