Posted by Dotan Cohen on 08/17/05 23:36
On 8/17/05, Greg Schnippel <schnippy@gmail.com> wrote:
> > I'll reply soon off list, as I don't think it appropriate to give
> > potential spammers an archive full of new tricks.
>
> I don't know -- I think its always better to discuss this in the open
> if there is a real security risk that people should be aware of.
>
> A couple days after your posting to PHP-General, I saw the same kind
> of probe on my system:
>
> <begin clueless code>
> Content-Type: multipart/mixed; boundary="===============0493326424=="
> MIME-Version: 1.0
> Subject: c3b8e7fc
> To: wmlhlk@gyre.org
> bcc: bergkoch8@aol.com
> From: wmlhlk@gyre.org
>
> This is a multi-part message in MIME format.
>
> --===============0493326424==
> Content-Type: text/plain; charset="us-ascii"
> MIME-Version: 1.0
> Content-Transfer-Encoding: 7bit
>
> awhvtr
> --===============0493326424==--
> </end clueless code>
>
> This was submitted through a simple web contact form with a message,
> subject, and body form fields. The hakor submitted the above as the
> body of the message 3-4 times then seemed to give up (although he did
> send a few obnoxious threats). I don't believe this did anything
> because
>
> 1) I never got a bounce message from the made-up address he attempted
> to send to ("wmlhlk@gyre.org")
>
> 2) I believe that since the mail function already sent out the
> headers, any subsequent "headers" would just be ignored. Or they would
> be treated as text since they occurred in the message portion and not
> parsed literally.
>
> Not sure that there is any risk here, but I'm shrouding my contact
> script (changing the form variables and script name to something less
> obvious) just in case.
>
> - Greg
I believe that sendmail would send the two emails. How could it know
that the headers are not part of a new message? I haven't tested it
yet, but to be on the safe side I put up some filters that check for
certain content in the form. If the content is there, then nothing
gets sent to mail(). Just a little while ago the spammer sent me a message
with the form, regarding his opinion of myself, my mother, a horse,
and a dead man.
His IP was 80.172.48.102
Dotan Cohen
http://lyricslist.com/lyrics/artist_albums/332/mccartney_paul.php
McCartney, Paul Song Lyrics
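The filtering Dotan describes, written out as an added example that is not code from either poster. It treats the two halves of the problem separately: any CR or LF in a field that ends up on a header line (subject, address) lets the sender append headers such as `bcc:` to the message mail() hands to sendmail, so those fields are rejected outright; the probe quoted above landed in the body field, where MIME header lines stay plain text, so for that field the check only serves to detect and log the attempt. The function names, the `$site_from` address and the use of `error_log` are assumptions made for this example.

```php
<?php
// Added example, not from the thread: validate contact-form input before
// it reaches mail(). Names and the site address below are assumptions.

function has_header_injection(string $value): bool
{
    // A CR, LF or NUL (raw or URL-encoded) inside a single header field
    // is how an extra header line such as "bcc:" gets appended.
    return (bool) preg_match('/[\r\n\0]|%0[ad]/i', $value);
}

function looks_like_mime_probe(string $body): bool
{
    // Header-looking lines at the start of a line in the body field are
    // the fingerprint of the probe quoted in the thread. In the body they
    // are harmless text, but they are worth logging.
    return (bool) preg_match('/^(Content-Type|MIME-Version|bcc|cc|to|from|subject):/im', $body);
}

function validate_contact_form(array $post): array
{
    $errors = [];
    foreach (['name', 'email', 'subject'] as $field) {
        if (has_header_injection($post[$field] ?? '')) {
            $errors[] = "$field contains line breaks";
        }
    }
    if (filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email is not a valid address';
    }
    if (looks_like_mime_probe($post['body'] ?? '')) {
        $errors[] = 'body contains MIME header lines';
    }
    return $errors;
}

function send_contact_mail(array $post, string $recipient, string $site_from): bool
{
    $errors = validate_contact_form($post);
    if ($errors) {
        // Record the source address so repeated probes can be reviewed.
        error_log('contact form rejected from '
            . ($_SERVER['REMOTE_ADDR'] ?? 'unknown') . ': ' . implode('; ', $errors));
        return false;
    }
    // Only values that passed the CR/LF check reach a header line. The
    // visitor's address goes in Reply-To; From stays a fixed site address.
    $headers = 'From: ' . $site_from . "\r\n"
             . 'Reply-To: ' . $post['email'] . "\r\n"
             . "Content-Type: text/plain; charset=UTF-8\r\n";
    return mail($recipient, $post['subject'], $post['body'], $headers);
}

// Constructed sample input modelled on the probe quoted above; the bcc
// address and boundary are the ones that appear in the thread.
$probe = [
    'name'    => 'x',
    'email'   => 'wmlhlk@gyre.org',
    'subject' => 'c3b8e7fc',
    'body'    => "Content-Type: multipart/mixed; boundary=\"===============0493326424==\"\n"
               . "MIME-Version: 1.0\nbcc: bergkoch8@aol.com\n\nawhvtr\n",
];
// A subject carrying an injected header line, which is the dangerous case.
$injected = $probe;
$injected['body']    = 'hello';
$injected['subject'] = "hi\r\nbcc: bergkoch8@aol.com";

print_r(validate_contact_form($probe));
print_r(validate_contact_form($injected));
```

Rejecting rather than stripping the offending characters keeps the handler simple and makes each attempt visible in the log; whether the body check should block the message or only log it depends on how often legitimate visitors paste mail headers into a contact form, which for most sites is never.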