Posted by Jerry Stuckle on 04/29/06 02:42

Martin Jay wrote:
> In message <ve-dnQNo9JQ-ms_ZnZ2dneKdnZydnZ2d@comcast.com>, Jerry Stuckle
> <jstucklex@attglobal.net> writes
>
>> Martin Jay wrote:
>>
>>> In message <XMednXc-99BGnM_ZnZ2dneKdnZydnZ2d@comcast.com>, Jerry
>>> Stuckle <jstucklex@attglobal.net> writes
>>>
>>>> Martin Jay wrote:
>>>>
>>>>> Okay, that's good.
>>>>> So in your HTML you'll have something like the:
>>>>> <select name="subject">
>>>>> <option value="Subject 1" SELECTED>Subject 1</option>
>>>>> <option value="Subject 2">Subject 2</option>
>>>>> <option value="Subject 3">Subject 3</option>
>>>>> </select>
>>>>> Just POST that off to your PHP script and then use the mail command:
>>>>> $subject = $_POST['subject'];
>>>>> /* It's probably a good idea to include this so you don't end up
>>>>> with \'
>>>>> and \" in the subject */
>>>>> $subject = stripslashes($subject);
>>>>> mail($to, $subject, $message);
>
>
>>>> Do this and you will be ripe for becoming a spam relay. At a minimum
>>>> you need to ensure there are no newline characters in the input.
>>>
>>> Please explain why.
>
>
>> Google "Email injection" for a lot more info. But basically - the
>> user could enter something like:
>>
>> This is a spammer subject
>> bcc: john@example.com, tom@example.com
>>
>> And so on. Quite easy to do - and used by a lot of spammers.
>> Unsecured scripts are used by a lot of spammers. Try another search on
>>
>> spam formmail
>>
>> And see what pops up.
>
>
> I (think) I understand the principle, but I cannot replicate it.
>
> The 'hack' seems to rely on email being routed by the 'to,' 'cc,' and
> 'bcc' fields in its header, which it isn't. Well, not until it reaches
> its destination, maybe.
>
> I emailed Paul an example script earlier. I've also uploaded it to:
> <http://www.spam-free.org.uk/pages/email_test.php>.
>
> I would be interested to see how the spamming technique you mention can
> be used with it. I have changed the form method from POST to GET to
> make it easier to 'hack.'

Either way. I just make a local copy of your form, edit it to add the headers I
want, and post it back to you. For instance, I place in the subject field:

This is spam
bcc: someone@example.com

And off it goes. The more fields I add, the more I'm sending.

Not hard at all.


--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
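Added example, not code from the thread or from either poster: a PHP validation step that refuses the injected subject described above (a line break followed by a `bcc:` line) before anything is handed to mail(). The function names, the allowed-subject list and the sample submissions are assumptions constructed for the example.

```php
<?php
// Added example (not from the thread): validate contact-form fields
// before they are used in mail() headers.

// A header value must stay on one line: any CR, LF or NUL would let the
// submitted text start a new header line (e.g. "bcc: ...") in the message.
function isSafeHeaderValue(string $value): bool
{
    return preg_match('/[\r\n\0]/', $value) !== 1;
}

// The subject comes from a <select>, so only the offered values are valid.
function isAllowedSubject(string $value, array $allowed): bool
{
    return in_array($value, $allowed, true);
}

// Returns a list of error messages; an empty list means the input may be
// passed to mail(). Both checks run on the subject so that a tampered copy
// of the form (the attack described in the thread) is rejected twice over.
function validateContactForm(array $input, array $allowedSubjects): array
{
    $errors  = [];
    $subject = $input['subject'] ?? '';
    $from    = $input['from'] ?? '';

    if (!isSafeHeaderValue($subject) || !isAllowedSubject($subject, $allowedSubjects)) {
        $errors[] = 'subject is not one of the offered values';
    }
    if (!isSafeHeaderValue($from) || filter_var($from, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'from address is not a single valid address';
    }
    return $errors;
}

$allowedSubjects = ['Subject 1', 'Subject 2', 'Subject 3'];

// Constructed inputs: a normal submission and the injected subject from the thread.
$good = ['subject' => 'Subject 1', 'from' => 'user@example.com'];
$bad  = ['subject' => "This is spam\nbcc: someone@example.com",
         'from'    => 'user@example.com'];

foreach (['good' => $good, 'bad' => $bad] as $label => $submission) {
    $errors = validateContactForm($submission, $allowedSubjects);
    echo $label, ': ', ($errors === [] ? 'accepted' : implode('; ', $errors)), PHP_EOL;
}
```

Only after validateContactForm() returns an empty list should the values be placed in the subject or in additional headers of mail(); stripping slashes does nothing about the line breaks that carry the injected header.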


