Posted by arjenmeijer@nietbereikbaar.nl on 09/15/05 22:09
Paul Marshall wrote:
 > Hi
 >
 > I am at my wits' end!  I have a PHP script running that captures variables
 > posted from a form on the previous page.  The script then emails the
 > results using the mail() function.
 >
 > The script is currently being spammed in two ways:
 >
 > 1) The page is being loaded directly, therefore emailing blank results
 > 2) The variables are made up of an accepted email address (all variables
 > are filled with it).  This email address is random, created using any
 > combination of characters before the accepted domain.
 >
 > Does anyone have any ideas of how I can stop this?  The mails are
 > exceeding 60 per day now!  Obviously it is some form of program doing it
 > but I don't know of a way that I can stop it, either to restrict the
 > variables or the script page or what?
 >
 > Any help would be much appreciated!
 >
 > Paul :s
 >
 > marshallrp AT gmail DOT com
 >
 Validating an email address does not solve the problem.
 
 See http://www.anders.com/cms/75/Crack.Attempt/Spam.Relay
 
 Excerpts:
 
 Make sure you end your headers with \r\n\r\n.
 
 change
 
 $headers .= "From: " . $from . "\r\n";
 
 to
 
 $headers .= "From: " . $from . "\r\n\r\n";
 
 It is always best to filter mail form inputs
 
 // Strip \r and \n from the email address
 
 $_POST['email'] = preg_replace('/\r/', "", $_POST['email']); // preg_replace() needs delimiters; a bare "\r" is not a valid pattern
 $_POST['email'] = preg_replace('/\n/', "", $_POST['email']);
 
 // Remove injected headers
 
 $find = array("/bcc\:/i","/Content\-Type\:/i","/cc\:/i","/to\:/i");
 
 $_POST['email'] = preg_replace($find, "", $_POST['email']);
 $comments = preg_replace($find, "", $comments);
 
 ---------------------------------------------------------------------------------------------------------------
 
 http://www.sinisterfrog.com
 My latest news post suggests my solution. Basically for all variables use $name=stripslashes($_POST['name']);
 ---------------------------------------------------------------------------------------------------------------
 try this in PHP:
 clean_variables($_POST);
 function clean_variables( &$value )
 {
 if(is_array($value)){
 // array_walk() already hands each element to the callback by reference when
 // the callback declares &$value; the call-time "&" was removed in PHP 5.4
 array_walk($value,'clean_variables');
 return;
 } else {
 $value = str_replace(array("\r","\n","Content-Type:"),"",$value);
 }
 }
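An added example that is not code from the anders.com article or from the clean_variables post above. It applies both ideas defensively: every posted field is walked, but a field that ends up in a header line causes the request to be rejected if it carries a line break, instead of being silently stripped, and the address is validated with filter_var() rather than a header-name word list. The field names, the recipient address and the recording mailer are assumptions for the demonstration.

```php
<?php
// Added example: not code from the anders.com article or the clean_variables post.
// Header-bound fields are rejected on any line break; the address is checked with
// filter_var(); the body is left alone. Field names, recipient and the recording
// mailer are assumptions for the demonstration.

const HEADER_FIELDS = ['name', 'email', 'subject'];  // reach the Subject:/Reply-To: lines
const BODY_FIELDS   = ['comments'];                   // only ever go into the message body

// A value bound for a header line may not contain CR, LF or NUL. Without a line
// break no second header can be started, so this one check is the actual fix; the
// bcc:/cc: word lists elsewhere in this thread are defence in depth at best.
function header_value_is_safe(string $value): bool
{
    return preg_match('/[\r\n\0]/', $value) === 0;
}

// Returns a list of problems; an empty list means the post may be mailed.
function validate_contact_post(array $post): array
{
    $problems = [];
    foreach (HEADER_FIELDS as $field) {
        $value = $post[$field] ?? '';
        if (!is_string($value)) {          // field[]=... arrays never belong in a header
            $problems[] = "$field: not a string";
        } elseif (!header_value_is_safe($value)) {
            $problems[] = "$field: line break in header-bound field";
        }
    }
    $email = $post['email'] ?? '';
    if (!is_string($email) || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $problems[] = 'email: not a valid address';
    }
    foreach (BODY_FIELDS as $field) {
        $value = $post[$field] ?? '';
        if (!is_string($value) || trim($value) === '') {
            $problems[] = "$field: empty";
        }
    }
    return $problems;
}

// Builds the mail() arguments from a validated post. The body may contain line
// breaks freely: mail() terminates the header block itself, so nothing in the body
// can become a header. $mailer is injectable so the function can be exercised
// without a sendmail binary.
function send_contact(array $post, string $to, callable $mailer = 'mail'): bool
{
    if (validate_contact_post($post) !== []) {
        return false;
    }
    $name    = trim($post['name'] ?? '');
    $email   = $post['email'];
    $subject = trim($post['subject'] ?? '') ?: 'Contact form';
    // From: is our own address (keeps SPF/DMARC happy); the visitor goes in Reply-To:
    $headers = "From: $to\r\nReply-To: $name <$email>\r\n";
    $body    = "From: $name <$email>\r\n\r\n" . $post['comments'];
    return (bool)$mailer($to, $subject, $body, $headers);
}

// Constructed sample posts (not real traffic), sent through a mailer that only records.
$sent = [];
$recorder = function ($to, $subject, $body, $headers) use (&$sent) {
    $sent[] = compact('to', 'subject', 'body', 'headers');
    return true;
};

$clean = ['name' => 'Paul', 'email' => 'paul@example.com', 'subject' => 'Hello',
          'comments' => "line one\r\nline two"];
$injected = $clean;
$injected['email'] = "paul@example.com\r\nBcc: someone@example.net";  // constructed bad input

var_dump(send_contact($clean, 'me@example.com', $recorder));
var_dump(send_contact($injected, 'me@example.com', $recorder));
print_r(validate_contact_post($injected));
echo count($sent), " message(s) recorded\n";
```

Run from the command line, the clean post is handed to the recorder and the one with the embedded line break is refused before mail() is reached, with validate_contact_post() reporting both the line break and the failed address check. Rejecting rather than stripping also leaves a clean signal in the logs, which a silent str_replace() never does.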
 
 ---------------------------------------------------------------------------------------------------------------
 Seems like they're very active, again. Found this site via googling "bergkoch8@aol.com". Luckily I was sitting at my computer yesterday around 21:50 when the first attempts dropped in at my EMail account. Took the formmail script off immediately and then searched every POST variable in PHP with the following code:
 
 if (preg_match('/\r|\n|Content-Type:/i', $MailFrom)) { // eregi() was removed in PHP 7
 die("SPAM Injection Error :(");
 }
 
 ---------------------------------------------------------------------------------------------------------------
 I'm a PHP minimalist and the following seems to prevent from getting any more of these mails:
 
 if(
 preg_match('/\r/', $_POST["email"])
 || preg_match('/\n/', $_POST["email"])
 || stripos($_POST["email"], "@mydomain.net") !== false
 || stripos($_POST["message"], "@mydomain.net") !== false
 || stripos($_POST["message"], "boundary=") !== false
 ) // eregi() was removed in PHP 7; stripos() gives the same case-insensitive match for a literal
 {
 die($sorry_string);
 }
 
 ---------------------------------------------------------------------------------------------------------------
 They always use bcc to send the mail so now we just block any mail with bcc
 
 <% if (CGI.getValue("bcc").length()>0) { %>
 <%//
 // This is SPAM
 //
 // So don't send any emails!
 //%>
 
 <% } else { %>
 ---------------------------------------------------------------------------------------------------------------
 
 Looking at my logs, I noticed that the requests from the bots don't contain the HTTP_USER_AGENT field, and the HTTP_REFERER field is set to my home page, not to the address of my contact form.
 
 So I added the following to my php script:
 $valid_user_agent = isset($_SERVER["HTTP_USER_AGENT"]) && $_SERVER["HTTP_USER_AGENT"] != "";
 $valid_referrer = isset($_SERVER["HTTP_REFERER"]) && $_SERVER["HTTP_REFERER"] == "http://{$_SERVER["HTTP_HOST"]}/contact.php";
 
 if ( $valid_user_agent && $valid_referrer ) {
 // send email
 } else {
 // spambot
 }
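An added example, not the poster's code, that reads the same two request headers as signals rather than as a gate: the referer is compared by host and path instead of by exact string, so the check survives https:// and a query string, and the verdict is logged instead of used to drop the request, since both headers are supplied by the client. The form path and the two header arrays are constructed for the demonstration.

```php
<?php
// Added example (not the poster's code): User-Agent and Referer treated as
// automation *signals*. $_SERVER is passed in so the function can be exercised
// with constructed arrays; the form path is an assumption.

function automation_signals(array $server, string $formPath): array
{
    $signals = [];

    if (trim($server['HTTP_USER_AGENT'] ?? '') === '') {
        $signals[] = 'empty-user-agent';
    }

    $referer = $server['HTTP_REFERER'] ?? '';
    if ($referer === '') {
        $signals[] = 'no-referer';      // also true for browsers with a strict Referrer-Policy
    } else {
        $host = (string)(parse_url($referer, PHP_URL_HOST) ?? '');
        $path = (string)(parse_url($referer, PHP_URL_PATH) ?? '');
        if (strcasecmp($host, $server['HTTP_HOST'] ?? '') !== 0) {
            $signals[] = 'foreign-referer';
        } elseif ($path !== $formPath) {
            $signals[] = 'referer-is-not-the-form';   // e.g. the home page, as observed above
        }
    }
    return $signals;
}

// Constructed request headers (not real log entries).
$browser = ['HTTP_HOST' => 'www.example.com', 'HTTP_USER_AGENT' => 'Mozilla/5.0',
            'HTTP_REFERER' => 'https://www.example.com/contact.php?lang=en'];
$bot     = ['HTTP_HOST' => 'www.example.com',
            'HTTP_REFERER' => 'http://www.example.com/'];

foreach (['browser' => $browser, 'bot' => $bot] as $label => $headers) {
    $signals = automation_signals($headers, '/contact.php');
    // Log the verdict rather than dropping the request: these headers are client-controlled
    // and a real visitor behind a strict referrer policy looks like the "bot" case.
    error_log(sprintf('%s: %s', $label, $signals ? implode(',', $signals) : 'no signals'));
}
```

The constructed browser request produces no signals; the constructed bot request produces empty-user-agent and referer-is-not-the-form. Because a bot can set both headers to whatever it likes, the line-break check on the posted fields remains the control that actually stops header injection; this only helps with noise and with triage.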
 ---------------------------------------------------------------------------------------------------------------
If the $from variable in post #208 comes from an input field of the form, this code is insecure. You have to apply a substitution as Anders has described in his article http://www.anders.com/projects/sysadmin/formPostHijacking/ to disable email injections.

If you want to ignore such attempts, apply a check similar to post #81 from Uwe. But this does not ignore all attempts, although they are harmless and only fill your mailbox.
 ---------------------------------------------------------------------------------------------------------------
 he can only go so far before his emails will be malformed and worthless
 
 $all_fields = $_POST['var1'].$_POST['var2'].$_POST['var3'].$_POST['etc']; // every posted field, concatenated

 if(stripos($all_fields, "Content-Transfer-Encoding") !== false){exit;} // eregi() was removed in PHP 7

 if(stripos($all_fields, "MIME-Version") !== false){exit;}

 if(stripos($all_fields, "Content-Type") !== false){exit;}
 ---------------------------------------------------------------------------------------------------------------
 here is my latest, i think it's working now.
 note: as stated above ... miss 1 variable and he will get through.
 
 he can only go so far before his emails will be malformed and worthless
 
 $all_fields = $_POST['var1'].$_POST['var2'].$_POST['var3'].$_POST['etc']; // every posted field, concatenated

 if(stripos($all_fields, "Content-Transfer-Encoding") !== false){exit;} // eregi() was removed in PHP 7

 if(stripos($all_fields, "MIME-Version") !== false){exit;}

 if(stripos($all_fields, "Content-Type") !== false){exit;}
 
MG from Brisbane, QLD, Australia
 #227 posted on Mon, Sep 12, 2005 05:47 PM
 253 emails from jrubin3546@aol.com
 
 Matthias from Germany
 #228 posted on Mon, Sep 12, 2005 05:49 PM
 FoTo50 from Austria finally explains why I am always getting 3 hits: I got 3 fields in my form, 2 text fields and one submit button. The latter does not transmit any string, therefore it is not causing any spam injection.
 
 Phil from Davie / Florida / USA
 #229 posted on Mon, Sep 12, 2005 06:02 PM
 I've been getting hit by probes under the variation jrubin3654@aol.com in connection with spam relaying. I think I've plugged all the possible leaks and the relaying has stopped. I'll try to report more details once I have documented the details. Phil
 
 Barbara from uk
 #230 posted on Mon, Sep 12, 2005 06:41 PM
This is for all those who want to get the attention of AOL. Ever read the 'review this site' posts on Alexa.com? Usually reserved for very good sites and for scams.
Now, if everyone who is getting no response from AOL about blocking the email addresses was to put a review about AOL and how they allow spammers to carry on.....
After reading how AOL was the first site to be attractive to phishing - getting unsuspecting AOL members to part with user profiles so that they could use valid email addresses for their spoofs - I think that AOL needs some encouragement to sort this out. Even if it means asking a genuine AOL client to change their email address so that the hacker/phisher can no longer use it.
 
 Mike from UK
 #231 posted on Mon, Sep 12, 2005 07:22 PM
 Hi
If you want a simple contact form, this code should be fine. It is simple enough to expand the fields. I didn't write it, this site did: http://www.totallyphp.co.uk. Basically, make note of its use of "stripslashes" to clean up the output.
 Just copy/paste this code to a page and call it something like contact.php (no other processor scripts required)
 
 If anyone can see a flaw in this, I'd be happy to know about it :)
 
 <?php
 $your_email = "nospam@yourdomain.com";
 $subject = "Contact Form Submission (yourdomain.com)";
 $empty_fields_message = "<p>Please go back and complete all the fields in the form.</p>";
 $thankyou_message = "<p>Thankyou. Your message has been sent.</p>";
 
 // read the fields only if they were posted, so a plain GET does not raise undefined-index notices
 $name = isset($_POST['txtName']) ? stripslashes($_POST['txtName']) : '';
 $email = isset($_POST['txtEmail']) ? stripslashes($_POST['txtEmail']) : '';
 $message = isset($_POST['txtMessage']) ? stripslashes($_POST['txtMessage']) : '';
 
 if (!isset($_POST['txtName'])) {
 ?>
 
 <form method="post" action="<?php echo $_SERVER['REQUEST_URI']; ?>">
 
 <p><label for="txtName">Name:</label><br />
 <input type="text" title="Enter your name" name="txtName" /></p>
 
 <p><label for="txtEmail">Email:</label><br />
 <input type="text" title="Enter your email address" name="txtEmail" /></p>
 
 <p><label for="txtMessage">Your message:</label><br />
 <textarea title="Enter your message" name="txtMessage"></textarea></p>
 
 <p><label title="Send your message">
 <input type="submit" value="Send" /></label></p>
 
 </form>
 
 <?php
 
 }
 
 elseif (empty($name) || empty($email) || empty($message)) {
 echo $empty_fields_message;
 }
 
 else {
 $referer = $_SERVER['HTTP_REFERER'] ?? '';
 $this_url = "http://".$_SERVER['HTTP_HOST'].$_SERVER["REQUEST_URI"];
 // Also refuse a line break in the values that go into the From: line, or a
 // posted name/address could append further headers (Bcc: etc.)
 if ($referer != $this_url || preg_match('/[\r\n]/', $name . $email)) {
 echo "Haven't you got anything better to do?";
 exit;
 }

 // The URLs matched and the header values are single lines, so send the email
 mail($your_email, $subject, $message, "From: $name <$email>");
 
 // Display the thankyou message
 echo $thankyou_message;
 }
 ?>
 
 -----------------------------------------------------------------------------------------------------------------------
 
 
 // Sputnik Internet's spam stopping script.
 // If you have any text fields that should allow \r or \n,
 // add them to the first test inside the loop separated by ||, as so:
 // if ($postvar_name == "comments" || $postvar_name == "questions") {}
 // www.sputnikinternet.com

 foreach ($_POST as $postvar_name => $postvar_value) { // $HTTP_POST_VARS was removed in PHP 5.4
 if ($postvar_name == "comments" || $postvar_name == "questions") {
 continue; // multi-line fields: line breaks are expected here
 }
 if (is_string($postvar_value) && preg_match('/[\r\n]/', $postvar_value)) { // eregi() was removed in PHP 7
 die();
 }
 }
 -----------------------------------------------------------------------------------------------------------------------
This is what I am using now after 400+ emails from jrubin3546@aol.com.
 
 if (isset($_POST['Submit']))
 {
 $find = array("/bcc\:/i",
 "/Content\-Type\:/i",
 "/cc\:/i",
 "/to\:/i"
 );
 
 
 $_POST['name'] = preg_replace('/[\r\n]/', "", $_POST['name']); // strip CR and LF ("/\\\\r/" in double quotes only matched a literal backslash followed by r)
 $_POST['name'] = preg_replace($find, "", $_POST['name']);
 $name = $_POST['name'];

 // other fields
 // check all data has been entered
 //send mail
 }
 
It creates an array containing BCC, CC etc. and checks the posted data; if anything is found it removes the information, then it checks to see if any \r or \n occur in the field and if so removes them as well. Also escape the from email address as above and add \r\n\r\n to the end to stop any extra headers being added. e.g.
 
 $from = "From:$email\r\n\r\n";
 
 
 
 The way I use this code is:
 
 <?php

 $message_e = ''; // collects the validation messages shown with the form

 if (isset($_POST['submit'])) //user presses send
 {

 $find = array("/bcc\:/i",
 "/Content\-Type\:/i",
 "/cc\:/i",
 "/to\:/i"
 ); //set up array to find information that should not be there. You can add other things here but cc and bcc are the most important to stop the spammer sending out email from your address

 if (empty($_POST['name'])) {$name = false; $message_e .= 'please enter your name<br>';}
 else
 {
 $_POST['name'] = preg_replace('/[\r\n]/', "", $_POST['name']); // strip CR and LF ("/\\\\r/" only matched a literal backslash-r)
 $_POST['name'] = preg_replace($find, "", $_POST['name']);
 $name = $_POST['name'];
 }
 //you need to change the $_POST['name'] to $_POST['your_variable']
 //You will need to do this for all the variables that are posted to the script that sends out the email

 if (empty($_POST['email'])) {$their_email = false; $message_e .= 'please enter your email address<br>';}
 else
 {
 $_POST['email'] = preg_replace('/[\r\n]/', "", $_POST['email']);
 $_POST['email'] = preg_replace($find, "", $_POST['email']);
 $their_email = $_POST['email'];
 }

 if ($name && $their_email) //if the name and email field are filled in send email else return to form and display $message_e
 {
 $from = "From:$their_email\r\n\r\n";
 // $enquiry, $about and $subject come from the other form fields, cleaned the same way as name and email
 $body = "Enquiry From: $name \r\n message: $enquiry \r\n how did you hear about us: $about";
 mail('me@somewhere.co.uk', $subject, $body, $from);
 }
 //if mail has been sent redirect to thank you page

 }
 else
 {
 ?>
 <!-- the form's HTML goes here -->
 <?php
 }
 ?>
 
 
 
 Additionally before submitting the email address is run through a regular expression to ensure that it is formatted correctly. For those interested in the expression:
 "^(([A-Za-z0-9]+_+)|([A-Za-z0-9]+\-+)|([A-Za-z0-9]+\.+)|([A-Za-z0-9]+\++))*[A-Za-z0-9]+@((\w+\-+)|(\w+\.))*\w{1,63}\.[a-zA-Z]{2,6}$"
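An added example, not code from the post above, that runs the posted pattern under PCRE against a few constructed addresses. It shows one caveat of the pattern's `$` anchor: unless the D (dollar-end-only) modifier is set, `$` also matches just before a final "\n", so a value ending in a bare newline passes. filter_var()'s FILTER_VALIDATE_EMAIL is shown alongside for comparison; the sample addresses are constructed.

```php
<?php
// Added example (not the poster's code): the posted pattern under PCRE, with and
// without the D modifier, next to filter_var(). Sample values are constructed.

const POSTED_EMAIL_RE = '^(([A-Za-z0-9]+_+)|([A-Za-z0-9]+\-+)|([A-Za-z0-9]+\.+)|([A-Za-z0-9]+\++))*[A-Za-z0-9]+@((\w+\-+)|(\w+\.))*\w{1,63}\.[a-zA-Z]{2,6}$';

// The pattern contains no "~", so that delimiter keeps it verbatim.
function matches_posted_re(string $email, bool $dollarEndOnly): bool
{
    $modifiers = $dollarEndOnly ? 'D' : '';
    return preg_match('~' . POSTED_EMAIL_RE . '~' . $modifiers, $email) === 1;
}

function passes_filter_var(string $email): bool
{
    return filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}

// Constructed test values; the CRLF one mirrors the multi-line input this thread is about.
$samples = [
    'plain'            => 'paul@example.com',
    'two-level tld'    => 'paul@example.co.uk',
    'trailing newline' => "paul@example.com\n",
    'crlf + header'    => "paul@example.com\r\nBcc: someone@example.net",
];

printf("%-18s %-6s %-6s %s\n", 'input', 're', 're+D', 'filter_var');
foreach ($samples as $label => $value) {
    printf("%-18s %-6s %-6s %s\n", $label,
        var_export(matches_posted_re($value, false), true),
        var_export(matches_posted_re($value, true), true),
        var_export(passes_filter_var($value), true));
}
```

The two well-formed addresses pass all three checks and the CRLF sample fails all three, but the trailing-newline sample is accepted by the pattern unless D is set. That is why an explicit CR/LF check (or filter_var(), which rejects control characters outright) belongs in front of any such pattern rather than relying on the anchors.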
 
 
 
 I've been getting loads of these through recently (same addresses as everyone else). My PHP mail function now looks like this:
 
 function safeEscapeString($string) {
 if (stristr($string,"Bcc")) {
 die("F*ck off spamming c*nt...");
 } else {
 $temp = preg_replace('/\r/', "", $string); // preg_replace() needs delimiters; a bare "\r" is not a valid pattern
 $temp = preg_replace('/\n/', "", $temp);
 return mysql_escape_string($temp); // removed in PHP 7; addslashes() gives the same escaping without a DB connection
 }
 }
 
 <?php
 
 function diescript($errmsg, $user, $domain) {
 // set up message to display if user doesn't fill out the form right or if injection exploit detected
 $errormsg = "Sorry. You have entered invalid contact information, please check your input and try again. ";
 $errormsg .= "<a href='javascript:history.back(1);'>Click here to go back</a>.<br /><br />";
 $errormsg .= "If you continue having problems, use your email program and email me at: ".$user."@".$domain." Thank you.<br /><br />\n";
 echo $errormsg . $errmsg . "</body></html>";
 die;
 }
 
 if (isset($_POST['submit'])) { // user pressed submit button
 
 // who are we sending the email to
 $user = "you"; // change this to your username
 $domain = "yourdomain.com"; //change this to your domain name
 
 // set up array to find information that should not be there - using 3 different arrays for different form fields
 $findfrom = array("/bcc\:/i","/Content\-Type\:/i","/cc\:/i","/to\:/i","/@mydomain.com/i","/boundary=/i","/\r/","/\n/","/%/","/;/","/,/");
 $findhead = array("/bcc\:/i","/Content\-Type\:/i","/cc\:/i","/to\:/i","/@mydomain.com/i","/boundary=/i","/\r/","/\n/","/%/");
 $findbody = array("/bcc\:/i","/Content\-Type\:/i","/cc\:/i","/to\:/i","/@mydomain.com/i","/boundary=/i");
 
 // default each field to "" so an unposted field does not raise an undefined-index notice
 $email = $_POST["email"] ?? '';
 $name = $_POST["name"] ?? '';
 $address = $_POST["address"] ?? '';
 $city = $_POST["city"] ?? '';
 $state = $_POST["state"] ?? '';
 $zip = $_POST["zip"] ?? '';
 $phone = $_POST["phone"] ?? '';
 $comments = $_POST["comments"] ?? '';
 $subject = "Website Contact"; // change this to whatever you want to show in the subject line
 
 // check from email against $findfrom array
 foreach ($findfrom as $n) {
 // checking email field
 if(preg_match($n, $email)) {
 $error = "Detected Potential Spam Attempt in Email: ".$n."<br />\n";
 diescript($error, $user, $domain);
 }
 }
 
 // check head email items against $findhead array
 foreach ($findhead as $n) {
 // checking name field
 if(preg_match($n, $name) || preg_match($n, $address) || preg_match($n, $city) || preg_match($n, $state) || preg_match($n, $zip) || preg_match($n, $phone)) {
 $error = "Detected Potential Spam Attempt: ".$n."<br />\n";
 diescript($error, $user, $domain);
 }
 }
 
 // check body email items against $findbody array
 foreach ($findbody as $n) {
 // checking comments field
 $comments = str_replace("%"," percent",$comments); // convert % sign to percent text
 if(preg_match($n, $comments)) {
 $error = "Detected Potential Spam Attempt in Comments: ".$n."<br />\n";
 diescript($error, $user, $domain);
 }
 }
 
 $emailmsg = "Name: " . $name . "\r\n\r\n" . "Subject: " . $subject . "\r\n\r\n" . "Email: " . $email . "\r\n\r\n" . "Address: " . $address . "\r\n\r\n" . "City: " . $city . "\r\n\r\n" . "State: " . $state . "\r\n\r\n" . "Zip: " . $zip . "\r\n\r\n" . "Phone: " . $phone . "\r\n\r\n" . "Comments: " . "\r\n\r\n" . $comments;
 $headers = "From: ".$email;
 mail($user."@".$domain, $subject, $emailmsg, $headers);
 $successmsg = "Thank you for submitting your contact information.<br /><br /><a href='javascript:history.back(1);'>Click here to go back.</a>"; // change link to whatever you want
 echo $successmsg;
 ?>
 
 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
 "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" >
 <head>
 <meta http-equiv="content-type" content="text/html; charset=iso-8859-1" />
 <meta name="keywords" content="" />
 <meta name="description" content="" />
 <meta name="robots" content="all" />
 <title>Your Site</title>
 </head>
 <body>
 
 <?php
 } else {
 ?>
 
 <form id="contact" method="post" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); /* the echo was missing, leaving action empty; PHP_SELF echoes the request path, so escape it */ ?>">
 <table width="100%" border="0" cellspacing="0" cellpadding="0">
 <tr><td>Name:</td><td colspan="2">Address:</td></tr>
 <tr><td><input type="text" name="name" size="30"></td><td colspan="2"><input type="text" name="address" size="35"></td></tr>
 <tr><td>City:</td><td>State:</td><td>Zip Code:</td></tr>
 <tr><td><input type="text" name="city" size="30"></td><td><input type="text" name="state" size="5"></td><td><input type="text" name="zip" size="10"></td></tr>
 <tr><td>E-mail (required):</td><td colspan="2">Phone:</td></tr>
 <tr><td><input type="text" name="email" size="30"></td><td colspan="2"><input type="text" name="phone" size="25"></td></tr>
 <tr><td colspan="3">Questions / Comments:</td></tr>
 <tr><td colspan="3"><textarea name="comments" cols="55" rows="3"></textarea></td></tr>
 <tr><td colspan="3" style="padding-left: 2px;"><br /><input type="submit" name="submit" value="Submit Form"></td></tr>
 </table>
 </form>
 
 <?php
 } ?> </body> </html>