Web Form Spammers / Email Injection Spamming

Discussion in 'Computer Security' started by Dale, Sep 15, 2005.

  1. Dale

    Dale Guest

    I'm not much of an expert about web security, and plus I'm a procrastinator,
    so when I started getting weird emails from the contact forms of two of my
    websites, I was moderately concerned, but I naively let it go on for a few
    weeks before getting annoyed enough to do anything about it.

    First I got the IP addresses of two of the spamming sites, and set up a
    ..htaccess file to block them. Not really a good solution, because it's
    probably blocking entire ranges of people who'd like to see my websites. But
    it did stop the spamming cold from one of the websites.

    The other one kept spamming me, so I finally looked it up on the web about
    found out something about web form spamming. I didn't know it, but these
    spammers were using a weakness in my web form to spam other people. I guess
    they infect a server with a virus, probably a Windows Server, and then the
    virus accesses my web form and injects email and mime codes into the
    response, and since my script sends me a confirmation email, they use that
    to cc or bcc to some other hapless victim.

    So I put a spam checker function in my php script,

    function checkforspammer($str) {
    if (eregi("\r",$str) || eregi("\n",$str) || eregi("multipart",$str) ||
    eregi("cc:",$str) || eregi("bcc:",$str) ||
    eregi("mywebsite.com",$str)){
    $str = "spam";
    }
    return $str;
    }

    This may be clumsy, someone else might have something more efficient, but
    this one works. Also I started getting the IP address of the sender from
    $_SERVER['REMOTE_ADDR'], duh! I always wondered why I should do that.
    Anyway, so now the spam still gets mailed, but I run everything through
    checkforspammer after I store it in my database, but before it gets mailed,
    so it's only mailed to me and only the word "spam" is in the mail.

    Then I find out who owns the IP address and email them explaining that their
    server might be compromised since it's spamming my web form. For now, I'm
    also collecting the addresses in my .htaccess file. Eventually I could be
    blocking the whole world, I don't want to do that. But I figure the same way
    they figured out I was vulnerable, they'll also figure out they are blocked,
    and eventually they'll stop spamming, and then I'll unblock them. How will I
    know to unblock? Give it a couple of months?

    So is there anything more I can do? Anything I should be doing differently?
     
    Dale, Sep 15, 2005
    #1
    1. Advertising

  2. Dale

    Imhotep Guest

    Dale wrote:

    > I'm not much of an expert about web security, and plus I'm a
    > procrastinator, so when I started getting weird emails from the contact
    > forms of two of my websites, I was moderately concerned, but I naively let
    > it go on for a few weeks before getting annoyed enough to do anything
    > about it.
    >
    > First I got the IP addresses of two of the spamming sites, and set up a
    > .htaccess file to block them. Not really a good solution, because it's
    > probably blocking entire ranges of people who'd like to see my websites.
    > But it did stop the spamming cold from one of the websites.
    >
    > The other one kept spamming me, so I finally looked it up on the web about
    > found out something about web form spamming. I didn't know it, but these
    > spammers were using a weakness in my web form to spam other people. I
    > guess they infect a server with a virus, probably a Windows Server, and
    > then the virus accesses my web form and injects email and mime codes into
    > the response, and since my script sends me a confirmation email, they use
    > that to cc or bcc to some other hapless victim.
    >
    > So I put a spam checker function in my php script,
    >
    > function checkforspammer($str) {
    > if (eregi("\r",$str) || eregi("\n",$str) || eregi("multipart",$str) ||
    > eregi("cc:",$str) || eregi("bcc:",$str) ||
    > eregi("mywebsite.com",$str)){
    > $str = "spam";
    > }
    > return $str;
    > }
    >
    > This may be clumsy, someone else might have something more efficient, but
    > this one works. Also I started getting the IP address of the sender from
    > $_SERVER['REMOTE_ADDR'], duh! I always wondered why I should do that.
    > Anyway, so now the spam still gets mailed, but I run everything through
    > checkforspammer after I store it in my database, but before it gets
    > mailed, so it's only mailed to me and only the word "spam" is in the mail.
    >
    > Then I find out who owns the IP address and email them explaining that
    > their server might be compromised since it's spamming my web form. For
    > now, I'm also collecting the addresses in my .htaccess file. Eventually I
    > could be blocking the whole world, I don't want to do that. But I figure
    > the same way they figured out I was vulnerable, they'll also figure out
    > they are blocked, and eventually they'll stop spamming, and then I'll
    > unblock them. How will I know to unblock? Give it a couple of months?
    >
    > So is there anything more I can do? Anything I should be doing
    > differently?



