Full Disclosure mailing list archives
Re: Automated mass abuse of form mailers
From: Luc Stroobant <fd () stroobant be>
Date: Mon, 12 Sep 2005 14:52:10 +0200
Michael Holzt wrote:
> Automated mass abuse of form mailers
> 2005/09/12, Michael Holzt, kju -at- fqdn.org
>
> 1. Summary
>
> Lately webpage mail forms have become a target of spammers. The attacks seem to be automated and try to exploit the use of untrusted input data in a lot of these form mailers. The attacks insert newlines into data fields which are used unchecked in header lines of the mail generated. These newlines allow the attacker to add his own header lines and message content.
I noticed this too. They started testing our forms a few weeks ago and it's still going on. They're using zombies, so IP-blocking is pointless.
> The victim has managed to add his own Cc line (which will be the spam target), his own subject and his own body. The original subject (and other header lines) as well as the original content have been moved into the body of the mail. Examples of real abuse witnessed have shown that the attackers even try to create multipart messages to hide the original content generated by the form mailer.
I used some mod_security filters (To\:, Cc\:, Bcc\: etc...) to analyse their POST requests. The multipart trick is in all their tests in our case. This is an example:
Content-Type: multipart/mixed; boundary="===============1269369969=="
MIME-Version: 1.0
Subject: e2dae455
To: oirkcyexud () coza net
bcc: jrubin3546 () aol com
From: oirkcyexud () coza net
This is a multi-part message in MIME format.
--===============1269369969==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding:+7bit
dzrgpjy
--===============1269369969==--
> The abusers also try to track successful attempts. In a number of cases a bcc to an aol email address (jrubin3546 () aol com) was inserted into the message as well. Other internet users reported such abuse as well. Google shows nearly 72.000 hits when searching for this mail address.
Another address they use is bergkoch8 () aol com (notified AOL abuse about this, but I guess that's /dev/null).
> It is therefore advised to check the relevant data fields for inserted newlines and deny sending the mail if any are found. For example, the vulnerable script shown above could be extended with a check like this:
In my opinion, part of this filtering should be done by the PHP mail() function. Disallowing the insertion of recipients via additional_headers and moving cc:, bcc: and from: to variables of their own, just as they do with "to", would make it much more abuse-proof.
Luc

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
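The injection the thread describes, modelled end to end as an added example (this is not code from Luc's or Michael Holzt's posts, nor PHP's mail(); it is written in Python so the generated mail can be parsed back). A builder that pastes a form field into the header block the way the classic `mail($to, $subject, $body, "From: $sender")` pattern does is fed a payload patterned on the captured multipart POST above; the parsed result shows the injected To/bcc recipients and the original form content pushed past the closing boundary into the body. Next to it sit the newline check the advisory recommends and a rough stand-in for the To:/Cc:/Bcc: mod_security filters, run over the URL-encoded POST body. The form field names, the example.com recipient and the sample POST are constructed for illustration.

```python
"""Mail-header injection through a form mailer, modelled in Python.

Added example, not code from the original post or from PHP's mail().
build_mail_vulnerable() mimics a form mailer that pastes a form field into
the header block unchecked; build_mail_safe() adds the newline check the
thread recommends; flag_post_fields() is a rough stand-in for the
mod_security filters on To:/Cc:/Bcc: mentioned in the thread, run over the
decoded POST body.  Field names, the example.com recipient and the sample
POST are constructed, patterned on the multipart payload quoted above.
"""
import email
import re
from email import policy
from urllib.parse import parse_qs, quote_plus

# Constructed spam payload for the "email" field of a contact form.  The first
# line is what the form expects; the newlines after it terminate the From:
# header and smuggle in the attacker's own headers plus a multipart body.
INJECTED_SENDER = "\r\n".join([
    "oirkcyexud@coza.net",
    'Content-Type: multipart/mixed; boundary="===============1269369969=="',
    "MIME-Version: 1.0",
    "Subject: e2dae455",
    "To: oirkcyexud@coza.net",
    "bcc: jrubin3546@aol.com",
    "",
    "This is a multi-part message in MIME format.",
    "--===============1269369969==",
    'Content-Type: text/plain; charset="us-ascii"',
    "MIME-Version: 1.0",
    "Content-Transfer-Encoding: 7bit",
    "",
    "dzrgpjy",
    "--===============1269369969==--",
    "",
])

# The same payload as a zombie would POST it (constructed
# application/x-www-form-urlencoded body); this is what mod_security sees.
SAMPLE_POST = "&".join(f"{k}={quote_plus(v)}" for k, v in [
    ("name", "Bob"),
    ("email", INJECTED_SENDER),
    ("message", "Hello from the contact form"),
])

FORM_OWNER = "webmaster@example.com"  # assumed fixed recipient of the form


def build_mail_vulnerable(subject, body, sender):
    """Mirrors the classic PHP pattern
         mail($to, $subject, $body, "From: $sender");
    with $sender taken straight from the form."""
    headers = f"To: {FORM_OWNER}\r\nSubject: {subject}\r\nFrom: {sender}\r\n"
    return headers + "\r\n" + body


def has_header_injection(value):
    """True if a field could end a header line.  %0a/%0d are caught as well
    in case the value arrives before URL decoding."""
    return re.search(r"[\r\n]|%0[aAdD]", value) is not None


def build_mail_safe(subject, body, sender):
    """The check the thread recommends: refuse to send if any field that
    lands in a header contains a newline."""
    for name, value in (("subject", subject), ("sender", sender)):
        if has_header_injection(value):
            raise ValueError(f"header injection attempt in field {name!r}")
    return build_mail_vulnerable(subject, body, sender)


# Header names the spam runs inject, at the start of a line inside a field.
INJECTED_HEADER = re.compile(
    r"(?im)^(to|cc|bcc|from|subject|content-type|mime-version)\s*:")


def flag_post_fields(post_body):
    """Names of form fields carrying injected header lines: roughly what a
    mod_security rule matching To:/Cc:/Bcc: in the POST body catches, but
    without flagging a textarea that merely contains newlines."""
    flagged = []
    for name, values in parse_qs(post_body, keep_blank_values=True).items():
        if any(has_header_injection(v) and INJECTED_HEADER.search(v) for v in values):
            flagged.append(name)
    return flagged


def describe_generated_mail(raw_mail):
    """Parse a generated mail and return (all To/Cc/Bcc recipients, text of
    the first MIME part, epilogue).  With the payload above the original form
    content lands in the epilogue after the closing boundary, i.e. it has been
    moved into the body, exactly as the advisory describes."""
    msg = email.message_from_string(raw_mail, policy=policy.default)
    recipients = [str(v) for h in ("To", "Cc", "Bcc") for v in msg.get_all(h, [])]
    visible = msg.get_payload(0).get_content() if msg.is_multipart() else msg.get_content()
    return recipients, visible, msg.epilogue or ""


if __name__ == "__main__":
    raw = build_mail_vulnerable("Contact form", "Hello from the contact form", INJECTED_SENDER)
    recipients, visible, hidden = describe_generated_mail(raw)
    print("recipients:", recipients)  # the bcc'd aol.com tracking address is now one of them
    print("visible part:", visible.strip())
    print("flagged fields:", flag_post_fields(SAMPLE_POST))
    try:
        build_mail_safe("Contact form", "Hello from the contact form", INJECTED_SENDER)
    except ValueError as err:
        print("rejected:", err)
```

Note that the check is applied to every field that ends up in a header line (here subject and sender), not to the message body, which legitimately contains newlines; the POST-level filter likewise only flags a field when a newline is followed by a header name, so an ordinary textarea does not trip it.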
Current thread:
- Automated mass abuse of form mailers Michael Holzt (Sep 12)
- Re: Automated mass abuse of form mailers Luc Stroobant (Sep 12)
- Re: Automated mass abuse of form mailers n3td3v (Sep 12)
- Re: Automated mass abuse of form mailers Dave Korn (Sep 12)
- Re: Re: Automated mass abuse of form mailers Bipin Gautam (Sep 12)
- Re: Re: Automated mass abuse of form mailers Valdis . Kletnieks (Sep 12)
- RE: Re: Automated mass abuse of form mailers Aditya Deshmukh (Sep 12)
- Re: Re: Automated mass abuse of form mailers Dave Korn (Sep 13)
- Re: Automated mass abuse of form mailers Luc Stroobant (Sep 12)
- Re: Automated mass abuse of form mailers n3td3v (Sep 12)
- Re: Automated mass abuse of form mailers Ron DuFresne (Sep 12)