hacked form mailer?
Posted by Rocky on October 2nd, 2005

When I receive an email from the form mailer on one of my sites it looks
like this.

first_name: John Smith
RadioGroup1: Member
textarea: hi, nice site.

But yesterday I had several forms submitted that looked like the one pasted
below. As well as all the additional stuff, the RadioGroup1 is listed first
instead of second, then there's the aol addy I never heard of in there, and
the to and from emails at the bottom are for mydomain, but those accounts
don't exist. Anyone know what has happened? Additionally I googled that aol
addy, and it crops up all over the place, even in shoutboxes...?

RadioGroup1: mvrhnct@mydomain.org.uk
first_name: mvrhnct@mydomain.org.uk
textarea: mvrhnct@mydomain.org.uk
Content-Type: multipart/mixed; boundary="===============0451012470=="
MIME-Version: 1.0
Subject: fec5dd35
To: mvrhnct@mydomain.org.uk
bcc: homeigoldstein@aol.com
From: mvrhnct@mydomain.org.uk

This is a multi-part message in MIME format.

--===============0451012470==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

pgmq
--===============0451012470==--


Any ideas?

Alistair.



Posted by Doc O'Leary on October 2nd, 2005

In article <dIV%e.120256$G8.94925@text.news.blueyonder.co.uk> ,
"Rocky" <Rocky@GhostRecon.net> wrote:

I've (knowingly) gotten a handful of these kinds of things in the last
month. They are obvious probes for some exploit. The From email, I
assume, simply identifies your site as being vulnerable to the To AOL
account (interestingly, all the attempts I saw used AOL as well).

Block by IP.

Posted by Toby Inkster on October 2nd, 2005

Rocky wrote:

There is a very clever hack for the PHP mail() function.

Summary of solution: make sure that the "headers" parameter (from the top
of my head, the fourth one) ends "\r\n\r\n".

--
Toby A Inkster BSc (Hons) ARCS
Contact Me ~ http://tobyinkster.co.uk/contact


Posted by Ben Jamieson on October 3rd, 2005

On 2005-10-02 14:31:37 -0400, "Rocky" <Rocky@GhostRecon.net> said:

It's a standard email injection attack, basically using the 'from' field
to enter a whole bunch of additional headers. Luckily, these headers
have to be separated by a line break, so an easy solution is to check
for these in your processing script, i.e.:

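// preg_match() replaces eregi(), which took (pattern, string) and was removed in PHP 7
if (preg_match('/[\r\n]/', $mail_from)) {
    // CR or LF in the address: don't process form. Block sender ip
} else {
    // All is good - send the email
}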


Posted by JoePete on October 3rd, 2005

Without knowing exactly the PHP behind this, it's just shooting in the
dark. But one thing you need to check against is PHP code being injected
into a field. For example, php mail basically has four variables
(to, subject, message, header). If any of those values is set through what
someone posts -- this would include a from email address, which becomes
a From: header -- then someone can screw with your script to get it to spam.

My guess is this is someone testing. The fact that it is trying to send
multipart mail is a good sign that someone is testing for spam abilities
(unless your php script naturally sends you email as multipart). The bcc
address may be the source, but then again it may be nothing.

Keep in mind that with any email, the from address is easily forged.

--
JoePete
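
The line-break check from Ben Jamieson's post, applied to every form field that ends up in a mail header as JoePete's post outlines, written here as an added example that is not code from any poster in this thread. The field names, `HEADER_FIELDS`, `injected_fields()` and `build_headers()` are hypothetical, and both submissions are constructed.

```php
<?php
// Added example; function names and form layout are hypothetical.

// Form fields the script copies into mail headers (From:, Reply-To:).
// The textarea goes into the message body and may legitimately contain newlines.
const HEADER_FIELDS = ['email', 'first_name'];

// Return the header-bound fields that are not plain strings or contain CR, LF or NUL.
function injected_fields(array $post): array
{
    $bad = [];
    foreach (HEADER_FIELDS as $name) {
        if (!isset($post[$name])) {
            continue;
        }
        if (!is_string($post[$name]) || preg_match('/[\r\n\0]/', $post[$name])) {
            $bad[] = $name;
        }
    }
    return $bad;
}

// Build the fourth argument of mail(), or null when the submission must be dropped.
function build_headers(array $post): ?string
{
    if (injected_fields($post) !== []) {
        return null;
    }
    $from = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($from === false) {
        return null;
    }
    return "From: {$from}\r\nReply-To: {$from}";
}

// Constructed submissions: a normal one and one modelled on the probe in the first post.
$normal = ['email' => 'john@example.com', 'first_name' => 'John Smith', 'textarea' => "hi,\nnice site."];
$probe = $normal;
$probe['email'] = "probe@example.org\r\nbcc: third-party@example.com";

foreach (['normal' => $normal, 'probe' => $probe] as $label => $post) {
    $headers = build_headers($post);
    if ($headers === null) {
        // Record the rejection so the source can be blocked, as the thread suggests.
        echo "$label: rejected, bad fields: ", implode(',', injected_fields($post)), "\n";
    } else {
        echo "$label: ok, headers = ", json_encode($headers), "\n";
    }
}
```
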


Posted by Mikhail Esteves on October 3rd, 2005

It could also be a script written to spam the forms. In which case,
consider adding a CAPTCHA [1]

Mikhail

[1] http://en.wikipedia.org/wiki/Captcha

Posted by brucie on October 3rd, 2005

In post <news:1128323715.674202.91630@g44g2000cwa.googlegroups.com>,
Mikhail Esteves said:


rates for successfully cracking CAPTCHA are around 80-95% depending on the
method CAPTCHA used to generate the image.



--
l i t t l e v o i c e s

Posted by MGW on October 3rd, 2005

On 3 Oct 2005 00:15:15 -0700, "Mikhail Esteves" <mikster@gmail.com>
scrawled:

But if you add a captcha, be sure to include a way around it (for
example, on Yahoo you can click on a link to receive a verification
email) - otherwise you will lose people who are visually impaired or
have images blocked for some reason (such as using a text-only
browser).

--

MGW
Information on Hurricane Assistance - http://uniquelygifted.org/katrina.htm

Posted by Jim on October 3rd, 2005


"brucie" <shit@usenetshit.info> wrote in message
news:5kkmm0vodhtk.dlg@usenetshit.info...
Besides captcha is mainly useful for stopping the bots and won't help much
if the spammer is on your page sending the spam. Unless they are too stupid
to match up the letters.


--
Jim Snape of Page-Zone Web Hosting
AKA The thread ender.
http://www.page-zone.com



Posted by Heidi on October 4th, 2005

brucie wrote:
: rates for successfully cracking CAPTCHA are around 80-95% depending
: on the method CAPTCHA used to generate the image.

brucie!! *HUG*

