Blog of Daniel Ruf

post mortem: spam attack (2018)

09.06.2019

This is a post mortem report of a contact form spam attack in 2018 which I handled.

post mortem

People

  • Incident Controller: Daniel Ruf
  • Operations A: Daniel Ruf
  • Communications A: Daniel Ruf
  • Project Owner A: REDACTED

Problem

At 8:42 AM on Monday, 12 November 2018, we got a report that many spam messages were coming through the contact form on the customer's website.

A first analysis revealed that a single IP address was sending the same message over and over again.

Timeline

2018.11.12 08:42: received the report about the spam attacks

2018.11.12 08:43: first response to the customer, planning to block IP ranges

2018.11.12 19:25: started analysis of the access log files

2018.11.12 20:32: applied an iptables rule for 185.212.171.146 using the Plesk f2b-apache jail

2018.11.13 17:21: checked whether the IP address was actually blocked, prompted by new spam from the same range

2018.11.13 17:52: switched from the Plesk jail to plain iptables entries

2018.11.13 20:43: ran a short test; the IP range is now successfully blocked

2018.11.13 20:45: started ongoing monitoring and blocking of additional IP address ranges

An excerpt from the access log of the first spam attack:

185.212.171.146 - - [14/Nov/2018:17:06:46 +0100] "GET /kontakt"
185.212.171.146 - - [14/Nov/2018:17:06:46 +0100] "POST /verify.php"
185.212.171.146 - - [14/Nov/2018:17:06:46 +0100] "GET /contact1.php?message=1"
185.212.171.146 - - [14/Nov/2018:17:06:46 +0100] "GET /kontakt"
185.212.171.146 - - [14/Nov/2018:17:06:47 +0100] "POST /verify.php"
185.212.171.146 - - [14/Nov/2018:17:06:47 +0100] "GET /contact1.php?message=1"
185.212.171.146 - - [14/Nov/2018:17:06:47 +0100] "GET /kontakt"
185.212.171.146 - - [14/Nov/2018:17:06:47 +0100] "POST /verify.php"
185.212.171.146 - - [14/Nov/2018:17:06:47 +0100] "GET /contact1.php?message=1"
185.212.171.146 - - [14/Nov/2018:17:06:48 +0100] "GET /kontakt"
185.212.171.146 - - [14/Nov/2018:17:06:48 +0100] "POST /verify.php"
185.212.171.146 - - [14/Nov/2018:17:06:48 +0100] "GET /contact1.php?message=1"
185.212.171.146 - - [14/Nov/2018:17:06:48 +0100] "GET /kontakt"

The IP address 185.212.171.146 belongs to M247 Ltd Amsterdam (m247.com), a provider whose address space is also used by spammers and other criminals.

Every spam wave came from a different single IP address; most of them belonged to the same ISP, but to different subnets.
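To show what the analysis of the access log files from the timeline looks like in practice, here is an added example (a script written for this post mortem, not one from the original post or from the customer's setup): it runs awk over Apache combined-log lines and reports every source IP that POSTed to the contact-form endpoint at least a threshold number of times within a single minute. The sample log lines are constructed to mirror the excerpt above; the endpoint path /verify.php and the threshold of three POSTs per minute are assumptions for illustration.

```bash
#!/usr/bin/env bash
# Added example: per-IP, per-minute count of POSTs to the contact form from
# Apache access log lines. Flags the burst pattern seen in the excerpt above.

# Constructed sample log lines (same layout as the excerpt in the post;
# 203.0.113.7 is a documentation address standing in for a normal visitor).
SAMPLE_LOG='185.212.171.146 - - [14/Nov/2018:17:06:46 +0100] "GET /kontakt"
185.212.171.146 - - [14/Nov/2018:17:06:46 +0100] "POST /verify.php"
185.212.171.146 - - [14/Nov/2018:17:06:47 +0100] "POST /verify.php"
185.212.171.146 - - [14/Nov/2018:17:06:47 +0100] "POST /verify.php"
185.212.171.146 - - [14/Nov/2018:17:06:48 +0100] "POST /verify.php"
203.0.113.7 - - [14/Nov/2018:17:06:48 +0100] "GET /kontakt"
203.0.113.7 - - [14/Nov/2018:17:08:02 +0100] "POST /verify.php HTTP/1.1"'

# count_form_posts [path] [min]
# Reads access log lines on stdin and prints "<count> <ip> <day:hour:minute>"
# for every IP that POSTed to <path> (default /verify.php, an assumption) at
# least <min> times (default 3) within one minute, busiest first.
count_form_posts() {
  local path="${1:-/verify.php}" min="${2:-3}"
  awk -v path="$path" -v min="$min" '
    # Combined-log layout: $1 = client IP, $4 = [dd/Mon/yyyy:HH:MM:SS,
    # $6 = "\"POST", $7 = request path (with a trailing quote when the
    # protocol is missing, as in the excerpt; a full line has HTTP/1.1 after it).
    $6 == "\"POST" {
      p = $7; sub(/"$/, "", p)
      if (p == path) {
        m = substr($4, 2, 17)          # dd/Mon/yyyy:HH:MM, i.e. the minute bucket
        n[$1, m]++
      }
    }
    END {
      for (k in n)
        if (n[k] >= min) { split(k, f, SUBSEP); print n[k], f[1], f[2] }
    }
  ' | sort -rn
}

# Stand-alone run over the constructed sample; for a real server pipe in the
# vhost's access log instead, e.g. count_form_posts < /var/log/apache2/access.log
printf '%s\n' "$SAMPLE_LOG" | count_form_posts
```

Only 185.212.171.146 is reported (four POSTs within 17:06); the normal visitor with one POST stays under the threshold. The output is the candidate list for the blocking step, and keeping the minute bucket in the output makes it easy to compare a wave against the time the customer reported it.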

Impact

The spam attacks caused additional work: the spam mails had to be removed manually from the internal contact system. No extra financial costs were incurred, as we could resolve the problem with iptables. The system is now monitored daily and additional iptables rules are created on demand.

Contributing Factors

  • Incorrectly configured Plesk fail2ban jails
  • Contact forms without any reliably working anti-spam features
  • The first iptables rules were not tested
  • No automatic tooling for blocking malicious IPs

Abstract

The PO of the website contacted us and let us know that there were spam mails in the internal contact system. The spam attacks occur mostly once or twice per day.

As these IP addresses are also on well-known blacklists and have also been reported for scanning websites for vulnerabilities and for other attacks, we blocked their access to our systems entirely.

We did this by dropping their packets with the iptables firewall.

At first we thought this would work, but the fail2ban jail in Plesk was actually not in use. So we switched to plain iptables rules and tested them.

For the first IP address this was done with:
iptables -i eth0 -A INPUT -s 185.212.171.0/24 -j DROP

185.212.171.146 is part of the subnet 185.212.171.0/24, so this rule blocks the whole subnet rather than the single address.

Currently we are monitoring new incoming spam attacks and are blocking the subnets where the attacks are coming from.
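The blocking step above was first applied without checking the result, which is why the same range got through again the next day. The following added example (written for this post mortem, not the author's or the customer's own script) wraps the iptables command from above so that it derives the /24 for an address, appends the DROP rule only if it is not already present (iptables -C), and then verifies that the rule really is in the INPUT chain. iptables and the interface eth0 come from the post; the APPLY guard is an assumption so the address handling can be exercised without root.

```bash
#!/usr/bin/env bash
# Added example: block the /24 of a spamming address with iptables, idempotently,
# and verify the rule instead of assuming it took effect.

# subnet24 <ipv4>  -> prints the enclosing /24, e.g. 185.212.171.146 -> 185.212.171.0/24
# Returns 1 for anything that is not four decimal octets in 0..255.
subnet24() {
  local ip="$1"
  local IFS=.
  set -- $ip
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case "$o" in ''|*[!0-9]*) return 1 ;; esac
    [ "$o" -le 255 ] || return 1
  done
  printf '%s.%s.%s.0/24\n' "$1" "$2" "$3"
}

# rule_spec <net>  -> the rule used for both -C (check) and -A (append);
# same rule as in the post, with the canonical option order.
rule_spec() {
  printf 'INPUT -i eth0 -s %s -j DROP' "$1"
}

# block_subnet <ipv4>
# Adds the DROP rule for the /24 of the address if it is missing, then confirms
# it is installed. Talks to iptables only when APPLY=1 (assumed guard); otherwise
# it prints what it would run, which is also useful as a dry run before a change.
block_subnet() {
  local net spec
  net=$(subnet24 "$1") || { echo "invalid IPv4 address: $1" >&2; return 2; }
  spec=$(rule_spec "$net")
  if [ "${APPLY:-0}" != 1 ]; then
    echo "would run: iptables -C $spec || iptables -A $spec"
    return 0
  fi
  # -C exits non-zero when the rule does not exist; append only in that case,
  # so re-running after the next spam wave never duplicates rules.
  iptables -C $spec 2>/dev/null || iptables -A $spec
  # Verify rather than assume: this is the check that was missing in 2018.
  iptables -C $spec && echo "blocked $net on eth0"
}

# Stand-alone run (dry run unless APPLY=1 is set in the environment).
block_subnet 185.212.171.146
```

With APPLY=1 and root privileges the function installs the rule once and prints "blocked 185.212.171.0/24 on eth0" only if iptables -C confirms it. Independently of this script, iptables -S INPUT lists the rules actually loaded, and fail2ban-client status shows which jails are running, which is how the unused Plesk jail would have been spotted on day one.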

Written by Daniel Ruf.