Date: 27 Aug 2006 07:04:13 -0000
Message-ID: <M2K9V4KJ38956.1279282407[at]twistycreek.com>
From: I Hate Web Spams
Subject: And Now an Epidemic of Web Contact Form Hacks Used to Send Spam
Newsgroups: news.admin.net-abuse.email
Over the last two weeks, the occasional spam from a hacked web form has
turned into a torrent. Most spammers aren't the brightest bulbs in the box,
so they like this technique because it requires virtually no talent and can
be run from a script. I did a random unscientific sample and found about
10-15% of forms were exploitable, despite the stellar credentials of some
of their authors and webmasters. It's that easy to overlook.
The technique is perfect for spammers. Respected businesses end up sending
thousands of spams without their knowledge. Their mail addresses aren't on
any block lists (for the time being) because the recipients seldom
complain. As a result, lists of vulnerable web input forms can be recycled
and are probably being shared among spammers. These are worldwide sources,
although the U.S., Britain, Germany and Japan have had the most exploited
forms so far.
How does he do it? The spammer injects the characters '\n' and '\r' (end
of line and carriage return) in an exploitable web form and then adds
"bcc:" followed by a long list of spamees. (If you host a web page with a
form and you start getting "bounces" related to your web form, then that is
what has happened.) After the spammer is allowed to do this several times,
your host's mail server ends up on a set of email blocklists from which
removal is unlikely. At that point your provider either disconnects you or
puts a contract out on you, or both.
The bcc: lists vary from spam victim to spam victim, but I see a lot of
yahoo, gmail and hotmail addresses on there. We're talking about several
hundred per hacked web form. If the process is automated it is very easy to
see millions of spams coming out the other end.
If you have a web page with ANY kind of user input, verify that there is a
control character filter on your web form or that the mail handler you use
does not accept the "bcc" statement. Either one will foil his attempts.
To filter with PHP use

    if (eregi("\r", $field) || eregi("\n", $field)) die("No Spam From Me!");

with Perl use regular expression matching, and with C and C++ use regexec
and regcomp to trap these characters.
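The mechanism the post describes, as an added example that is not part of the original post: a form handler that pastes fields straight into mail headers (the vulnerable pattern) beside the control-character filter the post recommends. The function names, the parsing helper and the example.org/example.com addresses are constructed for this illustration; the "bcc" check mirrors a mail server reading the header block line by line.

```python
"""Added example (not from the original post): why pasting form fields into
mail headers lets a CR/LF in a field smuggle in a Bcc: list, and the
control-character filter that stops it."""
import re

# Any ASCII control character; this covers \r (0x0d) and \n (0x0a).
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")
# A line break followed by something shaped like a header name and a colon.
EMBEDDED_HEADER = re.compile(r"[\r\n]+[ \t]*([A-Za-z][A-Za-z0-9-]*):")


class HeaderInjection(ValueError):
    """Raised when a form field would add or alter a mail header."""


def naive_headers(sender, subject, recipient):
    """Vulnerable builder (the pattern the post warns about): fields are
    concatenated straight into header lines, so a CR/LF inside a field
    starts a new header."""
    return f"From: {sender}\r\nTo: {recipient}\r\nSubject: {subject}\r\n\r\n"


def parse_header_block(raw):
    """Reads a header block the way a mail server does: one header per
    line, names case-insensitive, terminated by the first blank line."""
    headers = []
    for line in re.split(r"\r\n|\r|\n", raw):
        if line == "":
            break
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def bcc_recipients(raw):
    """Every address that would receive a copy via Bcc: lines."""
    addrs = []
    for name, value in parse_header_block(raw):
        if name == "bcc":
            addrs.extend(a.strip() for a in value.split(",") if a.strip())
    return addrs


def injected_header_names(value):
    """Header names a single field value would inject through an embedded
    line break; handy for logging which attempts hit a form."""
    return [m.lower() for m in EMBEDDED_HEADER.findall(value)]


def clean_field(field, value):
    """The filter the post recommends: refuse any field containing CR, LF
    or another control character instead of trying to repair it."""
    if CONTROL_CHARS.search(value):
        raise HeaderInjection(
            f"{field}: control character in value, possible header injection")
    return value


def safe_headers(sender, subject, recipient):
    """Hardened builder: every field passes clean_field before use."""
    return naive_headers(clean_field("from", sender),
                         clean_field("subject", subject),
                         clean_field("to", recipient))


def accepts(sender, subject, recipient):
    """True if the hardened handler would send this submission."""
    try:
        safe_headers(sender, subject, recipient)
    except HeaderInjection:
        return False
    return True


# Constructed samples: a submission with CR/LF and a bcc: list smuggled into
# the "from" field, and an ordinary one for comparison.
INJECTED_FROM = "alice@example.net\r\nbcc: v1@example.org, v2@example.org"
NORMAL_FROM = "alice@example.net"

if __name__ == "__main__":
    raw = naive_headers(INJECTED_FROM, "Question", "owner@example.com")
    print("vulnerable handler would Bcc:", bcc_recipients(raw))
    print("headers injected via the from field:",
          injected_header_names(INJECTED_FROM))
    print("hardened handler accepts injected submission:",
          accepts(INJECTED_FROM, "Question", "owner@example.com"))
    print("hardened handler accepts normal submission:",
          accepts(NORMAL_FROM, "Question", "owner@example.com"))
```

Rejecting the whole submission, rather than stripping the offending characters, is the simpler choice: a field that contains a bare CR or LF has no legitimate reason to be in a single-line mail header, and the rejection itself is worth logging as an attempt against the form.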
There are a hundred good references in Google on how to fix your form.
The spammer du jour using this technique is hawking hoodia/hgh/herbals
linking to coded urls from snipurl.com. She has also spammed for the fake
diploma guy at U.S. 314-219-2907. The snipurls are all coded differently,
probably to identify blocks of victims. The current scam site ends up at
http://hggdadcner.com, a hanaro site supposedly registered to a "Michael
McCain" in Palatine, IL, north of Chicago. Injection is coming from a
variety of sources in (where else?) China.
Blocklists trap 95% of "conventional" spam, but cannot trap any of the web
form spam. If you host customers with web forms, demand that you check the
forms before they go online. Also, someone needs to start automatically
probing the millions of web forms out there and letting the owners and
hosting sites know if their forms are vulnerable. Since probing can be
construed as "computer invasion", it sounds like a project for a government
agency or a delegate like isc.org or cert.org.
