Is it possible to throw a site-wide error of each unique type only once? Using CF 2016. The website application has an onError exception handling mechanism in Application.cfc. The site encountered a SQL injection attempt and numerous error mails were sent, like a mail flood.
Can we handle this, without creating any blacklist table, in such a way that the spam kind of mail is thrown only once in a day? Also, genuine error mails should not be prevented.
Any suggestion is appreciated.
I use an application variable that is set to 0 when the application starts.
In the application error handler, I increment that variable each time an error is emailed to me. Once the variable reaches a threshold, I don't send any more emails.
Since my applications only get used during business hours, the variable is set each morning by the first person to use the app.
Besides Eddie's helpful suggestion, note that this problem is indeed solved by error handling framework solutions/services that can be leveraged from cfml. They imbue all that intelligence from years of experience, saving you thinking of how best to prevent such floods, while handling that error and others intelligently.
I keep a list of them as a category of my cf411 site, specifically:
Let us know if you find one that seems to suit you.
I can think of a method similar to EddieLotter's.
1. In onApplicationStart, initialize:
<cfset application.mailFloodChecker=0>
2. Obtain from your records an identifying string that is present in the stacktrace of every flooder mail. Use it in onError to check if e-mail is from the mail flooder. If so, send only the first such e-mail:
<!--- In my case, the stacktrace of every mail flooder contains the text "Variable NGAHNMBBVCDSEWJHTTP is undefined" --->
<cfif structKeyExists(arguments.exception, "stacktrace") and findNoCase("Variable NGAHNMBBVCDSEWJHTTP is undefined", arguments.exception.stacktrace) gt 0>
    <cfif application.mailFloodChecker eq 0>
        <cfmail>
        ... etc
        </cfmail>
        <cfset application.mailFloodChecker = 1>
    </cfif>
</cfif>
The error message may vary depending on the page requested and based on the hack attempt tried.
Therefore, can we handle it in a more generic way, for example: when the same error message from the same remote IP (CGI.REMOTE_HOST) is triggered more than once within a minute, mail is not sent after that? Is it possible to store this information in a scope and compare without writing to a db or file?
Hope the flag 'mailFloodChecker' will get reset when the application is started again in the browser the next day, without restarting the CF service.
Jibinanto, I'm sure bkbk will follow up with extensive support to guide you in the handcrafting of his solution to be still more capable.
But I will stress again to you both: beware "re-inventing the wheel". See my first comment about error handling solutions that build in all you're contemplating adding here, and they add much more that you'll inevitably think of--and perhaps more you'd not.
Again, I don't say this to discourage the effort. You will learn a lot building this solution by hand. But you may miss something. If nothing else, since two of the solutions are open source cfml, consider looking to them for ideas. Even the sites about the non-cf services can give you (both) ideas.
But you may find you'd spend less time implementing one in your app (even if it's a struggle, being something new to you) than building out such more-evolved but hand-crafted error handling. Just a friendly suggestion, not an admonition.
But I will stress again to you both: beware "re-inventing the wheel".
By @Charlie Arehart
Good advice!
Hope the flag 'mailFloodChecker' will get reset when the application is started again in the browser the next day, without restarting the CF service.
By @jibinanto40792294
Yes, it will. The check is initialized in onApplicationStart. So it will be reset whenever the application is restarted.
The error message may vary depending on the page requested and based on the hack attempt tried.
Therefore, can we handle it in a more generic way, for example: when the same error message from the same remote IP (CGI.REMOTE_HOST) is triggered more than once within a minute, mail is not sent after that? Is it possible to store this information in a scope and compare without writing to a db or file?
By @jibinanto40792294
I would answer yes to every question. I used stacktrace to test, just as an example. You may, of course, use any test you want. So a combined test of error-message and IP is fine. Remember you can apply regular expressions to search the error-message. For example, by means of REFindNoCase or REMatch.
In any case, you can still apply exactly the same solution strategy.
1. In onApplicationStart:
<cfset application.mailFloodTimer = getTickCount()><!--- Milliseconds --->
<cfset application.pauseSendingMailFlood = false>
2. In onError:
<!--- Define a boolean to be used to check for flood mail.
      check_consisting_of_IP_and_error_message is a placeholder for your own test. --->
<cfset var isMailFloodEmail = check_consisting_of_IP_and_error_message>
<cfif isMailFloodEmail and not application.pauseSendingMailFlood>
    <cfmail>
    ... etc
    </cfmail>
    <!--- Milliseconds since the timer was last set --->
    <cfset var elapsedMs = getTickCount() - application.mailFloodTimer>
    <!--- Restart the timer, so that it always holds a tick count and never a duration --->
    <cfset application.mailFloodTimer = getTickCount()>
    <!--- Flood mail triggered more than once in 60 000 milliseconds --->
    <cfif elapsedMs lt 60000>
        <cfset application.pauseSendingMailFlood = true>
    </cfif>
</cfif>
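
An in-memory version of the "same error message from the same remote IP within a minute" check discussed above, as an added example that is not part of any post in this thread. It is a script-style Application.cfc; the names application.errorMailLog, shouldSendErrorMail, windowMs, maxKeys and the application name are assumptions, and cgi.remote_addr is used for the client IP.

```cfml
component {
    this.name = "errorMailThrottleDemo"; // assumed application name

    function onApplicationStart() {
        application.errorMailLog = {}; // key -> tick count when a mail was last sent
        return true;
    }

    // True if a mail for this (client IP, error message) pair may be sent now.
    // Function name, windowMs and maxKeys are assumptions made for this example.
    boolean function shouldSendErrorMail(required string remoteIp, required string message,
                                         numeric windowMs = 60000, numeric maxKeys = 5000) {
        // Hash the pair so request-influenced error text never becomes a raw struct key.
        var key = hash(arguments.remoteIp & "|" & arguments.message, "SHA-256");
        var nowMs = getTickCount();
        var send = false;
        var k = "";
        lock scope="application" type="exclusive" timeout="5" {
            // Drop expired entries so many distinct errors cannot grow memory without bound.
            for (k in structKeyArray(application.errorMailLog)) {
                if (nowMs - application.errorMailLog[k] gte arguments.windowMs) {
                    structDelete(application.errorMailLog, k);
                }
            }
            // Pair not seen within the window and room in the table: record it, allow one mail.
            if (!structKeyExists(application.errorMailLog, key)
                    && structCount(application.errorMailLog) lt arguments.maxKeys) {
                application.errorMailLog[key] = nowMs;
                send = true;
            }
        }
        return send;
    }

    function onError(required any exception, required string eventName) {
        var msg = structKeyExists(arguments.exception, "message")
            ? arguments.exception.message : "unknown error";
        if (shouldSendErrorMail(cgi.remote_addr, msg)) {
            // Send the error e-mail here, as in the cfmail blocks shown in the posts above.
        }
    }
}
```

An error from a different client or with a different message still produces its own mail, unless maxKeys pairs are already being tracked within the window.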
Thank you for the guidance
Are you giving any consideration to one of the error handling frameworks? Or are you preferring to do it all by hand?