
contact form abuse by header injection


RavanH


Hi all,

I've been looking on the internet and these forums but cannot find anything on where to report attempts of abusing contact forms to send spam (not the spam itself)... I have learned a lot on how to prevent it but nothing on how to fight it!

If anyone is interested in this case, here is my 'abuse' report I sent to AOL:

==================

Dear madam, sir,

This is not a complaint about abuse originating from AOL but is related to AOL. I do not know the proper authorities to turn to who could investigate this case further or are interested in this information. Please bear with me as I try to explain the situation and how it is linked to AOL.

Recently, I found that the contact form on the website http://###edited out### (not hosted at AOL) was under 'attack'. Someone was trying with header injections on a massive scale - going on for a week now - to abuse the form (for spamming purposes, I guess). All messages ended up in the info[at] mailbox as they should, so I do not think there was any successful spamming done. Just hard to get rid of these messages overflowing the mailbox...

After modifying the contact form (in PHP) a bit, I managed to get some information (see attached examples) about these attempts:

The attempts originated from a lot of different IPs located around the globe (not associated with AOL) and I suspect were done by bots running on infected computers. But I found that *all* attempts used only one of 3 repeated email addresses included by 'Bcc:' in the injected headers:

###edited out###[at]aol.com

###edited out###[at]aol.com

###edited out###[at]aol.com

I conclude these are testing addresses run by the person controlling the bots, to see whether his attempts were successful. You see where AOL comes in! I don't know if you can act upon this? If my conclusion is correct, closing these mailboxes wouldn't make any difference whatsoever, but you might know what else can be done or who I should turn to with this info...

Thank you for your time,

======================

I didn't get any response yet, and I don't expect one. Would anyone know where I should send the info?
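The kind of check the original poster describes adding to the PHP form, written here in Python as an added example (not code from this thread); the field names and the sample submission are constructed. It flags CR/LF header injection in the fields a form script copies into mail headers, extracts the smuggled Bcc/Cc/To addresses so they can go into an abuse report, and strips line breaks before a value is ever used in a header:

```python
import re

# Fields the form script copies into mail headers (assumed names). The body
# text is not a header field and may legitimately contain newlines.
HEADER_FIELDS = ("name", "email", "subject")

# A header injection needs a line break followed by something that looks
# like a header name and a colon, e.g. "\r\nBcc: ...".
INJECTED_HEADER = re.compile(r"[\r\n]+\s*([A-Za-z-]+)\s*:[ \t]*([^\r\n]*)")
ADDRESS = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def find_injected_headers(fields):
    """Return (field, header_name, value) for every injected header line."""
    hits = []
    for name in HEADER_FIELDS:
        for m in INJECTED_HEADER.finditer(fields.get(name, "")):
            hits.append((name, m.group(1).lower(), m.group(2).strip()))
    return hits


def injected_recipients(fields):
    """Addresses smuggled into Bcc:/Cc:/To: lines, for an abuse report."""
    addrs = set()
    for _field, header, value in find_injected_headers(fields):
        if header in ("bcc", "cc", "to"):
            addrs.update(a.lower() for a in ADDRESS.findall(value))
    return sorted(addrs)


def sanitize_header_value(value):
    """Collapse CR/LF so a field value can never terminate a header line."""
    return re.sub(r"[\r\n]+", " ", value).strip()


# Constructed example of an injected submission (not a real capture).
SAMPLE_ATTEMPT = {
    "name": "test",
    "email": "someone@example.com\r\nBcc: probe1@example.net, probe2@example.net",
    "subject": "hello\nContent-Type: multipart/mixed",
    "message": "line one\nline two",
}

if __name__ == "__main__":
    if find_injected_headers(SAMPLE_ATTEMPT):
        print("rejected; injected recipients:", injected_recipients(SAMPLE_ATTEMPT))
```

A form handler would reject the submission when find_injected_headers returns anything and log the recipients alongside the client IP; sanitize_header_value is the fallback for values that are passed on.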


The presence of those email addresses in those Bcc headers doesn't prove anything - what matters is what was attempted in a MAIL FROM field. However, the AOL Postmaster Team may still be interested in your evidence - you may contact them at postmaster[at]aol.com or via their AOL Postmaster Hotline at 1-888-212-5537 (in the US) or at +1-703-265-4670 (international callers).


The best people to send your complaints to would be the owners of the IP addresses that were attempting to abuse your web form. You should be able to get the IP addresses from your web logs, and then locate the owners of those IP addresses using ARIN, or the registry responsible for the particular IP addresses in question.

Yes, it is a tedious process looking each one up, but it really doesn't take that long, and once you get the info you want, you can set up a complaint template and just fill in the needed information, and the appropriate snippet from your logfiles.


The presence of those email addresses in those Bcc headers doesn't prove anything - what matters is what was attempted in a MAIL FROM field.

Hi Jeff,

Thanks for your answer, I sent it to abuse[at]aol.com... Hope that didn't irritate them because it isn't abuse originating from their servers :/

Anyway, the Bcc addresses I found were always somewhere in the code that was submitted in alternating fields of the mail form. This is what you mean, right? If you are interested, I have the resulting messages stored and I can post an example. To me this is really interesting as I have never encountered this thing before. Like magic... ;)

But seriously, there is someone trying to do some really annoying stuff, and illegal I guess, so if any authority is interested in the data, I am happy to turn it over. Didn't hear anything from AOL though...

The best people to send your complaints to would be the owners of the IP addresses that were attempting to abuse your web form. You should be able to get the IP addresses from your web logs, and then locate the owners of those IP addresses using ARIN, or the registry responsible for the particular IP addresses in question.

Hi Telarin, there are really many, many IP addresses! I had traced a few and they are spread all over the world so my guess was that they are just ignorant users with bot-infected computers. I wouldn't want to get them into trouble with their providers by accusing them of abuse... Do you really think that would help?


there are really many, many IP addresses! I had traced a few and they are spread all over the world so my guess was that they are just ignorant users with bot-infected computers. I wouldn't want to get them into trouble with their providers by accusing them of abuse... Do you really think that would help?


I do think that you giving those service providers a heads-up ASAP is a good idea. If not you, who? If not now, when? :)

Hi Telarin, there are really many, many IP addresses! I had traced a few and they are spread all over the world so my guess was that they are just ignorant users with bot-infected computers. I wouldn't want to get them into trouble with their providers by accusing them of abuse... Do you really think that would help?

Yes, I think it would really help. Wouldn't you want to know that your computer was infected? Do you have a problem with police stopping cars that have a headlight out?

Don't accuse them of abuse. Just point out that a spammer is attempting to access the form through their IP address.

Some providers like Comcast seem to be really slow about notifying and stopping infected computers. Others, though, are more responsible and immediately take care of the situation - which, IMHO, makes everyone happier - the owner of the infected computer, the ISP, and those who no longer get spam via this source.

Miss Betsy


  • 3 weeks later...

We've seen a lot of this lately (like dozens of attempts a week), on our site and many of our client sites (we're a web design company). Generally speaking, each attempt seems to return about 6 emails, always with an AOL address in the Bcc line.

We've been forwarding them to TOSEmail1[at]aol.com, not sure how quick they are to act, though we don't see the original addresses anymore.

On one site we renamed the directory our form processing scripts sit in, they found it pretty quick though (same day I think).

We tried tracing some of the IP addresses as well - easy to find in the logs, the form processing page is the entry page. The ones we checked though all went back to proxy servers.

I'd love to find a quick way to shut these folks down, it's consuming way too much time.

Simon


Well, as a general rule of thumb, I deny access to our web servers entirely from any open proxy servers I find accessing it. That's a good security measure to begin with. If you have a decent firewall, you can go a step further and deny access at the firewall level completely.

There really is no legitimate reason for someone to use an open proxy. Many companies use proxies for their employees to browse the web, but these should never be open, and most responsible companies will keep detailed browsing logs so they can trace things like this back to the originating person.

I would start by sending a complaint to the ISP controlling the proxy, and if you receive no response, then I would block their IPs completely from your server, and send an email to their upstream provider.
