I am getting attacked by a bot that is sending email through/to my webformmailer.php with No Sender and No Subject line. I get about 3 or 4 in the 15 min. intervals that the GD formailer typically cycles out (since Oct 13th close to a thousand). What I am saying here is that those two fields are coming in BLANK both in my WorkSpace mailbox and in the forwarded to another email address I’ve set up to me.
For years the email came to both places with the
“email@example.com” .... in the From....(now BLANK)
my email address in the to.... (which is still happening)
“Form Submission (TimeStamp)....(now BLANK)
===================================The email Header
Authentication-Results: mta4082.aol.mail.gq1.yahoo.com from=; domainkeys=neutral (no sig); from=; dkim=neutral (no sig)
X-Cmae-Envelope: MS4wfBhdOCk9YIRXn/Xn946VhhZWfctpa763uiYtJnPSlYtkrOF8vb3wblBYPYrnkl1sZSfu5rR8FWFtfjnOMVsQy5R8dt+FeHtGmkxGdV9rbOV177Mv1jdD VEfHsd2qWGiruBZF870m+We7uLbtckZrmbKZIX4a7K5Sgz6HcxXXphzszSb2AVW2zY6k4tGGzx16zORbTHGowZB9wy/jgdSP+82et8l++IvzBvL5PZbQVsUg
X-Ymailisg: UiJLge0WLDtKv7VfHclfVUza_xnRUoSvYh94b.Ufii1T2sHn g50EG7KURsDmTHMU1kYkDBSzms38qd0H4pIUUdb_dFwMU0T.7Lib3mVdmgN8 ngyKYjvpTddy8XnCZFiYgeeKG7teOd3l4_GoXn3UJFerZz84tv3iLVf8zr8n Ydg6HOC5CLiUHzmsGMWMk2I8Yyv.LZVNuPBYlyaT7f3p_n1olLvHcSkLewSX 3wI4HwTCZr2akUQJvKczBPk5LAv1BZ1bR8cVJ4TyQuDJw1Z.czyW5hVG4TsR xjrZ92cBuAj8sYem7obXgVWq5QDpD.FiP0zDI4izmwZ1zo7yDBlbl_bevGV2 CavqEzxr6Z1_TAITfg9NoRtyOXucL.cVz47Gxw5xstu3cDOjHB5v5QWpBNrS 0BxdASCiis.b473coFzMwbGkeYhvIRmhrqYr40gVwc0t6.VGwJyoNOYSiJum kzAOAjwWhyVEtlkfB9ybUb9AydRX276beH_pbt6aAitQYzU4IhE2kL30V59y mOl_H8_0hULucz_TZxXL._DsHISG8c90yboV_0ziVqaml8RsNe7arp8ipAq3 ybsFFvHnh5wTD1Y8ZjncxBbxe77uN.3q4WIfeTLg2MQPW0NcucGfraRuGV9s mY8zin2L22S7S78vQR9tFcuf9iNsN.erGt0lUqetIC9e7soJJx7xd5E82cs1 1QeQUbyVlwU6ceClQlzAgh6rffAg6YOy6dyfgChxiIFTu0n.tMl_HxJzKvPd 01XHXVxasdfAorjGtHaVMNGg.WS6VYFF95jPA_KJ8_mUxYTr9iLn6_EJnv8. LvKB0iX1Bn_0n.Qjj_XbWD.dBAvheS25f3qZJiyGCETnkDJMQqGGtksRhDxc qUCXdy.h.sgKup7kDB6i8tlvePtLLuOJqFOF6292DGCyLY8oKRSMuPtaHJm. KfBsbtigi4cWN9stFPDEplgfwtbKFCwWiThH9C87onP6HPjZ1EN3.TLfwAgx svLVYWyI7IAbjWWz91yT9CWRSg35eFIXfydsRMJ5D8XwYS9s_jBb95SSV9HP WAZP09hLp49dbQTd9kXdnJp2EaSyXSkLCgk7gjnv0_1YnY16NOf7kC4GLkjg Q56LijQHS_ivwzDYvlDrdDtfXzu8UA--
X-Apparently-To: firstname.lastname@example.org; Mon, 15 Oct 2018 18:01:32 +0000
Received: from 127.0.0.1 (EHLO p3plsmtp02-01-26.prod.phx3.secureserver.net) (184.108.40.206) by mta4082.aol.mail.gq1.yahoo.com with SMTP; Mon, 15 Oct 2018 18:01:31 +0000
Received: (qmail 16410 invoked from network); 15 Oct 2018 18:01:31 -0000
Received: (qmail 16375 invoked by uid 30297); 15 Oct 2018 18:01:31 -0000
Received: from unknown (HELO p3plibsmtp01-14.prod.phx3.secureserver.net) ([220.127.116.11]) (envelope-sender <email@example.com>) by p3plsmtp02-01-26.prod.phx3.secureserver.net (qmail-1.03) with SMTP for <firstname.lastname@example.org>; 15 Oct 2018 18:01:31 -0000
Received: from p3nlsmtp19.shr.prod.phx3.secureserver.net ([18.104.22.168]) by bizsmtp with ESMTP id C7Atgq4jwn7f2C7BLgEWIN; Mon, 15 Oct 2018 11:01:31 -0700
