Chris W. Parker wrote:
Hello,

A few weeks ago I started seeing three emails that all come at the
same time (within the same minute) and seem to be trying to exploit a
feedback form I have on our website. Every time someone submits a
feedback form I am sent the information they entered. The To and From
addresses are hard-coded.

That makes no difference: what the spammer is trying to do is pass
mail headers directly in the body of the email you are generating, which, when
passed to the SMTP server by whatever function/syscall you use, will
be interpreted by the SMTP server as a separate email to be sent.

This 'fairly recent' class of attack is already quite well documented;
google around for more info.

I don't know if any mail classes out there deal with this issue for you;
I wrote a simple function to attempt to check for 'problem' message
bodies:

<?php

/* Returns true if any of the values in the passed array are suspect in terms
 * of someone trying to hack our form-based mailer to start sending people
 * spam.
 *
 * Simple example:
 *
 * if (emailFieldHackAttempt( $_REQUEST )) {
 *     die('off with thy head, spamwannabe!');
 * }
 */
function emailFieldHackAttempt( $fieldVals )
{
    // Fragments of injected MIME headers. A line break immediately before a
    // header name is what lets an attacker start a new header or message.
    $evilStrings = array(
        'Content-Type: multipart/mixed;',
        'Content-Type: text/plain;',
        'boundary="',
        'boundary=\\"',
        'Content-Transfer-Encoding: 7bit',
        "\nSubject: ",
        'MIME-Version: ',
        "\nbcc: ",
        "\ncc: ",
        "\nFrom: ",
        "\nTo: ",
    );

    if (!is_array($fieldVals) || !count($fieldVals)) {
        return false;
    }

    foreach ($fieldVals as $k => $v) {
        // $_REQUEST may hold nested arrays (name="field[]"); check those too
        // instead of passing an array to a string function.
        if (is_array($v)) {
            if (emailFieldHackAttempt($v)) {
                return true;
            }
            continue;
        }
        foreach ($evilStrings as $evilStr) {
            // Case-insensitive: "SUBJECT: " must not slip past "Subject: ".
            if (stripos((string) $v, $evilStr) !== false) {
                return true;
            }
        }
    }

    // nothing going on!
    return false;
}

?>

Any comments or improvements to this function are appreciated.


Here is an example message

[begin]
== Name ==

  [EMAIL PROTECTED]

== Agency ==

  [EMAIL PROTECTED]
Content-Type: multipart/mixed; boundary="===============1815270735=="
MIME-Version: 1.0
Subject: a8f1a36a
To: [EMAIL PROTECTED]
bcc: [EMAIL PROTECTED]
From: [EMAIL PROTECTED]

This is a multi-part message in MIME format.

--===============1815270735==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

thgfxnes
--===============1815270735==--


== Email ==

  [EMAIL PROTECTED]

== Comment ==

[EMAIL PROTECTED]
[end]

It seems to me that the attempted exploit is unsuccessful because I
cannot find "dtdegq" or "mhko321" in /var/log/maillog. But I wanted to
send this to the list in case someone knows different.


Thanks,
Chris.


--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
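Added illustration, not code from either poster and written in Python rather than PHP so it runs without an MTA: it models the two kinds of form mailer discussed above with a constructed payload shaped like the quoted message (addresses are placeholders, OWNER and the builder functions are assumptions of this example) and parses each result with Python's standard email module to show which recipients a sending MTA would see. With fixed headers and the visitor's input only in the body, as in the original poster's mailer, the injected bcc never becomes a header, which matches the empty maillog; when a field such as Email is concatenated into From:, it does. The check that actually closes the hole is refusing CR/LF in any header-bound field; the body-scanning heuristic from the reply is included in a case-insensitive form for comparison.

```python
"""Where form input lands decides whether mail header injection works."""
import re
from email import message_from_string

# Constructed sample payload modelled on the one quoted in the post
# (placeholder addresses; not the original bytes).
INJECTED = (
    'victim@example.invalid\n'
    'Content-Type: multipart/mixed; boundary="===============1815270735=="\n'
    'MIME-Version: 1.0\n'
    'Subject: a8f1a36a\n'
    'To: victim@example.invalid\n'
    'bcc: spamtarget@example.invalid\n'
    'From: spammer@example.invalid\n'
    '\n'
    'This is a multi-part message in MIME format.\n'
    '\n'
    '--===============1815270735==\n'
    'Content-Type: text/plain; charset="us-ascii"\n'
    'MIME-Version: 1.0\n'
    'Content-Transfer-Encoding: 7bit\n'
    '\n'
    'thgfxnes\n'
    '--===============1815270735==--\n'
)

OWNER = "owner@example.invalid"  # hypothetical hard-coded recipient of the form


def build_body_only(fields):
    """Model the poster's mailer: To/From/Subject fixed, fields only in the body."""
    headers = "To: %s\r\nFrom: form@example.invalid\r\nSubject: Feedback form\r\n" % OWNER
    body = "".join("== %s ==\n\n  %s\n\n" % (k, v) for k, v in fields.items())
    return headers + "\r\n" + body


def build_field_in_header(fields):
    """Model the vulnerable variant: the visitor's Email field is glued into From:."""
    headers = "To: %s\r\nFrom: %s\r\nSubject: Feedback form\r\n" % (OWNER, fields["Email"])
    body = "== Comment ==\n\n  %s\n" % fields.get("Comment", "")
    return headers + "\r\n" + body


_LINE_BREAK = re.compile(r"[\r\n]")


def header_safe(value):
    """A value may go into a header only if it cannot end the header line."""
    return isinstance(value, str) and not _LINE_BREAK.search(value) and "\0" not in value


def build_hardened(fields):
    """Like build_field_in_header, but rejects header-bound input containing CR/LF."""
    if not header_safe(fields["Email"]):
        raise ValueError("header injection attempt in Email field")
    return build_field_in_header(fields)


_HEADER_AFTER_BREAK = re.compile(
    r"[\r\n][ \t]*(to|cc|bcc|from|subject|reply-to|content-type|mime-version)[ \t]*:",
    re.IGNORECASE,
)


def looks_like_header_injection(fields):
    """Case-insensitive form of the reply's body heuristic: a known mail header
    name right after a line break anywhere in the submitted values (recurses
    into nested arrays, as PHP's $_REQUEST can contain them)."""
    def walk(v):
        if isinstance(v, dict):
            return any(walk(x) for x in v.values())
        if isinstance(v, (list, tuple)):
            return any(walk(x) for x in v)
        return isinstance(v, str) and _HEADER_AFTER_BREAK.search(v) is not None
    return walk(fields)


def recipients(raw):
    """Every address in To/Cc/Bcc after parsing raw the way an MTA would."""
    msg = message_from_string(raw)
    return msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])


def subject(raw):
    """The Subject header the parsed message ends up with."""
    return message_from_string(raw)["Subject"]


if __name__ == "__main__":
    form = {"Name": INJECTED, "Email": INJECTED, "Comment": INJECTED}
    print(recipients(build_body_only(form)))        # only OWNER: payload stayed in the body
    print(recipients(build_field_in_header(form)))  # OWNER, victim and the bcc target
    print(subject(build_field_in_header(form)))     # the attacker's subject won
    print(looks_like_header_injection(form))        # True
```

The body-only builder reproduces the situation in the post: the injected headers sit below the first blank line, so the parser (and an MTA) treats them as text. The header builder shows the same payload taking over Subject, adding a To and a Bcc, which is why the fix belongs on the fields that reach headers, not on scanning the body for header-like strings.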
