Closed Thread Icon

Topic awaiting preservation: weird website spam Pages that link to <a href="https://ozoneasylum.com/backlink?for=26666" title="Pages that link to Topic awaiting preservation: weird website spam" rel="nofollow" >Topic awaiting preservation: weird website spam\

 
Author Thread
GRUMBLE
Paranoid (IV) Mad Scientist

From: Omicron Persei 8
Insane since: Oct 2000

posted posted 09-16-2005 15:36

hi,
on one of my clients website i use a "normal" contact form.
it has two inputs: name and email
one textarea: some text
and one submit button.

once the user fills out all fields and hits submit the form is submitted using POST and on the next page the contents are sent to my client (and myself) using the php->mail function.

this has been workin now for years without any problem.

but since a couple of weeks, exactly every six hours we get four emails with kinda strange content.

  • the first one has the same values in all three form elements, and looks like eight random characters + @ + the domainname.

    example: xhrtj8iuz@mydomain.com
  • the second one has this in its body:

    This is a multi-part message in MIME format.



    --===============1217498244==

    Content-Type: text/plain; charset=\"us-ascii\"

    MIME-Version: 1.0

    Content-Transfer-Encoding: 7bit



    pnkdyoq

    --===============1217498244==--
  • the third one is the most strangest of all cause it contains nothing but still the size of the email is about 1800bytes. this is strange cause the form usually does not allow empty content to be sent.
  • the fourth one is a mixture of the first and the second. it has the same values for the three fields but additionally in the content field it has the multi-part thing as in the second version. it looks like this:



    hujrkdeo@mydomain.com

    Content-Type: multipart/mixed; boundary=\"===============1526510514==\"

    MIME-Version: 1.0

    Subject: 9605bb75

    To: hujrkdeo@mydomain.com

    bcc: PeiCanteenMc@aol.com

    From: hujrkdeo@mydomain.com



    This is a multi-part message in MIME format.



    --===============1526510514==

    Content-Type: text/plain; charset=\"us-ascii\"

    MIME-Version: 1.0

    Content-Transfer-Encoding: 7bit



    mgeeid

    --===============1526510514==--




ok, as i said we get these four mails exactly every six hours, each time from a different ip. if i traceroute the ip it points to a random mailserver of companies here in my country.
the guy is obviously trying to send attachments, probably virii.
any hints on how to stop him?
thanks.



edit: hmmm the ulist tag here seems to add extra lines to the list items.

(Edited by GRUMBLE on 09-16-2005 15:38)

poi
Paranoid (IV) Inmate

From: France
Insane since: Jun 2002

posted posted 09-16-2005 16:17

Check SecurePHP : Email Injection



(Edited by poi on 09-16-2005 16:17)

GRUMBLE
Paranoid (IV) Mad Scientist

From: Omicron Persei 8
Insane since: Oct 2000

posted posted 09-16-2005 16:38

thank you poi, that is an interesting article.
indeed i used
"Reply-To: $email"
as the string for my headers, which is very convenient since you can just hit reply in your emailclient to write back.

I removed it for now, lets see how the next four emails will look like.

I'll probably have to find another solution though since the Reply-To feature is too nice to drop it.



(Edited by GRUMBLE on 09-16-2005 16:39)

poi
Paranoid (IV) Inmate

From: France
Insane since: Jun 2002

posted posted 09-16-2005 16:46

At the end of the article, they give some simple ideas to detect the attempt to pass a MIME header in the form fields.

« BackwardsOnwards »

Show Forum Drop Down Menu