Hacker posting to my website [RESOLVED--well, sort of]
Posted: Sun Apr 07, 2013 9:55 pm
SITUATION:
I developed and have operated a website for my old U.S. Navy ship for over a decade, and one feature is an open bulletin board that allows old shipmates, or family members or friends, to post messages of interest to, or seek information about, other former crew members. I deliberately chose to not require logging in and not require a moderator to approve messages, for simplicity, but I did design a simple email notification to myself whenever anyone adds a new message (there is no provision for editing). The notification email contains the content of the message, the supposed email of the poster, the IP address from $_SERVER['REMOTE_ADDR'], and a link to a PHP script that allows me to delete any spurious message just by clicking on the link. Simple. It has worked well for more than a decade. Probably 2 or 3 times a year, I get a notification that is obviously spurious (spam or just gibberish), and I click on the link and it's gone. Until now!
PROBLEM:
A notorious IP address, as it turns out, began posting spurious messages 3 days ago at 40-minute intervals, with webmail addresses that I'm sure are phony, initially all from one IP address in St. Petersburg, Russia, but now I'm getting a couple of other IP addresses, too. The body of the message is different each time, but always with a lot of sexual references and links (which I have not followed). It's like a game of whack-a-mole: if I'm home, or even with my tablet, I get the notification email, click the link, and the message is deleted, but 40 minutes later (or just recently, much sooner, from different IP addresses) there's another one. My site doesn't get much traffic (there are only a few hundred of us former crew members still alive--the ship was decommissioned in 1955!), so I don't know why he even bothers.
WHAT I DID:
After the first day of this, I decided to add a simple IP blocking function to my script that displays the form. I know that he is using this script, because it's the one that sends the email notifications. I have tested my blocking function by putting in my own IP address, and sure enough, when I try to reach that page, it simply delivers a blank screen. But when I put in the several IP addresses he has used so far, they aren't blocking his entries!
MY QUESTION:
I'm not interested in advice that I should not have an open bulletin board system like this. I know how to set up a registered user system, and I operate several of those. What I can't figure out is why the method I described just above doesn't block him. Even if the IP address is being spoofed somehow, it's the one that's being returned by $_SERVER['REMOTE_ADDR'], so it identifies one of his attacks, so why isn't it killing the rest of the script that adds the record and sends me the notification email?
There! I just saw 2 more messages pop up in my email. Here I go to whack down the latest mole!
I'd sure appreciate it if one of you security gurus could help me understand how he's doing this. If you can suggest a method of blocking him, that would be even cooler! Of course, I can just shut down the script, at least temporarily (I only get a few legitimate posts a year, typically, so it's not a big deal).
[Edit: If someone is interested in the details of this, I'll be glad to PM you with my site URL, my code, the identification of the spammer, etc.]
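For reference, here is an added example (not the poster's code) of how a REMOTE_ADDR deny-list check is usually placed in a PHP script that both displays a form and handles its POST: it runs first, before any record is written or any notification is mailed, and ends the script outright on a match. It assumes PHP 7 or later and a hypothetical `blocked_ips.txt` file with one IPv4 address or CIDR range per line.

```php
<?php
// Added example, not the original poster's script. Assumptions: PHP 7+, and a
// hypothetical plain-text file blocked_ips.txt holding one IPv4 address or
// CIDR range per line (blank lines and lines starting with '#' are ignored).

function ip_in_cidr(string $ip, string $cidr): bool {
    $ipLong = ip2long($ip);
    if ($ipLong === false) {
        return false;                       // not a valid IPv4 address
    }
    if (strpos($cidr, '/') === false) {     // a bare address matches only itself
        return $ipLong === ip2long($cidr);
    }
    [$net, $bits] = explode('/', $cidr, 2);
    $netLong = ip2long($net);
    $bits    = (int) $bits;
    if ($netLong === false || $bits < 0 || $bits > 32) {
        return false;                       // malformed list entry: ignore it
    }
    // Network mask for the prefix length; & 0xFFFFFFFF keeps it to 32 bits on 64-bit PHP.
    $mask = $bits === 0 ? 0 : (-1 << (32 - $bits)) & 0xFFFFFFFF;
    return ($ipLong & $mask) === ($netLong & $mask);
}

function is_blocked(string $ip, array $denyList): bool {
    foreach ($denyList as $entry) {
        $entry = trim($entry);
        if ($entry === '' || $entry[0] === '#') {
            continue;                       // skip blank lines and comments
        }
        if (ip_in_cidr($ip, $entry)) {
            return true;
        }
    }
    return false;
}

// This check is the first thing the script does: it covers both the GET that
// shows the form and the POST that inserts the record and sends the email, so a
// client that posts straight to the script without ever loading the form is
// still stopped before anything is stored or mailed.
$denyList = file('blocked_ips.txt', FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) ?: [];
$remote   = $_SERVER['REMOTE_ADDR'] ?? '';

if (is_blocked($remote, $denyList)) {
    http_response_code(403);
    exit;                                   // stop here: no insert, no notification
}

// ... the rest of the script (display form / validate / insert / mail) follows ...
```

Because the check exits before the insert and the mail() call, a blocked address produces neither a stored message nor a notification, which is the behaviour to confirm when testing the block with your own address.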