A tale of experience with spam bots and Custom Forms (and Rules)

Tags: Orchard, Orchard HUN, Spam, Anti-spam, ReCaptcha, Custom Forms, Rules

We have been experiencing some weird behaviour from our email notification rule, which sends an email to our Orchard Hungary mailing list with the message details when a contact form is submitted on our pages. In detail, the weird behaviour was that we received a notification almost every day and the emails were empty (aside from the nicely configured and tokenized message skeleton). The emails we receive also contain a link to the submitted contact form content item, which displayed a 404 page; however, the content item ids kept incrementing.
I have to confess: we ignored it for a while. :)

But after yesterday's Orchard meeting Zoltán and I began our holy crusade to investigate this issue and we found some interesting stuff. First of all, we concluded that most probably we were under attack (how dramatic) by a spam bot. That's okay, we weren't DoS-ed and our email inboxes weren't flooded, and we are somewhat responsible, because we didn't attach ReCaptcha to the contact form (we have attached it since).

But all this didn't answer the question about the empty content item descriptions in the email notifications. The explanation was that the notification rule was set to fire when a content item of our contact form content type is created (so, basically it's my mistake): that bad-bad spam bot was trying to send us some HTML code, which ASP.NET request validation rejects, and in these cases an exception is thrown:

System.Web.HttpRequestValidationException (0x80004005):

A potentially dangerous Request.Form value was detected from the client (ContactForm.Message.Text="...interview <a href=" http://www...").

The exception aborts saving this contact form content item to the database and the transaction is rolled back. The problem is that the content item is created at the beginning of this process (and the content item id counter has already been incremented), so the rule fires anyway.
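To make the ordering problem concrete, here is a small simulation I put together for this post; it is not Orchard's or ASP.NET's code. The regex is only an approximation of ASP.NET request validation, and ContentStore is a toy model of the save pipeline whose two rule events, "created" and "committed", are my own labels.

```python
import re

# Constructed sample submissions: the second mirrors the shape of the
# rejected value quoted in the post (an <a href=...> tag in the message).
CLEAN_MESSAGE = "Hello, I have a question about Orchard HUN."
SPAM_MESSAGE = 'interview <a href=" http://www.example.invalid">'

# Approximation of ASP.NET request validation: '<' followed by a letter,
# '!', '/' or '?', or an '&#' entity prefix, counts as potentially dangerous.
DANGEROUS = re.compile(r"<[A-Za-z!/?]|&#")


class RequestValidationError(Exception):
    """Stands in for System.Web.HttpRequestValidationException."""


def validate_form_value(value):
    if DANGEROUS.search(value):
        raise RequestValidationError(
            "A potentially dangerous Request.Form value was detected: %r" % value)


class ContentStore:
    """Toy model of the content item save pipeline (not Orchard's API)."""

    def __init__(self):
        self.next_id = 1          # id counter, bumped when the item is created
        self.rows = {}            # what actually reached the database
        self.notifications = []   # (rule_event, item_id) emails that went out

    def submit(self, message, rule_event):
        """Save one submission; rule_event is 'created' (item instantiated,
        before commit) or 'committed' (only after a successful save)."""
        item_id = self.next_id
        self.next_id += 1                       # counter is already incremented
        if rule_event == "created":
            self.notifications.append(("created", item_id))   # fires too early
        try:
            validate_form_value(message)        # raises for the spam payload
            self.rows[item_id] = message        # commit
        except RequestValidationError:
            return None                         # rollback: nothing persisted
        if rule_event == "committed":
            self.notifications.append(("committed", item_id))
        return item_id

    def link_status(self, item_id):
        """HTTP status the content item link in the email would resolve to."""
        return 200 if item_id in self.rows else 404


def run_scenario(rule_event):
    """Replay a legitimate submission followed by the spam one and report
    what each notification email's link would return."""
    store = ContentStore()
    for message in (CLEAN_MESSAGE, SPAM_MESSAGE):
        store.submit(message, rule_event)
    return [(event, item_id, store.link_status(item_id))
            for event, item_id in store.notifications]
```

With the rule on "created" the spam attempt still produces an email whose link 404s (id 2 was consumed but never persisted); with the rule on "committed" only the legitimate submission is reported.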

So the conclusion is to choose your rule events wisely and/or use ReCaptcha!
