Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie
Hi there,
There is an issue with role permissions that is being worked on at the moment.
If you are having trouble with access or permissions on regional forums please post here to get access: https://www.boards.ie/discussion/2058365403/you-do-not-have-permission-for-that#latest

Email Injection & PHP

  • 24-08-2005 2:08pm
    #1
    Moderators, Politics Moderators Posts: 41,223 Mod ✭✭✭✭


    A site of mine yesterday suffered an attempt at an email spam injection. For those unaware, the spammer types out a bcc field with addresses into one of the forms text boxes. Something like:-
    mvx@mydomain.com Content-Type: multipart/mixed; boundary="===============1543680057==" MIME-Version: 1.0 Subject: 2d2d30a9 To: mvx@mydomain.com bcc: bergkoch8@aol.com From: mvx@mydomain.com This is a multi-part message in MIME
    Searching google, bergkoch8@aol.com seems to pop up quite a bit for this problem - do AOL not suspend accounts? :rolleyes:
    Anyhow, he didn't manage to get it working AFAIK based on the function below that I found ages ago which parses all fields. However, Im curious to know what others use to prevent this kind of stuff.
    function stopInjection($foobar){
    	$parsed = $foobar;
    	$parsed = htmlentities($parsed);
    	$parsed = strip_tags($parsed);
    	$parsed = stripslashes($parsed);
    	$parsed = trim($parsed);
    	return $parsed;
    	}
    
    $senderName = sanitize($_POST['email']);
    $email = stopInjection($email);
    


Comments

  • Closed Accounts Posts: 7,145 ✭✭✭DonkeyStyle \o/


    Well for feedback forms that are only ever meant to reach the sites owners, I set the recipient manually in the script itself and ignore any other input, even invisible form elements designed to set these values in the calling html.
    So no matter what's sent to the script, it'll only ever send the mail to one fixed address.
    I'm no security expert, but it seems like a good move if you only need the functionality of sending form data to a single/fixed address in the first place.


  • Moderators, Politics Moderators Posts: 41,223 Mod ✭✭✭✭Seth Brundle


    Mine was the same - the visitor completed a few standard fields (name, email, etc.) and the form was sent to my address within the php code.
    However, the spammers add "bcc: bergkoch8@aol.com From: mvx@mydomain.com This is a..." into say the 'email' field and if your PHP isn't set up to tackle it, then in theory the spammer can send loads of emails this way.

    Have a look at this - www.anders.com/cms/75/Crack.Attempt/Spam.Relay


  • Moderators, Politics Moderators Posts: 41,223 Mod ✭✭✭✭Seth Brundle


    resurrecting this again...

    I keep getting emails by this spammer trying and Im wondering if my function above isn't working
    email headers
    Return-Path: <nobody@jet18.hasweb.com>
    Received: from tweedledee.esatclear.ie (tweedledee.esatclear.ie [194.145.128.6])
    	by fargo.iolfree.ie (8.11.6/8.9.3) with ESMTP id j8FCEqO09088
    	for <kbannon@iolfree.ie>; Thu, 15 Sep 2005 13:14:52 +0100
    Received: from [69.41.248.250] (helo=genuineasp.com)
    	by tweedledee.esatclear.ie with esmtp (Exim 4.14)
    	id 1EFsdg-0000It-Hm
    	for kbannon@iolfree.ie; Thu, 15 Sep 2005 13:14:52 +0100
    Received: with MailEnable Postoffice Connector; Thu, 15 Sep 2005 08:14:36 -0400
    Received: from ([127.0.0.1]) with MailEnable ESMTP; Thu, 15 Sep 2005 08:14:35 -0400
    Received: from nobody by jet18.hasweb.com with local (Exim 4.44)
    	id 1EFsdW-000855-U1
    	for info@kbannon.com; Thu, 15 Sep 2005 08:14:42 -0400
    To: info@kbannon.com
    Subject: BMW Car Club Ireland General Query
    From: orc@bmwcarclubireland.com
    Message-Id: <E1EFsdW-000855-U1@jet18.hasweb.com>
    Date: Thu, 15 Sep 2005 08:14:42 -0400
    X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
    X-AntiAbuse: Primary Hostname - jet18.hasweb.com
    X-AntiAbuse: Original Domain - kbannon.com
    X-AntiAbuse: Originator/Caller UID/GID - [99 32003] / [47 12]
    X-AntiAbuse: Sender Address Domain - jet18.hasweb.com
    X-Source: 
    X-Source-Args: /usr/local/apache/bin/httpd -DSSL 
    X-Source-Dir: bmwcarclubireland.com:/public_html
    X-UIDL: 9Qd!!pRN!!/O5"!NJ4"!
    
