Last Thursday - as mentioned in my last post - I spent my morning teaching a class. When I returned to my office, I found 12 missed phone calls, 8 voicemails, 24 emails and 3 Post-it notes. Our web forms were under attack. The Admissions Office and Career Services Office had been hit hard with over 1,000 emails each overnight.
The emails were riddled with JavaScript. My guess is the sender was attempting to insert the code into our database. What the sender didn't count on is that we have no database at the moment. Our web forms shoot a text-based email out to the department that needs the information, none of it is stored on our servers.
Regardless of this fact, panic ensued. Being pressed for time, I issued a quick fix: a generic text-based math problem to check for human verification. It worked. The emails stopped.
This morning, I received a frantic email from the Admissions Office - 336,000 junk emails came in last night. While I was down the hall looking through those messages, the Career Services Office left a panicked voicemail: 450,000 emails.
Given that our entire website will be changing next week, I don't want to invest (read "lose") the time setting up Captcha just to tear it down in five days. My temporary work-around: small images of math problems to check for human verification. I've spent most of my morning creating tiny little images which I will have to manually replace every so many hours between now and the new site launch. No two images have the same answer and while they are not obfuscated, the semi-constant stream of changing images and answers should be enough to thwart our attackers until the big switch early next week.
My new task after the site launch? Delve into the dark realm of site security and learn the best methods for preventing more of this nonsense.
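The post's first fix (one fixed text question) fell the moment the bot learned the answer, and the second (hand-rotated images) only shortens the window. The example below, added here and not the blog's own code, shows the usual way to get fresh challenges without manual rotation: each form load gets a random question plus a hidden token that carries an HMAC over the issue time, a nonce and the correct answer, so the server stores nothing, the answer cannot be read out of the token, an expired or tampered token is rejected, and a token can be presented only once. `SECRET`, `TTL_SECONDS` and the in-memory `redeemed` set are assumptions for the demo, not anything from the post.

```python
"""Stateless signed form challenge (added example, not the blog's code).

Assumptions (not from the post): SECRET is a per-deployment server secret,
TTL_SECONDS is the challenge lifetime, and the caller keeps the set of nonces
already presented (a plain set here; a shared cache in a real deployment).
"""
import hashlib
import hmac
import random
import secrets
import time

SECRET = secrets.token_bytes(32)   # assumption: generated once per deployment
TTL_SECONDS = 600                  # assumption: a challenge lives 10 minutes


def _tag(issued: int, nonce: str, answer: int) -> str:
    # HMAC over issue time, nonce and the correct answer. The answer never
    # appears in the token, so a bot cannot simply read it out of the form.
    msg = f"{issued}:{nonce}:{answer}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def make_challenge(rng=random, now=None):
    """Return (question, token). The question is shown to the visitor; only
    the token goes into a hidden field. A new call gives a new question, so
    nothing has to be rotated by hand."""
    a, b = rng.randint(2, 40), rng.randint(2, 40)
    issued = int(now if now is not None else time.time())
    nonce = secrets.token_hex(8)
    token = f"{issued}:{nonce}:{_tag(issued, nonce, a + b)}"
    return f"What is {a} plus {b}?", token


def verify(token: str, submitted: str, redeemed: set, now=None) -> bool:
    """Check the visitor's answer against the signed token.

    Rejects malformed or tampered tokens, expired tokens, wrong answers and
    any token presented a second time. Each token allows exactly one attempt,
    right or wrong, so the small answer space cannot be brute-forced with a
    single token.
    """
    now = now if now is not None else time.time()
    try:
        issued_s, nonce, tag = token.split(":")
        issued = int(issued_s)
        answer = int(submitted.strip())
    except ValueError:
        return False
    if not (0 <= now - issued <= TTL_SECONDS):
        return False          # expired, or an issue time from the future
    if nonce in redeemed:
        return False          # replay of a token already used
    redeemed.add(nonce)       # burn the token on its first attempt
    return hmac.compare_digest(tag, _tag(issued, nonce, answer))


if __name__ == "__main__":
    question, token = make_challenge()
    print(question)
    used = set()
    print("correct answer accepted:", verify(token, input("answer: "), used))
    print("same token again:", verify(token, "0", used))
```

This removes the manual image rotation but not the weakness the post already notes: the question is plain text, so a bot that can read the page can still answer it, and the answer space is small enough to guess across many fresh tokens. It should sit behind per-client rate limiting and, as the commenters suggest, is no substitute for a real CAPTCHA once the site is rebuilt.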
5 Comments On This Entry

Nykc
23 March 2010 - 08:00 AM
That email scrambler script by Jayman in the snippets section works great. I used a modded version of it on our sites.

girasquid
23 March 2010 - 11:14 AM
This seems like something that reCAPTCHA's Mailhide would be well suited to.

5thWall
24 March 2010 - 04:33 PM
I'll also recommend reCAPTCHA. It's pretty easy to set up, you can probably have it going in less time than it takes to upload all those images.