Subscribe to Collegiate Chronicles        RSS Feed

Security: Learning the Hard Way

Icon 5 Comments
Last Thursday - as mentioned in my last post - I spent my morning teaching a class. When I returned to my office, I found 12 missed phone calls, 8 voicemails, 24 emails and 3 Post-it notes. Our web forms were under attack. The Admissions Office and Career Services Office had been hit hard with over 1,000 emails each overnight.

The emails were riddled with Javascript. My guess is the sender was attempting to insert the code into our database. What the sender didn't count on is that we have no database at the moment. Our web forms shoot a text-based email out to the department that needs the information, none of it is stored on our servers.

Regardless of this fact, panic ensued. Being pressed for time, I issued a quick fix: a generic text-based math problem to check for human verification. It worked. The emails stopped.

This morning, I recieved a frantic email from the Admissions Office - 336,000 junk emails came in last night. While I was down the hall looking through those messages, the Career Services Office left a panicked voicemail: 450,000 emails.

Given that our entire website will be changing next week, I don't want to invest (read "lose") the time setting up Captcha just to tear it down in five days. My temporary work-around: small images of math problems to check for human verification. I've spent most of my morning creating tiny little images which I will have to manually replace every so many hours between now and the new site launch. No two images have the same answer and while they are not obfuscated, the semi-constant stream of changing images and answers should be enough to thwart our attackers until the big switch early next week.

My new task after the site launch? Delve into the dark realm of site security and learn the best methods for preventing more of this nonsense.

5 Comments On This Entry

Page 1 of 1


23 March 2010 - 08:00 AM
That email scrambler script by Jayman in the snippets section works great. I used a modded version of it on our sites.


23 March 2010 - 08:05 AM
Sweet! I will definitely look it up! Thank you!


23 March 2010 - 11:14 AM
This seems like something that reCAPTCHA's Mailhide would be well suited to.


24 March 2010 - 06:11 AM
The poor Admissions Director is still deleting the junk from her inbox. Our Network Administrator set something in her Outlook to filter out anything recieved within a certain timeframe with a certain message title. He told her it would take "about 9 hours" to finish. It ran all day yesterday, all night last night and is STILL running. In the meantime, the form responses she would normally get have been redirected to MY inbox. What a cluster.


24 March 2010 - 04:33 PM
I'll also recommend reCAPTCHA. It's pretty easy to set up, you can probably have it going in less time than it takes to upload all those images.
Page 1 of 1

January 2021

242526 27 282930

Recent Entries

Recent Comments

Search My Blog

0 user(s) viewing

0 Guests
0 member(s)
0 anonymous member(s)