Cross Site Scripting Attacks and SPAM


casperl
12-13-2006, 05:34 AM
There are many posts concerning scripting attacks and spam, but I could not find a comprehensive posting concerning how to minimise spam. The answer therefore is to attempt to write such a post and have the more knowledgeable members of the Bluehost community fill in the blanks and point out glaring errors and omissions.

A universal drop in the quality of service as a result of spam

This concerns both spam received by email addresses on my site and spam sent through various exploits on my sites hosted at Bluehost. Spam has reached the volume whereby it seriously affects the quality of service experienced by everyone with a site hosted by Bluehost. And it is not a pleasant experience to have your websites continuously exploited by hackers in cross-site scripting exploits or to receive literally thousands of messages stating that 'email message could not be delivered' when you check your own email.

Fortunately there are a number of steps that can be taken to minimise the risk and inconvenience caused by SPAM. While SPAM and scripting attacks are reduced to manageable proportions, none of these steps offer anything approaching a comprehensive solution however.

Multiple crimes are being committed

What especially irks me is that many of these 'Spamming' efforts being propagated from my website are in fact criminal acts. If someone uses a cross-site scripting attack on my Drupal-based website in order to send email messages touting stock picks for penny-shares, at least two criminal acts are committed. Firstly, cyber-trespassing is being executed and the resources of my website and hosting company are being maliciously misused in order to propagate this attack. Secondly an act of fraud is committed in touting a penny share to millions of email addresses as a 'good stock pick'.

The reality is that these perpetrators have taken positions on the stock concerned and are now touting this stock in anticipation of an upwards price surge whereupon they will sell the shares they have accumulated at a lower price. Again, since there is no fundamental support for the price surge the share price will drop, and the perpetrators will again take a position in the market on the basis that there will be a dramatic price drop in the share price. Since there is a record of positions taken on shares as well as the record of the fraudulent emails sent and a clear trail of the cyber-crimes taken in order to send those emails, this crime could be investigated. Is this being done and are such crimes being reported however? To whom can I report this?

The cost of spam

Furthermore, we all suffer as result of these attacks. My websites are blacklisted as sources of spam and my legitimate emails do not arrive at their intended recipients since my domains are now listed as 'originating sources of spam' by the spam blocking services. Even the Bluehost shared IP is often blacklisted as a source of spam. It costs time and resources to get the blocks lifted from legitimate domains and the blocks will be re-imposed at the next successful scripting attack. This decreases the profitability and viability of my websites significantly and consumes a vast amount of my personal time and resources.

The unprecedented level of spam affects the quality of service that is offered by all websites being hosted on Bluehost. The web traffic is congested and the Bluehost web servers have a considerably higher workload as a result of this SPAM-Flood. Furthermore it cannot be denied that the quality of customer support has dropped considerably at Bluehost and many channels of support offered by Bluehost appear to have been discontinued, such as email support, the chat option and Skype phone calls. This causes a delay of several days on a critical issue that could have been attended to in an hour or less. If someone complains about the response time of their shared hosting on Bluehost, or their website being too CPU intensive and cutting out, both issues are probably caused by the spam flood.

Mainly there are two types of messages referred to as SPAM:


Messages originating from elsewhere on the web addressed to a valid email recipient on a given domain.

Messages either originating from your own domain through a malicious attack or messages using a 'spoofed' header to appear to originate from your domain.


(Steps to combat spam are posted as comments below)

Although I have occasionally been harsh against Bluehost in this post, I shoulder a large portion of the blame through not following the steps outlined below! It is my experience that the support services at Bluehost are experiencing a state of near meltdown, and I blame the 'Spam Flood' for that. Every Bluehost customer shares a hosting environment with every other Bluehost customer. Thus to some extent the travails or misfortunes of one customer would affect every other customer in many different ways. There is a limit to the resources that can ultimately be thrown at the Spam problem and in fact it could have exactly the opposite result - getting more bandwidth in order to reduce the impact of spam would only encourage spammers to target domains hosted at Bluehost since the spam-throughput is theoretically greater. We all fight the battle against spam together and I sincerely hope that this post could lead to a better shared environment for all. Feel free to contribute and to fill in the blanks and be merciless with my faults and assumptions - I am no expert, but this post is the result of my experience over the past months.

Finally, it would still have been very useful to have a report stating amount of emails sent by which email address on a daily basis...

(The Steps In Order To Combat Spam are posted as comments to this post, since I am limited in how long this post may be.)

casperl
12-13-2006, 05:36 AM
Steps in order to combat spam

Update your sources.

Not running the latest, secure and stable source code on your website means that hackers can employ techniques such as cross-site scripting, SQL injection attempts and buffer overflows in order to send spam messages originating from your own website. On a daily basis nearly every web-form on my domains is being subjected to some sort of test for an exploit. And the moment I let my guard down, they pounced and used that exploit to the full to send spam world-wide. This is the most serious form of SPAM, since it originates from your own website, though through the exploit of third parties!

If you use a CMS or anything written in PHP code, then run the latest stable code! Lamentably the Fantastico Installer deployed by Bluehost installs code that is a couple of versions older than the current available code for every package that I have investigated. There is a continuous process of updates and security enhancements by the developers of web based applications. All good packages have mailing lists with alerts concerning the latest exploits and patches for countering those exploits. My not inconsiderable contribution to the Spam Flood at Bluehost was due to not maintaining the latest sources on all my sites! I cannot stress this enough: Make sure that you run the latest sources (and ditch Fantastico.) And yes, I deserve a lot of blame for not applying the latest security fixes, but by the same token it is suicidal for Bluehost to sanction the installation of older code through Fantastico. And there is a performance liability on every domain hosted in a shared-hosting environment due to your neighbours' lapsed code base.

casperl
12-13-2006, 05:38 AM
Steps in order to combat spam

Spoofed emails and your catch-all account

Spoofed emails are email messages that appear to originate from your domain while they actually originate from a different domain. On the face of it they don't bother you. However, the blocked and returned emails will be returned to your (the 'spoofed') domain. A few weeks ago I received 4,800 such emails in my inbox that were sent out over a period of hours. You try downloading 5,000 emails from a POP account and see how long it takes!

There is a solution and that is by disabling the catch-all mail address on your domain. In the Bluehost control >> Site Management >> Email Manager >> Forwarders click on the option stating "If you wish to set your default address or "catch-all", please click here to be taken to the Default Address setup page." Use the "Set Default Address" option to have all unrouted mail to your domain returned with a ":fail: No SPAM Allowed Here" message.

Denying unrouted emails will significantly reduce the impact upon Bluehost since the mail messages no longer have to be accepted, routed, stored and downloaded. This is probably one of the most vital steps, yet it was never communicated anywhere!

Another potential problem concerning spoofed originating addresses is that it may get your domain blacklisted on the anti-spamming lists. If this happens it should be easier to correct though, since it is easily proven that the email did in fact not originate from you by examining the email header.

casperl
12-13-2006, 05:39 AM
Steps in order to combat spam

Use secure forms

Your web forms could be the most insecure part of your website! I am in the process of developing a total mistrust in PHP based forms since it appears that the majority of exploits have yet to be discovered. PHP forms deliver a rich harvest to malicious exploiters! On many of my sites I am replacing all email and contact forms with the more secure Bluemail CGI form. It can be found under Bluehost Control Panel >> Add ons / Plugins >> CGI Center >> Bluemail. This form is well documented and secure. And in the event that an exploit is discovered, it can be easily corrected immediately and centrally by Bluehost!

There are many resources on PHP security and methods for sanitising the output from PHP forms before it is passed to email or to the SQL server. In my experience however, new exploits are discovered on a daily basis and the methods I have today of sanitising PHP output will no longer be secure a few months from now. And if I used the same code on hundreds of different forms and multiple domains, then I have to revisit and edit each and every one of those php source files in order to apply the latest security update. Alternately it is easier to use the Bluemail form and be done once and for all!

casperl
12-13-2006, 05:39 AM
Steps in order to combat spam

Validate and Check

Validate your own forms. MEA CULPA! I never did and I got burned. Go to your email forms and insert extra cc addresses etc in your fields and see what happens. Ask other developers to validate your forms. Stay up to date with the latest exploits and methods for countering those exploits! And yes, our dearest hosting company should really have a Bluehost Security newsletter alerting us and informing us of the latest exploits and preventions! Alas...

casperl
12-13-2006, 05:40 AM
Steps in order to combat spam

Consider a honeypot

Malicious visitors continuously search for exploits. I would like to know when they do. Place at least one form prominently on your website with the simple purpose of capturing the acts of persons searching for exploits. Fore-warned is fore-armed! In fact, if anyone knows of such a PHP-based security-trap, please let me know! My own efforts are rudimentary and an embarrassment to the noble art of programming but they are somewhat effective and the results they produce are both alarming and very informative!

casperl
12-13-2006, 05:41 AM
Steps in order to combat spam

Use a Spamfilter

A spamfilter is effective against the traditional form of spam whereby unrequested emails are sent to your email address from elsewhere on the net. They cut down on the number of spams you receive and make the inbox easier to read with less spam being received. Bluehost offers a good spamfilter for a monthly cost of close to $2 per domain. Be aware however that spamfilters are not (and never will be) 100% effective, but they will reduce the 50 spam emails to possibly 5 spam emails per day. Strangely, this form of spam is the least of my worries at the moment.

casperl
12-13-2006, 05:41 AM
Steps in order to combat spam

Get a (FREE) GMail Account

I cannot advise this strongly enough. Get a GMAIL Account! Google's GMAIL service offers a generous 4Gb space for emails and their inherent spam filtering ability is about as strong as it gets. Since it is web-based, emails are not downloaded onto your own PC and emails can be read from anywhere on the Internet. There are many more excellent reasons to get GMail, but for spam-filtering alone it is worth it. I have set up forwarders on every one of my web services and domains to my GMail address and I use Gmail as a catch-all to collect all my mail and to serve as my primary email account.

PS A GMail account is free!

casperl
12-13-2006, 05:42 AM
Steps in order to combat spam

Protect email addresses from Spam harvesting

There are methods of protecting the email addresses on your websites from the spambots that harvest email addresses on the Internet. Some websites don't publish email addresses at all anymore and other websites use the wording 'myname at domain dot com' to hide the address from spambots. Again, lately this type of spam is the least of my Spam worries and publishing your email address on your website is a logical step towards effective communication. I believe the battle against Spam should be fought elsewhere rather than making life more difficult for visitors to your website.

casperl
12-13-2006, 05:43 AM
Steps in order to combat spam

Audit your own website

There are security tools that can traverse all links and forms on a website while searching for known exploits. One such tool is Nessus which runs on the Linux platform. Presently I don't employ such a tool but I do plan to install Nessus and to evaluate it IRO doing security audits on my domains.

casperl
12-13-2006, 05:44 AM
Steps in order to combat spam

Reduce POP Emails to a minimum

Bluehost offers a couple of thousand POP email addresses with their packages. I believe that they might as well not have bothered and we would all be better served if the cumulative email addresses per Bluehost account are limited to 10 or 20, with more issued on request. The reason is that the majority of PC's running Windows are infected with malware such as spyware or malicious programs. The biggest source of spam are exactly those zombie-PC's running Windows with the malware on those PC's pumping out Spam over the POP email account that was awarded to a user. Of course users can apply virus checkers and anti-spyware programs on their PC's but it is both an unreliable and a very temporary solution at best.

Since Bluehost cannot furnish me with a report listing emails sent per mail address over a given period of time, I have taken two steps to reduce this problem. Firstly I have reduced the number of POP email accounts to an absolute minimum. Secondly I have given invites to GMail to all the users that still have POP addresses on my domains and I have added forwarders for all email accounts to the respective GMail accounts. Thus I encourage such users to use GMAIL whenever possible.

This is only a partial solution however, and a user with a POP email address from one of my domains still has the very real potential of spamming to the world via my domain! This is one of the reasons that Bluemail has an hourly email limit! If I have not mentioned it before: A shared hosting company must have a reporting tool detailing the quantity (and destination) of email sent from individual email addresses over a period of time. We should all be clamoring for this!!!

casperl
12-15-2006, 01:23 AM
When viewing the Drupal CMS statistics (>Administer > Logs > top pages) I discovered the following entry for the Drupal Statistics module. This is for access for the last day:

4866 email this page
emailpage 683 ms 55 min 24 sec

Obviously there is an exploit or attempted exploit concerning the Drupal Emailpage module. The above stat refers to the past 24 hours. 4866 is the amount of times this module has been invoked while 55 minute 24 second time is the 'Total page generation time' that has been consumed in generating the pages etc. No wonder my sites are timing out with this excess load on the servers and my email limit is constantly reached.

Sure enough a visit to Drupal.org confirmed my suspicions:

Email This Page

Because this project was unmaintained for a long time, it has been replaced by the Forward module.

Thus the solution is to remove the Email page module that I employed widely on all the domains and sub-domains and monitor this situation. It is frightening to see how vulnerable a website can be and how it can adversely affect everybody in a shared hosting environment. The lesson to be learned is to monitor your site and to be constantly vigilant.

casperl
12-15-2006, 01:31 AM
The following email header is typical of an email that was returned to my domain as undeliverable. A dummy email address was added to this email to make it appear as a legitimate email from my domain.

It appears that "ziacu ([203.144.98.182])" actually sent the email.


Return-Path: <fgqgyt@krooninfo.co.za>
Received: from caching1-pnc2.asianet.co.th (ppp-124.120.1.122.revip2.asianet.co.th [124.120.1.122])
by mac.com (Xserve/smtpin42/MantshX 4.0) with SMTP id kBD16V3i009644
for <tenbelow@mac.com>; Tue, 12 Dec 2006 17:06:54 -0800 (PST)
Received: from ziacu ([203.144.98.182]) by caching1-pnc2.asianet.co.th with Microsoft SMTPSVC(5.0.2195.6713); Wed, 13 Dec 2006 08:06:19 +0700
Message-ID: <001c01c71e52$e5f097d0$b66290cb@ziacu>
From: "Stephanie" <fgqgyt@krooninfo.co.za>
To: <tenbelow@mac.com>
Subject: Most offer very little in the way of added confidence for reasons of cost and liability.
Date: Wed, 13 Dec 2006 07:59:10 +0700
MIME-Version: 1.0
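
To make the reading of that header repeatable, here is an added Python example (not code from the thread) that unfolds the quoted header block, walks the Received: chain from the earliest hop, and reports whether the Return-Path domain ever appears among the relaying hosts. The header text is a copy of the one above with the folded continuation lines indented as they are on the wire; everything else is the thread's own data.

```python
import re

# Copy of the bounce header quoted above. On the wire the continuation lines of
# the first Received: header are indented; the forum post lost that indent.
BOUNCE_HEADERS = """Return-Path: <fgqgyt@krooninfo.co.za>
Received: from caching1-pnc2.asianet.co.th (ppp-124.120.1.122.revip2.asianet.co.th [124.120.1.122])
\tby mac.com (Xserve/smtpin42/MantshX 4.0) with SMTP id kBD16V3i009644
\tfor <tenbelow@mac.com>; Tue, 12 Dec 2006 17:06:54 -0800 (PST)
Received: from ziacu ([203.144.98.182]) by caching1-pnc2.asianet.co.th with Microsoft SMTPSVC(5.0.2195.6713); Wed, 13 Dec 2006 08:06:19 +0700
Message-ID: <001c01c71e52$e5f097d0$b66290cb@ziacu>
From: "Stephanie" <fgqgyt@krooninfo.co.za>
To: <tenbelow@mac.com>
Subject: Most offer very little in the way of added confidence for reasons of cost and liability.
Date: Wed, 13 Dec 2006 07:59:10 +0700
MIME-Version: 1.0
"""


def unfold_headers(raw):
    """Split a raw header block into (name, value) pairs, joining folded
    continuation lines (those starting with whitespace) onto the previous field."""
    fields = []
    for line in raw.splitlines():
        if not line.strip():            # a blank line ends the header block
            break
        if line[0] in " \t" and fields:
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            fields.append((name.strip(), value.strip()))
    return fields


# "from <helo name> (<reverse DNS / literal IP>) by <receiving host> ..."
RECEIVED_RE = re.compile(
    r"^from\s+(?P<helo>\S+)\s*(?:\((?P<extra>[^)]*)\))?\s+by\s+(?P<by>\S+)", re.I)


def received_chain(fields):
    """Return the relay hops oldest-first. Each MTA prepends its own Received:
    header, so the last one in the block is the first hop the mail took."""
    hops = []
    for name, value in fields:
        if name.lower() != "received":
            continue
        m = RECEIVED_RE.match(value)
        if m:
            hops.append({"helo": m["helo"], "extra": m["extra"] or "", "by": m["by"]})
    hops.reverse()
    return hops


def return_path_domain(fields):
    for name, value in fields:
        if name.lower() == "return-path":
            m = re.search(r"@([^>\s]+)", value)
            return m.group(1).lower() if m else None
    return None


def spoof_verdict(raw):
    """Summarise where the mail really entered the relay chain versus the domain
    it claims in Return-Path. Caveat: only the Received: lines added by servers
    you trust are reliable; a sender can forge the ones below its own hop."""
    fields = unfold_headers(raw)
    hops = received_chain(fields)
    domain = return_path_domain(fields)
    first = hops[0]
    ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", first["extra"])
    relays = [h["helo"].lower() for h in hops] + [h["by"].lower() for h in hops]
    return {
        "claimed_domain": domain,
        "hops": len(hops),
        "first_hop_helo": first["helo"],
        "first_hop_ip": ip.group(1) if ip else None,
        "domain_never_in_chain": not any(domain in r for r in relays),
    }


if __name__ == "__main__":
    for key, val in spoof_verdict(BOUNCE_HEADERS).items():
        print(f"{key}: {val}")
```

The same walk applied to the headers your own mail server adds is the evidence you hand to a blacklist operator when asking for a delisting.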

casperl
12-15-2006, 01:50 AM
Below is an example of a Cross-Site-Scripting attack using the Feedback form (Drupal 4.7.4)

This was an actual mail sent by my box at Bluehost to a third party address.

By entering bcc: addresses in the subject line this exploit was conducted:

Subject: with
bcc: philsimmons1948@yollowodp.com

I am not sure whether this particular exploit actually worked. This message ended up in my inbox since all Feedback Form messages are directed to my address. Had this exploit worked, the line "bcc: phil..." would probably not have appeared.

Return-path: < krooninf@box79.bluehost.com>
Envelope-to: info@boerboel.co.za
Delivery-date: Mon, 04 Dec 2006 05:09:18 -0700
Received: from krooninf by box79.bluehost.com with local-bsmtp (Exim 4.52)
id 1GrCdD-0003SX-Mq
for info@boerboel.co.za; Mon, 04 Dec 2006 05:09:17 -0700
X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on box79.bluehost.com
X-Spam-Level:
X-Spam-Status: No, score=-1.9 required=5.0 tests=ALL_TRUSTED,AWL,BAYES_00,
NO_REAL_NAME autolearn=ham version= 3.1.7
Received: from localhost ([127.0.0.1] helo=box79.bluehost.com)
by box79.bluehost.com with esmtp (Exim 4.52)
id 1GrCdC-0003S6-Oq
for info@boerboel.co.za; Mon, 04 Dec 2006 05:09:11 -0700
X-Originating-IP: [202.123.219.227]
Date: Mon, 04 Dec 2006 05:09:10 -0700
To: info@boerboel.co.za
Subject: Feedback: the7232@boerboel.co.za
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-transfer-encoding: 8Bit
From: krooninf@box79.bluehost.com
Reply-To: the7232@boerboel.co.za
Errors-To: the7232@boerboel.co.za
X-Mailer: Drupal
X-Identified-User: {592:box79.bluehost.com:krooninf:krooninfo.co.za} {sentby:program running on server}
Message-Id: < E1GrCdD-0003SX-Mq@box79.bluehost.com>


media
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html
Subject: with
bcc: philsimmons1948@yollowodp.com

relatively less fat compared to other cuts. iddle bacon is much like
back b=
acon but is cheaper and somewhat fattier. ollar bacon is taken from the
bac=
k of a pig near the head. treaky bacon, the most common form of bacon
in th=
e nited tates, comes from the


Filthy Spammers! I think that it is plain that I am at my wits' end concerning the continuous spamming attacks! Furthermore, the idiot spammers are blatantly perpetrating a range of misdemeanours and fraudulent activity - but who is going to prosecute them?
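
The "insert extra cc addresses in your fields and see what happens" test earlier in the thread and the bcc: line smuggled through the Subject field above come down to one rule: a visitor-supplied value goes into a mail header only if it contains neither a line break nor a header name. The Python below is an added example, not code from the thread, Drupal or Bluemail; the sender address, the IPs and the two submissions are constructed, the second modelled on the attempt quoted above.

```python
import re
from email.message import EmailMessage

# A raw CR/LF, or its URL-encoded form if the application decodes input late, is
# what turns a one-line Subject into "Subject: with\r\nbcc: ..." as seen above.
LINE_BREAK = re.compile(r"[\r\n]|%0[ad]", re.I)
# A value that starts a line with a header name is an injection attempt even if
# something upstream already stripped the line break itself.
HEADER_NAME = re.compile(
    r"^\s*(bcc|cc|to|from|reply-to|content-type|mime-version|subject)\s*:", re.I | re.M)


class FormRejected(ValueError):
    """Raised when a visitor-supplied value is unsafe to place in a mail header."""


def header_safe(field, value):
    if LINE_BREAK.search(value) or HEADER_NAME.search(value):
        raise FormRejected(f"{field}: mail header syntax in form input")
    return value.strip()


def build_feedback(form, owner="info@example.invalid"):
    """Assemble the notification mail. Only checked values go into headers, From:
    is a fixed address on our own domain (assumed), the visitor's address is
    confined to Reply-To, and the free-text message only ever lands in the body."""
    msg = EmailMessage()
    msg["To"] = owner
    msg["From"] = "webform@example.invalid"
    msg["Reply-To"] = header_safe("email", form["email"])
    msg["Subject"] = "Feedback: " + header_safe("subject", form["subject"])
    msg.set_content(form["message"])
    return msg


def is_rejected(form):
    try:
        build_feedback(form)
        return False
    except FormRejected:
        return True


def flag_submissions(submissions):
    """Honeypot-style log check: (ip, offending fields) for every submission
    that tried to smuggle headers through any field, so probing can be logged."""
    flagged = []
    for s in submissions:
        hits = [k for k, v in s["fields"].items()
                if LINE_BREAK.search(v) or HEADER_NAME.search(v)]
        if hits:
            flagged.append((s["ip"], hits))
    return flagged


# Constructed submissions: one genuine, one modelled on the bcc: attempt above.
SUBMISSIONS = [
    {"ip": "192.0.2.10", "fields": {
        "email": "visitor@example.invalid", "subject": "Puppy enquiry",
        "message": "Do you have any litters planned for next year?"}},
    {"ip": "203.0.113.7", "fields": {
        "email": "the7232@example.invalid",
        "subject": "with\r\nbcc: philsimmons1948@example.invalid",
        "message": "relatively less fat compared to other cuts."}},
]

if __name__ == "__main__":
    print(build_feedback(SUBMISSIONS[0]["fields"]))
    print("rejected:", is_rejected(SUBMISSIONS[1]["fields"]))
    print("flagged:", flag_submissions(SUBMISSIONS))
```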

magpie2419
12-15-2006, 06:11 AM
I borrowed this from another host I have. Although I haven't implemented it yet, it is on my to-do list; it seems to be a sensible approach.

"Instead of listing every bad bot in .htaccess, you can create a "whitelist" of bots that are allowed in Vs listing all the ones you want to keep out. The list to allow bots in is much shorter than the list to keep bots out.

I own a web directory that was getting hit by everything and anything, continuously. After implementing a whitelist in .htaccess it cut down the bad bot instances dramatically and thereby reduced my amount of wasted bandwidth by about 3 GIG a month -- just on one site!

Anyway, here's an example of a whitelist in .htaccess that I use on my site".

<Limit GET POST PUT HEAD>
order allow,deny
allow from env=good_pass
deny from env=bad_pass
</Limit>
#allow Firefox, MSIE, Opera
SetEnvIfNoCase User-agent "AOL" good_pass
SetEnvIfNoCase User-agent "Mozilla" good_pass
SetEnvIfNoCase User-agent "Opera" good_pass
SetEnvIfNoCase User-agent "Msie" good_pass
SetEnvIfNoCase User-agent "Firefox" good_pass
SetEnvIfNoCase User-agent "Netscape" good_pass
SetEnvIfNoCase User-agent "Safari" good_pass
SetEnvIfNoCase User-agent "Lynx" good_pass
SetEnvIfNoCase User-agent "Konqueror" good_pass
SetEnvIfNoCase User-agent "WebTV" good_pass
SetEnvIfNoCase User-agent "Camino" good_pass
SetEnvIfNoCase User-agent "K-Meleon" good_pass
SetEnvIfNoCase User-agent "Galeon" good_pass
SetEnvIfNoCase User-agent "Trends" good_pass

# allow CaRP
SetEnvIfNoCase User-agent "^CaRP" good_pass

# allow Google
SetEnvIfNoCase User-agent "Google" good_pass

# allow Yahoo
SetEnvIfNoCase User-agent "Slurp" good_pass
SetEnvIfNoCase User-agent "Yahoo" good_pass
SetEnvIfNoCase User-agent "MMCrawler" good_pass

# allow MSN
SetEnvIfNoCase User-agent "^msnbot" good_pass
SetEnvIfNoCase User-agent "SandCrawler" good_pass
SetEnvIfNoCase User-agent "^MSRBOT" good_pass

# allow ASK/Teoma
SetEnvIfNoCase User-agent "Teoma" good_pass
SetEnvIfNoCase User-agent "Jeeves" good_pass

# allow Inktomi
SetEnvIfNoCase User-agent "inktomisearch" good_pass

# allow Clush
SetEnvIfNoCase User-agent "^Clushbot" good_pass

# allow Voyager
SetEnvIfNoCase User-agent "^Voyager" good_pass

#allow Voila
SetEnvIfNoCase User-agent "^Voila" good_pass

# allow MoJeek
SetEnvIfNoCase User-agent "^MoJeek" good_pass

# allow WISENutbot
SetEnvIfNoCase User-agent "^WISENutbot" good_pass

# deny spammers (a User-agent that matches both a good_pass and a bad_pass
# rule is still denied: with "order allow,deny" the deny takes precedence)
SetEnvIfNoCase User-agent "Indy" bad_pass
SetEnvIfNoCase User-agent "kastaneta" bad_pass
SetEnvIfNoCase User-agent "kasparek" bad_pass
SetEnvIfNoCase User-agent "Mozilla/3" bad_pass
SetEnvIfNoCase User-agent "Mozilla/2" bad_pass
SetEnvIfNoCase User-agent "furl" bad_pass

You can set any bot you want to access your site by listing it followed by good_pass

You can set a flag to match a bad bot or bad browser by listing it followed by bad_pass

HTH

casperl
12-16-2006, 12:36 AM
reduced my amount of wasted bandwidth by about 3 GIG a month -- just on one site!

This shows what impact these pests are having on the cumulative Bluehost shared environment! Just multiply that 3 GIG by 100 or 1,000 or 21,000 (assuming only 10% of Bluehost is affected) domains!

Thanks for the .htaccess example. What is nice about this is that .htaccess will protect your website at the level of the Apache server that serves the pages. Most other solutions are specific to the scripting language and code on the website. Thus .htaccess will prevent a lot of these pests even though your site is HTML or anything else!

I will certainly implement it. I had the Drupal bad-behaviour module running on a number of sites. Bad behaviour consists of a set of PHP scripts that blocks bots from accessing your site.

http://drupal.org/node/30501
http://www.ioerror.us/software/bad-behavior/bad-behavior-download/

On one domain I had to remove the bad-behaviour module since a significant number of registered users could no longer access the website. The reason was that they were all infected with some sort of Windows malware/bot that the bad-behaviour script recognised. After painstaking efforts I would help the users to remove the malware from their PC's only to have them complain again a week later that they could not access the site again.

I can only conclude that there are a frightening number of zombie PC's out there running one or other form of malware under the control of malicious bots. Unfortunately the users operate under the false security that they run an anti-virus package and therefore they are OK!

casperl
12-16-2006, 12:48 AM
This affects all users of Drupal

In the past there was no version numbering associated with Drupal modules. You had no real way, other than the file date, of knowing when a module was updated and that made applying the latest modules containing security updates difficult. In practice the modules would only be updated once the next major Drupal release was launched.

Now all Drupal modules are numbered as modulename-4.7.x-1.x-dev.tar.gz and where the x-1.x represents the version number.

This is very nice, but now comes a new problem. Most existing modules used in Drupal are probably slightly out of date. Thus, if you run Drupal, you will have to download and install every one of your modules again in order to be sure that you can continue to be up to date with the latest sources. This is a lot of work and 95% of the code you replace will be identical, but if you neglect this step, you are probably already at risk of one or more exploits!

Also, from a perspective of managing your Drupal site, you will have to save all the modules in their modulename-4.7.x-1.x-dev.tar.gz state in a directory on your local PC's hard disk that serves as your master source of Drupal modules. Thus you will always extract and copy from this directory to your hosted websites because when the modules are unpacked you again lose the version numbering and you won't know which version of the module you are actually running! You will be able to compare the modules in that 'master directory' against the versions of the modules on Drupal.org and only download updated (newer) modules from Drupal.org in future.

dixieau
12-16-2006, 04:19 AM
Thank you Casper for the time and effort you have put into this thread, it has been informative and educational.

After all the talk within this forum recently on spam & CPU errors, along with my sites' poor performance, I had taken the drastic step of moving my sites to other hosts. What I discovered was that it wasn't only Bluehost that was causing my sites problems per se, but a combination of things including spam & scripts.

So I have been converting my main site over to Drupal and finding it is performing well (thanks for the tips with Drupal too :)). I have also reimplemented my Firetrust (http://firetrust.com) Mailwasher program & will look at the other things you have mentioned.

I have been an advocate of keeping the catchall email, but even Firetrust issued an email this week "As you may have noticed, over the past couple of months spam has got a lot worse. So I thought it's probably a good time to send you some tips and ideas to get around the ever increasing flood of spam." and even they advocate the cancelling of the catchall so I am going to start work on that too.

Maybe if we all took actions to 'help' eliminate the spam, not only will Bluehost thrive so will our sites.

Thanks again