Help Desk Software & Beyond
Topic: Spammed tickets
spectrum
Newbie
*

Karma: 0
Posts: 5


View Profile
« on: March 09, 2011, 10:15:28 AM »

Hello, I have used TTX for many years on my own personal sites with excellent results. So I finally get to install on my employees site (the dreaded day job) and within 1 week I'm getting spammed tickets. TTX ver 2.24 (my favorite), flat file, no mods. I have the captcha turned on and it is working. I get the same style of spammed tickets in a batch of 5 or 6 with a period of 1-2 mins
-------
New ticket #25 from Gundosbrz (uaeynb@gmail.com),
Location: Off Site
Aloha!vajn! bvuet kwyro ocklo agrft auvms jdgmb idxdf qjsgn ivxop yyldw
----or---
New ticket #26 from Gundosfpe (brpdoz@gmail.com),
Location: echo-TL
swbv! URL=http://fevdfp.com]gifwd gxkxx URL=http://wbotbs.com knbxf ewjzv  URL=http://duevlp.com]ruyjd rebts URL=ttp://iitqmp.com]iahal hgqgu URL=http://tnetqw.com]paiqu nknem
----------
Always with a gmail account. I read that if captcha is on then only a human can submit a ticket. Is this true??? I don't think so. Can I block all gmail accounts from placing tickets?
Logged
Sparky
Moderator
Hero Member
*****

Karma: 83
Posts: 2,228


stop pushing all those buttons


View Profile
« Reply #1 on: March 09, 2011, 10:38:43 AM »

I am unaware of an automated process that can fool Captcha.  This is probably coming from a real person.

You don't want to block all Gmail accounts... it's a very popular service with millions of perfectly legitimate users.  Besides, this is NOT coming from Gmail anyway.  The message itself is coming from your installation of TTX and it's being initiated by somebody sitting at a computer who can type any random address for the email.  (you can enter anything in the email box as long as it's formatted like an email address)

Just check your server log for the individual IP address and permanently block him from your site.  If you're on Apache Linux, you can block an IP address with the htaccess file.  You can do something similar with Windows Server but I cannot advise.

For the htaccess file in your www root...

Quote
order allow,deny
deny from 72.235.88.28
allow from all

That will block anyone at 72.135.88.28 from even being able to see your site.

Instead, using "72.135.88." will block all IP addresses from 72.135.88.0 to 72.135.88.255

For more than one, you can list them like this...

Quote
order allow,deny
deny from 72.235.88.28
deny from 75.158.78.16
allow from all
« Last Edit: March 09, 2011, 10:51:01 AM by Sparky » Logged

Did you update the paths in ttxcfg.cgi after moving TTX to your new location?   Undecided
To those seeking help.... please report back when you figure it out.  Cheesy
spectrum
« Reply #2 on: March 09, 2011, 10:51:53 AM »

Hello, thank you for the reply, I will check the logs and get back to you. I believe you but it's hard to imagine 5 tickets within 2 mins and all gibberish. What would the motivation be? Planting a "bomb"?
Logged
Sparky
« Reply #3 on: March 09, 2011, 11:00:22 AM »

Quote
Hello, thank you for the reply, I will check the logs and get back to you. I believe you but it's hard to imagine 5 tickets within 2 mins and all gibberish. What would the motivation be? Planting a "bomb"?

First of all, 2 minutes is plenty of time to hit the button only 5 times... he's not typing them out, just cut & paste.  5 within 2 seconds from the same IP address could mean 5 people at 5 computers on the same LAN hitting the button at the same time.

Secondly, it's just a scumbag spammer.  They just like seeing what they can get away with.

If you find out this came from a country foreign to you and a worldwide audience is unimportant, you can just block the entire range of IP addresses for that country and pretty much shut down any possibility of this coming back.

This happens to me occasionally... when you accept data through a public submission form, there's not much you can do besides make sure your servers are secure.  If you're on shared hosting then this isn't even something you can do.  Just block IP addresses as they come.
Logged

spectrum
« Reply #4 on: March 09, 2011, 11:23:47 AM »

Very cool, I just checked the logs. I have about 30 consecutive hits to cgi/ttx/ttx.cgi from 67.215.238.210 at EXACTLY THE TIME THE TICKETS WERE MADE. BTW the IP is Pacifice rack in Santa Ana, CA, not a foreign country. How disappointing.

So all I need to do is create an .htaccess file like this:

order allow,deny
deny from 67.215.238.210
allow from all

and put it in /var/www/html  (the root of the public folder)?

Thanks Sparky
CASE CLOSED!!
« Last Edit: March 09, 2011, 11:25:49 AM by spectrum » Logged
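Added example, not part of any post in this thread and not TTX code: the log check spectrum describes above (many hits on ttx.cgi from one address in a short window), automated in Python. It goes slightly beyond the thread by also rendering the rules in Apache 2.4 `Require` syntax; the sample log lines, the POST-only filter and the 5-hits-in-2-minutes threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in Apache common log format (documentation IPs, not the
# thread's server). Assumption: tickets are submitted by POST to ttx.cgi.
SAMPLE_LOG = "\n".join(
    [f'203.0.113.7 - - [09/Mar/2011:10:15:{s:02d} -0800] '
     '"POST /cgi/ttx/ttx.cgi HTTP/1.1" 200 512' for s in (1, 9, 20, 33, 47, 58)]
    + ['198.51.100.4 - - [09/Mar/2011:10:16:05 -0800] "POST /cgi/ttx/ttx.cgi HTTP/1.1" 200 498',
       '198.51.100.4 - - [09/Mar/2011:11:40:12 -0800] "POST /cgi/ttx/ttx.cgi HTTP/1.1" 200 498',
       '198.51.100.9 - - [09/Mar/2011:10:15:30 -0800] "GET /cgi/ttx/ttx.cgi HTTP/1.1" 200 2048',
       'not a log line'])

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)')

def find_burst_ips(log_text, path="/cgi/ttx/ttx.cgi", threshold=5, window=timedelta(minutes=2)):
    """Return sorted IPs that sent >= threshold POSTs to `path` inside any `window`."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected log format
        ip, ts, method, url = m.groups()
        if method == "POST" and url.split("?")[0] == path:
            hits[ip].append(datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"))
    flagged = []
    for ip, times in hits.items():
        times.sort()
        # Sliding window: compare each hit with the one threshold-1 places later.
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged.append(ip)
                break
    return sorted(flagged)

def htaccess_block(ips, apache24=False):
    """Render the block list: 2.2 syntax as in the thread, or 2.4 Require syntax."""
    if apache24:
        body = ["<RequireAll>", "    Require all granted"]
        body += [f"    Require not ip {ip}" for ip in ips]
        return "\n".join(body + ["</RequireAll>"])
    return "\n".join(["order allow,deny"] + [f"deny from {ip}" for ip in ips] + ["allow from all"])

if __name__ == "__main__":
    print(htaccess_block(find_burst_ips(SAMPLE_LOG)))
```

Review the flagged addresses by hand before adding them to .htaccess, since several legitimate users behind one NAT address can look like a single busy client.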
Sparky
« Reply #5 on: March 09, 2011, 11:29:11 AM »

Test it with your own IP address and you should see a 401 error or similar when you visit the web page.

I believe you can also just put the .htaccess file in the directory containing TTX thereby limiting the block to only those pages.  (Putting it in the www root will affect your whole site).

Again, be sure to thoroughly test it.

.htaccess tinkering is powerful stuff.

And don't accidentally overwrite your existing .htaccess stuff... it could be important... just add those IP blocking lines.
« Last Edit: March 09, 2011, 11:30:47 AM by Sparky » Logged

spectrum
« Reply #6 on: March 09, 2011, 11:32:19 AM »

ahh excellent suggestion, I will try in the ttx directory and test it
Logged
Sparky
« Reply #7 on: March 09, 2011, 11:35:12 AM »

Quote
ahh excellent suggestion, I will try in the ttx directory and test it

Remember TTX pages are dynamically generated so it would have to go into the same directory as the ttx.cgi script(s), not where the ttx templates are located.
Logged

spectrum
« Reply #8 on: March 09, 2011, 11:37:16 AM »

 Grin  Grin  Grin

So I put it in the TTX root folder, blocking the spammer and my IP also as a test.
Here are the results:

Forbidden
You don't have permission to access /cgi/ttx/ttx.cgi on this server.

HOT DOG!!

Thanks again!!!!!!!!!!!!!!!!!!!!!!!!!!!
« Last Edit: March 09, 2011, 11:57:51 AM by spectrum » Logged
Sparky
« Reply #9 on: March 09, 2011, 11:40:41 AM »

I would suggest browsing Google, StackOverflow, or SitePoint regarding .htaccess files.

There are all kinds of things you can do with them.  Endless fun.
Logged

kathleenec
Newbie
*

Karma: 0
Posts: 2


View Profile
« Reply #10 on: March 31, 2011, 05:46:22 PM »

Have had the same problem last week. The spammers are still hitting at random. I did not know the solution is so simple! Thanks a bunch Sparky. Cheesy

how to cure diarrhea[/url]
back ache[/url]
[iurl=#]how to get rid of bronchitis[/url]
[iurl=#]do it yourself carpet cleaning[/url]


EDIT by Sparky:  You are also a spammer.   Ironic.   Cheesy
« Last Edit: May 05, 2011, 04:57:42 PM by Sparky » Logged