Web Contact Form Hacks Used to Send Spam

[Wazoo]

stolen from NANAE

Date: 27 Aug 2006 07:04:13 -0000

Message-ID: <M2K9V4KJ38956.1279282407[at]twistycreek.com>

From: I Hate Web Spams

Subject: And Now an Epidemic of Web Contact Form Hacks Used to Send spam

Newsgroups: news.admin.net-abuse.email

Over the last two weeks, the occasional spam from a hacked web form has

turned into a torrent. Most spammers aren't the brightest bulbs in the box,

so they like this technique because it requires virtually no talent and can

be run from a scri_pt. I did a random unscientific sample and found about a

10-15% of forms were exploitable, despite the stellar credentials of some

of their authors and webmasters. It's that easy to overlook.

The technique is perfect for spammers. Respected businesses end up sending

thousands of spams without their knowledge. Their mail addresses aren't on

any block lists (for the time being) because the recipients seldom

complain. As a result, lists of vulnerable web input forms can be recycled

and are probably being shared among spammers. These are world wide sources,

although the U.S., Britain, Germany and Japan has had the most exploited

forms so far.

How does he do it?? The spammer injects the characters '\n' and '\r' (end

of line and carriage return) in an explotiable web form  and then adds

"bcc:" followed by a long list of spamees. (If you host a web page with a

form and you start getting "bounces" related to your web form then that is

what has happened). After the spammer is allowed to do this several times,

your hosts's mail server ends up on a set of email blocklists from which

removal is unlikely. At that point your provider either disconnects you or

puts a contract out on you or both.

The bcc: lists vary from spam victim to spam victim, but I see a lot of

yahoo, gmail and hotmail addresses on there. Were talking about several

hundred per hacked web form. If the process is automated it is very easy to

see milions of spams coming out the other end.

If you have a web page with ANY kind of user input, verify that there is a

control character filter on you web form or that the mail handler you use

does not accept the "bcc" statement. Either one will foil his attempts. 

To filter

	with php use
	  "if(egregi("\r",[field]) || egregi("\n",[field])) die("No spam From Me!")   
	with perl use regular expression matching
	with C and C++ use regexec and regcomp.

to trap these characters.

There are a hundred good references in google on how to fix your form.

The spammer dejour using this technique is hawking hoodia/hgh/herbals

linking to coded urls from snipurl.com. She has also spammed for the fake

diploma guy at U.S. 314-219-2907. The snipurls are all coded differently,

probably to identify blocks of victims. The current scam site ends up at

http://hggdadcner.com, a hanaro site supposedly registered to a "Michael

McCain" in Palatine, IL, north of Chicago. Injection is coming from a

variety of sources in (where else?) China.

Blocklists trap 95% of "conventional" spam, but can not trap any of the web

form spam. If you host customers with web forms, demand that you check the

forms before they go online. Also, someone needs to start automatically

probing the millions of web forms out there and letting the owners and

hosting sites know if their forms are vulnerable. Since probing can be

construed as "computer invasion", it sounds like a project for a government

agency or a delegate like isc.org or cert.org.

[inko9nito]

	  if(egregi("\r",[field]) || egregi("\n",[field])) die("No spam From Me!");

Didn't anyone try testing this code? The eregi() function is misspelled twice. Or was that done on purpose?

[jongrose]

Which web contact forms are vulnerable? Are there specific systems that are problematic, or is this occurring with many different types of setups?

[StevenUnderwood]

	  if(egregi("\r",[field]) || egregi("\n",[field])) die("No spam From Me!");

Didn't anyone try testing this code? The eregi() function is misspelled twice. Or was that done on purpose?

Is it also possible that a spell checker somewhere along the lines made this change? egregi seems to be Italian for Kind or Dear.

[ivolator]

Why would this happen if you just escape the \r and \n? Or use just preg_replace('/\r/','',$message);. You can come up with more complex message to clean up the headers.

Also do not expose forms for not logged in users (why do that).

Log all activity.

Check for source of activity (i.e. add some GUID for user such as session id of some type).

Limit fields length, validate input .....

... only my humble opinion

[Wazoo]

Why would this happen if you just escape the \r and \n? Or use just preg_replace('/\r/','',$message);.

Depends on the code involved.

You can come up with more complex message to clean up the headers.

Also do not expose forms for not logged in users (why do that).

Log all activity.

Check for source of activity (i.e. add some GUID for user such as session id of some type).

Limit fields length, validate input .....

The general 'user' maintained web-site isn't also generally maintained by a programmer ....

Gee, I want a GuestBok ... Google for 'free GuestBok' ... toss out the hundreds that are "too hard to install" .. Oh kewl!! .. here's one that looks pretty easy and even better, it comes in Pink!!!!!

What are the odds that this one was 'easy to install' because it had no thoughts of security involved in the 5 lines of code that were provided (for free) ....