Solved

Stop third party running ASP mail script. IIS7

Posted on 2014-10-10
7
200 Views
Last Modified: 2015-01-21
I have a customer with a classic ASP page with CDO mail script embedded in it.

The problem is that hackers are targeting the script and running it with a bogus call to the webpage and using it to spam the company with rubbish mail.

The calls to the script are being disguised as the companies own domain and IP address!

Is there an accepted way of securing an ASP script to stop it being run by outside sources (certificate, Windows Authorisation etc.)?

We are on Win 2012 with IIS7

Regards,
0
Comment
Question by:splanton
7 Comments
 
LVL 35

Expert Comment

by:Kimputer
Comment Utility
If it's meant for humans to be interacted with, add some form of CAPTCHA. If you can't integrate it yourself, here's some explanation.
Along with the page (probably input fields), add a field for the CAPTCHA answer. Generate a random picture along with it. Along with the picture belongs a correct answer (use internal table, or logic).
Only when picture and answer match, should the script be executed.
If it's automated (no human interaction), and the script is meant to be run from one location, set IP security on that file (only allow that IP, or IP range to execute it).
0
 
LVL 2

Author Comment

by:splanton
Comment Utility
CAPTCHA will only stop bots submitting a form. It will not stop the POST URL from being run. The spammers in this case are supplying their own POST fields and then running the customers submission form.

The spammers are also disguising their IP address as the Customers as well as the HTTP header so the request looks like it is legitimate.

It's a real nasty one!
0
 
LVL 2

Author Comment

by:splanton
Comment Utility
The real point here is that the spammers are Spoofing both the IP and domain URL to look like the genuine article.

I can probably fix this programmatically, but if there is an accepted solution using IIS and security settings/certificates then I would rather go down that route.

Kind Regards,
0
Superior storage. Superior surveillance.

WD Purple drives are built for 24/7, always-on, high-definition security systems. With support for up to 8 hard drives and 32 cameras, WD Purple drives are optimized for surveillance.

 
LVL 82

Accepted Solution

by:
Dave Baldwin earned 500 total points
Comment Utility
No, a proper CAPTCHA checks the CAPTCHA when fields are POSTed.  The 'answer' to the CAPTCHA is stored in the Session data on the server.  And the CAPTCHA question is generated when the form page is requested.  While it will not stop them from posting to the URL, it will reject their data as being from an unacceptable source and not pass it on.  I've done CAPTCHAs in both ASP and PHP and they work well to stop direct POSTs to your form page.
0
 
LVL 2

Author Closing Comment

by:splanton
Comment Utility
Thanks David,
I was under the misconception that CAPTCHA was only to stop unsolicited submission rather than POST.

Kind regards
0
 
LVL 82

Expert Comment

by:Dave Baldwin
Comment Utility
You're welcome, glad to help.  Here's the reCAPTCHA web site:  http://www.google.com/recaptcha/intro/index.html  And here http://www.experts-exchange.com/Programming/Languages/Scripting/PHP/A_9849-Making-CAPTCHA-Friendlier-with-PHP-Image-Manipulation.html is an E-E article.  It's written for PHP but it shouldn't be too hard to translate into ASP.
0
 
LVL 30

Expert Comment

by:Wayne Barron
Comment Utility
For those that are looking for an ASP Solution, have a look here.
http://www.cffcs.com/Main.asp?Entry=25

Good Luck
Wayne
0

Featured Post

Highfive + Dolby Voice = No More Audio Complaints!

Poor audio quality is one of the top reasons people don’t use video conferencing. Get the crispest, clearest audio powered by Dolby Voice in every meeting. Highfive and Dolby Voice deliver the best video conferencing and audio experience for every meeting and every room.

Join & Write a Comment

Prologue It is often required to host multiple websites on a single instance of IIS, mostly in development environments instead of on production servers. I am sure it is not much a preferred solution on production servers but this is at least a pos…
If you don't have the right permissions set for your WordPress location in IIS, you won't be able to perform automatic updates. Here's how to fix the problem.
Access reports are powerful and flexible. Learn how to create a query and then a grouped report using the wizard. Modify the report design after the wizard is done to make it look better. There will be another video to explain how to put the final p…
This tutorial demonstrates a quick way of adding group price to multiple Magento products.

771 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now