In the past two weeks, three of our hosting clients' websites have been exploited through a new and common security hole in contact forms.
The attack itself is extremely simple. Stick \n or \r into the “subject” or “your email” field to start a new line in the mail headers, then add a Bcc: header followed by a comma-delimited list of email addresses. When the form is submitted, every one of those Bcc’d addresses receives the message that was meant to be received only by you.
What spammers are doing is exploiting the hole above: they put their own spam into the ‘message’ field and their database of email addresses into the injected Bcc field.
What can you do to stop this stuff?
1) Image Verification
Many of these exploits are run on a routine basis by bots. Bots usually can’t read what’s in an image, let alone one written at an angle with different colors throughout the pattern of letters. Require the user to enter the string of letters he reads off the image before his message is sent.
2) Complicated PHP Code
Here’s some not-so-complicated PHP code that stops this kind of thing; edit the field name to match your form. It rejects the email field if it contains a carriage return, a line feed, or the separators (comma, semicolon, quotes) a spammer needs to smuggle extra recipients in:
<?php
// Reject the email field if it contains CR, LF or recipient separators
$email = $_POST['email'] ?? '';
if (preg_match('/[\r\n,;\'"]/', $email)) {
    exit('Invalid email address');
} else {
    // code to send the mail
}
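Here is an added, fuller worked example (not the code from the original post) that applies the same check to every field that ends up in a mail header, not only the email address, and refuses to build the headers at all if any field fails. The function names header_field_is_safe, email_field_is_safe and build_mail_headers, and the sample addresses, are assumptions constructed for the example.

```php
<?php
// Added example, not the original post's code. Function names and sample
// inputs are assumptions constructed for illustration.

// Characters that must never appear in a value destined for a mail header:
// CR and LF (they start a new header line), plus the separators a spammer
// needs to append extra recipients. Same character class as the post's check.
function header_field_is_safe(string $value): bool
{
    return preg_match('/[\r\n,;\'"]/', $value) !== 1;
}

// Stricter check for the "your email" field: it must be one syntactically
// valid address and nothing else.
function email_field_is_safe(string $value): bool
{
    return header_field_is_safe($value)
        && filter_var($value, FILTER_VALIDATE_EMAIL) !== false;
}

// Builds the argument set for mail() only after every header-bound field
// passed. Returns null when any field is unsafe so the caller refuses to send
// instead of trying to "clean" the value.
function build_mail_headers(string $from, string $subject): ?array
{
    if (!email_field_is_safe($from) || !header_field_is_safe($subject)) {
        return null;
    }
    return [
        'subject' => $subject,
        'headers' => "From: $from\r\nReply-To: $from\r\n",
    ];
}

// Constructed sample submissions: one legitimate, three with injected
// Bcc headers or extra recipients in the places the post describes.
$samples = [
    'legit'  => ['alice@example.com', 'Question about hosting'],
    'bcc_lf' => ["alice@example.com\nBcc: v1@example.net, v2@example.net", 'Hi'],
    'bcc_cr' => ['alice@example.com', "Hi\r\nBcc: v3@example.net"],
    'comma'  => ['alice@example.com, bob@example.net', 'Hi'],
];

foreach ($samples as $name => [$from, $subject]) {
    $result = build_mail_headers($from, $subject);
    printf("%-7s %s\n", $name, $result === null ? 'REJECTED' : 'ok');
}
```

Run it from the command line with php: the legitimate sample is the only one that builds headers; the three injected samples are refused before anything reaches mail(). Rejecting rather than stripping is deliberate: a stripped value still tells you nothing about what else the bot put in the other fields, and a refused submission is the one you want to log.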
3) mod_security
mod_security is an add-on module for Apache made for filtering out all kinds of attacks: SQL injection, XSS, and it can filter out this kind of attack too. Add this to your mod_security configuration (these are mod_security 1.x directives; 2.x replaced SecFilterSelective with SecRule, so translate accordingly):
SecFilterSelective POST_PAYLOAD "Subject\:" chain
SecFilterSelective ARG_Bcc ".*\@"
SecFilterSelective POST_PAYLOAD "Subject\:" chain
SecFilterSelective POST_PAYLOAD "\s*bcc\:"
SecFilterSelective ARGS_VALUES "\n\s*bcc\:.*\@"
4) Multi-part forms
If they have to go through 3 or 4 pages to exploit your script, this lessens the likelihood of a bot-based attack.
Many many many many many scripts are vulnerable to this attack. Take care of your websites, will ya people?
May 17, 2006 at 9:34 pm
mod_security is probably the best way to stop the bleeding on existing systems. It’s kind of like a stateful firewall for web applications. See http://blogs.pathf.com/highperf/2006/05/php_spam_inject.html for a more detailed howto.
July 4, 2006 at 6:22 am
One of my clients just had this, 15 of their sites (all built using the same framework) came under a huge spam attack which did exactly what you mention above, wiped out about 15gb of bandwidth in 3 days!
The quick work around (since this is a live server and heavily used) I’ve put in place is to put a 255 character limit on all fields in the message, and a double check on strlen at the actual send phase (since all emails go through the same class/function).
This has appeared to solve the problem but I’d be interested to know if anyone can see a blatant flaw with this method?
October 26, 2007 at 8:21 pm
I’m not sure if I want to try that one, sounds like a neat trick though.
May 27, 2012 at 12:53 pm
Wanted to drop a comment and let you know your RSS feed isn’t functioning today. I tried adding it to my Yahoo reader account but got nothing.