Strange email from web form; could this be hack attempt

Discussion in 'ASP.NET / ASP.NET Core' started by SailAway, May 11, 2013.

  1. I have a form on my asp.net website and I use C# code to form and send email based upon what the user enters on the form. This has been working great. Late last night I received 5 emails with the same timestamp but random information on them. I have included a sample of the email below. Has anyone seen anything like this before? Is this an indication that my web page has been hacked or is this an effort to try to hack it? I am new at this and would appreciate any information or suggestions.
    Thank You!

    This is a sample of the email based on the fields the user fills in. I fill in the To: with my email address and I fill in the Subject.

    -------------start of email ----------------------------------------------
    From: Ella vYYpMumKdRBapjMio
    To: (I have my hard coded email address here)
    Cc: [email protected]
    Subject: Private Label Application
    -----------------------------------------------
    Private Label Application

    Name : Ella vYYpMumKdRBapjMio
    Email : [email protected]

    Address -
    Street : wtIqtvnVUTzj
    Street : GXkhlcTFABtTBTIGpr
    City : New York, State : NY
    Zip Code : 11724, Country : United States of America

    Phone : 9721-30747838611

    Private Label Information -
    Business Name : NzWMnMEeSArnlcpqs
    Web Address : jPvOgdSaCivfeGqoh
    Phone : 1256-76755262767
    --------------------------------end of email----------------------------------

    Below is some asp.net code from my webpage; I only included part of it.

    -------------------------------start of sample asp code----------------------

    <h4>Please fill out this application for our "Private Label"</h4>

    First Name:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Last Name:<br />
    <asp:TextBox runat="server" id="FirstName" class="textbox"></asp:TextBox> &nbsp;
    &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
    <asp:TextBox id="LastName" runat="server" Width="200px" class="textbox"></asp:TextBox>
    &nbsp;
    <asp:RequiredFieldValidator id="RequiredFieldValidator11" runat="server" ControlToValidate="FirstName" Display="Dynamic" ErrorMessage="First Name is Required" ForeColor="Red"></asp:RequiredFieldValidator>
    &nbsp;
    <asp:RequiredFieldValidator id="RequiredFieldValidator1" runat="server" ControlToValidate="LastName" ErrorMessage="Last Name is Required" ForeColor="Red"></asp:RequiredFieldValidator>
    <br />
    <br />
    Email Address:<br />
    <asp:TextBox id="Email" runat="server" Width="200px" class="textbox"></asp:TextBox>
    &nbsp;
    <asp:RequiredFieldValidator id="RequiredFieldValidator2" runat="server" ControlToValidate="Email" Display="Dynamic" ErrorMessage="Email Address is Required" ForeColor="Red"></asp:RequiredFieldValidator>
    &nbsp;
    <asp:RegularExpressionValidator id="RegularExpressionValidator1" runat="server" ControlToValidate="Email" ErrorMessage="Email Invalid" ValidationExpression="\w+([-+.']\w+)*@\w+([-.]\w+)*\.\w+([-.]\w+)*" ForeColor="Red"></asp:RegularExpressionValidator>
    <br />
    <br />
    Please re-enter your Email address:<br />
    <asp:TextBox id="ConfirmEmail" runat="server" Width="200px" class="textbox"></asp:TextBox>
    &nbsp;
    <asp:RequiredFieldValidator id="RequiredFieldValidator5" runat="server" ControlToValidate="ConfirmEmail" Display="Dynamic" ErrorMessage="Email Address is Required" ForeColor="Red"></asp:RequiredFieldValidator>
    &nbsp;
    <asp:RegularExpressionValidator id="RegularExpressionValidator2" runat="server" ControlToValidate="ConfirmEmail" ErrorMessage="Email Invalid" ValidationExpression="\w+([-+.']\w+)*@\w+([-.]\w+)*\.\w+([-.]\w+)*" ForeColor="Red" Display="Dynamic"></asp:RegularExpressionValidator>
    &nbsp;
    <asp:CompareValidator id="CompareValidator1" runat="server" ControlToCompare="Email" ControlToValidate="ConfirmEmail" Display="Dynamic" ErrorMessage="Addresses Must Match" ForeColor="Red"></asp:CompareValidator>
    <br />
    <br />
    ----------------------------end of sample asp code------------------------------------
     
  2. 5 emails received generated from an HTML form within a short time interval and these emails contain complete garbage - yes it's definitely going to be an automated script spam / hack attempt. It happens all the time and is just an unfortunate consequence of enabling user input on a public facing website. It's not personal, it happens to all websites and it's a case of us against 'them'.

    It's not going to stop so the only thing you can do is be sure that your code is secure enough so your website isn't seriously hacked and compromised. My own recommendations include:

    1. Reduce the effectiveness of automated script attacks by introducing a captcha in your html form e.g. https://developers.google.com/recaptcha/docs/aspnet. It's not impossible for a script kiddie to get around captcha input but introducing one will make it just a little bit harder for them to try an exploit.
    2. Make sure all input to the form / page is validated. You should be getting this behaviour for free as long as your ASP.NET site and pages have not switched off request validation. It's worth checking.
    3. If your site uses a database, make sure all access to your database is using parameterized queries. This will help prevent SQL / XSS script injection attacks.

    There's loads of information specific to security and ASP.NET web applications available online - you won't have to Google much to end up landing on a variety of Microsoft msdn / www.asp.net pages or StackOverflow articles.

    OWASP over at https://www.owasp.org/index.php/Category:OWASP_.NET_Project is also a great security resource.

    If only everyone on the internet could just play nice we could do away with all of this lot.. ;-)
     
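Post 2's checklist applied to the form in post 1, as an added example that is not from the thread or from SailAway's site: a code-behind handler that re-checks the validators on the server, rejects values that cannot safely go into a mail header, and keeps the submitter's address out of the Cc line that the spam sample shows it landing in. The control names FirstName, LastName and Email come from the page; Status, Submit_Click, the two helper methods and the example.com addresses are assumptions. Note that ASP.NET request validation only rejects markup-like input, so on its own it would not have stopped the alphanumeric junk in the sample.

```csharp
using System;
using System.Net.Mail;
using System.Text.RegularExpressions;
using System.Web.UI;

public partial class PrivateLabel : Page
{
    // Same pattern the page's RegularExpressionValidator uses, anchored and re-checked on the server.
    private static readonly Regex EmailPattern =
        new Regex(@"^\w+([-+.']\w+)*@\w+([-.]\w+)*\.\w+([-.]\w+)*$", RegexOptions.Compiled);

    // Hypothetical helper: a value may go into a mail header only if it is short
    // and free of control characters (CR/LF would start a new header line).
    private static bool IsHeaderSafe(string value, int maxLength)
    {
        if (string.IsNullOrWhiteSpace(value) || value.Length > maxLength) return false;
        foreach (char c in value)
            if (char.IsControl(c)) return false;
        return true;
    }
    // Hypothetical helper: regex check plus MailAddress parsing, which throws on malformed input.
    private static bool IsValidAddress(string value)
    {
        if (!IsHeaderSafe(value, 254) || !EmailPattern.IsMatch(value)) return false;
        try { new MailAddress(value); return true; }
        catch (FormatException) { return false; }
    }

    protected void Submit_Click(object sender, EventArgs e)
    {
        // Validator controls run on postback, but this handler still executes unless IsValid is checked.
        if (!Page.IsValid) return;

        string name = (FirstName.Text + " " + LastName.Text).Trim();
        string email = Email.Text.Trim();
        if (!IsHeaderSafe(name, 100) || !IsValidAddress(email))
        {
            Status.Text = "Please check the name and email address you entered.";
            return;
        }

        // Fixed From and To (placeholders); the submitter's address goes only into Reply-To,
        // so the form cannot be used to send mail to addresses of the submitter's choosing.
        var msg = new MailMessage("form@example.com", "owner@example.com") { Subject = "Private Label Application" };
        msg.ReplyToList.Add(new MailAddress(email, name));
        msg.Body = "Name : " + name + Environment.NewLine + "Email : " + email;
        new SmtpClient().Send(msg);  // SMTP host comes from <system.net><mailSettings> in web.config
        Status.Text = "Thank you, your application was received.";
    }
}
```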
  3. martino (DiscountASP.NET Staff)

    Really Really nice information CrystalCMS!

    If you leave your mail script wide open or make it possible for someone to exploit it... Trust me on this. Those people will have a field day with your email script. You have to lock it up and do what CrystalCMS stated.
     
  4. Thank you so much for the replies. CrystalCMS your reply is very helpful.
     
  5. martino (DiscountASP.NET Staff)

    Yup! CrystalCMS is always helpful! :)
     
  6. I also recommend looking into SiteLock. It is a 3rd party security company that we partnered with to help monitor and identify any malicious files in a website and will help identify any potential weaknesses and exploits in the website. Normally SiteLock will sell their service for about $99/year for the basic plan and $299/year for their Premium plan. We have made a deal with them to sell it to our customer base for $25/year for the Basic plan and $50/year for the Premium plan.
     
  7. mjp

    Well, that's part of our current problem, isn't it. The Internet was designed with the assumption that everyone would play nice. Clearly that was a bit shortsighted.

    But then I don't think anyone back in the day predicted widespread public use. But still.

    And Raymond is right about SiteLock, that's not just a sales pitch. ;) If you're unsure whether you have any potential trouble spots, the SiteLock scan can point them out for you.

    Then you have to fix them, of course, which is the hard part for some of us.
     
  8. Thank you raymondp and mjp; I was wondering if SiteLock would help in this case. I will look into it. The inputs on my form are being validated and I am looking into adding captcha per CrystalCMS's suggestion. You are all extremely helpful!
     
  9. I implemented all of CrystalCMS's suggestions; I even signed up for SiteLock. I have not gotten any more emails with the same timestamp, but I did get the following email where they filled in the message field with the text on my web form.

    ------------------------------------------------------------
    This is the email:
    From: perezchica alonso <[email protected]>
    To: (my email address is here)
    Subject: Website Contact (I hard code the subject line)

    Message: (The message is filled with a couple of lines of text taken from my web form (repeated) until it reaches my character limit for the message field.)
    -----------------------------------------------------------------

    I guess they can still get around the captcha.
     
  10. Having put in place the spam prevention and security improvement methods you've implemented so far, the questions you can now ask yourself are:

    1. Is there any marked improvement / do I see a reduction in hack attempts since I strengthened the security on my website?
    2. If there's still an annoying level of hack attempts getting past my site security, what more can I do to further improve the strength of security on my website?

    A captcha intends to reduce the number of automated attacks against an HTML form by requiring a human to be present to make sense of the required input. As I mentioned in my 1st post it's probably not impossible for a hacker to develop an automated script that has the ability to successfully navigate a captcha input. The good news is that the introduction of a captcha is one of a number of measures that can be introduced (and a captcha is one of the easier ones to introduce) to make a hacker's life just a little more difficult.

    Of course a captcha can do absolutely nothing to deter a human from entering garbage into your HTML form. Is this perhaps what you've seen in the last case you described? Is this a human (perhaps hacker) that's come to your site maybe to find out why his previously working automated script has stopped working due to the introduction of your security measures? Is this a human probing for any residual weaknesses in this HTML form? Possibly.

    For (2) above, there certainly are other things you could do if necessary. In addition to that, now that you have SiteLock support you might be able to use that as an 'official' support channel to verify any more work you do in this area.
     
  11. CrystalCMS, thanks again. I believe that you have saved me a lot of grief. Hopefully your suggestions will help others, as well.
     