Form Post Hijacking Spam

First off, let me apologise if you've received any spam emails supposedly from gavinvincent.co.uk, my email form was hijacked last night. I woke up to find about 250 "undelivered mail" messages to aol users I'd not sent any message to.
The From, Name and Subject fields of my form (and of a lot of other forms out there) go straight into the email header. A spammer exploits this by posting a From address that contains newline characters (\n or \r); if these are not checked, the spammer can insert whatever headers they like, including Bcc headers, or a Content-type and boundary header, so that they can use your server to go about their foul business instead of their own.
How can it be beaten? Fortunately it is quite easy: just strip out or disallow newlines in any field that ends up in a header:

$from = str_replace("\r", "", $from);
$from = str_replace("\n", "", $from);

/* or you could stop yourself from receiving any such email in the first place by refusing to send it */

// $value is any submitted field that ends up in a header (from, name, subject)
if (strpos($value, "\r") !== false || strpos($value, "\n") !== false) {
    // do not send
}

For extra security you could also refuse to send the email if Content-type appears in any of the header fields.
If you become the victim of such an attack, you will usually receive 4 or 5 e-mails containing junk in the From, Subject and message fields within a few seconds. This is the spammer testing your script to see if it is vulnerable: they put their own address in the Bcc, and if they get it back they know they have found a host and will start sending spam en masse through your server. If you get 4 or 5 e-mails like this, don't ignore it; make sure your script is secure!
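Here is the whole thing put together as an added example (my own illustration, not the code that was running on this site): every field that reaches a header is checked for newlines and for Content-type as described above, a rejected submission is logged so that the spammer's 4 or 5 probe messages show up in the log instead of your inbox, and the From address is additionally run through filter_var(), which goes a step beyond the post by insisting on a plain valid address. The field names, the log path and the two sample submissions are constructed for the demonstration; nothing is actually sent.

```php
<?php
// Added example, not code from the original post. Field names, the log
// path and the sample inputs below are constructed for illustration.

// Returns true only if $value can be placed in a mail header without
// letting the visitor add headers of their own.
function header_field_is_safe($value)
{
    // A CR or LF ends the current header line, which is exactly what an
    // injected "Bcc:" or "Content-type:" needs in order to work.
    if (strpos($value, "\r") !== false || strpos($value, "\n") !== false) {
        return false;
    }
    // Belt and braces: nothing a visitor types should ever name a MIME type.
    if (stripos($value, 'content-type') !== false) {
        return false;
    }
    return true;
}

// Builds the extra headers for mail(), or returns false if any field fails.
function build_contact_headers($from, $name)
{
    // Beyond the post's own check: the address must be a plain, valid
    // email address. filter_var() rejects newlines and other junk as well.
    if (filter_var($from, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    foreach (array($from, $name) as $field) {
        if (!header_field_is_safe($field)) {
            return false;
        }
    }
    return "From: $name <$from>\r\nReply-To: $from\r\n";
}

// Decides whether a form post may be sent. Refused posts are written to
// $logfile with the client address, so a burst of rejections is visible.
function handle_contact_form(array $post, $logfile)
{
    $from    = isset($post['from'])    ? $post['from']    : '';
    $name    = isset($post['name'])    ? $post['name']    : '';
    $subject = isset($post['subject']) ? $post['subject'] : '';

    $headers = build_contact_headers($from, $name);
    if ($headers === false || !header_field_is_safe($subject)) {
        $client = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'cli';
        $line = date('c') . " rejected contact form post from $client"
              . " (from=" . json_encode($from) . ")\n";
        error_log($line, 3, $logfile);
        return array('status' => 'rejected');
    }

    // The real script would call mail($to, $subject, $body, $headers) here;
    // this example only reports what would have been sent.
    return array('status' => 'ok', 'headers' => $headers);
}

// Constructed sample submissions: a genuine one and the kind of probe the
// post describes (a newline followed by a Bcc header inside the From field).
$genuine = array(
    'from'    => 'alice@example.com',
    'name'    => 'Alice',
    'subject' => 'Hello from your website',
);
$probe = array(
    'from'    => "alice@example.com\r\nBcc: probe@example.net",
    'name'    => 'test',
    'subject' => 'test',
);

$log = sys_get_temp_dir() . '/contact-form-rejects.log';
foreach (array('genuine' => $genuine, 'probe' => $probe) as $label => $post) {
    $result = handle_contact_form($post, $log);
    echo $label, ': ', $result['status'], "\n";
}
// Expected: "genuine: ok" and "probe: rejected", with one line added to $log.
```

The rejection log is the useful part for the early-warning case described above: when several rejected posts from the same address land within a few seconds, that is the probe, and the spammer never sees a copy come back.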

Here are some links for more information:
Posted 14 Mar 2006