China won't stop spamming me!



I have gotten over 1100 spam emails from China in the last 3 hours. I've tried to block the IP addresses but there are too many. How do I STOP China from sending spam emails to my website?


Going to need a bit more info here. Do you run your own email server? What server? What is the domain they are sending to? Are they sending to 1 email address?

Can we see the headers of these emails? You say sending to your website, when you don't send mail to a website. You send email to an email server, for a specific address that that server accepts mail for, etc.

More than happy to help you - but we have nothing to work with here.


And that is why we have intelligent individuals like yourself, to tell me what I'm missing lol. Now when you say my own email server, I'm guessing yes. My website is hosted by StableHost and yes they are sending to one specific email address.

 

As far as the header of the email, where would I find that? Is this it?

Received: from chriscob by ssd10.stablehost.com with local (Exim 4.82)
    (envelope-from <chriscob@ssd10.stablehost.com>)
    id 1XBMnG-001O3h-G2
    for info@coburnconsultgroup.com; Sun, 27 Jul 2014 07:39:10 -0400
To: info@coburnconsultgroup.com
Subject: New inquiry from christian louboutin mistica 60 pumps
X-PHP-Script: coburnconsultgroup.com/ajax.php for 120.37.237.21
From: 'christian louboutin mistica 60 pumps' <jjkui778hgtf*@gmail.com>
Reply-To: 'christian louboutin mistica 60 pumps' <jjkui778hgtf*@gmail.com>
Message-Id: <E1XBMnG-001O3h-G2@ssd10.stablehost.com>
Date: Sun, 27 Jul 2014 07:39:10 -0400

Thanks for your help.


That for sure is not the full headers, unless it looks like they sent it from a script on your site?

IP that used your script

inetnum: 120.32.0.0 - 120.39.255.255
netname: CHINANET-FJ
descr: CHINANET FUJIAN PROVINCE NETWORK

Why don't you just block them at your webserver so they cannot access that script? Your host should be able to help you with that. Could be something as simple as .htaccess to that ajax.php script you're using to send the email on the contact section of your website, I would assume.

Looks like you're running LiteSpeed for your webserver. .htaccess should be supported, something along the lines of

Order Deny,Allow
Deny from 120.37.237.21

Should block them from your site. So does your hosting company give you access to a firewall for your server/site? Guessing it's just a shared server, not dedicated or yours only?

You could use, say, Deny from 120. to block anything starting with 120. You can look up country IPs; here is one resource, not sure how accurate it is: http://www.nirsoft.net/countryip/


The first thing I do on all my VMs is use iptables to block all Chinese and Russian IPs... Obviously not all are covered by the online lists, but it covers a lot and you can just add subnets of any that get around it.

 

Do that and watch as you stop getting spam.


There is not really a mail server involved here; this traffic, from the headers, is not being sent via SMTP. They seem to be accessing a script that sends the mail to him. So yeah, the ArtistX stuff should help - looks to be info on crafting htaccess files to block netblocks. Exactly what the OP should be looking to do to prevent unwanted countries from accessing his contact me script, which is what this looks to be using to send the mail:

X-PHP-Script: coburnconsultgroup.com/ajax.php for 120.37.237.21
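
Added example (not part of the original posts): a Python sketch that tallies which client IPs are driving the form through the X-PHP-Script header, converts the whois inetnum range quoted earlier in the thread into CIDR form, and prints Deny lines in the syntax suggested above. The sample headers are constructed; only 120.37.237.21 and the 120.32.0.0 - 120.39.255.255 range come from the thread, and the function names are illustrative.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the style of the header quoted in the thread.
# 120.37.237.21 is from the thread; the other client IPs are made up.
SAMPLE = """\
X-PHP-Script: coburnconsultgroup.com/ajax.php for 120.37.237.21
Subject: New inquiry
X-PHP-Script: coburnconsultgroup.com/ajax.php for 120.37.237.21
X-PHP-Script: coburnconsultgroup.com/ajax.php for 120.33.10.4
X-PHP-Script: coburnconsultgroup.com/ajax.php for 203.0.113.9
"""

# Header form seen in the thread: "<host/script> for <client IP>"
HEADER_RE = re.compile(r"^X-PHP-Script:\s*(\S+)\s+for\s+([0-9A-Fa-f.:]+)", re.M)

def hits_by_script_and_ip(text):
    """Count submissions per (script, client IP) found in X-PHP-Script lines."""
    counts = Counter()
    for script, raw_ip in HEADER_RE.findall(text):
        try:
            counts[(script, ipaddress.ip_address(raw_ip))] += 1
        except ValueError:
            continue  # not a valid address; skip the line
    return counts

def range_to_cidrs(first, last):
    """Turn a whois 'inetnum: first - last' range into exact CIDR blocks."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))

def deny_lines(counts, known_ranges, min_hits=1):
    """Build .htaccess lines: the covering CIDR if known, else the single IP."""
    targets = set()
    for (_script, ip), hits in counts.items():
        if hits < min_hits:
            continue
        block = next((net for net in known_ranges if ip in net), None)
        targets.add(str(block if block is not None else ip))
    return ["Order Deny,Allow"] + [f"Deny from {t}" for t in sorted(targets)]

if __name__ == "__main__":
    chinanet_fj = range_to_cidrs("120.32.0.0", "120.39.255.255")  # whois reply
    print("\n".join(deny_lines(hits_by_script_and_ip(SAMPLE), chinanet_fj)))
```

Raising min_hits limits the output to sources that hit the script repeatedly, which keeps one-off visitors out of the block list.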


If you have webmail or a form on your web pages, you can add the filters, as others said, so that you can block IPs and they cannot access or email.

 

Or you can add captcha to the form or webmail login.

 

You can do both if you want.


As Budman said, they are using a PHP script on your site to email you.  Look at:

 

1) Captcha

2) Time delays between multiple emails from ip addresses

3) On the script, check that it only receives input from your site

 

There are more but these are 3 easy ones.


Get a honeypot set up on your site. They've discovered a form they can easily manipulate and they are. It's an automated bot.
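
Added example (not part of the original posts): the honeypot suggested here together with items 2 and 3 of the list in the earlier reply, written as one server-side check in Python. The field name "website", the 60-second interval, the in-memory store and the sample requests are assumptions; the site's ajax.php would apply the same logic in PHP with persistent storage, and a captcha (item 1) would be added through a separate service.

```python
import time
from urllib.parse import urlsplit

class ContactFormGate:
    """Server-side checks to run before a contact script sends any mail."""

    def __init__(self, allowed_hosts, honeypot_field="website", min_interval=60):
        self.allowed_hosts = set(allowed_hosts)  # hosts that serve the real form
        self.honeypot_field = honeypot_field     # hypothetical hidden input name
        self.min_interval = min_interval         # assumed seconds between sends per IP
        self._last_sent = {}                     # client IP -> time of last accepted send

    def check(self, form, headers, client_ip, now=None):
        """Return (accepted, reason) for one POST to the contact script."""
        now = time.time() if now is None else now

        # Input must come from the site's own pages. Origin/Referer are set by
        # the client, so this only filters bots that post to the script directly.
        source = headers.get("Origin") or headers.get("Referer") or ""
        if urlsplit(source).hostname not in self.allowed_hosts:
            return False, "foreign-origin"

        # Honeypot: the field is hidden from people with CSS, so only a bot
        # that fills in every input will send a value for it.
        if form.get(self.honeypot_field, "").strip():
            return False, "honeypot"

        # Time delay between multiple emails from the same IP address.
        last = self._last_sent.get(client_ip)
        if last is not None and now - last < self.min_interval:
            return False, "rate-limited"

        self._last_sent[client_ip] = now
        return True, "ok"

if __name__ == "__main__":
    gate = ContactFormGate({"coburnconsultgroup.com"})
    page = {"Referer": "http://coburnconsultgroup.com/contact"}  # constructed request
    form = {"name": "A", "message": "Hello", "website": ""}
    print(gate.check(form, page, "198.51.100.7", now=0))   # first send is accepted
    print(gate.check(form, page, "198.51.100.7", now=10))  # second send is too soon
    print(gate.check(form, {}, "198.51.100.8", now=10))    # no Origin or Referer
```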


You may also want to take a look at Cloudflare. It blocks a lot of web-based attacks.

It obfuscates email addresses on websites so they don't show for bots.

The amount of spammers getting to your 'email forms' or 'contact me' forms will be much less.

 

What happened in your case is a bot crawled your website. It saw the email address and the contact form.

Add a captcha to the contact form.


Been sleeping since I posted this, thanks guys for all the responses. I tried the .htaccess but it didn't seem to work. I've tried blocking the IPs and again, no dice. I'm going to apply this advice and see what results I get. Again, I appreciate all the help, you guys are better than Google, no jokes.


We block whole countries using .htaccess on our site, and also Honeypot modules as well.

It's stopped all spam so far that I've seen.

Here is a generator:

http://www.ip2location.com/blockvisitorsbycountry.aspx

If you're blocking one IP at a time, you might as well give up. They'll use proxies to get around that.

If you don't need people outside the US to see your site, I would block most countries. That's how we did it. If you need people outside the US to see it, then be more selective, but block that one country's range at least.


As to why it's not working - that was not the whole code I posted, just a piece that would set deny first then allow and the IP to block that you listed. You would have to incorporate that into your existing .htaccess file? If you are using them? I show your site using LiteSpeed, which I do believe uses htaccess, but there might be some changes to the syntax? I have not worked with that httpd before so not sure.

Where did you place the .htaccess file, are they enabled in LiteSpeed by default? You're going to have to ask someone that has direct experience with using LiteSpeed - sorry.


I'm not sure what is happening, as it appears China is hitting my site for a lot of bandwidth usage.

 

Note:  Everything was fine 2 months ago, just before switching to Invision Power board.

 

Country               Pages    Hits     Bandwidth
United States - us    18,273   51,083   5.34 GB
China - cn            3,782    10,258   191.03 GB

 

AWStats is showing the below bandwidth usage being attributed to ONE .zip file being downloaded.

 

Note: Before switching to Invision Power Board (in May) China used less than 3GB of bandwidth for the same file.

 

Hits     206 Hits  Bandwidth  Average size

3,049  157         201.22GB   64.27    

 

I log my downloads in stats on the website and it only shows 265 downloads for this file from users on the website.

 

The file is located in the /data/files/ folder in the root of my website

 

I have my .htaccess file located in the /data/files/ folder.

# File: $Id$
# ----------------------------------------------------------------------
# Purpose of file: block any hot linking of .zip or .exe or .msi files
#                stored under the /data/files/ directory
# ----------------------------------------------------------------------
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?mysite.com [NC]
RewriteRule \.(zip|exe|msi)$ http://www.mysite.com [NC,R,L]

Is there something I'm doing wrong?
 


I have gotten over 1100 spam emails from China in the last 3 hours. I've tried to block the IP addresses but there are too many. How do I STOP China from sending spam emails to my website?

Launch your nukes.


We use HoneyPot/StopForumSpam too, it's very good but can't stop everything. It does save our mods a bunch of headaches though.


This topic is now closed to further replies.