We have several forms on our website that send emails to various users in our organization. I didn't create these but am only the sys admin for the server.
One user is being pestered by spam that seems to be generated by one particular form.
The form has a few radio buttons, Name, address, phone number and comment fields.
The setup of our forms is this:
myForm.html gets filled out by users.
When the submit is clicked, it executes a myForm.cgi.
This myForm.cgi calls a compiled C++ program myForm_comp.cgi which parses the information from the form and sends it using a mail package to the user. The user's email address is hardcoded in the compiled code.
This setup is the same for all our forms; however, this user is the only one who gets the spam. We have several forms (separate cgi compiles) that get sent to different users depending on topic. All simple forms with similar fields.
In reviewing the Apache logs, we see, for example, what appears to be a bot (same IP, hundreds of lines in a 30 second window) hitting all our webpages and especially hitting two of our forms. One being myForm.cgi, the other being otherForm.cgi.
The Apache log shows 11 GETs of the myForm.html and then hundreds of GET/POST for myForm.cgi.
The user reported she got 10 spam emails.
The same pattern shows for the otherForm.html but no spam emails arrived.
We think it must be a bot that reads the html, fills it in (it's always the same information) and sends it off. The "Return Path" in the message source is our webserver as is also the "Received From" as reported by our mail server. But this can be spoofed, right?
Many Questions. Let's start with three:
1. If it is spoofed, how did they get the user's email which is only in the compiled program?
2. Why doesn't the otherForm.cgi user get spam? The otherForm.html has mostly radio buttons and only two text fields...email and comments. Easy fill!
3. Why does the user actually get the spam several hours after the Apache logs log myForm.cgi getting hit? The emails show they are created at the time the Apache logged the hits, but it doesn't come through our mail server until several hours later. The latest batch arrived in her inbox 12 hours later.
Thank you for educating me and hopefully pointing me to some answers.
BTW...I have followed the technique in this link of adding a hidden field to the html form that, if filled out, the CGI rejects it. I am waiting for approval by the developer to put it into production. https://www.lifewire.com/solutions-to-protect-web-forms-from-spam-3467469
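
The hidden-field check mentioned at the end of the post, sketched for a C++ CGI handler of the kind described. This is an added example, not the site's code or the linked article's; the trap field name `website`, the 64 KiB body cap and the function names are assumptions.

```cpp
#include <algorithm>
#include <cctype>
#include <cstdlib>
#include <iostream>
#include <map>
#include <sstream>
#include <string>

// Decode application/x-www-form-urlencoded text: '+' is a space, %XX is one byte.
std::string url_decode(const std::string& in) {
    std::string out;
    for (std::size_t i = 0; i < in.size(); ++i) {
        bool hex = in[i] == '%' && i + 2 < in.size() &&
                   std::isxdigit((unsigned char)in[i + 1]) &&
                   std::isxdigit((unsigned char)in[i + 2]);
        if (!hex) { out += (in[i] == '+') ? ' ' : in[i]; continue; }
        out += (char)std::strtol(in.substr(i + 1, 2).c_str(), nullptr, 16);
        i += 2;
    }
    return out;
}

// Split "a=1&b=2" into decoded name/value pairs.
std::map<std::string, std::string> parse_form(const std::string& body) {
    std::map<std::string, std::string> fields;
    std::istringstream ss(body);
    for (std::string pair; std::getline(ss, pair, '&');) {
        std::size_t eq = pair.find('=');
        fields[url_decode(pair.substr(0, eq))] =
            eq == std::string::npos ? "" : url_decode(pair.substr(eq + 1));
    }
    return fields;
}

// A browser leaves the hidden trap field empty; a script that fills every input does not.
bool honeypot_tripped(const std::map<std::string, std::string>& f, const std::string& trap) {
    auto it = f.find(trap);
    return it != f.end() && it->second.find_first_not_of(" \t\r\n") != std::string::npos;
}

int main() {
    const char* len = std::getenv("CONTENT_LENGTH");
    std::string body(std::min<std::size_t>(len ? std::strtoul(len, nullptr, 10) : 0, 65536), '\0');
    std::cin.read(&body[0], body.size());
    body.resize(std::cin.gcount());
    if (honeypot_tripped(parse_form(body), "website"))  // hypothetical field name
        std::cerr << "honeypot field filled, mail suppressed\n";  // lands in Apache's error log
    // else: pass the parsed fields to the existing mail code here
    std::cout << "Content-Type: text/plain\r\n\r\nThank you.\n";  // same reply either way
}
```

Returning the same response whether or not the trap fired gives the submitting script no signal that its input was dropped.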