Exploiting mail() Forms

timbr8ks

Okay, gang, I've pulled out almost all my hair, so I need some help.

I have several sites with very normal looking contact us forms on them. Fill them out, and the content is mailed to the Web site owner using the mail() function. In recent months, however, these forms have been exploited. It is unclear if they are being used to send SPAM or if this only is the intent, but I occasionally will get three or four contact forms in a row that clearly are being hit by some script.

These emails came across with some fields blank. So I required all fields.

The emails had random characters typed in, so I required that the email address be authentic. The emails send a reply to the person completing the form. The reply comes from my address. However, now I'm getting the replies with my address in the TO address and the FROM address.

So, I started getting the IP Address of the sender, requiring it, and putting that at the bottom of the emails. I try it, and it works. When these SPAMMING scripts hit it, the email that comes to me has MY EMAIL ADDRESS where the IP address is supposed to be.

All of my headers end with \r\n. And yet I'm still getting these scripted replies. I changed the file names in case they were coded in some place, and I even took the contact us form off the menu, leaving it as a link inside one page. No luck. They're still coming.

My code that prepares and sends the mail is below. Anyone have any suggestions?

	if (@$_POST['emailAddress']) {
		if(eregi("^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$", $_POST['emailAddress'])) {
			$emailto2 = $_POST['emailAddress'];
			$subject2 = "Thank you for contacting Us";
			$headers="From: [my email address] \r\n";
			$headers.="Return-Path: [my email address]" . "\r\n";
			$message2 = "Blah blah blah blah ...


$_POST[ip]";

		mail($emailto2, $subject2, $message2, $headers);
	}
}

Diveloperz

I don't think IP tracking is a good solution. How would you deal with proxies?

_theworks

You need to validate the form before you send it in the mail.

ie :


if (strlen(trim($_POST['msg'])) != "" ) {

 $msg = strip_tags(trim($_POST['msg']));

}else {
echo 'Not a valid post!';
}

Your prolly guna want to do a bit more 'Extensive' validation than that though.

MarkR

The spammers exploit scripts which allow them to customise the "From", "Subject" or other headers.

They do this by injecting newlines into the fields when posting them. This isn't possible from a normal browser (assuming it's not a textarea).

The fix is to ensure that in your global mail function (you ARE using one, aren't you?) you never allow newlines in the to, from, or subject, and never allow newlines to be injected into any other headers.

Provided they can't inject stuff into the headers, you're totally safe. What they put in the body is not really a problem.

Spammers won't want to spam people with stock messages from your site, so providing anything which is sent to the user contains only stock content, that's fine too.

The problem I've found is things like oscommerce putting the spammer's provided email address in the "To:" field. Not only does this break SPF mail sender authentication, but it also doesn't check for newlines, so it can be used to send spam.

Mark

timbr8ks

Okay, I confess that I don't know what this means:

"The fix is to ensure that in your global mail function (you ARE using one, aren't you?) you never allow newlines in the to, from, or subject, and never allow newlines to be injected into any other headers."

How does one disallow new lines?

rincewind456

Take a look at this link it came up in a post I saw a few days ago, haven't tried it yet as I haven't had the need. http://www.anders.com/projects/sysadmin/formPostHijacking/

dalecosp

timbr8ks wrote:
Okay, I confess that I don't know what this means:

"The fix is to ensure that in your global mail function (you ARE using one, aren't you?) you never allow newlines in the to, from, or subject, and never allow newlines to be injected into any other headers."

How does one disallow new lines?

Quid pro quo #1: I haven't looked at your code, above.

What he means is m/l this: you shouldn't be calling mail() directly. You should have your own user-defined function for sending mail. It should accept the needed parameters, check that the data is valid, disallow or remove newlines, etc., and then piece together the mail message and call mail() itself once everything is nice and clean.

As for disallowing newlines, probably you'd just have a call to something like stristr() (or ereg or preg_match) in your mail function. If you find "\n" in a header field, your function returns FALSE and no mail is sent. Spammers won't like that.... 😉

SupermanInNY

Hi Y'all,

I've been hit with the spammers attacking my server again and again.
Through the logs I found they access the contactus.php page directly.
Changing the name of the file at least stopped them cold as they use old results for the name of the file with the mail() function.
But, that is only a band-aid.

Looking into the suggested solution, I saw there was a small script that 'cleans' the headers.
Please note, that I'm using Hebrew.
Also, please note that I'm a semi-newbie, so I may added garbage into the plain text for the mail function.

/* To send HTML mail, you can set the Content-type header. */
$headers  = "MIME-Version: 1.0\r\n";
$headers .= "Content-type: text/html; charset=windows-1255\r\n";

/* additional headers */


$headers .= "To: $username <$email>\r\n";
$headers .= "From: Oldael <oldcars@somemaili.com>\r\n";
$headers .= "Cc: \r\n";
$headers .= "Bcc: [email]y@davidsampel.com[/email]\r\n";


/* ANTI HACK CLEAN UP OF VARIABLES   */

$_POST['email'] = preg_replace("/\r/", "", $_POST['email']);
$_POST['email'] = preg_replace("/\n/", "", $_POST['email']);

$_POST['mailsubject'] = preg_replace("/\r/", "", $_POST['mailsubject']);
$_POST['mailsubject'] = preg_replace("/\n/", "", $_POST['mailsubject']);

$_POST['hebmsg'] = preg_replace("/\r/", "", $_POST['hebmsg']);
$_POST['hebmsg'] = preg_replace("/\n/", "", $_POST['hebmsg']);

$_POST['headers'] = preg_replace("/\r/", "", $_POST['headers']);
$_POST['headers'] = preg_replace("/\n/", "", $_POST['headers']);


mail($email, $mailsubject, $hebmsg, $headers)

Is that what I need to do to 'clean' the headers/variables that go into the mail function?
Thanks for the help.

-Alon.

execute

yep i think you got it.

<?php
foreach($_POST as $key => $val){
 // Execute's anti-mail header spam code (www.designplanet.biz)
 $val = eregi_replace("\r", "", $val);
 $val = eregi_replace("\n", "", $val);
 $$key = $val;
}
?>

MarkR

The above is exceptionally naive, because it also removes legitimate newlines which appear in post data.

For example, when I'm posting this message, I'm sending several newlines legitimately to the site.

I have a request validation function which bans all control characters except \r\n and \t from appearing in any post field anywhere on my site.

I don't remove them, but instead throw an error.

Remember the fail-fast principle: If something is wrong, you should make it blow up quickly and loudly, then, rather than "brushing it under the carpet", it might actually get fixed.

Mark

Weedpacket

Indeed; instead of stripping newlines from every field, innocent or not, they need only be stripped from the stuff that's to be inserted into headers (Better: truncate the alleged header at the first newline character).

izann

How do you truncate at the first line. Is there an example script available?

bradgrafelman

You could also stop them cold I'm sure by implementing a CAPTCHA. 😉