    Name: orc@bmwcarclubireland.com
    Email: orc@bmwcarclubireland.com
    Address: orc@bmwcarclubireland.com
    Phone: orc@bmwcarclubireland.com
    Content-Type: multipart/mixed; boundary=&quot;===============1454301426==&quot;
    MIME-Version: 1.0
    Subject: 243390d8
    To: orc@bmwcarclubireland.com
    bcc: PeiCanteenMc@aol.com
    From: orc@bmwcarclubireland.com
    
    This is a multi-part message in MIME format.
    
    --===============1454301426==
    Content-Type: text/plain; charset=&quot;us-ascii&quot;
    MIME-Version: 1.0
    Content-Transfer-Encoding: 7bit
    
    squwlsi
    --===============1454301426==--
    Car: orc@bmwcarclubireland.com
    
    Message:
    orc@bmwcarclubireland.com
    
    Can someone verify that this mail is not being sent to the aol address

    [in case you are trying to figure out the route the mail took to reach me, all mails @ bmwcarclubireland.com [on hasweb server] are sent to my kbannon.com a/c which is currently being moved to a different host and therefore I have told the domain registrar to forward to my old iolfree a/c]


  • Moderators, Politics Moderators Posts: 41,223 Mod ✭✭✭✭Seth Brundle


    Incidentally, the form only takes in Name, Email, Address, Car, Telephone & Query


  • Registered Users, Registered Users 2 Posts: 236 ✭✭richardo


    Another line of defense is to use code similar to:

    $find = array("/bcc\:/i","/Content\-Type\:/i","/cc\:/i","/to\:/i");
    $_POST = preg_replace($find, "", $_POST);
    $_POST = preg_replace($find, "", $_POST);
    etc.....

    I have been plagued with these f***ers for a few weeks now. Also every day I get w**kers signing up to my forums [fora?] in order to promote their various 'medical aids' sites. Oh, what I'd give to line 'em up against a wall and let rip with my trusty AK-47 :mad:


  • Advertisement
  • Registered Users, Registered Users 2 Posts: 4,479 ✭✭✭wheres me jumpa


    i have just started recieving emails like this. they are coming from a feedback form where the recipient is set in the script. does this mean i can just ignore these emails as they are only being sent to my address?


  • Moderators, Politics Moderators Posts: 41,223 Mod ✭✭✭✭Seth Brundle


    nope - if you read the first post in the thread, the idea is that the spammer types something like bcc:info@me.ie;1234@me.ie;5678@me.ie - even though your to field is declared within the php - they try and rebuild your email coding.
    If the php does not capture and escape all this then it is possible that using your feedback form they can spam people from your site.
    Looking at the headers of my mail above (and the several hundred others I have recieved), it appears that the spammer is just testing the script (daily!). I don't think they got it working but thats why I resurrected this thread today.


  • Registered Users, Registered Users 2 Posts: 2,370 ✭✭✭Fionn


    i've experienced similar stuff, except it was for guestbooks. Spammers are all over the place!!
    I asked about a potential solution to my prob here (http://www.boards.ie/vbulletin/showthread.php?t=301309) nobody came up with an answer tho!!
    so i haven't tried that. I have been looking at image verification and i think thats a good way of slowing down the spammers.


Advertisement