Topic awaiting preservation: weird website spam — OZONE Asylum, home of the Mad Scientists

Topic awaiting preservation: weird website spam $Pages that link to <a href="https://ozoneasylum.com/backlink?for=26666" title="Pages that link to Topic awaiting preservation: weird website spam" rel="nofollow" >Topic awaiting preservation: weird website spam\$

Author	Thread
GRUMBLE Paranoid (IV) Mad Scientist From: Omicron Persei 8 Insane since: Oct 2000	posted 09-16-2005 15:36 hi, on one of my clients website i use a "normal" contact form. it has two inputs: name and email one textarea: some text and one submit button. once the user fills out all fields and hits submit the form is submitted using POST and on the next page the contents are sent to my client (and myself) using the php->mail function. this has been workin now for years without any problem. but since a couple of weeks, exactly every six hours we get four emails with kinda strange content. the first one has the same values in all three form elements, and looks like eight random characters + @ + the domainname. example: xhrtj8iuz@mydomain.com the second one has this in its body: This is a multi-part message in MIME format. --===============1217498244== Content-Type: text/plain; charset=\"us-ascii\" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit pnkdyoq --===============1217498244==-- the third one is the most strangest of all cause it contains nothing but still the size of the email is about 1800bytes. this is strange cause the form usually does not allow empty content to be sent. the fourth one is a mixture of the first and the second. it has the same values for the three fields but additionally in the content field it has the multi-part thing as in the second version. it looks like this: hujrkdeo@mydomain.com Content-Type: multipart/mixed; boundary=\"===============1526510514==\" MIME-Version: 1.0 Subject: 9605bb75 To: hujrkdeo@mydomain.com bcc: PeiCanteenMc@aol.com From: hujrkdeo@mydomain.com This is a multi-part message in MIME format. --===============1526510514== Content-Type: text/plain; charset=\"us-ascii\" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit mgeeid --===============1526510514==-- ok, as i said we get these four mails exactly every six hours, each time from a different ip. if i traceroute the ip it points to a random mailserver of companies here in my country. the guy is obviously trying to send attachments, probably virii. any hints on how to stop him? thanks. edit: hmmm the ulist tag here seems to add extra lines to the list items. (Edited by GRUMBLE on 09-16-2005 15:38)
poi Paranoid (IV) Inmate From: France Insane since: Jun 2002	posted 09-16-2005 16:17 Check SecurePHP : Email Injection (Edited by poi on 09-16-2005 16:17)
GRUMBLE Paranoid (IV) Mad Scientist From: Omicron Persei 8 Insane since: Oct 2000	posted 09-16-2005 16:38 thank you poi, that is an interesting article. indeed i used "Reply-To: $email" as the string for my headers, which is very convenient since you can just hit reply in your emailclient to write back. I removed it for now, lets see how the next four emails will look like. I'll probably have to find another solution though since the Reply-To feature is too nice to drop it. (Edited by GRUMBLE on 09-16-2005 16:39)
poi Paranoid (IV) Inmate From: France Insane since: Jun 2002	posted 09-16-2005 16:46 At the end of the article, they give some simple ideas to detect the attempt to pass a MIME header in the form fields.

hi,
on one of my clients website i use a "normal" contact form.
it has two inputs: name and email
one textarea: some text
and one submit button.

once the user fills out all fields and hits submit the form is submitted using POST and on the next page the contents are sent to my client (and myself) using the php->mail function.

this has been workin now for years without any problem.

but since a couple of weeks, exactly every six hours we get four emails with kinda strange content.

the first one has the same values in all three form elements, and looks like eight random characters + @ + the domainname.

example: xhrtj8iuz@mydomain.com
the second one has this in its body:

This is a multi-part message in MIME format.

--===============1217498244==

Content-Type: text/plain; charset=\"us-ascii\"

MIME-Version: 1.0

Content-Transfer-Encoding: 7bit

pnkdyoq

--===============1217498244==--
the third one is the most strangest of all cause it contains nothing but still the size of the email is about 1800bytes. this is strange cause the form usually does not allow empty content to be sent.
the fourth one is a mixture of the first and the second. it has the same values for the three fields but additionally in the content field it has the multi-part thing as in the second version. it looks like this:

hujrkdeo@mydomain.com

Content-Type: multipart/mixed; boundary=\"===============1526510514==\"

MIME-Version: 1.0

Subject: 9605bb75

To: hujrkdeo@mydomain.com

bcc: PeiCanteenMc@aol.com

From: hujrkdeo@mydomain.com

This is a multi-part message in MIME format.

--===============1526510514==

Content-Type: text/plain; charset=\"us-ascii\"

MIME-Version: 1.0

Content-Transfer-Encoding: 7bit

mgeeid

--===============1526510514==--

ok, as i said we get these four mails exactly every six hours, each time from a different ip. if i traceroute the ip it points to a random mailserver of companies here in my country.
the guy is obviously trying to send attachments, probably virii.
any hints on how to stop him?
thanks.

edit: hmmm the ulist tag here seems to add extra lines to the list items.

(Edited by GRUMBLE on 09-16-2005 15:38)