- Formmail Attack?
- Posted by Andy Jacobs on October 17th, 2005
Hi all
I think we covered something like this in a previous thread but it's
something that's driving me mad.
A customer of mine keeps getting form submission through his website.
I'm using the PHP derivative of Matt's form mail script. This is what
comes through (I replaced the real domain with REALDOMAIN and the *'s
obscure the bcc address):
Below is the result of your feedback form. It was submitted by
ylqgvx@REALDOMAIN.co.uk on October 16th, 2005 at 05:31AM (BST).
Fax: ylqgvx@REALDOMAIN.co.uk
checkbox: ylqgvx@REALDOMAIN.co.uk
from: ylqgvx@REALDOMAIN.co.uk
Name: ylqgvx@REALDOMAIN.co.uk
Submit2: ylqgvx@REALDOMAIN.co.uk
Submit: ylqgvx@REALDOMAIN.co.uk
Content-Type: multipart/mixed; boundary="===============0544105781=="
MIME-Version: 1.0
Subject: 3800c4e8
To: ylqgvx@REALDOMAIN.co.uk
bcc: BenVVw2***@aol.com
From: ylqgvx@REALDOMAIN.co.uk
This is a multi-part message in MIME format.
--===============0544105781==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
wxbxszn
--===============0544105781==--
Telephone: ylqgvx@REALDOMAIN.co.uk
sender_email: ylqgvx@REALDOMAIN.co.uk
Address: ylqgvx@REALDOMAIN.co.uk
query: ylqgvx@REALDOMAIN.co.uk
email: ylqgvx@REALDOMAIN.co.uk
We removed the form from the contact page for about 3 weeks in the hope
that it would go away. When I reinstated the form a week or so ago,
things stayed quiet but it's now started happening again.
It looks like someone's trying to use the BCC field to send spam. At
least that's the only thing I can think of.
Is anyone else getting this, and can anyone think of a way to stop it?
I don't think the spam is actually going, I just think it's someone
trying to find a hole to use and failing but the customer is getting
loads of these.
Cheers
Andy
--
Andy Jacobs
www.redcatmedia.net
Intelligent Websites For Intelligent Business People
- Posted by Geoff Berrow on October 17th, 2005
I noticed that Message-ID:
<andy-7F1661.09395617102005@news.btinternet.com> from Andy Jacobs
contained the following:
I've had two on one of the forms that I administer but no more since. It
may be worth looking for certain strings e.g. Content-Type:,
MIME-Version: 1.0, or bcc: and dropping the request if those are found.
There was a tread about it on one of the PHP groups and I'm waiting for
a round tuit to apply the mod to my own mail script, phmail, though I
don't think there are any vulnerabilities in current installations.
--
Geoff Berrow 0110001001101100010000000110
001101101011011001000110111101100111001011
100110001101101111001011100111010101101011
- Posted by Geoff Berrow on October 17th, 2005
I noticed that Message-ID: <php6l1d4i3qn7n61o2a8qhgahn1pvt7b26@4ax.com>
from Geoff Berrow contained the following:
Umm, touch of the Irish there, I meant thread. I'm sure there was more,
maybe it was multi posted, but here is one I found.
Message-ID: <1126115558.002497.196480@g47g2000cwa.googlegroups.com>
- Posted by Andy Jacobs on October 17th, 2005
On 17/10/05 10:00 am, in article php6l1d4i3qn7n61o2a8qhgahn1pvt7b26@4ax.com,
"Geoff Berrow" <blthecat@ckdog.co.uk> wrote:
Cheers for that Geoff. We're just in the process of redoing the site with a
custom form2mail script that is all going to be pretty much hard wired so
that should sort it but I have other clients using the dodgy one and I guess
it's only a matter of time before they get hit as well.
Cheers
Andy
- Posted by Safalra on October 17th, 2005
Andy Jacobs wrote:
I had this problem too. Their cracking attempts failed, as I validate
the 'from' field, but it was very annoying, so I just added another
regexp to block these attempts too. Since doing this I've had no
problems (despite getting 500 hits on the form a month). I've put my
code up here:
http://www.safalra.com/programming/php/contactform/
--
Safalra (Stephen Morley)
http://www.safalra.com/hypertext/
- Posted by axel@white-eagle.invalid.uk on October 17th, 2005
Andy Jacobs <andy@redcatmedia.net> wrote:
The original Perl version of form mail was notorious for its
security flaws - the PHP derivative sounds to be similar.
It should be dropped like a hot brick.
Actually Matt's script archive was full of dodgy scripts.
Axel
- Posted by Pete Gray on October 18th, 2005
In article <BF7935AF.9350%andy@redcatmedia.net>, andy@redcatmedia.net
says...
Sounds like this:
<http://securephp.damonkohler.com/index.php/Email_Injection>
--
Pete Gray
Say No to ID Cards <http://www.no2id.net>
<http://www.redbadge.co.uk/no2idcards/>
- Posted by Gordon Hudson on October 18th, 2005
"Safalra" <usenet@safalra.com> wrote in message
news:1129567314.069614.214850@g44g2000cwa.googlegroups.com...
We have to do that on all our servers to stop these silly tests.
They never get through anyway as our install of formmail will only send to
domains listed in /etc/localdomains.
If you want to stop it happening just change the name of formmail.pl to
something else and then they won't find it.
--
Gordon Hudson || Hostroute.com Ltd
e-mail:ghudson [at] hostroute.net
http://www.hostroute.co.uk/resellers Host 5 web sites for £9 per month
http://www.nameroute.co.uk/ Domain Names with free hosting and email
- Posted by Graham on October 18th, 2005
On Tue, 18 Oct 2005 09:18:05 +0100, "Gordon Hudson"
<gordon@usenet3.hostroute.co.uk> wrote:
Not quite, I had several (unsuccessful attempts) of these probes, to
various domains earlier in the year. None of the domains used a script
cgi-bin/formmail.pl which could be easily "checked and tested" by a
bot. They were all similar to cgi-bin/myform/mycontact.pl. Only by
"looking" at the html of the contact page could that info be found. I
added a sub to check if any data entered on any field on the form
included bcc: and to exit the script if it was found.
Graham
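The checks Geoff and Graham describe (drop the request if any field carries bcc:, Content-Type: or MIME-Version:) and Safalra's validation of the 'from' field, combined into one guard for a PHP form-to-mail handler. This is an added example, not code from any poster or from Matt's script; it assumes PHP 7.1 or later, a hard-wired recipient chosen by the caller, and a form field named `email` for the sender address.

```php
<?php
// Added example, not from any poster's script: a guard for a PHP form-to-mail
// handler against the header injection probed in this thread. Requires PHP 7.1+.

// Header names the probe tried to smuggle in. The regex is anchored at line
// start so a sentence that merely mentions "content-type" still passes.
const INJECTED_HEADER_RE =
    '/^(?:to|cc|bcc|from|subject|content-type|mime-version|content-transfer-encoding)\s*:/mi';

// Returns null when the submission is clean, otherwise a reason string the
// caller can log before dropping the request.
function find_header_injection(array $fields): ?string
{
    foreach ($fields as $name => $value) {
        if (!is_string($value)) {
            return "field '$name' is not a string";
        }
        // A bare CR or LF is the actual injection primitive: it ends the
        // current header line and lets the sender start a new one.
        if (preg_match('/[\r\n]/', $value)) {
            return "field '$name' contains a line break";
        }
        if (preg_match(INJECTED_HEADER_RE, $value)) {
            return "field '$name' starts with a mail header";
        }
    }
    return null;
}

// The recipient is hard-wired by the caller; nothing from the form chooses it.
function send_contact_mail(array $post, string $recipient): bool
{
    if (find_header_injection($post) !== null) {
        return false;   // drop the request
    }
    $from = $post['email'] ?? '';
    if (filter_var($from, FILTER_VALIDATE_EMAIL) === false) {
        return false;   // the only value placed in headers must be a plain address
    }
    $headers = "From: $from\r\nReply-To: $from";
    $body = '';
    foreach ($post as $name => $value) {
        $body .= "$name: $value\n";   // field contents go in the body only
    }
    return mail($recipient, 'Website contact form', $body, $headers);
}

// Constructed probe shaped like the one quoted in the thread (not real data).
$probe = ['email' => "x@example.com\nbcc: target@example.net", 'query' => 'hi'];
var_dump(find_header_injection($probe));
```

Rejecting any line break is the check that matters; the header-name regex only adds a log-friendly reason for submissions where a whole field is a header line.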
- Posted by Gordon Hudson on October 18th, 2005
"Graham" <gra@hglmotors.co.uk> wrote in message
news:ihc9l1di7i97nf2c9rbb0oj1r3k55u9lj0@4ax.com...
Yes but it stops most of them.
I have had a few looking for callback.pl as well which is interesting.