Strange info getting posted :-(

Kold

Hey!

I think I'm safe in putting this here, it isnt really PHP related...

I have a form which posts to a PHP script, which then adds to the database. I looked today and there are loads of entries with email addresses in the fields - even hidden form fields.

The email addresses all appear to be a random string, with my domain on the end.

Every so often, insteasd of an email address, there is something like this; (I'm not sure who bergcoch8@aol is :queasy: The red [MY_DOMAIN] is replacing the actual address of the website I am working on.);

[email]rqk@[MY_DOMAIN].com[/email] Content-Type: multipart/mixed; boundary="===============1593073753==" MIME-Version: 1.0 Subject: 7856c9ed To: [email]rqk@[MY_DOMAIN].com[/email] bcc: bergkoch8@aol.com From: [email]rqk@[MY_DOMAIN].com[/email] This is a multi-part message in MIME forma...

Email headers posted in a form 😕

This has never happened before, it reminded me of a spam bot that filled a form on another site I administered with URL's. This one however doesnt seem to have a purpose. :xbones:

Can anyone shed some light onto what may have caused this, and why?
Thanks!
K.

justsomeone

Can you confirm that these database entries have come through your new script?

Can you search your apache logs for suspicious activity patterns around that script? Can you see where these oddball entries are coming from?

Is your form intended to send a mail, maybe a "Thank you for your submission" mail? Or does it look like a script that would? If so, someone maybe attempting to inject their mail into your form so that you end up sending their spam on their behalf...

Kold

I dont have the apache logs, but I do have some sort of access logs;

The IP (201.147.199.205) made 27 requests, all to the submission script, using POST, over 3 minutes. There was no browser/user agent.

There is a 'thank you' thing, and the script does send out emails, but I dont see how you could that. I would like to be able to see the data that they posted, but I dont suppose this gets stored anywhere?

The best thing I can think of at the moment is limit the number of submissions in a certain time period.

Thanks for your reply.
K.

justsomeone

This looks very much like a mail injection attack.

I don't know what your form prompts for, but let's imagine that it prompts for a recipent's email address. If your visitor types in "me@mydomain.com" your code ultimately triggers the following input to your sendmail program:

RCPT TO: me@mydomain.com

Which is fine, this tells sendmail that the mail recipient is as you expect.

But what if they type in (or otherwise send to your form) a value of "me@mydomain.com\nSomething else"? What might happen is that your code might pass that whole string on to your sendmail. That would mean that the following ends up being sent to sendmail:

RCPT TO: me@mydomain.com
Something else

The "Something else" bit is now interpreted by sendmail and rejected as invalid.
But what if "Something else" was replaced by some commands which sendmail would happily process?

RCPT TO: joe@schmoe.com
DATA
Buy some fake viagra and fake rolexes from www.hfhfhfhfhfhfhfhf.com
.

Now your mail program has unwittingly sent out some spam to poor old joe@schmoe.com

Ok, so this is a simple example, but you get the point. A scripted atatck can stuff mail headers into your form handler, which might in turn pass them on to your sendmail program, unless you are smart enough to filter out the rubbish.

What values does your form accept. A safe system will always attempt to ensure that only expected inputs are allowed through. In this case a regular expression check could have been used to ensure that the incoming email address didn't have anything weird in it. You can find tons of useful examples of ways to validate email addresses if you look around.

If your form allows a free text area for your visitor to enter a message, that could be slightly harder to block, but you could always reject any input that has known suspicious-looking strings in it. For example, would any legitimate user try to send a message containing the text "Content-Type: multipart/mixed"?

Can you check your mail logs? Did this attack succeed? Did you actually send spam?

justsomeone

Kold wrote:
I would like to be able to see the data that they posted, but I dont suppose this gets stored anywhere?

Nope. POST values aren't stored in apache logs. Unless your application creates its own logs, you've probably lost them.

Kold

Wow - I had never thought about the posibilities of mail injection - I didnt know it existed lol.

I doubt this attack would have been sucessfull as data is written to the database first, then emails sent out via a different script (the reason for the cropped header).

It has just occurred to me that the form has arround 27 fields, it is likely (I cant check at the moment) that a different field contained the headers each time (in each record, only 1 of the fields ever contained the headers).

From this, would it be feasible that bergkoch8@aol.com is an address set up to receive emails and find out wether the script is a candidate for spam use (along with which fields to exploit)?

Scary Stuff!
Thanks for your help!!
K.

justsomeone

Kold wrote:
From this, would it be feasible that bergkoch8@aol.com is an address set up to receive emails and find out wether the script is a candidate for spam use (along with which fields to exploit)?

I'd say that's a reasonable conclusion.

If you were that sort of person, you could presumably write an app which would do a web search (via Google or whatever) for likely looking forms. Then, taking each form in turn, it would try various combinations of injections into different fields, sending the results to a known address. The known address could then be polled manually or automatically to see what got through.

Charming, eh?

Kold

Yes, it's amazing how easy it is to be a complete PITA if you ever wanted to be, with a little programming know-how, and a bit of imagination...

Google shows a number of attacks; http://www.google.co.uk/search?q=bergkoch8 Lots of results, mainly shout boxes (as they display entries).

With a bit of refinned searching I ended up here; http://www.anders.com/cms/75/Crack.Attempt/Spam.Relay - Just what you said, with the same conclusion.

Thank you very much for the info, and giving me more to think about for future scripts!
K.

justsomeone

Glad to be of help.

chinto

A site I administer was attacked by the same people using a BCC to bergkoch8@aol.com. After doing some searching online I was quick to find out I wasnt the only one. Quite the pain in the rear. I found some fixes in PHP to stripslashes etc. But Im not sure that will stop the spam pouring into my mailbox due to the fact that the recipient is hardcoded. Anyway, this particular bot uses the syntax of gyberish@yourdomain.com. So I used a little email validater to eliminate the form from submitting.

Basically you require a field to be filled out, in my case I used the contact name field. Then I ran an email validater on it and if it was an email address entered into that field it will not submit the form.

Example:

if( eregi("^{[a-z0-9]+([\.-][a-z0-9]+)".} "@([a-z0-9]+([.-][a-z0-9]+))$",$POST[ContactName])) {
echo "Error: This message has been flagged as a possible mail injection attack." ;
exit;
}

Bye bye spam attack. It might not work across the board on all attacks but stops this one dead in its tracks.

justsomeone

Interesting insights.

Just one thought, though. Why tell the spammer that you've caught him? Once you display an error like the above, it lets him know that you're onto him, and helps him work out how your defenses work. Never give out any more info than you have to.

Kold

Rather than show that you've found them out - redirect them to another page with lots and lots of fields (which send to a basic "thanks" page). A link can be placed to a similar page (the same page that is able to move itself to copy itself to a new location (deleting the old one first) just so the URL changes slightly in case it logs pages its been to.

Assuming you dont have to pay anything for bandwidth, it should keep the script busy for a little while 🙂

I tried this once with random email addresses being generated, and links to other similar pages in the 'network' we made up. You need patience though, after about a week I got fed up with leaving my PC turned on, with no hits at all. lol. 😃