
Spam attack possible?

Posted: Fri Jul 29, 2005 4:55 am
by Addos
I have a form on this page in PHP
http://www.irishmusicteachers.ie/contact.php

I have this setup so that I actually get an email with all the details and
nothing is actually sent to my database. Lately I'm getting emails
containing the code below.
I have now found this site http://www.anders.com/cms/75/Crack.Attempt/Spam.Relay describing the details, but I don't really know how to approach what they recommend in my PHP script.

Thanks for any advice

Brian

This is my code

```php
// Headers are fixed strings; only the message body takes form input.
// The trailing "\r\n" the post appended to $from and $subject has been
// dropped: $from already ended in "\r\n" and the from: line added another
// "\n", and mail() supplies its own line endings for the subject.
// $messagedetails is not defined in the snippet as posted (presumably a form field).
$from    = 'IMT<info.blah.ie>';
$subject = 'Message from your Web Site';
$headers  = "To: Irish Music Teachers <info@blah.ie>\r\n";
$headers .= "from: $from\r\n";

$message  = $_POST['Name'] . ' is requesting some information.' . "\r\n";
$message .= ' ' . "\r\n";
$message .= 'The Subject is: ' . $_POST['Subject'] . "\r\n";
$message .= ' ' . "\r\n";
$message .= 'They wrote: ' . "$messagedetails" . "\r\n";
$message .= '' . "\r\n";
$message .= 'You can email them back at: ' . $_POST['Email'] . "\r\n";
$message .= ' ' . "\r\n";
$message .= ' ' . "\r\n";
$message .= ' ' . "\r\n";
$message .= 'This email has been automatically generated. Please do not reply to it.' . "\r\n";
```
And this is the spam email I often get.

```
kxsquqwn@irishmusicteachers.com is requesting some information.

The Subject is: kxsquqwn@irishmusicteachers.com
Content-Type: multipart/mixed; boundary="===============1884661094=="
MIME-Version: 1.0
Subject: b19e6e1e
To: kxsquqwn@irishmusicteachers.com
bcc: bergkoch8@aol.com
From: kxsquqwn@irishmusicteachers.com

This is a multi-part message in MIME format.

--===============1884661094==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

bugdqondhn
--===============1884661094==--


They wrote: kxsquqwn@irishmusicteachers.com

You can email them back at: kxsquqwn@irishmusicteachers.com
```

Posted: Tue Aug 09, 2005 6:45 am
by Ashiro
The moral of the story is:
Validate and filter ALL external data before using it.
In this case there is a bot trawling the net which is attempting to find a web form that allows injection of extra fields into the header of the email, which register as BCC. If you allow external data to go into your email before checking it, then you're vulnerable. Personally, all the scripts I've made have hard-coded mail functions and no external data goes into the header before being sent.

If yours does, then it suggests stripping all carriage return and newline characters from that data before placing it in your header.

You could do this like so:

```php
// str_replace() returns the cleaned string; it has to be assigned back,
// otherwise the original (possibly injected) value is what goes into the header.
$header_sendto = str_replace(array("\r", "\n"), "", $header_sendto);
```

I've made this purposefully as simple looking as possible.
The above spam you're getting does NOT automatically mean you're vulnerable. It means you've been checked for vulnerability.
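What Ashiro describes, as an added example that is not code from the thread: a form value concatenated straight into the mail headers lets the sender append header lines of their own (here a Bcc: and a Subject:), and removing every carriage return and line feed from the value before it reaches a header stops that. The header names, addresses and the probe string are constructed for illustration; the helper that lists header names stands in for what the mail transfer agent would parse, so nothing is actually sent. Requires PHP 7 or later.

```php
<?php
// Added example (not from the thread). Shows e-mail header injection through
// a form field and the CR/LF stripping defence. All names and addresses are
// constructed for illustration.

// A header-injection probe of the kind the bot sends: a plausible address
// followed by CRLF and extra header lines of the attacker's choosing.
$probe = "kxsquqwn@irishmusicteachers.com\r\n"
       . "Bcc: relay-target@example.com\r\n"
       . "Subject: b19e6e1e";

// Vulnerable: the reply address is placed in a header unchanged.
function buildHeadersUnsafe(string $replyTo): string
{
    $headers  = "To: Irish Music Teachers <info@blah.ie>\r\n";
    $headers .= "From: IMT <info@blah.ie>\r\n";
    $headers .= "Reply-To: " . $replyTo . "\r\n";
    return $headers;
}

// The fix from the post above: strip every carriage return and line feed.
// Without a line break the attacker cannot start a new header line.
function stripNewLines(string $value): string
{
    return str_replace(["\r", "\n"], '', $value);
}

function buildHeadersSafe(string $replyTo): string
{
    $headers  = "To: Irish Music Teachers <info@blah.ie>\r\n";
    $headers .= "From: IMT <info@blah.ie>\r\n";
    $headers .= "Reply-To: " . stripNewLines($replyTo) . "\r\n";
    return $headers;
}

// Split a header block into lines the way a mail transfer agent would and
// return the header names it contains, so the effect of the probe is visible
// without calling mail().
function headerNames(string $headers): array
{
    $names = [];
    foreach (preg_split('/\r\n|\r|\n/', $headers) as $line) {
        if (preg_match('/^([A-Za-z][A-Za-z0-9-]*):/', $line, $m)) {
            $names[] = strtolower($m[1]);
        }
    }
    return $names;
}

echo "unsafe: " . implode(', ', headerNames(buildHeadersUnsafe($probe))) . "\n";
echo "safe:   " . implode(', ', headerNames(buildHeadersSafe($probe))) . "\n";
```

With the probe above, the unsafe header block carries the injected bcc and subject headers alongside the three the script meant to send, while the stripped version folds the whole probe into a single (odd-looking but harmless) Reply-To value. Do not rely on mail() to catch this for you: it replaces control characters in its $to and $subject arguments, and newer PHP releases refuse an $additional_headers string containing doubled or malformed newlines, but a single well-formed injected header line in $additional_headers is handed to the mail transfer agent as-is.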

Posted: Tue Aug 09, 2005 7:43 am
by Addos
So to be completely clear the following is a risk:

```php
// $_POST['email'] is concatenated into the To header with no filtering,
// so a value containing "\r\n" adds header lines of the sender's choosing.
// $f_name_message and $to are not defined in the snippet as posted.
$from    = "Brian ";
$subject = 'My woes' . "\r\n";
$headers = 'To: admin<info@my_email.ie>, ' . $_POST['email'] . "\r\n";

$headers .= "From: $from" . "\r\n";
$message  = 'Thank you ' . "$f_name_message" . ' ' . 'for joining my team.' . "\r\n";

$message .= '' . "\r\n";
$message .= ': You said -' . $_POST['details'] . "\r\n";
mail($to, $subject, $message, $headers);
```
But if only the headers are amended like this, it's not at risk:

```php
// Replace every carriage return and line feed with a space.
function stripNewLines($original) {
    return preg_replace('/\r|\n/', ' ', $original);
}

// The function has to be called; as posted it was defined but never used,
// and the raw $_POST['email'] still went into the header.
$original = stripNewLines($_POST['email']);
$headers  = 'To: admin<info@my_email.ie>, ' . $original . "\r\n";
```
And finally this is perfectly ok as there is nothing passed to the headers
via the form as they are all hard coded.

```php
$from    = 'IMT<info.blah.ie>';
$subject = 'Message from your Web Site';
// Syntax repaired from the post (it read ."$original" inside the string).
// Note that $original is still concatenated into the To header here, so this
// line is only safe if $original has had CR/LF removed (or been validated)
// before it gets here; $to is not defined in the snippet as posted.
$headers  = "To: IMT <info@me.ie>, " . $original . "\r\n";
$headers .= "From: $from\r\n";

$message  = $_POST['Name'] . ' Thanks for joining.' . "\r\n";
$message .= ' ' . "\r\n";
$message .= 'The Subject is: ' . $_POST['Subject'] . "\r\n";
mail($to, $subject, $message, $headers);
```
Thanks again for all this help. It makes for great learning too!

Brian

Posted: Tue Aug 09, 2005 11:37 am
by josh
Your best bet is to only allow email addresses to be sent in the mail function if they have passed a strict regex.
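One way to implement what josh suggests, as an added example that is not his code: accept a form address only if it passes a strict pattern, and refuse the whole request otherwise, rather than trying to clean the value up. The pattern and the sample inputs are my own; the pattern is deliberately narrower than RFC 5322 (no quoted local parts, IP-literal domains or display names), which is fine for a contact form. Requires PHP 7 or later.

```php
<?php
// Added example (not from the thread): strict allowlist validation of an
// e-mail address before it is allowed anywhere near a mail header.
// Pattern and samples are constructed for illustration.

function isSafeEmail(string $value): bool
{
    // Any control character is an immediate reject: CR and LF end a header
    // line, and NUL or other controls have no place in an address either.
    if (preg_match('/[\x00-\x1F\x7F]/', $value)) {
        return false;
    }
    // Allowlist: one local part, one @, a dotted domain, nothing else.
    // Narrower than RFC 5322 on purpose: no quoted local parts, no IP
    // literals, no display names, no address lists.
    $strict = '/^[A-Za-z0-9._%+-]{1,64}@(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}$/';
    if (!preg_match($strict, $value)) {
        return false;
    }
    // Second opinion from PHP's own validator.
    return filter_var($value, FILTER_VALIDATE_EMAIL) !== false;
}

// The address is only placed in a header after it has passed the check;
// a failure aborts the request instead of sending a "cleaned" message.
function replyToHeader(string $email): string
{
    if (!isSafeEmail($email)) {
        throw new InvalidArgumentException('rejected e-mail address');
    }
    return 'Reply-To: ' . $email . "\r\n";
}

// Constructed samples: one legitimate address and several probe shapes
// (header injection, body injection, display name, address list).
$samples = [
    'brian@example.ie',
    "kxsquqwn@irishmusicteachers.com\r\nbcc: relay-target@example.com",
    "brian@example.ie\nContent-Type: multipart/mixed",
    'IMT <info@example.ie>',
    'brian@example.ie, second@example.ie',
];

foreach ($samples as $sample) {
    printf("%-70s %s\n", json_encode($sample), isSafeEmail($sample) ? 'accept' : 'reject');
}
```

Only the plain address passes; every probe shape is rejected before it could reach a header. Rejecting rather than stripping also means a legitimate user who mistypes their address gets an error they can fix, instead of a mangled Reply-To that silently goes nowhere. Note that $_POST values arrive already URL-decoded, so a "%0A" sent by the bot is a real line feed by the time it reaches this check.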