For some reason I didn't see the original mail on this, but it sounds like you got a submission through one of your web forms with email headers in the body of the email.
Looks like a fairly common practice to try to use a form which submits by email for spamming. It's in the hope that the script which takes the input and sends the email will not check its input and just pass the contents of the 'email body' field straight to a mailer.

When sending mails via SMTP, the current mail you are sending can be terminated with a dot on a line by itself... the mail server then sends that first mail, and waits for you to give it another mail (or close the connection).

So, if this attack works, it goes like this: Your script passes the proper headers etc of the first mail to the server, along with the email body from the textarea on the form (or whatever). The text being passed from the form contains a dot on a line by itself, the server sees that and accepts it as the end of the first mail being sent. If the text being submitted now contains email headers, the mail server will send the second email.

So, if your script was susceptible to this attack, I could submit something like:

     .
    MAIL FROM: <[EMAIL PROTECTED]>
    RCPT TO: <[EMAIL PROTECTED]>
    DATA
    To: [EMAIL PROTECTED]
    From: Bill Gates <[EMAIL PROTECTED]>
    Subject: my evil spam mail

    This is an evil spam mail sent using somebody's broken form handling script

- the above would cause the server to send that email :)

The good news is, since you're seeing the extra headers etc in a mail sent to you, the attack did not work on your server, the script (or whatever your script uses to send mails) correctly deals with a . on its own line in the email, removing or escaping it as necessary.

Note, in my example above I put a space before the dot just in case, although I shouldn't need to. For this attack to work, you'd do it without the space.
Hope that clarifies it a bit :)

Cheers
Dave P
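Added example (not part of the mail above, and not any list member's code): a Python sketch of the dot-stuffing rule from RFC 5321 section 4.5.2 that a mailer applies to the text it sends after DATA, with a toy receiver that shows where the message ends with and without it. The form text, addresses and function names are constructed for illustration.

```python
import re

# Constructed form submission: a lone "." followed by SMTP commands.
FORM_BODY = ("Hi there\n.\nMAIL FROM:<a@example.com>\n"
             "RCPT TO:<b@example.com>\nDATA\nSubject: x\n\nsecond mail")

def normalize_crlf(text):
    """Turn bare CR or LF into CRLF so every line break is seen as one."""
    return re.sub(r"\r\n|\r|\n", "\r\n", text)

def dot_stuff(body):
    """Sender side: prefix an extra '.' to any line that starts with '.'."""
    lines = normalize_crlf(body).split("\r\n")
    return "\r\n".join("." + ln if ln.startswith(".") else ln for ln in lines)

def data_payload(body, stuff=True):
    """Text sent after the DATA command, closed by the real <CRLF>.<CRLF>."""
    text = dot_stuff(body) if stuff else normalize_crlf(body)
    return text + "\r\n.\r\n"

def server_split(payload):
    """Toy receiver: cut at the first lone dot, undo stuffing, and return
    (message, leftover); leftover is what would be read as new commands."""
    head, _, rest = ("\r\n" + payload).partition("\r\n.\r\n")
    lines = head[2:].split("\r\n")
    message = "\r\n".join(ln[1:] if ln.startswith(".") else ln for ln in lines)
    return message, rest

if __name__ == "__main__":
    for stuff in (False, True):
        msg, leftover = server_split(data_payload(FORM_BODY, stuff))
        print(f"stuffed={stuff}: message={msg!r} leftover={leftover!r}")
```

With stuffing on, the whole submission arrives as one message body and nothing is left over for the server to read as commands, which matches what the recipient of the form mail saw.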
