|
Posted by Jochem Maas on 09/20/05 12:37
Chris W. Parker wrote:
> Hello,
>
> About a few weeks ago I started seeing three emails that all come at the
> same time (within the same minute) that seem to be trying to exploit a
> feedback form I have on our website. Everytime someone submits a
> feedback form I am sent the information they entered. The To and From
> address are hard coded.
that makes no difference, what the spammer is trying to do is pass
mail headers directly in the body of the email you are generating which when
passed to the SMTP server by whatever function/syscall you use will
be interpreted by the SMTP server as a seperate email to be sent.
this 'fairly recent' class of attack is already quite well documented,
google around for more info.
I don't if any mail classes out there deal with this issue for you,
I wrote a simple function to attempt to check for 'problem' message
bodies:
<?php
/* returns true if any of the values in the passed are suspect in terms
* of someone trying to hack our form based mailer to start sending people
* spam.
*
* simple example:
*
* if (emailFieldHackAttempt( $_REQUEST )) {
* die('off with thy head, spamwannabe!');
* }
*/
function emailFieldHackAttempt( $fieldVals )
{
$evilStrings = array(
'Content-Type: multipart/mixed;',
'Content-Type: text/plain;',
'boundary="',
'boundary=\\"',
'Content-Transfer-Encoding: 7bit',
"\nSubject: ",
'MIME-Version: ',
"\nbcc: ",
"\ncc: ",
"\nFrom: ",
"\nTo: ",
);
if (is_array($fieldVals) && count($fieldVals)) {
foreach ($evilStrings as $evilStr) {
foreach ($fieldVals as $k => $v) {
if (strstr($v, $evilStr) !== false) {
return true;
}
}
}
}
// nothing going on!
return false;
}
?>
any comments or improvements to this function are appreciated.
>
> Here is an example message
>
> [begin]
> == Name ==
>
> dtdegq@nonlethal.com
>
> == Agency ==
>
> dtdegq@nonlethal.com
> Content-Type: multipart/mixed; boundary="===============1815270735=="
> MIME-Version: 1.0
> Subject: a8f1a36a
> To: dtdegq@nonlethal.com
> bcc: mhkoch321@aol.com
> From: dtdegq@nonlethal.com
>
> This is a multi-part message in MIME format.
>
> --===============1815270735==
> Content-Type: text/plain; charset="us-ascii"
> MIME-Version: 1.0
> Content-Transfer-Encoding: 7bit
>
> thgfxnes
> --===============1815270735==--
>
>
> == Email ==
>
> dtdegq@nonlethal.com
>
> == Comment ==
>
> dtdegq@nonlethal.com
> [end]
>
> It seems to me that the attemped exploit is unsuccessful because I
> cannot find "dtdegq" or "mhko321" in /var/log/maillog. But I wanted to
> send this to the list in case someone knows different.
>
>
> Thanks,
> Chris.
>
[Back to original message]
|