Re: [PHP] Be careful! Look at what this spammer did.
On Mon, August 15, 2005 4:57 pm, Dotan Cohen wrote:
> I have a form that my visitors can email me from. Some jerk is trying to
> fool the mail() function into sending his spam, and I got this today:

Put a CAPTCHA on the form.

The jerk is probably not actually using your form, but a script that walks the net looking for forms that have name=xyz where xyz is something that looks like a contact form or the URL has contact in it or...

Anyway, if CAPTCHA doesn't do it, you can also put in a throttle to only accept N posts from IP a.b.c.d within X hours.

Not completely foolproof, but what spammer will bother to change his IP address to send out junk when there are so many open relays and wide-open email forms out there?

And, yeah, if more than N people who work at Big Company try to post within X hours, you'll lock them out, but how likely is that?

--
Like Music?
http://l-i-e.com/artists.htm

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Be careful! Look at what this spammer did.
On 8/18/05, Richard Lynch [EMAIL PROTECTED] wrote:
> On Mon, August 15, 2005 4:57 pm, Dotan Cohen wrote:
> > I have a form that my visitors can email me from. Some jerk is trying to
> > fool the mail() function into sending his spam, and I got this today:
>
> Put a CAPTCHA on the form.
>
> The jerk is probably not actually using your form, but a script that walks
> the net looking for forms that have name=xyz where xyz is something that
> looks like a contact form or the URL has contact in it or...
>
> Anyway, if CAPTCHA doesn't do it, you can also put in a throttle to only
> accept N posts from IP a.b.c.d within X hours.
>
> Not completely foolproof, but what spammer will bother to change his IP
> address to send out junk when there are so many open relays and wide-open
> email forms out there?
>
> And, yeah, if more than N people who work at Big Company try to post
> within X hours, you'll lock them out, but how likely is that?
>
> Like Music?
> http://l-i-e.com/artists.htm

I don't really like CAPTCHAs. I'm filtering the content now, which is in my opinion better anyway. In my university one of the computer science projects (for an assignment!) is to break CAPTCHAs. Jpg -> bmp, and once it's a bmp the white noise and lines can be removed (think Photoshop filters), then OCR software extracts the words. It even works on squiggly text with the right fonts installed in the OCR. Not 100%, but it is easier for the computer to decipher than for a handicapped person, or a text browser. And I don't want to lock those out.

Dotan
http://lyricslist.com/lyrics/artist_albums/137/crosby_stills_and_nash.php
Crosby, Stills And Nash Song Lyrics
Re: [PHP] Be careful! Look at what this spammer did.
My website form also appeared to get hacked (I'm using that term very loosely), although I have no idea if anything actually got hacked. It definitely seems like an automated script that crawls the net probing every form. It triggered a bunch of emails to me but nothing that I wouldn't have got from someone filling in the form normally, so I can't see what damage it has done. Perhaps (this is a GUESS) it has emailed the spammer useful information, but I don't know how I could possibly tell if that has happened.

This is an example of one of the emails I got sent (a simple details collecting form) - the interesting bit is in the Job Title field:

==
Name: [EMAIL PROTECTED]
Email: [EMAIL PROTECTED]
Job Title: [EMAIL PROTECTED]
Content-Type: multipart/mixed; boundary="===1157386915=="
MIME-Version: 1.0
Subject: 90cfd7d5
To: [EMAIL PROTECTED]
bcc: [EMAIL PROTECTED]
From: [EMAIL PROTECTED]

This is a multi-part message in MIME format.

--===1157386915==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

pzkd
--===1157386915==--

Company Name: [EMAIL PROTECTED]
Company Website: [EMAIL PROTECTED]
Telephone: [EMAIL PROTECTED]
Location: [EMAIL PROTECTED]
===

Notice that their hack contains a BCC to [EMAIL PROTECTED]. Perhaps this is an email account set up by the hacker.

Richard Lynch wrote:
> Put a CAPTCHA on the form.
>
> The jerk is probably not actually using your form, but a script that walks
> the net looking for forms that have name=xyz where xyz is something that
> looks like a contact form or the URL has contact in it or...
>
> Anyway, if CAPTCHA doesn't do it, you can also put in a throttle to only
> accept N posts from IP a.b.c.d within X hours.

I don't know what a CAPTCHA is but I'm going to take your second suggestion and make it only accept X form submits from each IP address over Y hours.

Alex
Re: [PHP] Be careful! Look at what this spammer did.
- Original Message -
From: Alex Gemmell [EMAIL PROTECTED]
To: php-general@lists.php.net
Sent: Thursday, August 18, 2005 12:11 PM
Subject: Re: [PHP] Be careful! Look at what this spammer did.

> Notice that their hack contains a BCC to [EMAIL PROTECTED]. Perhaps this is
> an email account set up by the hacker.

Sorry, I'm a bit in the dark here. How did they manage to fill in bcc? You mean that someone can spam from your site by bcc'ing messages to other mail accounts?
Re: [PHP] Be careful! Look at what this spammer did.
On 8/18/05, Alex Gemmell [EMAIL PROTECTED] wrote:
> My website form also appeared to get hacked (I'm using that term very
> loosely), although I have no idea if anything actually got hacked. It
> definitely seems like an automated script that crawls the net probing every
> form. It triggered a bunch of emails to me but nothing that I wouldn't have
> got from someone filling in the form normally so I can't see what damage it
> has done. Perhaps (this is a GUESS) it has emailed the spammer useful
> information but I don't know how I could possibly tell if that has happened.
>
> This is an example of one of the emails I got sent (a simple details
> collecting form) - the interesting bit is in the Job Title field:
>
> ==
> Name: [EMAIL PROTECTED]
> Email: [EMAIL PROTECTED]
> Job Title: [EMAIL PROTECTED]
> Content-Type: multipart/mixed; boundary="===1157386915=="
> MIME-Version: 1.0
> Subject: 90cfd7d5
> To: [EMAIL PROTECTED]
> bcc: [EMAIL PROTECTED]
> From: [EMAIL PROTECTED]
>
> This is a multi-part message in MIME format.
>
> --===1157386915==
> Content-Type: text/plain; charset="us-ascii"
> MIME-Version: 1.0
> Content-Transfer-Encoding: 7bit
>
> pzkd
> --===1157386915==--
>
> Company Name: [EMAIL PROTECTED]
> Company Website: [EMAIL PROTECTED]
> Telephone: [EMAIL PROTECTED]
> Location: [EMAIL PROTECTED]
> ===
>
> Notice that their hack contains a BCC to [EMAIL PROTECTED]. Perhaps this is
> an email account set up by the hacker.
>
> Richard Lynch wrote:
> > Put a CAPTCHA on the form.
> >
> > The jerk is probably not actually using your form, but a script that walks
> > the net looking for forms that have name=xyz where xyz is something that
> > looks like a contact form or the URL has contact in it or...
> >
> > Anyway, if CAPTCHA doesn't do it, you can also put in a throttle to only
> > accept N posts from IP a.b.c.d within X hours.
>
> I don't know what a CAPTCHA is but I'm going to take your second suggestion
> and make it only accept X form submits from each IP address over Y hours.
>
> Alex

It looks like you got hit with the same thing that I did. Are you recording IP addresses?

Dotan
http://www.lyricslist.com/lyrics/artist_albums/510/wilde_kim.php
Wilde, Kim song lyrics
Re: [PHP] Be careful! Look at what this spammer did.
- Original Message -
From: Cilliè [EMAIL PROTECTED]
To: php-general@lists.php.net
Sent: Thursday, August 18, 2005 12:42 PM
Subject: Re: [PHP] Be careful! Look at what this spammer did.

> - Original Message -
> From: Alex Gemmell [EMAIL PROTECTED]
> To: php-general@lists.php.net
> Sent: Thursday, August 18, 2005 12:11 PM
> Subject: Re: [PHP] Be careful! Look at what this spammer did.
>
> > Notice that their hack contains a BCC to [EMAIL PROTECTED]. Perhaps this
> > is an email account set up by the hacker.
>
> Sorry, I'm a bit in the dark here. How did they manage to fill in bcc? You
> mean that someone can spam from your site by bcc'ing messages to other mail
> accounts?

Whoops! Got a bit carried away there. Sorry. But wouldn't a simple check on the length of the job title field, or a regex or something, be able to prevent this as well? Come to think of it, simply replacing all @'s with "at" will also solve the problem...
Re: [PHP] Be careful! Look at what this spammer did.
On 8/18/05, Cilliè [EMAIL PROTECTED] wrote:
> Sorry, I'm a bit in the dark here. How did they manage to fill in bcc? You
> mean that someone can spam from your site by bcc'ing messages to other mail
> accounts?

They are spoofing headers, so that the mailing agent thinks that there are two emails instead of one.

Dotan
http://lyricslist.com/lyrics/artist_albums/139/crow_sheryl.php
Crow, Sheryl Song Lyrics
Re: [PHP] Be careful! Look at what this spammer did.
Cilliè wrote:
> - Original Message -
> From: Alex Gemmell [EMAIL PROTECTED]
> To: php-general@lists.php.net
> Sent: Thursday, August 18, 2005 12:11 PM
> Subject: Re: [PHP] Be careful! Look at what this spammer did.
>
> > Notice that their hack contains a BCC to [EMAIL PROTECTED]. Perhaps this
> > is an email account set up by the hacker.
>
> Sorry, I'm a bit in the dark here. How did they manage to fill in bcc? You
> mean that someone can spam from your site by bcc'ing messages to other mail
> accounts?

If you look at the code they inserted into my form it's all email headers. One of the headers is a BCC field. I don't actually think it worked (well, I hope it didn't) but you can see the hacker _intended_ to BCC the email to that AOL address.

Come to think of it, the AOL address is probably not the hacker's email address but some poor sod who would have received a spam email supposedly from my domain.

Alex
Re: [PHP] Be careful! Look at what this spammer did.
Dotan Cohen wrote:
> It looks like you got hit with the same thing that I did. Are you
> recording IP addresses?

Yep - the bunch of emails all came from the same IP address: 62.245.167.6

There was no browser/user agent given, so it's clearly some sort of spider/net trawling software.
Re: [PHP] Be careful! Look at what this spammer did.
On 8/18/05, Cilliè [EMAIL PROTECTED] wrote:
> > > Notice that their hack contains a BCC to [EMAIL PROTECTED]. Perhaps
> > > this is an email account set up by the hacker.
> >
> > Sorry, I'm a bit in the dark here. How did they manage to fill in bcc?
> > You mean that someone can spam from your site by bcc'ing messages to
> > other mail accounts?
>
> Whoops! Got a bit carried away there. Sorry. But wouldn't a simple check on
> the length of the job title field, or a regex or something, be able to
> prevent this as well? Come to think of it, simply replacing all @'s with
> "at" will also solve the problem...

Yes, that should be enough. Actually, I am not _sure_ that his trick is succeeding in every case. But I think that it was in mine, because as soon as I started blocking, I got a nasty email.

Go put a regex in your forms!

Dotan
http://lyricslist.com/lyrics/artist_albums/139/crow_sheryl.php
Sheryl Crow
Re: [PHP] Be careful! Look at what this spammer did.
Ironically, on AOL all of my EMAIL accounts were spammed with "test" (subject message) emails... approximately 10 a day for about 5 days in a row, all of which had different account names but the same messages. So, I have a feeling these are all connected with the hacked forms everyone's experiencing...

- Clint
Re: [PHP] Be careful! Look at what this spammer did. (Thank you)
Hey,

Funny, I was following this thread and suddenly I got a few emails that were almost exactly in the same format...

Anyway, I just want to send a thank you to whoever had the bright idea of replacing the @ with something else. It's a quick and easy method and should solve that problem (in tests it works great... I used a str_replace as I am not too good with RegExs).

Cheers,
Ryan
Re: [PHP] Be careful! Look at what this spammer did.
Can you explain exactly what he tried to do. I should probably be able to figure this out, but I'm not feeling too well today. He modded his message to put different email addresses into the message field using MIME headers?

On 8/16/05, Dotan Cohen [EMAIL PROTECTED] wrote:
> I have a form that my visitors can email me from. Some jerk is trying to
> fool the mail() function into sending his spam, and I got this today:
>
> start asshole code
> [EMAIL PROTECTED]
> Content-Type: multipart/mixed; boundary="===0110030565=="
> MIME-Version: 1.0
> Subject: 7510b460
> To: [EMAIL PROTECTED]
> bcc: [EMAIL PROTECTED]
> From: [EMAIL PROTECTED]
>
> This is a multi-part message in MIME format.
>
> --===0110030565==
> Content-Type: text/plain; charset="us-ascii"
> MIME-Version: 1.0
> Content-Transfer-Encoding: 7bit
>
> blrt
> --===0110030565==--
> /start asshole code
>
> I just updated the code to stop this. I think that if anybody else has a
> form that goes to the mail() function, they should learn from this email
> and put up some code to block it.
>
> Dotan Cohen
> http://lyricslist.com/lyrics/artist_albums/367/n_sync.php
> N Sync Song Lyrics
Re: [PHP] Be careful! Look at what this spammer did.
On 8/17/05, Rory Browne [EMAIL PROTECTED] wrote:
> Can you explain exactly what he tried to do. I should probably be able to
> figure this out, but I'm not feeling too well today. He modded his message
> to put different email addresses into the message field using MIME headers?

I'll reply soon off list, as I don't think it appropriate to give potential spammers an archive full of new tricks.

Dotan Cohen
http://lyricslist.com/lyrics/artist_albums/373/newton-john_olivia.php
Newton-John, Olivia Song Lyrics
Re: [PHP] Be careful! Look at what this spammer did.
> I'll reply soon off list, as I don't think it appropriate to give potential
> spammers an archive full of new tricks.

I don't know -- I think it's always better to discuss this in the open if there is a real security risk that people should be aware of.

A couple days after your posting to PHP-General, I saw the same kind of probe on my system:

begin clueless code
Content-Type: multipart/mixed; boundary="===0493326424=="
MIME-Version: 1.0
Subject: c3b8e7fc
To: [EMAIL PROTECTED]
bcc: [EMAIL PROTECTED]
From: [EMAIL PROTECTED]

This is a multi-part message in MIME format.

--===0493326424==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

awhvtr
--===0493326424==--
/end clueless code

This was submitted through a simple web contact form with message, subject, and body form fields. The hakor submitted the above as the body of the message 3-4 times, then seemed to give up (although he did send a few obnoxious threats).

I don't believe this did anything because
1) I never got a bounce message from the made-up address he attempted to send to ([EMAIL PROTECTED])
2) I believe that since the mail function already sent out the headers, any subsequent headers would just be ignored. Or they would be treated as text since they occurred in the message portion and not parsed literally.

Not sure that there is any risk here, but I'm shrouding my contact script (changing the form variables and script name to something less obvious) just in case.

- Greg
Re: [PHP] Be careful! Look at what this spammer did.
Greg Schnippel wrote:
> > I'll reply soon off list, as I don't think it appropriate to give
> > potential spammers an archive full of new tricks.
>
> I don't know -- I think it's always better to discuss this in the open if
> there is a real security risk that people should be aware of.

I tend to agree on things like this. If it's a generic problem then I think it does everyone some good to discuss it in the open. Although I can see the point of not discussing specific problems with specific applications, at least not until a fix is in and notices have been sent out. Then I think it falls back to the "it does everyone some good to have it in the open" scenario. I learn a lot from my mistakes, but I also learn from others' mistakes too, if I'm given the chance.

> 2) I believe that since the mail function already sent out the headers,
> any subsequent headers would just be ignored. Or they would be treated as
> text since they occurred in the message portion and not parsed literally.

I was wondering the same thing. That it would just send the message and the MTAs would ignore any other addresses listed in the actual message text.

> Not sure that there is any risk here, but I'm shrouding my contact script
> (changing the form variables and script name to something less obvious)
> just in case.
>
> - Greg

I think I'm just going to generate some random number to submit to the processor and if it's not there then ignore it.
Re: [PHP] Be careful! Look at what this spammer did.
On 8/17/05, Greg Schnippel [EMAIL PROTECTED] wrote:
> > I'll reply soon off list, as I don't think it appropriate to give
> > potential spammers an archive full of new tricks.
>
> I don't know -- I think it's always better to discuss this in the open if
> there is a real security risk that people should be aware of.
>
> A couple days after your posting to PHP-General, I saw the same kind of
> probe on my system:
>
> begin clueless code
> Content-Type: multipart/mixed; boundary="===0493326424=="
> MIME-Version: 1.0
> Subject: c3b8e7fc
> To: [EMAIL PROTECTED]
> bcc: [EMAIL PROTECTED]
> From: [EMAIL PROTECTED]
>
> This is a multi-part message in MIME format.
>
> --===0493326424==
> Content-Type: text/plain; charset="us-ascii"
> MIME-Version: 1.0
> Content-Transfer-Encoding: 7bit
>
> awhvtr
> --===0493326424==--
> /end clueless code
>
> This was submitted through a simple web contact form with message,
> subject, and body form fields. The hakor submitted the above as the body
> of the message 3-4 times, then seemed to give up (although he did send a
> few obnoxious threats).
>
> I don't believe this did anything because
> 1) I never got a bounce message from the made-up address he attempted to
> send to ([EMAIL PROTECTED])
> 2) I believe that since the mail function already sent out the headers,
> any subsequent headers would just be ignored. Or they would be treated as
> text since they occurred in the message portion and not parsed literally.
>
> Not sure that there is any risk here, but I'm shrouding my contact script
> (changing the form variables and script name to something less obvious)
> just in case.
>
> - Greg

I believe that sendmail would send the two emails. How could it know that the headers are not part of a new message? I haven't tested it yet, but to be on the safe side I put up some filters that check for certain content in the form. If the content is there, then nothing gets sent to mail().

Just a little while ago the spammer sent me a message with the form, regarding his opinion of myself, my mother, a horse, and a dead man. His IP was 80.172.48.102

Dotan Cohen
http://lyricslist.com/lyrics/artist_albums/332/mccartney_paul.php
McCartney, Paul Song Lyrics
Re: [PHP] Be careful! Look at what this spammer did.
> I believe that sendmail would send the two emails. How could it know that
> the headers are not part of a new message? I haven't tested it yet, but to
> be on the safe side I put up some filters that check for certain content
> in the form. If the content is there, then nothing gets sent to mail().
>
> Just a little while ago the spammer sent me a message with the form,
> regarding his opinion of myself, my mother, a horse, and a dead man. His
> IP was 80.172.48.102
>
> Dotan Cohen
> http://lyricslist.com/lyrics/artist_albums/332/mccartney_paul.php
> McCartney, Paul Song Lyrics

I just tried it on my hosted account and only got the one email that I was supposed to get. Maybe there's an old sendmail exploit that would send the second mail?
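The checks proposed earlier in the thread (a length check and a regex on any field that ends up in the header block, and the observation that header-looking text in the message body is just text to the MTA) put together in one contact-form handler, as an added example that is not code from anyone in this thread. The function names, the $send stand-in for mail(), and the sample addresses are assumptions made for the example.

```php
<?php
// Added example, not code from anyone in this thread. A defensive wrapper
// around mail(): fields that end up in the header block (From, Subject)
// must be single-line and bounded, because mail() ends the header block at
// the first blank line and a CR/LF inside a header value lets the submitter
// append headers of their own, such as the "bcc:" seen in the probes above.
// The free-text message goes in the body, after the header block, where a
// pasted "Content-Type:" or "bcc:" line is only text to the MTA.

/** True when a single-line header value carries a line break or a header. */
function looks_like_header_injection(string $value): bool
{
    if (preg_match('/[\r\n\0]/', $value) === 1) {
        return true;
    }
    // Header names used by the probes quoted in this thread.
    $header = '/^\s*(bcc|cc|to|from|subject|content-type|mime-version)\s*:/i';
    return preg_match($header, $value) === 1;
}

/**
 * Validate a contact-form submission and hand it to $send (mail() unless a
 * stand-in callable is given, as in the offline demo below).
 * $to is fixed by the site and never taken from the request.
 * Returns [bool ok, string reason].
 */
function send_contact_mail(array $post, string $to, ?callable $send = null,
                           int $max_len = 200): array
{
    $send = $send ?? 'mail';
    $from = trim($post['email'] ?? '');
    $subj = trim($post['subject'] ?? '');
    $body = (string) ($post['message'] ?? '');

    // Length check plus injection check on everything bound for a header.
    foreach (['email' => $from, 'subject' => $subj] as $field => $value) {
        if (strlen($value) > $max_len) {
            return [false, "$field too long"];
        }
        if (looks_like_header_injection($value)) {
            return [false, "$field rejected: header injection attempt"];
        }
    }
    // The From value must be exactly one well-formed address.
    if (filter_var($from, FILTER_VALIDATE_EMAIL) === false) {
        return [false, 'email is not a valid address'];
    }

    $body    = str_replace(["\r\n", "\r"], "\n", $body); // sendmail-friendly
    $headers = "From: $from\r\nReply-To: $from";
    $ok      = (bool) $send($to, $subj, $body, $headers);
    return [$ok, $ok ? 'sent' : 'send failed'];
}

// Constructed probe modelled on the ones quoted in the thread (addresses are
// placeholders). In the subject it is rejected; the same text in the message
// field is accepted because it can only ever reach the body.
$probe = "x\r\nContent-Type: multipart/mixed; boundary=\"===0110030565==\"\r\n"
       . "bcc: spam-target@example.invalid\r\n\r\nblrt";
$recorder = function (string $to, string $subj, string $body, string $hdrs): bool {
    echo "would send to $to with headers:\n$hdrs\n";
    return true;
};
foreach (['subject' => $probe, 'message' => $probe] as $field => $value) {
    $post = ['email' => 'visitor@example.com', 'subject' => 'hi', 'message' => 'hi'];
    $post[$field] = $value;
    list($ok, $why) = send_contact_mail($post, 'me@example.com', $recorder);
    echo "probe in $field: " . ($ok ? "sent\n" : "blocked ($why)\n");
}
```

Pass no $send argument in production so the validated values go to the real mail(); the throttle per IP that Richard Lynch suggested is a separate layer in front of this handler.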
Re: [PHP] Be careful! Look at what this spammer did.
In a message dated 8/17/2005 1:17:54 P.M. Central Standard Time, [EMAIL PROTECTED] writes:
> I tend to agree on things like this. If it's a generic problem then I
> think it does everyone some good to discuss it in the open. Although I can
> see the point of not discussing specific problems with specific
> applications, at least not until a fix is in and notices have been sent
> out. Then I think it falls back to the "it does everyone some good to have
> it in the open" scenario. I learn a lot from my mistakes, but I also learn
> from others' mistakes too, if I'm given the chance.

I agree as well... I was just reading about the whole thing at the Black Hat convention in Vegas, what some were jokingly calling "Ciscogate". These problems should definitely be discussed out in the open so people can know about the problem - not just 'developers of the product'.

- Clint
[PHP] Be careful! Look at what this spammer did.
I have a form that my visitors can email me from. Some jerk is trying to fool the mail() function into sending his spam, and I got this today:

start asshole code
[EMAIL PROTECTED]
Content-Type: multipart/mixed; boundary="===0110030565=="
MIME-Version: 1.0
Subject: 7510b460
To: [EMAIL PROTECTED]
bcc: [EMAIL PROTECTED]
From: [EMAIL PROTECTED]

This is a multi-part message in MIME format.

--===0110030565==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

blrt
--===0110030565==--
/start asshole code

I just updated the code to stop this. I think that if anybody else has a form that goes to the mail() function, they should learn from this email and put up some code to block it.

Dotan Cohen
http://lyricslist.com/lyrics/artist_albums/367/n_sync.php
N Sync Song Lyrics
Re: [PHP] Be careful! Look at what this spammer did.
Yeah, I had this happen to me a while back... glad some of the biggest have been caught lately =)

- Original Message -
> I have a form that my visitors can email me from. Some jerk is trying to
> fool the mail() function into sending his spam, and I got this today:
>
> start asshole code
> [EMAIL PROTECTED]
> Content-Type: multipart/mixed; boundary="===0110030565=="
> MIME-Version: 1.0
> Subject: 7510b460
> To: [EMAIL PROTECTED]
> bcc: [EMAIL PROTECTED]
> From: [EMAIL PROTECTED]
>
> This is a multi-part message in MIME format.
>
> --===0110030565==
> Content-Type: text/plain; charset="us-ascii"
> MIME-Version: 1.0
> Content-Transfer-Encoding: 7bit
>
> blrt
> --===0110030565==--
> /start asshole code