Web Form Spammers / Email Injection Spamming

I'm not much of an expert about web security, and plus I'm a procrastinator,
so when I started getting weird emails from the contact forms of two of my
websites, I was moderately concerned, but I naively let it go on for a few
weeks before getting annoyed enough to do anything about it.

First I got the IP addresses of two of the spamming sites, and set up a
..htaccess file to block them. Not really a good solution, because it's
probably blocking entire ranges of people who'd like to see my websites. But
it did stop the spamming cold from one of the websites.

The other one kept spamming me, so I finally looked it up on the web about
found out something about web form spamming. I didn't know it, but these
spammers were using a weakness in my web form to spam other people. I guess
they infect a server with a virus, probably a Windows Server, and then the
virus accesses my web form and injects email and mime codes into the
response, and since my script sends me a confirmation email, they use that
to cc or bcc to some other hapless victim.

So I put a spam checker function in my php script,

function checkforspammer($str) {
if (eregi("\r",$str) || eregi("\n",$str) || eregi("multipart",$str) ||
eregi("cc:",$str) || eregi("bcc:",$str) ||
eregi("mywebsite.com",$str)){
$str = "spam";
}
return $str;
}

This may be clumsy, someone else might have something more efficient, but
this one works. Also I started getting the IP address of the sender from
$_SERVER['REMOTE_ADDR'], duh! I always wondered why I should do that.
Anyway, so now the spam still gets mailed, but I run everything through
checkforspammer after I store it in my database, but before it gets mailed,
so it's only mailed to me and only the word "spam" is in the mail.

Then I find out who owns the IP address and email them explaining that their
server might be compromised since it's spamming my web form. For now, I'm
also collecting the addresses in my .htaccess file. Eventually I could be
blocking the whole world, I don't want to do that. But I figure the same way
they figured out I was vulnerable, they'll also figure out they are blocked,
and eventually they'll stop spamming, and then I'll unblock them. How will I
know to unblock? Give it a couple of months?

So is there anything more I can do? Anything I should be doing differently?

Dale

Dale wrote:

> I'm not much of an expert about web security, and plus I'm a
> procrastinator, so when I started getting weird emails from the contact
> forms of two of my websites, I was moderately concerned, but I naively let
> it go on for a few weeks before getting annoyed enough to do anything
> about it.
>
> First I got the IP addresses of two of the spamming sites, and set up a
> .htaccess file to block them. Not really a good solution, because it's
> probably blocking entire ranges of people who'd like to see my websites.
> But it did stop the spamming cold from one of the websites.
>
> The other one kept spamming me, so I finally looked it up on the web about
> found out something about web form spamming. I didn't know it, but these
> spammers were using a weakness in my web form to spam other people. I
> guess they infect a server with a virus, probably a Windows Server, and
> then the virus accesses my web form and injects email and mime codes into
> the response, and since my script sends me a confirmation email, they use
> that to cc or bcc to some other hapless victim.
>
> So I put a spam checker function in my php script,
>
> function checkforspammer($str) {
> if (eregi("\r",$str) || eregi("\n",$str) || eregi("multipart",$str) ||
> eregi("cc:",$str) || eregi("bcc:",$str) ||
> eregi("mywebsite.com",$str)){
> $str = "spam";
> }
> return $str;
> }
>
> This may be clumsy, someone else might have something more efficient, but
> this one works. Also I started getting the IP address of the sender from
> $_SERVER['REMOTE_ADDR'], duh! I always wondered why I should do that.
> Anyway, so now the spam still gets mailed, but I run everything through
> checkforspammer after I store it in my database, but before it gets
> mailed, so it's only mailed to me and only the word "spam" is in the mail.
>
> Then I find out who owns the IP address and email them explaining that
> their server might be compromised since it's spamming my web form. For
> now, I'm also collecting the addresses in my .htaccess file. Eventually I
> could be blocking the whole world, I don't want to do that. But I figure
> the same way they figured out I was vulnerable, they'll also figure out
> they are blocked, and eventually they'll stop spamming, and then I'll
> unblock them. How will I know to unblock? Give it a couple of months?
>
> So is there anything more I can do? Anything I should be doing
> differently?


I remember something about this. What php application are you using? Is it
custom made by you?

Im

Imhotep

"Imhotep" <> wrote in message
news:4fidnSgbMJbLlrTeRVn-...
> Dale wrote:
>
> > I'm not much of an expert about web security, and plus I'm a
> > procrastinator, so when I started getting weird emails from the contact
> > forms of two of my websites, I was moderately concerned, but I naively
let
> > it go on for a few weeks before getting annoyed enough to do anything
> > about it.
[...]
>
> I remember something about this. What php application are you using? Is it
> custom made by you?

Yes, I just made a php script that produces a web form contact page. It
stores the interested party's data in a mysql table, and then sends me a
confirmation email. I didn't know it could be hacked but it's pretty easy to
prevent. Here are a couple of links to explanations of what they're doing
and measures to prevent damage.

http://www.nmmm.nu/spam-form.htm
http://www.anders.com/cms/75/Crack.Attempt/Spam.Relay
http://www.anders.com/projects/sysad...PostHijacking/

So far I've collected 5 IP addresses.

12.23.84.11 belongs to AT&T
67.110.225.236 belongs to telecom equipment supplier, XO
212.87.26.66 is the server for the Polish Academy of Sciences Medical
Research Center
209.43.25.154 belongs to ISP/Web Hosting supplier, iQuest
161.53.86.10 is SolarWinds.Net Network Management Tools' "secure" admin
server

Dale

Dale wrote:

> "Imhotep" <> wrote in message
> news:4fidnSgbMJbLlrTeRVn-...
>> Dale wrote:
>>
>> > I'm not much of an expert about web security, and plus I'm a
>> > procrastinator, so when I started getting weird emails from the contact
>> > forms of two of my websites, I was moderately concerned, but I naively
> let
>> > it go on for a few weeks before getting annoyed enough to do anything
>> > about it.
> [...]
>>
>> I remember something about this. What php application are you using? Is
>> it custom made by you?
>
> Yes, I just made a php script that produces a web form contact page. It
> stores the interested party's data in a mysql table, and then sends me a
> confirmation email. I didn't know it could be hacked but it's pretty easy
> to prevent. Here are a couple of links to explanations of what they're
> doing and measures to prevent damage.
>
> http://www.nmmm.nu/spam-form.htm
> http://www.anders.com/cms/75/Crack.Attempt/Spam.Relay
> http://www.anders.com/projects/sysad...PostHijacking/
>
> So far I've collected 5 IP addresses.
>
> 12.23.84.11 belongs to AT&T
> 67.110.225.236 belongs to telecom equipment supplier, XO
> 212.87.26.66 is the server for the Polish Academy of Sciences Medical
> Research Center
> 209.43.25.154 belongs to ISP/Web Hosting supplier, iQuest
> 161.53.86.10 is SolarWinds.Net Network Management Tools' "secure" admin
> server

So, it sounds like you are correctly checking the parameters now. As far as
how long should you block, I would say it depends. The party responsible
could be some company's server or more commonly someones home pc or even
worse to track down and open proxy.

I think I would attack this in a dynamic fashion. I would look for IPs
trying to spam through you and redirect them to a page saying that their pc
is infected. I would redirect them for, say, a 30 day period. After 30
days, I would remove them from the list (they would be palced back on the
list if they still try to spam through you). You can do this dynamically
with PHP either using a file to store the IP addresses or a MySql,
posgress, etc, etc....

What do you think?

Imhotep

Imhotep