Received: from hostingcgi.secureserver.net ([22.214.171.124]) by : HOSTING RELAY : with SMTP id C7AMg1TNPKU5IC7AMgPgOZ; Mon, 15 Oct 2018 11:00:30 -0700
Received-Spf: pass (domain of bounce.secureserver.net designates 126.96.36.199 as permitted sender)
=====================================The Form Email (just one sample of about 4 I’m getting every 15 min.)
Reply-To: info @ mywebsite . net
Subject: Form Submission Sun, 14 Oct 2018 15:43:37 -0700
Date: Mon, 15 Oct 2018 11:00:30 -0700
Content-Type: text/plain; charset="iso-8859-1"
degreetitle: There is offers
Co_title: There is offers
Add_State_1: Р РѕСЃСЃРёСЏ
Diagnosis: Hey What we have here is , - Join us now, and we will double or even triple your first deposit
request: Hey What we have here is , - Join us now, and we will double or even triple your first deposit
What_else?: Hey What we have here is , - Join us now, and we will double or even triple your first deposit
This e-mail was generated from a form submission on your website.
The Green (I added the color) above has never been in the body of the emails before.
Anyone have a clue as to what to do?
Solved! Go to Solution.
Hi @DougL. Thanks for posting. I'm not sure why this would be happening, but if it continues, our advanced support team should be able to locate where the email is coming from using the address the mail is being sent to, and then pass this information to our security team. To facilitate that, please connect with our customer care team.
Thank You JesseW for your response. I have a few other questions:
Do you think that this exploit allowed the spammers to send out spam emails to others using the GD Formmailler php and I could be blacklisted?
Can I AutoPurge from 'WorkSpace email' these without a "Sender" or "Subject" in the Header? I don't want it to AutoPurge my legitimate form mail.
@DougL - On the blacklist question, it's hard to say. It seems possible, though blacklists of this nature are usually specific to the sending IP, so it would be the reputation of our email server rather than your domain. We have a team that manages our email environment in regard to things like this, so even if there is a blacklist, it would likely be temporary. As for filtering the messages, the only options would be what are available in the webmail interface:
OK this is my story for anyone interested...
After several days and thousands of these emails, chatting with Cloud on the chat line for a few hours and finding very little help but good conversations. I'm thinking that a couple of files got corrupted somehow. Still not sure why it would change the Headers and cycle through and resend the same emails over and over, weird. I did start with creating another email account and setting it up for the hosting to use in the Form Mail section. Having GoDaddy reinstall the php files (little checkbox in the same section you assign the email address for the form) and adding a blank field on the html form I created (validated only when blank/empty to stop bots). Haven't checked their php code for the webformmailler.php yet but the date was for sometime in 2017, I think my original version was from 2001. Oh, well, it's been 12 hours and all is well!!