    I remember something about this. What php application are you using? Is it
    custom made by you?

    Im
     
    Imhotep, Sep 15, 2005
    #2
    1. Advertising

  3. Dale

    Dale Guest

    "Imhotep" <> wrote in message
    news:...
    > Dale wrote:
    >
    > > I'm not much of an expert about web security, and plus I'm a
    > > procrastinator, so when I started getting weird emails from the contact
    > > forms of two of my websites, I was moderately concerned, but I naively

    let
    > > it go on for a few weeks before getting annoyed enough to do anything
    > > about it.

    [...]
    >
    > I remember something about this. What php application are you using? Is it
    > custom made by you?


    Yes, I just made a php script that produces a web form contact page. It
    stores the interested party's data in a mysql table, and then sends me a
    confirmation email. I didn't know it could be hacked but it's pretty easy to
    prevent. Here are a couple of links to explanations of what they're doing
    and measures to prevent damage.

    http://www.nmmm.nu/spam-form.htm
    http://www.anders.com/cms/75/Crack.Attempt/Spam.Relay
    http://www.anders.com/projects/sysadmin/formPostHijacking/

    So far I've collected 5 IP addresses.

    12.23.84.11 belongs to AT&T
    67.110.225.236 belongs to telecom equipment supplier, XO
    212.87.26.66 is the server for the Polish Academy of Sciences Medical
    Research Center
    209.43.25.154 belongs to ISP/Web Hosting supplier, iQuest
    161.53.86.10 is SolarWinds.Net Network Management Tools' "secure" admin
    server
     
    Dale, Sep 15, 2005
    #3
  4. Dale

    Imhotep Guest

    Dale wrote:

    > "Imhotep" <> wrote in message
    > news:...
    >> Dale wrote:
    >>
    >> > I'm not much of an expert about web security, and plus I'm a
    >> > procrastinator, so when I started getting weird emails from the contact
    >> > forms of two of my websites, I was moderately concerned, but I naively

    > let
    >> > it go on for a few weeks before getting annoyed enough to do anything
    >> > about it.

    > [...]
    >>
    >> I remember something about this. What php application are you using? Is
    >> it custom made by you?

    >
    > Yes, I just made a php script that produces a web form contact page. It
    > stores the interested party's data in a mysql table, and then sends me a
    > confirmation email. I didn't know it could be hacked but it's pretty easy
    > to prevent. Here are a couple of links to explanations of what they're
    > doing and measures to prevent damage.
    >
    > http://www.nmmm.nu/spam-form.htm
    > http://www.anders.com/cms/75/Crack.Attempt/Spam.Relay
    > http://www.anders.com/projects/sysadmin/formPostHijacking/
    >
    > So far I've collected 5 IP addresses.
    >
    > 12.23.84.11 belongs to AT&T
    > 67.110.225.236 belongs to telecom equipment supplier, XO
    > 212.87.26.66 is the server for the Polish Academy of Sciences Medical
    > Research Center
    > 209.43.25.154 belongs to ISP/Web Hosting supplier, iQuest
    > 161.53.86.10 is SolarWinds.Net Network Management Tools' "secure" admin
    > server


    So, it sounds like you are correctly checking the parameters now. As far as
    how long should you block, I would say it depends. The party responsible
    could be some company's server or more commonly someones home pc or even
    worse to track down and open proxy.

    I think I would attack this in a dynamic fashion. I would look for IPs
    trying to spam through you and redirect them to a page saying that their pc
    is infected. I would redirect them for, say, a 30 day period. After 30
    days, I would remove them from the list (they would be palced back on the
    list if they still try to spam through you). You can do this dynamically
    with PHP either using a file to store the IP addresses or a MySql,
    posgress, etc, etc....

    What do you think?

    Imhotep
     
    Imhotep, Sep 16, 2005
    #4
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Replies:
    5
    Views:
    28,561
    James Harris
    Dec 27, 2005
  2. Smoker

    Email address on Web site to avoid spammers

    Smoker, Aug 7, 2004, in forum: Computer Support
    Replies:
    14
    Views:
    679
    Paul - xxx
    Aug 8, 2004
  3. Darren Green
    Replies:
    1
    Views:
    4,012
    parry26
    Feb 15, 2007
  4. chintan
    Replies:
    0
    Views:
    1,744
    chintan
    Dec 19, 2007
  5. Max Burke
    Replies:
    8
    Views:
    503
    Gurble
    Jul 2, 2004
Loading...

Share This Page