ASP code to block IP address was working but now it's not
Last week a spammer found a form on my website that he used to send spam. I got thousands of bounces and a few angry letters, so I found his IP address and put this at the top of the asp page that creates the email:
<%
dim sIP
sIP = Request.ServerVariables("REMOTE_ADDR")
' substring test: true if the blocked fragment appears anywhere in the client address
if Instr(sIP, "xxx.xxx.xxx") > 0 then
Response.End
end if
%>
This worked until last night. I checked the server logs thinking he changed IP addresses but it's the same address. How is he getting around this? More importantly, how can I stop him? I think it's a spambot but I don't want to put in a captcha (I hate those things!).
zycon5000
09-10-2010, 04:23 PM
Change to (note the addition of a 1 at the beginning of the function):
If InStr(1, sIP, "xxx.xxx.xxx") > 0 Then
Or if you are looking for the first three octets:
If Left(sIP, 11) = "xxx.xxx.xxx" Then
For the last three octets, just change LEFT to RIGHT, i.e.:
If Right(sIP, 11) = "xxx.xxx.xxx" Then
Also, this code would have to be on every page, not just the home page, as he could easily go directly to a page other than the home. If you have admin access to your web server, you can also set up the firewall or IIS filter to block that IP or range.
I don't have access to the server, but I can add or modify code on any of the webpages. I don't think I need to do this across the site because I can tell by the server logs which form he is using, and it is the only form on the site that is capable of being abused this way (I'm working on a more secure form but this one's tricky so it will take some time).
I will try your code, but I'm curious what the difference is, and why my code seems to stop me when I put in my IP address, and seemed to stop the spammer temporarily (he must have found a workaround?).
Thanks for your help!
NexusSoft
09-10-2010, 05:13 PM
ASP? Isn't that obsolete now? For good reason it should be. Step up to ASP.net.
Trying to block by IP address via that method is about as useless as... well, you pick a cliché. It is very easy for anyone to use a proxy and consequently appear to your script to be coming from a plethora of IP addresses.
texxs
09-10-2010, 05:20 PM
If you can run PHP on windows, you can stop him instantly with my spam form:
stop form spam (http://texxsmith.net/q)
Or you could rework your form handling code so that it will only send e-mails if the request comes from a web page on your server's IP address, or at least do a URL check ...
If you don't, someone else may just find you.
Perhaps it's time to move away from windows? LAMP servers are the standard.
LAMP = (Linux Apache MySQL PHP). MS servers really aren't good for public web sites; they're mostly just for intranets. Security always has been an issue, same with reliability, cost, performance, Windows Update, etc. etc.
His workaround was probably just to use a free proxy from somewhere.
NexusSoft
09-10-2010, 05:28 PM
In addition to using REMOTE_HOST, and parsing the posted form contents for SPAM strings, you could create a db table of blocked IPs, by populating with known proxy addresses.
Here is a solution in VB.NET, maybe you can apply this to your ASP code.
Imports System.Data
Imports System.Data.SqlClient
Imports System.Configuration

' Runs before the page renders. Assumes a BlockedIPs table whose IP_From/IP_To
' columns hold addresses already converted to numbers, and a Reportblock() helper defined elsewhere.
Protected Sub Page_Load(ByVal sender As Object, ByVal e As EventArgs) Handles Me.Load
Dim conn As SqlConnection
Dim comm As SqlCommand
Dim connectionString As String = ConfigurationManager.ConnectionStrings("XXXConnectionString").ConnectionString
conn = New SqlConnection(connectionString)
comm = New SqlCommand("SELECT Country AS Hit FROM BlockedIPs WHERE (IP_From <= @IPNumber) AND (IP_To >= @IPNumber)", conn)
'convert the user's dotted-quad IP to a number: a.b.c.d -> a*256^3 + b*256^2 + c*256 + d
Dim arrDec() As String
Dim i As Integer
Dim intResult As Long = 0
arrDec = Request.ServerVariables("REMOTE_ADDR").Split("."c)
For i = arrDec.Length - 1 To 0 Step -1
intResult = intResult + ((CLng(arrDec(i)) Mod 256) * CLng(Math.Pow(256, 3 - i)))
Next
'assign to the parameter; BigInt because a converted IPv4 address can exceed the Int32 range
comm.Parameters.Add("@IPNumber", SqlDbType.BigInt)
comm.Parameters("@IPNumber").Value = intResult
'open and test.
Dim blocked As Boolean = False
conn.Open()
Dim reader As SqlDataReader = comm.ExecuteReader()
While reader.Read()
If reader.Item("Hit") Is DBNull.Value Then
'do nothing
Else
blocked = True
End If
End While
'release the connection before redirecting: Response.Redirect ends the request and would skip these lines
reader.Close()
conn.Close()
If blocked Then
'report the blocked IP address in a table
Reportblock()
'Redirect to the phoney error page
Response.Redirect("http://xxx.com/SystemErrors/Error504.htm?aspxerrorpath=/Index.aspx")
End If
End Sub
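The three matching strategies the thread has touched on so far, written up as an added example that is not code from any poster: the original Instr() substring test, the exact-prefix test zycon5000 describes with Left(), and the numeric range table in the VB.NET post above. Python is used only so the differences can be run and compared stand-alone; the logic maps line for line onto the ASP and VB.NET checks. All addresses and range labels are constructed sample values (documentation ranges, not real proxies).

```python
# Added example, not from the thread: the IP-matching strategies discussed
# above, written so the differences can be run and compared.
import ipaddress
from typing import Optional, Tuple


def ip_to_int(ip: str) -> int:
    """Dotted-quad IPv4 -> 32-bit integer, the same mapping the VB.NET post
    builds with its For loop, but rejecting malformed input (wrong number of
    fields, non-numeric text, an octet above 255) instead of wrapping it."""
    parts = ip.strip().split(".")
    if len(parts) != 4:
        raise ValueError(f"not a dotted quad: {ip!r}")
    value = 0
    for part in parts:
        octet = int(part)  # raises ValueError for non-numeric text
        if not 0 <= octet <= 255:
            raise ValueError(f"octet out of range in {ip!r}")
        value = (value << 8) | octet
    return value


def is_valid_ipv4(ip: str) -> bool:
    try:
        ip_to_int(ip)
        return True
    except ValueError:
        return False


def substring_match(client_ip: str, fragment: str) -> bool:
    """The original Instr(sIP, "xxx.xxx.xxx") > 0 test: true whenever the
    fragment occurs anywhere in the address, so "10.1.1" also hits 210.1.1.5."""
    return fragment in client_ip


def network_match(client_ip: str, cidr: str) -> bool:
    """Exact prefix test (what Left(sIP, n) = "..." is reaching for), done with
    a CIDR block so the boundary is explicit."""
    return ipaddress.ip_address(client_ip) in ipaddress.ip_network(cidr, strict=False)


def range_lookup(client_ip: str, ranges) -> Optional[str]:
    """Numeric range table, mirroring
    SELECT ... WHERE IP_From <= @IPNumber AND IP_To >= @IPNumber.
    ranges is an iterable of (low, high, label); returns the first label hit."""
    n = ip_to_int(client_ip)
    for low, high, label in ranges:
        if ip_to_int(low) <= n <= ip_to_int(high):
            return label
    return None


# Constructed block table using documentation ranges (not real proxies).
BLOCKED_RANGES = [
    ("203.0.113.0", "203.0.113.255", "sample-proxy-range"),
    ("198.51.100.64", "198.51.100.127", "sample-spam-source"),
]


def should_block(client_ip: str, ranges=BLOCKED_RANGES) -> Tuple[bool, str]:
    """Handler-side decision. Values that are not dotted-quad IPv4 (an IPv6
    client, or a garbled REMOTE_ADDR) are reported rather than sent to the
    table, which only holds IPv4 numbers."""
    if not is_valid_ipv4(client_ip):
        return False, "not a dotted-quad IPv4 address"
    label = range_lookup(client_ip, ranges)
    if label:
        return True, label
    return False, "allowed"


if __name__ == "__main__":
    for ip in ("203.0.113.9", "198.51.100.70", "198.51.100.200", "32.454.42.12"):
        print(ip, should_block(ip))
```

The substring form is the one to retire: a fragment like "10.1.1" matches 210.1.1.5 and 10.1.10.5 as well as the intended block, so a range or CIDR test is the safer way to express "the first three octets". Whichever form is used, it only ever matches the address the request arrived from, which is the proxy's address once the sender is going through one.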
texxs
09-10-2010, 05:29 PM
Also, this code would have to be on every page, not just the home page, as he could easily go directly to a page other than the home. If you have admin access to your web server, you can also set up the firewall or IIS filter to block that IP or range. (I'm sure Dude's code is fine, it's the strategy I'm going to speak on. . .)
But this will do nothing to stop him or anyone else, as he can just use a free proxy or heck a paid proxy, they're cheap.
In my stop spam form I use a variable on the form page called "$token" and check for it on the form handler page to see if the user even visited the form. If they didn't (as your spammer probably didn't), I send them to a page with a polite custom message instead of sending their message. This allows for tracking of the number of attempts and the IP address of where they came from in case someone wants to sue.
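One way to implement the token check described above, as an added example rather than the poster's own form code: the form page issues a token that the handler can verify without storing anything server-side (an HMAC over a form id, a timestamp and a random nonce), and the handler refuses to send mail when the token is missing, altered, issued for a different form or older than the allowed window. SECRET, the form id "contact" and TOKEN_TTL are placeholders chosen for the example; in classic ASP the same effect can be had by storing a random value in Session when the form is served and comparing it on submit.

```python
# Added example, not from the thread or from the poster's form: a form token
# that shows the submitter loaded the form page before posting.
import base64
import hashlib
import hmac
import os
import time
from typing import Optional, Tuple

SECRET = b"placeholder-secret-change-me"  # placeholder: a long random value kept server-side
TOKEN_TTL = 3600  # seconds a token stays valid after the form page is served


def issue_token(form_id: str, now: Optional[int] = None) -> str:
    """Form page side: embed the result in a hidden <input name="token">."""
    now = int(time.time()) if now is None else now
    nonce = base64.urlsafe_b64encode(os.urandom(12)).decode()
    body = f"{form_id}|{now}|{nonce}"
    mac = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{mac}"


def verify_token(token: str, form_id: str, now: Optional[int] = None) -> bool:
    """Handler side: true only for an untampered token for this form that
    was issued within the last TOKEN_TTL seconds."""
    now = int(time.time()) if now is None else now
    parts = token.split("|") if isinstance(token, str) else []
    if len(parts) != 4:
        return False
    fid, ts, nonce, mac = parts
    expected = hmac.new(SECRET, f"{fid}|{ts}|{nonce}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):  # constant-time comparison
        return False
    if fid != form_id or not ts.isdigit():
        return False
    return 0 <= now - int(ts) <= TOKEN_TTL


def handle_submission(form: dict, form_id: str, now: Optional[int] = None) -> Tuple[str, str]:
    """Returns ("send", message) or ("reject", reason). A rejected post is
    the point at which to log the attempt and REMOTE_ADDR, as the post suggests."""
    if not verify_token(form.get("token", ""), form_id, now):
        return "reject", "missing or invalid form token"
    message = form.get("message", "").strip()
    if not message:
        return "reject", "empty message"
    return "send", message


if __name__ == "__main__":
    token = issue_token("contact")
    print(handle_submission({"token": token, "message": "hello"}, "contact"))
    print(handle_submission({"message": "direct post, no token"}, "contact"))
```

This stops the case the thread is about, a script posting straight to the handler without ever loading the form. A bot that fetches the form page first does receive a valid token, so a single-use token (record each nonce when it is consumed) and a per-address rate limit on rejections are the usual next steps before reaching for a CAPTCHA.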
zycon5000
09-10-2010, 05:37 PM
Right. I just noticed a potential typo and told the OP about a fix. Of course, if the code worked originally and was never changed and the spammer is still getting through, then, as you've said, he's masquerading his IP through a proxy. I know the OP doesn't want to use a CAPTCHA, but it may help him in this case. You can use a CAPTCHA in ASP and don't need to go to .NET if he doesn't need to or want to at this time.
So are you guys saying that a proxy server would fool my asp script even though it didn't fool the server? I thought using the proxy server would mask the ip address to the server as well.
texxs
09-11-2010, 12:46 AM
Yes, absolutely.
Sadly it's the nature of the internet these days, you simply must verify that it's a real human in some way before you process form input. ESPECIALLY on a MS server.
Did you know that microsoft even uses linux servers? 1 (http://ubuntu.igameilive.com/2009/03/microsoft-uses-linuxwhat.html), 2 (http://www.crn.com/news/applications-os/18839747/microsoft-uses-linux-to-publish-its-own-web-site.htm;jsessionid=NPW-w5o6rswiCgJNa1z0iA**.ecappj02), 3 (http://www.honeytechblog.com/breaking-news-microsoft-uses-linux-os/), etc. etc. Facebook is written in PHP etc. etc..
And yes, I'll stop with the "you should get off a MS server unless you want more problems" comments as of now.
mamola500
09-13-2010, 08:57 AM
Perhaps it's time to move away from windows? LAMP servers are the standard.
LAMP = (Linux Apache MySQL PHP). MS servers really aren't good for public web sites; they're mostly just for intranets. Security always has been an issue, same with reliability, cost, performance, Windows Update, etc. etc.
One of the worst posts I've ever read on webproworld.
I use either LAMP or Windows dependent on the requirements. Advice to the initial poster would be not to try to stop individual IP addresses, but make the form more secure; there must be a million tutorials out there.
zycon5000
09-13-2010, 09:16 AM
One of the worst posts I've ever read on webproworld.
I use either LAMP or Windows dependent on the requirements. Advice to the initial poster would be not to try to stop individual IP addresses, but make the form more secure; there must be a million tutorials out there.
Couldn't agree more. As for the statement about MSSQL only being robust enough for Intranets, that couldn't be more false. Like mamola says, it all depends on the individual's or company's requirements. LAMP has its place (and there are quite a few of them!), but then again, so does M$.
Thanks to all for making me think twice about this. For now, I have removed the form entirely until I can replace it with a more secure form. texxs - I like your idea of checking to see if they even visited the page that submits to the form. I'll probably try to implement something like that, along with other security checks.
I won't move the site to a linux server any time soon, but eventually... probably...
Thanks again.
shrikrishnatechnologies
11-10-2010, 03:22 AM
try this code
<%
Dim sBlockedIP
sBlockedIP = Request.ServerVariables("REMOTE_ADDR")
'check if the IP is the one that is blocked (placeholder address; a real IPv4 octet never exceeds 255)
If sBlockedIP = "32.454.42.12" Then
'if IP address is banned then redirect to no_access.asp
Response.Redirect "no_access.asp"
End If
%>