Version 7.x > Portal Engine
andrew.robulack-gov.yk - 1/17/2014 2:30:35 PM
   
Spammers Abusing Forms -- How to Identify IP?
I've got a spammer hammering some forms on our site. How do I identify their IP so I can block them?

Brenden Kehren - 1/17/2014 3:01:58 PM
   
RE:Spammers Abusing Forms -- How to Identify IP?
Can do a couple things, assuming you are requiring them to authenticate prior to posting.

1). Look at the user info and the last time they logged in and IP address are recorded.
2). Look in your event log for SOURCE = "Authentication" and Event Code = "AUTHENTICATIONSUCC". You can get the same type of info from there as well if you know the username.

Andrew Robulack - 1/19/2014 8:12:14 PM
   
RE:Spammers Abusing Forms -- How to Identify IP?
We're not requiring users to authenticate before submitting the forms so, unfortunately, I can't track this activity using this method. We have open forms inviting feedback on pages, and that's what the attacker is using.

Any insight on how to identify the IP that is being used to submit a form? The Event Log only seems to collect information about certain system events. I'm more interested in identifying the IP that was used to submit a form on a certain date and at a certain time.

Brenden Kehren - 1/20/2014 10:39:42 AM
   
RE:Spammers Abusing Forms -- How to Identify IP?
Andrew Robulack wrote: "Any insight on how to identify the IP that is being used to submit a form? The Event Log only seems to collect information about certain system events. I'm more interested in identifying the IP that was used to submit a form on a certain date and at a certain time."

In the Site Manager > Settings > System > General section, ensure the Log metadata checkbox is checked. This will log nearly every action taken on the site. You should be able to find the info then by comparing forum post times and event log times.

Andrew Robulack - 1/20/2014 1:06:15 PM
   
RE:Spammers Abusing Forms -- How to Identify IP?
Thanks for your continued support on this matter. Your input is helpful.

Unfortunately, this is not part of a forum. These are simply forms on our web site set up to collect user input. You can see one if you go to this page:

http://wcb.yk.ca/News-0001/Feature-01.aspx

Then pull down the "Tell us how we can improve this page" tab.

Basically, someone is repeatedly filling out that form on different pages of the site. There have been over 300 submissions over the weekend. I'm trying to identify the IP address of each submission (so I'd like to compare the time-date stamp on the submission with a view on the page, or some form of form submission record).

Accepted solution
Brenden Kehren - 1/20/2014 1:19:37 PM
   
RE:Spammers Abusing Forms -- How to Identify IP?
Andrew Robulack wrote: "Unfortunately, this is not part of a forum."

My apologies. I missed the mark on that one, mixed up form and forum.

At any rate, is that "Tell us how we can improve this page" a biz form in Kentico? If so, I'd still suggest turning on the "Log metadata changes" because this will log anytime someone submits data from a biz form. You can search for Source = "Form item" and Event code = "CREATEOBJ". This will have everything you need (IP, page they were on, browser used, etc).

Andrew Robulack - 1/20/2014 3:19:22 PM
   
RE:Spammers Abusing Forms -- How to Identify IP?
Awesome! That's exactly what I needed. Thanks a ton for your support and persistence!

kentico_sandroj - 1/17/2014 3:34:44 PM
   
RE:Spammers Abusing Forms -- How to Identify IP?
Hello,

As FroggEye mentioned, it is possible to find out the IP by reviewing the Event Log details. Once you have the IP you can use the BannedIPs module to block access.

Please let me know if you have any questions or concerns.

Best Regards,
Sandro

Andrew Robulack - 1/19/2014 8:15:36 PM
   
RE:Spammers Abusing Forms -- How to Identify IP?
As I mentioned above, the Event Log only seems to collect information about certain system events, not every transaction. I'm interested in identifying the IP that was used to submit a form on a certain date and at a certain time. The attacker is successfully submitting forms on multiple pages on the site, and I'm not sure how to identify what IP is being used.

That said, I believe I did manage to identify one IP address and I added it to the Banned IPs list. Despite this, the system seems to still be responding to activities generated using this IP, so I'm not sure how thorough a block the banned IP list really is... any insight on that?

kentico_sandroj - 1/21/2014 4:28:46 PM
   
RE:Spammers Abusing Forms -- How to Identify IP?
Hello,

What is the Ban Type set to? I would recommend setting it to Access. Also, are you sure that it is the same exact IP and not a different subnet? You are allowed to use a wildcard if you wish to block an entire subnet. The BannedIP module is as thorough as its configuration; it should not allow any users from blocked IPs to perform those specific actions on your site. Please let us know if that is not the case in your instance.

Please let me know if you have additional questions.

Best Regards,
Sandro
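
Added example, not part of the thread or of Kentico's code: once metadata logging is on, the Source = "Form item" / Event code = "CREATEOBJ" entries from the accepted solution can be tallied per source IP for the weekend in question, and grouped by subnet as the last reply suggests. It assumes the event log has been exported to CSV with the column names shown (assumed names) and that a wildcard ban entry takes the form `a.b.c.*` (also an assumption); the sample rows are constructed.

```python
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample of an event log export (not real data). The column names
# are assumptions for this example; map them to the columns of your own export.
SAMPLE_EXPORT = """\
EventTime,Source,EventCode,IPAddress,EventUrl
2014-01-18 09:14:02,Form item,CREATEOBJ,203.0.113.17,/News-0001/Feature-01.aspx
2014-01-18 09:14:09,Form item,CREATEOBJ,203.0.113.17,/News-0001/Feature-02.aspx
2014-01-18 11:30:41,Authentication,AUTHENTICATIONSUCC,192.0.2.10,/Logon.aspx
2014-01-19 02:03:55,Form item,CREATEOBJ,203.0.113.42,/About.aspx
2014-01-19 02:04:01,Form item,CREATEOBJ,203.0.113.42,/Contact.aspx
2014-01-19 02:04:07,Form item,CREATEOBJ,203.0.113.17,/Contact.aspx
2014-01-19 15:20:00,Form item,CREATEOBJ,198.51.100.7,/About.aspx
2014-01-20 08:00:12,Form item,CREATEOBJ,198.51.100.7,/Contact.aspx
"""
WEEKEND = (datetime(2014, 1, 18), datetime(2014, 1, 20))  # [start, end)

def form_submissions(export_text, start, end):
    """Yield (time, ip, url) for each form submission inside [start, end)."""
    for row in csv.DictReader(io.StringIO(export_text)):
        if (row["Source"], row["EventCode"]) != ("Form item", "CREATEOBJ"):
            continue  # other event types, e.g. authentication
        when = datetime.strptime(row["EventTime"], "%Y-%m-%d %H:%M:%S")
        if start <= when < end:
            yield when, row["IPAddress"], row["EventUrl"]

def ban_candidates(export_text, start, end, threshold=3):
    """Return (per-IP counts, entries to review for the banned IP list).
    IPv4 only. Sources are grouped by /24; a group at or above `threshold`
    submissions yields one IP, or an assumed 'a.b.c.*' wildcard if several
    addresses in it submitted. A wildcard also blocks that subnet's other users.
    """
    per_ip, subnets = Counter(), defaultdict(set)
    for _, ip, _ in form_submissions(export_text, start, end):
        per_ip[ip] += 1
        subnets[ip.rsplit(".", 1)[0]].add(ip)
    entries = []
    for prefix in sorted(subnets):
        ips = subnets[prefix]
        if sum(per_ip[ip] for ip in ips) >= threshold:
            entries.append(prefix + ".*" if len(ips) > 1 else min(ips))
    return per_ip, entries

if __name__ == "__main__":
    counts, entries = ban_candidates(SAMPLE_EXPORT, *WEEKEND)
    print(counts.most_common(), entries)
```

The third element of each tuple from `form_submissions` is the page the form was submitted from, which helps match a log entry to a specific stored submission by timestamp.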