Wazoo Posted August 27, 2006

stolen from NANAE

Date: 27 Aug 2006 07:04:13 -0000
Message-ID: <M2K9V4KJ38956.1279282407[at]twistycreek.com>
From: I Hate Web Spams
Subject: And Now an Epidemic of Web Contact Form Hacks Used to Send spam
Newsgroups: news.admin.net-abuse.email

Over the last two weeks, the occasional spam from a hacked web form has turned into a torrent. Most spammers aren't the brightest bulbs in the box, so they like this technique because it requires virtually no talent and can be run from a script. I did a random unscientific sample and found that about 10-15% of forms were exploitable, despite the stellar credentials of some of their authors and webmasters. It's that easy to overlook.

The technique is perfect for spammers. Respected businesses end up sending thousands of spams without their knowledge. Their mail addresses aren't on any block lists (for the time being) because the recipients seldom complain. As a result, lists of vulnerable web input forms can be recycled and are probably being shared among spammers. These are world wide sources, although the U.S., Britain, Germany and Japan have had the most exploited forms so far.

How does he do it?? The spammer injects the characters '\n' and '\r' (end of line and carriage return) into an exploitable web form and then adds "bcc:" followed by a long list of spamees. (If you host a web page with a form and you start getting "bounces" related to your web form, then that is what has happened.) After the spammer is allowed to do this several times, your host's mail server ends up on a set of email blocklists from which removal is unlikely. At that point your provider either disconnects you or puts a contract out on you or both. The bcc: lists vary from spam victim to spam victim, but I see a lot of yahoo, gmail and hotmail addresses on there. We're talking about several hundred per hacked web form. If the process is automated it is very easy to see millions of spams coming out the other end.

If you have a web page with ANY kind of user input, verify that there is a control character filter on your web form or that the mail handler you use does not accept the "bcc" statement. Either one will foil his attempts. To filter with PHP use if(egregi("\r",[field]) || egregi("\n",[field])) die("No spam From Me!"); with Perl use regular expression matching; with C and C++ use regcomp and regexec to trap these characters. There are a hundred good references in Google on how to fix your form.

The spammer du jour using this technique is hawking hoodia/hgh/herbals linking to coded URLs from snipurl.com. She has also spammed for the fake diploma guy at U.S. 314-219-2907. The snipurls are all coded differently, probably to identify blocks of victims. The current scam site ends up at http://hggdadcner.com, a hanaro site supposedly registered to a "Michael McCain" in Palatine, IL, north of Chicago. Injection is coming from a variety of sources in (where else?) China. Blocklists trap 95% of "conventional" spam, but cannot trap any of the web form spam. If you host customers with web forms, demand that you check the forms before they go online. Also, someone needs to start automatically probing the millions of web forms out there and letting the owners and hosting sites know if their forms are vulnerable. Since probing can be construed as "computer invasion", it sounds like a project for a government agency or a delegate like isc.org or cert.org.
inko9nito Posted January 2, 2007

> if(egregi("\r",[field]) || egregi("\n",[field])) die("No spam From Me!");

Didn't anyone try testing this code? The eregi() function is misspelled twice. Or was that done on purpose?
jongrose Posted January 2, 2007

Which web contact forms are vulnerable? Are there specific systems that are problematic, or is this occurring with many different types of setups?
StevenUnderwood Posted January 2, 2007

> if(egregi("\r",[field]) || egregi("\n",[field])) die("No spam From Me!");
>
> Didn't anyone try testing this code? The eregi() function is misspelled twice. Or was that done on purpose?

Is it also possible that a spell checker somewhere along the line made this change? egregi seems to be Italian for Kind or Dear.
ivolator Posted April 9, 2007

Why would this happen if you just escape the \r and \n? Or use just preg_replace('/\r/','',$message);. You can come up with a more complex message to clean up the headers. Also do not expose forms to users who are not logged in (why do that). Log all activity. Check for the source of activity (i.e. add some GUID for the user such as a session id of some type). Limit field lengths, validate input ..... ... only my humble opinion
Wazoo Posted April 9, 2007 Author

> Why would this happen if you just escape the \r and \n? Or use just preg_replace('/\r/','',$message);.

Depends on the code involved.

> You can come up with more complex message to clean up the headers. Also do not expose forms for not logged in users (why do that). Log all activity. Check for source of activity (i.e. add some GUID for user such as session id of some type). Limit fields length, validate input .....

The general 'user' maintained web-site isn't also generally maintained by a programmer .... Gee, I want a GuestBok ... Google for 'free GuestBok' ... toss out the hundreds that are "too hard to install" .. Oh kewl!! .. here's one that looks pretty easy and even better, it comes in Pink!!!!! What are the odds that this one was 'easy to install' because it had no thoughts of security involved in the 5 lines of code that were provided (for free) ....
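An added example (not code from this thread, and in Python rather than PHP) covering both the reject-on-CRLF check from the NANAE post and the preg_replace('/\r/','',...) suggestion above: it models a naive form handler that concatenates fields into the mail header block, shows why a bare LF is enough to smuggle in an extra header line, and shows that stripping only CR does not close the hole. The handler model and the addresses are constructed for illustration.

```python
import re

# Any CR or LF inside a field that lands in a mail header lets the sender
# terminate the current header line and append new ones (e.g. "Bcc:").
LINE_BREAK = re.compile(r"[\r\n]")


def reject_on_crlf(fields: dict) -> tuple:
    """Strict check from the NANAE post: refuse the whole submission if any
    header-bound field contains a line terminator of either kind."""
    for name, value in fields.items():
        if LINE_BREAK.search(value):
            return False, f"line terminator in field '{name}'"
    return True, "ok"


def strip_cr_only(value: str) -> str:
    """preg_replace('/\\r/', '', $message) transcribed to Python: removes CR
    but leaves LF untouched, which most MTAs still treat as end of line."""
    return value.replace("\r", "")


def header_names(sender: str, subject: str, to: str) -> list:
    """Model (constructed, hypothetical) of a naive form handler that glues
    fields straight into the header block. Returns the header field names an
    MTA would parse after splitting on CRLF, bare LF or bare CR."""
    raw = f"From: {sender}\nTo: {to}\nSubject: {subject}\n"
    lines = [ln for ln in re.split(r"\r\n|\n|\r", raw) if ln.strip()]
    return [ln.split(":", 1)[0].strip().lower() for ln in lines]


# Constructed sample inputs (RFC 2606 reserved domains, not real victims).
LEGIT_SENDER = "alice@example.com"
INJECTED_SENDER = "alice@example.com\r\nBcc: one@example.invalid, two@example.invalid"
OWNER = "owner@example.com"


if __name__ == "__main__":
    for label, sender in (("legit", LEGIT_SENDER), ("injected", INJECTED_SENDER)):
        print(label, "strict check:", reject_on_crlf({"from": sender}))
        print(label, "naive handler sees headers:", header_names(sender, "hi", OWNER))
        print(label, "after CR-only strip:",
              header_names(strip_cr_only(sender), "hi", OWNER))
```

The CR-only strip still yields a "bcc" header in the parsed block, which is why the thread's advice to refuse (or at least remove) both characters is the one to follow.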