Michael Holzt wrote:
Automated mass abuse of form mailers
2005/09/12, Michael Holzt, kju -at- fqdn.org
1. Summary
Lately webpage mail forms has become a target of spammers. The attacks
seems to be automated and try to exploit the use of untrusted input data
in a lot of these form mailers. The attacks inserts newlines into data
fields which are used unchecked in header lines of the mail generated.
These newlines allow the attacker to add own header lines and message
content.
I noticed this too. They started testing our forms few weeks ago and
it's still going on. They're using zombies, so IP-blocking is pointless.
The victim has managed to add his own Cc line (which will be the spam
target), a own subject and a own body. The original subject (and other
header lines) as well as the original content have been moved into
the body of the mail. Examples of real abuse witnessed have shown that
the attackers even try to create multipart messages to hide the original
content generated by the form mailer.
I used some mod_security filters (To\:, Cc\:, Bcc\: etc...) to analyse
their POST requests. The multipart tric is in all their tests in our
case. This is an example:
Content-Type: multipart/mixed; boundary="===============1269369969=="
MIME-Version: 1.0
Subject: e2dae455
To: [EMAIL PROTECTED]
bcc: [EMAIL PROTECTED]
From: [EMAIL PROTECTED]
This is a multi-part message in MIME format.
--===============1269369969==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding:+7bit
dzrgpjy
--===============1269369969==--
The abusers also try to track sucessfull attempts. In a number of cases
a bcc to an aol email address ([EMAIL PROTECTED]) was inserted into
the message as well. Other internet users reported such abuse as well.
Google shows nearly 72.000 hits when searching for this mail address.
Another address they use is [EMAIL PROTECTED]
(noticed aol abuse about this, but I guess that's /dev/null)
It is therefore advised to check the relevant data fields for newlines
inserted and deny sending the mail if any are found. For example the
vulnerable script shown above could be added by a check like this:
In my opinion, part of this filtering should be done by the php mail()
function. Disallowing the insertion of recipients via additional_headers
and moving cc: bcc: and from: to an own variable -just as they do with
"to"- would make it much more abuse-proof.
Luc
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
