Spamming the Spammers

Filed under python on December 12, 2019

So I’ve been getting some intriguing emails lately, featuring auto replies from contact us forms saying thank you for your message.

Finally got one that included the body that was sent and sure enough it had a link to a “German” SEO company. Digging further, I found their contact form submitted to a 3rd party site, an “American” ad agency which doesn’t seem to exist at all.

I dug through the site a bit more, just to confirm that they were definitely fake. Just a hint, if you want to sell yourself as tech savvy make sure your website isn’t a hot mess like mine. What intrigued me, though, is how their webform didn’t seem to require any sort of CSRF token, nor did it seem to demand any additional state beyond the form data.

Seems a little silly, given that you can quite easily use the Python requests library to create a post request with random garbage that fits that form data with garbage, like so

data = {
    # these will vary depending on the form
    'first_name': fname,
    'last_name': lname,
    'email': email,
    'subject': subject,
    'body': body
}
resp = requests.post(url, data)

I mean, set that up with a few dictionaries and loops to build up unpredictable garbage data and loop around a few million of times over the course of a few weeks and bam, their database is full of crap they can’t sift through easily.

But then again, I’m not a vengeful person and wouldn’t do that. Here’s a video of someone doing just this though

Showing a Craigslist scammer who's boss using Python

Onto other stuff…

I’ve read ahead in Blackhat Python, I’ll probably do two or three more posts around the Github command and control, as that’s something I’ve done before to control my Raspberry Pis and is always a bit of fun, along with some of the Windows ones and maybe the offensive forensics as there isn’t really as much to change as I thought there might be and most of the code is more less working verbatim out of the book.

I’d maybe like to take an aside and do a blog post on getting started with the Fyne framework before getting back to more network shenanigans, after seeing one of the core devs give a talk at Gophercon I’ve been intrigued by it.


Stephen Gream

Written by Stephen Gream who lives and works in Melbourne, Australia. You should follow him on Minds