> Web Contact Form Hacks Used to Send Spam, Reposted from a NANAE thread
Wazoo
post Aug 27 2006, 12:13 PM
Post #1



Group: Forum Admin
Posts: 12892
Joined: 22-January 04
From: Iowa
Member No.: 18



stolen from NANAE
QUOTE
Date: 27 Aug 2006 07:04:13 -0000
Message-ID: <M2K9V4KJ38956.1279282407[at]twistycreek.com>
From: I Hate Web Spams
Subject: And Now an Epidemic of Web Contact Form Hacks Used to Send Spam
Newsgroups: news.admin.net-abuse.email


Over the last two weeks, the occasional spam from a hacked web form has turned into a torrent. Most spammers aren't the brightest bulbs in the box, so they like this technique because it requires virtually no talent and can be run from a script. I did a random unscientific sample and found about 10-15% of forms were exploitable, despite the stellar credentials of some of their authors and webmasters. It's that easy to overlook.

The technique is perfect for spammers. Respected businesses end up sending thousands of spams without their knowledge. Their mail addresses aren't on any block lists (for the time being) because the recipients seldom complain. As a result, lists of vulnerable web input forms can be recycled and are probably being shared among spammers. These are world wide sources, although the U.S., Britain, Germany and Japan have had the most exploited forms so far.

How does he do it?? The spammer injects the characters '\n' and '\r' (end of line and carriage return) in an exploitable web form and then adds "bcc:" followed by a long list of spamees. (If you host a web page with a form and you start getting "bounces" related to your web form then that is what has happened). After the spammer is allowed to do this several times, your host's mail server ends up on a set of email blocklists from which removal is unlikely. At that point your provider either disconnects you or puts a contract out on you or both.

The bcc: lists vary from spam victim to spam victim, but I see a lot of yahoo, gmail and hotmail addresses on there. We're talking about several hundred per hacked web form. If the process is automated it is very easy to see millions of spams coming out the other end.

If you have a web page with ANY kind of user input, verify that there is a control character filter on your web form or that the mail handler you use does not accept the "bcc" statement. Either one will foil his attempts.
To filter
CODE

    with php use
      "if(egregi("\r",[field]) || egregi("\n",[field])) die("No Spam From Me!")   
    with perl use regular expression matching
    with C and C++ use regexec and regcomp.

to trap these characters.

There are a hundred good references in google on how to fix your form.

The spammer du jour using this technique is hawking hoodia/hgh/herbals linking to coded urls from snipurl.com. She has also spammed for the fake diploma guy at U.S. 314-219-2907. The snipurls are all coded differently, probably to identify blocks of victims. The current scam site ends up at http://hggdadcner.com, a hanaro site supposedly registered to a "Michael McCain" in Palatine, IL, north of Chicago. Injection is coming from a variety of sources in (where else?) China.

Blocklists trap 95% of "conventional" spam, but cannot trap any of the web form spam. If you host customers with web forms, demand that you check the forms before they go online. Also, someone needs to start automatically probing the millions of web forms out there and letting the owners and hosting sites know if their forms are vulnerable. Since probing can be construed as "computer invasion", it sounds like a project for a government agency or a delegate like isc.org or cert.org.
inko9nito
post Jan 1 2007, 11:24 PM
Post #2



Group: Members
Posts: 1
Joined: 1-January 07
Member No.: 7305



CODE

      if(egregi("\r",[field]) || egregi("\n",[field])) die("No Spam From Me!");


Didn't anyone try testing this code? The eregi() function is misspelled twice. Or was that done on purpose?
jongrose
post Jan 2 2007, 05:45 AM
Post #3



Group: Members
Posts: 187
Joined: 23-February 04
Member No.: 480



Which web contact forms are vulnerable? Are there specific systems that are problematic, or is this occurring with many different types of setups?


StevenUnderwood
post Jan 2 2007, 03:46 PM
Post #4



Group: Members
Posts: 5172
Joined: 20-January 04
From: Whitinsville, MA USA
Member No.: 12



QUOTE(inko9nito @ Jan 1 2007, 11:24 PM)

CODE

      if(egregi("\r",[field]) || egregi("\n",[field])) die("No Spam From Me!");


Didn't anyone try testing this code? The eregi() function is misspelled twice. Or was that done on purpose?

Is it also possible that a spell checker somewhere along the line made this change? egregi seems to be Italian for Kind or Dear.


--------------------
Steven P. Underwood, DNRC
Whitinsville, MA
underwood+forum[at]spamcop.net

-No trees were killed in the sending of this message. However, a large number of electrons were terribly inconvenienced.-
ivolator
post Apr 9 2007, 02:04 PM
Post #5



Group: Members
Posts: 1
Joined: 9-April 07
Member No.: 7655



Why would this happen if you just escape the \r and \n? Or just use preg_replace('/\r/','',$message). You can come up with a more complex method to clean up the headers.
Also do not expose forms to users who are not logged in (why do that?).
Log all activity.
Check the source of activity (i.e. add some GUID for the user, such as a session id of some type).
Limit field lengths, validate input .....

... only my humble opinion
Wazoo
post Apr 9 2007, 02:58 PM
Post #6



Group: Forum Admin
Posts: 12892
Joined: 22-January 04
From: Iowa
Member No.: 18



QUOTE(ivolator @ Apr 9 2007, 02:04 PM)
Why would this happen if you just escape the \r and \n? Or just use preg_replace('/\r/','',$message).

Depends on the code involved.
QUOTE
You can come up with more complex message to clean up the headers.
Also do not expose forms for not logged in users (why do that).
Log all activity.
Check for source of activity (i.e. add some GUID for user such as session id of some type).
Limit fields length, validate input .....

The general 'user' maintained web-site isn't also generally maintained by a programmer ....

Gee, I want a GuestBok ... Google for 'free GuestBok' ... toss out the hundreds that are "too hard to install" .. Oh kewl!! .. here's one that looks pretty easy and even better, it comes in Pink!!!!!

What are the odds that this one was 'easy to install' because it had no thoughts of security involved in the 5 lines of code that were provided (for free) ....
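The following is an added example, not code from this thread, from the NANAE post or from SpamCop. It shows in Python (rather than the PHP the thread discusses) the mechanism the NANAE post describes: a naive form handler that concatenates field values into the mail header block lets a submitter smuggle a Bcc: header by putting CR/LF in a field. It also shows why ivolator's preg_replace('/\r/','',$message) suggestion is not enough on its own (a bare LF still starts a new header line for the mail server), which is one reason Wazoo's "depends on the code involved" applies, and then the reject-on-control-character check from the NANAE post combined with the per-field length limits from ivolator's list. The field names, length limits, addresses and the sample submission are all constructed for the example; the message is built with Python's standard email library instead of PHP's mail().

```python
import re
from email.message import EmailMessage

# Constructed sample submission: the "subject" field carries a smuggled
# Bcc: header, the CR/LF trick the NANAE post describes.
INJECTED_SUBJECT = "Hello\r\nBcc: victim1@example.invalid, victim2@example.invalid"
CLEAN_FIELDS = {
    "from_addr": "visitor@example.invalid",
    "subject": "Hello",
    "body": "Just saying hi.\nSecond line of the message.",
}

# Hypothetical per-field length limits, chosen for this example only.
LIMITS = {"from_addr": 254, "subject": 200, "body": 5000}
CONTROL_CHARS = re.compile(r"[\r\n\x00]")
LINE_BREAK = re.compile(r"\r\n|\r|\n")  # mail servers accept bare LF and bare CR too


def naive_build_mail(from_addr, subject, body):
    """Vulnerable pattern: raw field values concatenated into the header block,
    the way many drop-in form scripts build the text they hand to mail()."""
    return (f"From: {from_addr}\r\nTo: webmaster@example.invalid\r\n"
            f"Subject: {subject}\r\n\r\n{body}")


def strip_cr_only(value):
    """The preg_replace('/\\r/', '', $message) idea from the thread: removes CR only."""
    return value.replace("\r", "")


def header_values(raw_mail, name):
    """Read the header block the way a mail transfer agent would (any line break
    ends a header line) and return every value carried under header `name`."""
    head = raw_mail.partition("\r\n\r\n")[0]
    found = []
    for line in LINE_BREAK.split(head):
        hname, _, value = line.partition(":")
        if hname.strip().lower() == name.lower():
            found.append(value.strip())
    return found


class FormRejected(ValueError):
    """Raised when a submission fails validation; the handler then sends nothing."""


def validate_fields(fields):
    """Reject, rather than repair, any header-bound field containing CR, LF or NUL,
    and enforce the length limits. Returns the fields unchanged if they pass."""
    for name, limit in LIMITS.items():
        value = fields.get(name, "")
        if name != "body" and CONTROL_CHARS.search(value):
            raise FormRejected(f"control character in field {name!r}")
        if len(value) > limit:
            raise FormRejected(f"field {name!r} longer than {limit} characters")
    return fields


def handle_submission(fields):
    """Hardened handler: validates first, then builds the mail with the email
    library, which keeps each value inside its own header.
    Returns ('rejected', reason) or ('accepted', EmailMessage)."""
    try:
        clean = validate_fields(fields)
    except FormRejected as exc:
        return ("rejected", str(exc))
    msg = EmailMessage()
    msg["From"] = clean["from_addr"]
    msg["To"] = "webmaster@example.invalid"
    msg["Subject"] = clean["subject"]
    msg.set_content(clean["body"])
    return ("accepted", msg)


if __name__ == "__main__":
    raw = naive_build_mail("visitor@example.invalid", INJECTED_SUBJECT, "hi")
    print("naive handler, smuggled Bcc:", header_values(raw, "bcc"))
    raw = naive_build_mail("visitor@example.invalid", strip_cr_only(INJECTED_SUBJECT), "hi")
    print("after stripping CR only, Bcc still present:", header_values(raw, "bcc"))
    print(handle_submission(dict(CLEAN_FIELDS, subject=INJECTED_SUBJECT)))
    print(handle_submission(CLEAN_FIELDS)[0])
```

Running the block prints the smuggled Bcc list twice (once for the naive handler, once after CR-only stripping), then the rejection of the injected submission and the acceptance of the clean one. The body field is allowed to contain line breaks because the email library places it after the header block; only fields that end up in headers are checked for control characters.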