Sent from the wrong address so it didn't make it to the list.

On Tue, 27 Sep 2005, Mike Garrison wrote:

Hi Clayton,

I can tell you what's going on. It's a fairly new exploit that spammers are starting to highly utilize. There are a few ways this occurs:

1) the form does not check for \n or \r, so when they input data they are able to hard-insert a return and create their own mail headers
2) the form does not check for MIME, so they are able to exploit it that way too.

Check for forms that use the php "mail()" function. It's a pain, but it's the way I had to do it.

Example of a form I had to fix:
// Reject any submission whose address field carries a CR, LF or an injected
// Content-Type: header; those are the two tricks described above.
if (eregi("\r", $email) || eregi("\n", $email) || eregi("Content-Type:", $email)) {
    // Alert the admin with the submitter's host instead of relaying the mail.
    mail("[EMAIL PROTECTED]", "Warning, spam attempt onXXXXX",
         gethostbyaddr($_SERVER['REMOTE_ADDR']),
         "From: [EMAIL PROTECTED] <[EMAIL PROTECTED]>");
    die("Thanks for attempting to spam. We've notified the admin.");
} else {
    mail("[EMAIL PROTECTED]", "Feedback Form Results",
         "Email: $email\n Message: $message", "From: $email");
    header("Location: http://www.blah.com/thanks.php");
}

If you need more help, feel free to contact me off the list.

--
Mike Garrison
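The same gate Mike describes, as an added example (not code from his post), written in Python so it can be run against sample submissions: it rejects raw or URL-encoded CR/LF and embedded header names in any field that will end up in a mail header, and insists the sender is a single plain address. The header-name list, the address pattern and the sample submissions are my own assumptions.

```python
import re
from typing import Dict, List, Optional, Tuple

# Assumed list of header names a forged line would typically start with.
HEADER_TOKENS = ("to:", "cc:", "bcc:", "from:", "subject:",
                 "content-type:", "mime-version:")

# Deliberately strict shape for one address: no whitespace, commas or colons.
SINGLE_ADDRESS = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

def unsafe_reason(value: str) -> Optional[str]:
    """Why `value` must not be placed in a mail header, or None if it looks clean."""
    if "\r" in value or "\n" in value:
        return "raw CR/LF (header injection)"
    if "\0" in value:
        return "NUL byte"
    if re.search(r"%0[aAdD]", value):
        # Defence in depth: a later decode step could turn this into a newline.
        return "url-encoded CR/LF"
    low = value.lower()
    if any(tok in low for tok in HEADER_TOKENS):
        return "embedded header name"
    return None

def validate_sender(email: str) -> str:
    """Return the address if it is safe for a From: header; raise ValueError otherwise."""
    reason = unsafe_reason(email)
    if reason:
        raise ValueError("rejected sender: " + reason)
    if not SINGLE_ADDRESS.match(email):
        raise ValueError("rejected sender: not a single plain address")
    return email

def scan_submission(fields: Dict[str, str],
                    header_fields: Tuple[str, ...] = ("email", "subject")) -> List[Tuple[str, str]]:
    """(field, reason) for each header-bound field that would let the submitter forge headers.
    Body fields such as `message` may legitimately contain newlines and are not checked."""
    return [(name, r) for name, v in fields.items()
            if name in header_fields and (r := unsafe_reason(v))]

# Constructed sample submissions: one honest, two attempting the injection described above.
HONEST = {"email": "alice@example.com", "subject": "Question",
          "message": "Hello,\nI have a question about your product."}
FORGED_NEWLINE = {"email": "alice@example.com\nBcc: victim@example.org", "subject": "hi",
                  "message": "spam"}
FORGED_MIME = {"email": "alice@example.com", "subject": "x Content-Type: text/html",
               "message": "spam"}
```
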


On Tue, 27 Sep 2005, Clayton Weise wrote:

I know this is way off topic, but there are a lot of really smart people
on this list so I'm hoping to get some ideas here.  I've got a web
server that has some kind of formmail-esque script that is being
horribly abused but I can't find it.  The server (shut down qmail-send
on it for now) is spewing out messages by the hundreds, if not
thousands, and I can't seem to center down on which site has the
offending script.  Again, it's pretty off topic but I'm just looking for
some help here... please.

Thanks,
Clayton
