Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Stop third party running ASP mail script. IIS7

Posted on 2014-10-10
7
Medium Priority
?
221 Views
Last Modified: 2015-01-21
I have a customer with a classic ASP page with CDO mail script embedded in it.

The problem is that hackers are targeting the script and running it with a bogus call to the webpage and using it to spam the company with rubbish mail.

The calls to the script are being disguised as the companies own domain and IP address!

Is there an accepted way of securing an ASP script to stop it being run by outside sources (certificate, Windows Authorisation etc.)?

We are on Win 2012 with IIS7

Regards,
0
Comment
Question by:splanton
7 Comments
 
LVL 37

Expert Comment

by:Kimputer
ID: 40372587
If it's meant for humans to be interacted with, add some form of CAPTCHA. If you can't integrate it yourself, here's some explanation.
Along with the page (probably input fields), add a field for the CAPTCHA answer. Generate a random picture along with it. Along with the picture belongs a correct answer (use internal table, or logic).
Only when picture and answer match, should the script be executed.
If it's automated (no human interaction), and the script is meant to be run from one location, set IP security on that file (only allow that IP, or IP range to execute it).
0
 
LVL 2

Author Comment

by:splanton
ID: 40372630
CAPTCHA will only stop bots submitting a form. It will not stop the POST URL from being run. The spammers in this case are supplying their own POST fields and then running the customers submission form.

The spammers are also disguising their IP address as the Customers as well as the HTTP header so the request looks like it is legitimate.

It's a real nasty one!
0
 
LVL 2

Author Comment

by:splanton
ID: 40372633
The real point here is that the spammers are Spoofing both the IP and domain URL to look like the genuine article.

I can probably fix this programmatically, but if there is an accepted solution using IIS and security settings/certificates then I would rather go down that route.

Kind Regards,
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 84

Accepted Solution

by:
Dave Baldwin earned 2000 total points
ID: 40372693
No, a proper CAPTCHA checks the CAPTCHA when fields are POSTed.  The 'answer' to the CAPTCHA is stored in the Session data on the server.  And the CAPTCHA question is generated when the form page is requested.  While it will not stop them from posting to the URL, it will reject their data as being from an unacceptable source and not pass it on.  I've done CAPTCHAs in both ASP and PHP and they work well to stop direct POSTs to your form page.
0
 
LVL 2

Author Closing Comment

by:splanton
ID: 40372780
Thanks David,
I was under the misconception that CAPTCHA was only to stop unsolicited submission rather than POST.

Kind regards
0
 
LVL 84

Expert Comment

by:Dave Baldwin
ID: 40373832
You're welcome, glad to help.  Here's the reCAPTCHA web site:  http://www.google.com/recaptcha/intro/index.html  And here http://www.experts-exchange.com/Programming/Languages/Scripting/PHP/A_9849-Making-CAPTCHA-Friendlier-with-PHP-Image-Manipulation.html is an E-E article.  It's written for PHP but it shouldn't be too hard to translate into ASP.
0
 
LVL 31

Expert Comment

by:Wayne Barron
ID: 40562484
For those that are looking for an ASP Solution, have a look here.
http://www.cffcs.com/Main.asp?Entry=25

Good Luck
Wayne
0

Featured Post

Free learning courses: Active Directory Deep Dive

Get a firm grasp on your IT environment when you learn Active Directory best practices with Veeam! Watch all, or choose any amount, of this three-part webinar series to improve your skills. From the basics to virtualization and backup, we got you covered.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you don't have the right permissions set for your WordPress location in IIS, you won't be able to perform automatic updates. Here's how to fix the problem.
When it comes to security, close monitoring is a must. According to WhiteHat Security annual report, a substantial number of all web applications are vulnerable always. Monitis offers a new product - fully-featured Website security monitoring and pr…
We’ve all felt that sense of false security before—locking down external access to a database or component and feeling like we’ve done all we need to do to secure company data. But that feeling is fleeting. Attacks these days can happen in many w…
Screencast - Getting to Know the Pipeline

972 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question