Solved

Stop third party running ASP mail script. IIS7

Posted on 2014-10-10
7
204 Views
Last Modified: 2015-01-21
I have a customer with a classic ASP page with CDO mail script embedded in it.

The problem is that hackers are targeting the script and running it with a bogus call to the webpage and using it to spam the company with rubbish mail.

The calls to the script are being disguised as the companies own domain and IP address!

Is there an accepted way of securing an ASP script to stop it being run by outside sources (certificate, Windows Authorisation etc.)?

We are on Win 2012 with IIS7

Regards,
0
Comment
Question by:splanton
7 Comments
 
LVL 35

Expert Comment

by:Kimputer
ID: 40372587
If it's meant for humans to be interacted with, add some form of CAPTCHA. If you can't integrate it yourself, here's some explanation.
Along with the page (probably input fields), add a field for the CAPTCHA answer. Generate a random picture along with it. Along with the picture belongs a correct answer (use internal table, or logic).
Only when picture and answer match, should the script be executed.
If it's automated (no human interaction), and the script is meant to be run from one location, set IP security on that file (only allow that IP, or IP range to execute it).
0
 
LVL 2

Author Comment

by:splanton
ID: 40372630
CAPTCHA will only stop bots submitting a form. It will not stop the POST URL from being run. The spammers in this case are supplying their own POST fields and then running the customers submission form.

The spammers are also disguising their IP address as the Customers as well as the HTTP header so the request looks like it is legitimate.

It's a real nasty one!
0
 
LVL 2

Author Comment

by:splanton
ID: 40372633
The real point here is that the spammers are Spoofing both the IP and domain URL to look like the genuine article.

I can probably fix this programmatically, but if there is an accepted solution using IIS and security settings/certificates then I would rather go down that route.

Kind Regards,
0
Enterprise Mobility and BYOD For Dummies

Like “For Dummies” books, you can read this in whatever order you choose and learn about mobility and BYOD; and how to put a competitive mobile infrastructure in place. Developed for SMBs and large enterprises alike, you will find helpful use cases, planning, and implementation.

 
LVL 83

Accepted Solution

by:
Dave Baldwin earned 500 total points
ID: 40372693
No, a proper CAPTCHA checks the CAPTCHA when fields are POSTed.  The 'answer' to the CAPTCHA is stored in the Session data on the server.  And the CAPTCHA question is generated when the form page is requested.  While it will not stop them from posting to the URL, it will reject their data as being from an unacceptable source and not pass it on.  I've done CAPTCHAs in both ASP and PHP and they work well to stop direct POSTs to your form page.
0
 
LVL 2

Author Closing Comment

by:splanton
ID: 40372780
Thanks David,
I was under the misconception that CAPTCHA was only to stop unsolicited submission rather than POST.

Kind regards
0
 
LVL 83

Expert Comment

by:Dave Baldwin
ID: 40373832
You're welcome, glad to help.  Here's the reCAPTCHA web site:  http://www.google.com/recaptcha/intro/index.html  And here http://www.experts-exchange.com/Programming/Languages/Scripting/PHP/A_9849-Making-CAPTCHA-Friendlier-with-PHP-Image-Manipulation.html is an E-E article.  It's written for PHP but it shouldn't be too hard to translate into ASP.
0
 
LVL 30

Expert Comment

by:Wayne Barron
ID: 40562484
For those that are looking for an ASP Solution, have a look here.
http://www.cffcs.com/Main.asp?Entry=25

Good Luck
Wayne
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Hello, all! I just recently started using Microsoft's IIS 7.5 within Windows 7, as I just downloaded and installed the 90 day trial of Windows 7. (Got to love Microsoft for allowing 90 days) The main reason for downloading and testing Windows 7 is t…
Meet the world's only “Transparent Cloud™” from Superb Internet Corporation. Now, you can experience firsthand a cloud platform that consistently outperforms Amazon Web Services (AWS), IBM’s Softlayer, and Microsoft’s Azure when it comes to CPU and …
This is used to tweak the memory usage for your computer, it is used for servers more so than workstations but just be careful editing registry settings as it may cause irreversible results. I hold no responsibility for anything you do to the regist…
Hi friends,  in this video  I'll show you how new windows 10 user can learn the using of windows 10. Thank you.

911 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

27 Experts available now in Live!

Get 1:1 Help Now