Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 226
  • Last Modified:

Stop third party running ASP mail script. IIS7

I have a customer with a classic ASP page with CDO mail script embedded in it.

The problem is that hackers are targeting the script and running it with a bogus call to the webpage and using it to spam the company with rubbish mail.

The calls to the script are being disguised as the companies own domain and IP address!

Is there an accepted way of securing an ASP script to stop it being run by outside sources (certificate, Windows Authorisation etc.)?

We are on Win 2012 with IIS7

Regards,
0
splanton
Asked:
splanton
1 Solution
 
KimputerCommented:
If it's meant for humans to be interacted with, add some form of CAPTCHA. If you can't integrate it yourself, here's some explanation.
Along with the page (probably input fields), add a field for the CAPTCHA answer. Generate a random picture along with it. Along with the picture belongs a correct answer (use internal table, or logic).
Only when picture and answer match, should the script be executed.
If it's automated (no human interaction), and the script is meant to be run from one location, set IP security on that file (only allow that IP, or IP range to execute it).
0
 
splantonAuthor Commented:
CAPTCHA will only stop bots submitting a form. It will not stop the POST URL from being run. The spammers in this case are supplying their own POST fields and then running the customers submission form.

The spammers are also disguising their IP address as the Customers as well as the HTTP header so the request looks like it is legitimate.

It's a real nasty one!
0
 
splantonAuthor Commented:
The real point here is that the spammers are Spoofing both the IP and domain URL to look like the genuine article.

I can probably fix this programmatically, but if there is an accepted solution using IIS and security settings/certificates then I would rather go down that route.

Kind Regards,
0
VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

 
Dave BaldwinFixer of ProblemsCommented:
No, a proper CAPTCHA checks the CAPTCHA when fields are POSTed.  The 'answer' to the CAPTCHA is stored in the Session data on the server.  And the CAPTCHA question is generated when the form page is requested.  While it will not stop them from posting to the URL, it will reject their data as being from an unacceptable source and not pass it on.  I've done CAPTCHAs in both ASP and PHP and they work well to stop direct POSTs to your form page.
0
 
splantonAuthor Commented:
Thanks David,
I was under the misconception that CAPTCHA was only to stop unsolicited submission rather than POST.

Kind regards
0
 
Dave BaldwinFixer of ProblemsCommented:
You're welcome, glad to help.  Here's the reCAPTCHA web site:  http://www.google.com/recaptcha/intro/index.html  And here http://www.experts-exchange.com/Programming/Languages/Scripting/PHP/A_9849-Making-CAPTCHA-Friendlier-with-PHP-Image-Manipulation.html is an E-E article.  It's written for PHP but it shouldn't be too hard to translate into ASP.
0
 
Wayne BarronCommented:
For those that are looking for an ASP Solution, have a look here.
http://www.cffcs.com/Main.asp?Entry=25

Good Luck
Wayne
0

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now