Spam Injection

December 8, 2005

In these past two weeks, three of our hosting client websites have been exploited by a new, and common security hole among Contact Forms.

The attack itself is extremely simple. Simply stick \n or \r into the “subject” or “your email” field in an email to create a new line, then bcc in the rest of your comma-delimited email addresses in. Then when you submit the form, all of those bcc’d in email addresses will recieve the message that was intended to only be recieved by the you.

What spammers are doing is exploiting the above hole, and sticking their own spam into the ‘message’ field, and sticking their database of emails into the bcc field.

What can you do to stop this stuff?

1) Image Verification
Many of these exploits are run on a reutine basis by bots. Bots can’t usually detect what’s in an image, let alone one that is written on an angle with different colors throughout the pattern of letters. Require a user enter a string of letters he would have to read off of an image to send out his message.

2) Complicated PHP Code
Here’s some complicated php code that can be used to stop this kinda thing, you will need to edit some variables to fit your form:

if (preg_match(’ /[\r\n,;\’?]/ ‘, $_POST[’email’])) {
exit(’Invalid email address’);
else {
//code to send the mail

3) mod_security
mod_security is an addon module for apache that is made for filtering out all kinds of attacks. SQL Injection, XSS, and it can even filter out this kinda attack. Just add this into your mod_security configuration:

SecFilterSelective POST_PAYLOAD "Subject\:" chain
SecFilterSelective ARG_Bcc ".*\@"
SecFilterSelective POST_PAYLOAD "Subject\:" chain
SecFilterSelective POST_PAYLOAD "\s*bcc\:"
SecFilterSelective ARGS_VALUES "\n\s*bcc\:.*\@"

4) Multi-part forms
If they have to go through 3 or 4 pages to exploit your script, this is going to lessen the likelyhood of a bot-based attack.

Many many many many many scripts are vulnerable to this attack. Take care of your websites, will ya people?


18 Responses to “Spam Injection”

  1. dkappe Says:

    mod_security is probably the best way to stop the bleeding on existing systems. It’s kind of like a stateful firewall for web applications. See for a more detailed howto.

  2. Toby Skinner Says:

    One of my clients just had this, 15 of their sites (all built using the same framework) came under a huge spam attack which did exactly what you mention above, wiped out about 15gb of bandwidth in 3 days!

    The quick work around (since this is a live server and heavily used) I’ve put in place is to put a 255 character limit on all fields in the message, and a double check on strlen at the actual send phase (since all emails go through the same class/function).

    This has appeared to solve the problem but I’d be interested to know if anyone can see a blatent flaw with this method?

  3. Krista Antonini Says:

    I’m not sure if I want to try that one, sounds like a neat trick thought.

  4. Daria Harlow Says:

    I don’t usually reply to posts but I’ll in this case.
    my God, i thought you were going to chip in with some decisive insght in the finish there, not leave it
    with ‘we go away it to you to decide’.

  5. Cxevgkpl Says:

    I’ve been made redundant nude preteen

  6. Vudthcrx Says:

    Will I have to work on Saturdays? cute little teen lolita 957286

  7. Qomzmbgo Says:

    Punk not dead kdz bbs cp i must say, this is a fantastic porno. The (probably acted) passion is good enough to make this seriously hot.

  8. Bnvlpnrm Says:

    I came here to work karen teen model Fucking LOVE the body on this blonde – and a super pussy and asshole to eat out. Wouldn’t mind fucking the guy either for that matter –

  9. Lfzzxpui Says:

    This is the job description teen tights bbs Too bad they couldn’t show all these deleted scenes on the VHS version I had as a youngin. I always knew Snow White was a filthy slut with a midget fetish.

  10. Ohgjmaog Says:

    Is it convenient to talk at the moment? preteen pictures mouse This is one of the hottest vids on Pornhub! I had to keep stopping stroking my cock to make it through the video without cumming!

  11. news Says:

    Wanted to drop a comment and let you know your Rss feed isnt functioning today. I tried adding it to my Yahoo reader account but got nothing.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: