Solved

Stop third party running ASP mail script. IIS7

Posted on 2014-10-10
7
206 Views
Last Modified: 2015-01-21
I have a customer with a classic ASP page with CDO mail script embedded in it.

The problem is that hackers are targeting the script and running it with a bogus call to the webpage and using it to spam the company with rubbish mail.

The calls to the script are being disguised as the companies own domain and IP address!

Is there an accepted way of securing an ASP script to stop it being run by outside sources (certificate, Windows Authorisation etc.)?

We are on Win 2012 with IIS7

Regards,
0
Comment
Question by:splanton
7 Comments
 
LVL 35

Expert Comment

by:Kimputer
ID: 40372587
If it's meant for humans to be interacted with, add some form of CAPTCHA. If you can't integrate it yourself, here's some explanation.
Along with the page (probably input fields), add a field for the CAPTCHA answer. Generate a random picture along with it. Along with the picture belongs a correct answer (use internal table, or logic).
Only when picture and answer match, should the script be executed.
If it's automated (no human interaction), and the script is meant to be run from one location, set IP security on that file (only allow that IP, or IP range to execute it).
0
 
LVL 2

Author Comment

by:splanton
ID: 40372630
CAPTCHA will only stop bots submitting a form. It will not stop the POST URL from being run. The spammers in this case are supplying their own POST fields and then running the customers submission form.

The spammers are also disguising their IP address as the Customers as well as the HTTP header so the request looks like it is legitimate.

It's a real nasty one!
0
 
LVL 2

Author Comment

by:splanton
ID: 40372633
The real point here is that the spammers are Spoofing both the IP and domain URL to look like the genuine article.

I can probably fix this programmatically, but if there is an accepted solution using IIS and security settings/certificates then I would rather go down that route.

Kind Regards,
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 
LVL 83

Accepted Solution

by:
Dave Baldwin earned 500 total points
ID: 40372693
No, a proper CAPTCHA checks the CAPTCHA when fields are POSTed.  The 'answer' to the CAPTCHA is stored in the Session data on the server.  And the CAPTCHA question is generated when the form page is requested.  While it will not stop them from posting to the URL, it will reject their data as being from an unacceptable source and not pass it on.  I've done CAPTCHAs in both ASP and PHP and they work well to stop direct POSTs to your form page.
0
 
LVL 2

Author Closing Comment

by:splanton
ID: 40372780
Thanks David,
I was under the misconception that CAPTCHA was only to stop unsolicited submission rather than POST.

Kind regards
0
 
LVL 83

Expert Comment

by:Dave Baldwin
ID: 40373832
You're welcome, glad to help.  Here's the reCAPTCHA web site:  http://www.google.com/recaptcha/intro/index.html  And here http://www.experts-exchange.com/Programming/Languages/Scripting/PHP/A_9849-Making-CAPTCHA-Friendlier-with-PHP-Image-Manipulation.html is an E-E article.  It's written for PHP but it shouldn't be too hard to translate into ASP.
0
 
LVL 30

Expert Comment

by:Wayne Barron
ID: 40562484
For those that are looking for an ASP Solution, have a look here.
http://www.cffcs.com/Main.asp?Entry=25

Good Luck
Wayne
0

Featured Post

Comprehensive Backup Solutions for Microsoft

Acronis protects the complete Microsoft technology stack: Windows Server, Windows PC, laptop and Surface data; Microsoft business applications; Microsoft Hyper-V; Azure VMs; Microsoft Windows Server 2016; Microsoft Exchange 2016 and SQL Server 2016.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Lync server 2013 or Skype for business Backup Service Error ID 4049 – After File Share Migration
Meet the world's only “Transparent Cloud™” from Superb Internet Corporation. Now, you can experience firsthand a cloud platform that consistently outperforms Amazon Web Services (AWS), IBM’s Softlayer, and Microsoft’s Azure when it comes to CPU and …
A short tutorial showing how to set up an email signature in Outlook on the Web (previously known as OWA). For free email signatures designs, visit https://www.mail-signatures.com/articles/signature-templates/?sts=6651 If you want to manage em…
Finds all prime numbers in a range requested and places them in a public primes() array. I've demostrated a template size of 30 (2 * 3 * 5) but larger templates can be built such 210  (2 * 3 * 5 * 7) or 2310  (2 * 3 * 5 * 7 * 11). The larger templa…

785 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question