Mail insertion hack on Send Mail form

 
 
nauticalmac
12-23-2005
I'm using CDO to send mail to the site owner from ASP pages with forms.
Recently one of my forms is occasionally sending email with what seems
to be an insertion which is replacing the plain text part of the email
with something else. Looking at the server sent email source, the
hacked emails have the following:

This is a multi-part message in MIME format.
------=_NextPart_000_0001_01C60610.91D1FFA0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: base64
QmVsb3cgaXMgdGhlIHJlc3VsdCBvZiB5b3VyIHJlcXVlc3QgZm9yIGluZm8gZm9ybS4...etc
.....................S0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0NCi0tLQ0K
------=_NextPart_000_0001_01C60610.91D1FFA0
Content-Type: text/html
Content-Transfer-Encoding: 8bit
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
.......the correct html content

On a non-hacked email the content is:

This is a multi-part message in MIME format.
------=_NextPart_000_0001_01C5FD9B.47C9C190
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Below is the result of your request......
.........the correct plain text content
------=_NextPart_000_0001_01C5FD9B.47C9C190
Content-Type: text/html
Content-Transfer-Encoding: 7bit
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
.......the correct html content

How can I prevent this happening?
What is the evil hacker attempting to include?
Apart from the submitter's email address and links to a Chinese site,
all the rest of the characters in the submission are non-English
(irrelevant no doubt).
I am changing the form to include a server generated value which will
make it harder for this to be done by posting to the page without going
to the form first. I am clipping all form entries to reasonable sizes.
What can I look for in or strip from the form submission to decide to
trash the attempt?
Colin
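
Content-Transfer-Encoding: base64 only wraps the plain-text part (the fragment quoted above begins with the encoded form of "Below is the result of your request"), so what a submission put into the message can be read by decoding that part. The following Python is an added example, not part of the original post: it parses a message source, decodes each part, and reports non-ASCII characters and URLs. The sample message, its boundary, and the names build_sample and inspect_parts are constructed for illustration.

```python
import base64
import email
import re

# Constructed sample: body text, boundary and URL are made up for illustration.
BODY = ("Below is the result of your request for info form.\r\n"
        "Name: caf\xe9 test\r\n"
        "Site: http://example.invalid/page\r\n")

def build_sample():
    """Return a raw message laid out like the one quoted in the post."""
    b64 = base64.encodebytes(BODY.encode("iso-8859-1")).decode("ascii")
    return (
        "MIME-Version: 1.0\r\n"
        'Content-Type: multipart/alternative; boundary="----=_NextPart_SAMPLE"\r\n'
        "\r\n"
        "This is a multi-part message in MIME format.\r\n"
        "------=_NextPart_SAMPLE\r\n"
        'Content-Type: text/plain; charset="iso-8859-1"\r\n'
        "Content-Transfer-Encoding: base64\r\n"
        "\r\n" + b64 +
        "------=_NextPart_SAMPLE\r\n"
        "Content-Type: text/html\r\n"
        "Content-Transfer-Encoding: 8bit\r\n"
        "\r\n"
        "<html><body>sample</body></html>\r\n"
        "------=_NextPart_SAMPLE--\r\n"
    )

def inspect_parts(raw):
    """Decode every leaf part and summarise what it contains."""
    report = []
    for part in email.message_from_string(raw).walk():
        if part.is_multipart():
            continue
        charset = part.get_content_charset() or "us-ascii"
        # decode=True undoes the base64 / quoted-printable transfer encoding
        text = part.get_payload(decode=True).decode(charset, errors="replace")
        report.append({
            "type": part.get_content_type(),
            "encoding": (part.get("Content-Transfer-Encoding") or "7bit").lower(),
            "non_ascii": sum(ord(c) > 127 for c in text),
            "urls": re.findall(r"https?://[^\s\"'<>]+", text),
            "text": text,
        })
    return report

if __name__ == "__main__":
    for item in inspect_parts(build_sample()):
        print(item["type"], item["encoding"], item["non_ascii"], item["urls"])
```
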

 