email injection query

  • mantrid

    email injection query

    Up to the other day I had not bothered protecting the PHP script on my
    feedback form against email injection. However, I have had a spammer using
    it to insert email addresses as cc: bcc: into my email field. At first I was
    puzzled why he was doing it, as the message being sent was just gibberish. I
    have recently used a function to protect these fields and send an email back
    to myself with his details. Function below:

    function spamcheck($spammed_field, $returnpage) {
        $spammed_field = strtolower($spammed_field);
        // Reject the field if it carries a header keyword ("cc:" also matches inside "bcc:").
        if ((eregi("cc:", $spammed_field)) || (eregi("subject:", $spammed_field))) {
            // || (eregi("bcc:", $spammed_field))
            // Gather details of the sender. REMOTE_ADDR comes from the TCP connection;
            // X-Forwarded-For and Client-IP are request headers the client can set itself.
            $spamhost = isset($_SERVER['REMOTE_HOST']) ? $_SERVER['REMOTE_HOST'] : '';
            $spamrefr = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
            $spamaddr = isset($_SERVER['HTTP_X_FORWARDED_FOR']) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : '';
            if (strlen($spamaddr) < 7) { $spamaddr = isset($_SERVER['HTTP_CLIENT_IP']) ? $_SERVER['HTTP_CLIENT_IP'] : ''; }
            if (strlen($spamaddr) < 7) { $spamaddr = $_SERVER['REMOTE_ADDR']; }
            $thisfile = $_SERVER['SCRIPT_NAME'];
            $spamtext = "FILE: $thisfile \nFROM: $spamrefr \nADDR: $spamaddr \nHOST: $spamhost \nINFO:\n$spammed_field\n";
            mail("spamcheck@mysite.co.uk", "ALERT: $spamaddr", $spamtext,
                 "From: IDD Software Spamcatcher <spamcheck@mysite.co.uk>\r\n");
            // Stop the form handler here so the injected headers are never mailed out.
            die("<br><br><div align='center' class='RedWarning'>If you are a spammer "
              . "trying to inject script into my input fields, then go away and get a "
              . "life<br>otherwise<br>Please try again as you may have included some "
              . "incorrect characters.<br><br><a href='" . htmlspecialchars($returnpage) . "' "
              . "class='BodyLink'>Return</a></div>");
        }
    }

    This function should cause the attempt to spam to die and send info about
    the spammer and the injected script to me, which it does brilliantly. But now
    I'm getting more of these notices of spamming than I was getting originally
    spammed messages, with many more emails in the cc: bcc: and a proper message
    (just sales stuff about tea oil). Why is he still attempting this if the
    spam is not working and being sent to the recipients? I have an appropriate
    message displayed when the spam is attempted. Is he stupid and just sitting
    there trying to spam my feedback form even though he is getting this message
    telling him to go away, or do you think there is some sort of automatic
    process being run on my webpage?

    Is there a way to return an email to him every time it's attempted?
    The function returns his address, e.g. ADDR: 203.198.162.124, but it changes
    every time. I don't know much about the antics and abilities of spammers (but
    learning). Can anyone tell me why he's doing it still?


  • Tom

    #2
    Re: email injection query

    > Is he stupid and just sitting there trying to spam my feedback form even
    > though he is getting this message telling him to go away, or do you think
    > there is some sort of automatic process being run on my webpage?

    Almost assuredly the latter. I had a test page I had put up once with
    a form on it. All the form did was email me the textarea contents.
    When I had finished my testing with the form, I commented out (but did
    not delete) the form. Every once in a while I still get a spam message
    from the form.

    I don't know for sure, but I would guess that anybody making any money
    doing this is doing it with bots.

    Maybe you could create an RSS feed from the spams you get? I'd be
    curious to see other responses.

    Tom



    • Allodoxaphobia

      #3
      Re: email injection query

      On Mon, 04 Dec 2006 19:07:17 GMT, mantrid wrote:

      > <-snip->
      > I'm getting more of these notices of spamming than I was getting originally
      > spammed messages, with many more emails in the cc: bcc: and a proper message
      > (just sales stuff about tea oil). Why is he still attempting this if the
      > spam is not working and being sent to the recipients? I have an appropriate
      > message displayed when the spam is attempted. Is he stupid and just sitting
      > there trying to spam my feedback form even though he is getting this message
      > telling him to go away, or do you think there is some sort of automatic
      > process being run on my webpage?

      Most certainly you're being targeted by a botnet controlled by a spammer.
      The 'nonsense' emails you first saw were "proof of concept" testing
      before your URL was passed out to hundreds of "working" machines in the
      botnet. Most certainly no Real Person is viewing anything that you
      present on the screen. At most the http return code(s) and, maybe, some
      screen scraping for successful results are sent back upstream to the
      slime ball running the botnet.

      > Is there a way to return an email to him every time it's attempted?

      No. The machine address you see is a cracked box. Most likely running
      an unpatched Micro$oft OS. There'll be no MTA on that machine. Whoever
      (wrongly believes they) owns it probably has an ISP that is
      unrelated to the IP address you see.

      > The function returns his address, e.g. ADDR: 203.198.162.124, but it changes
      > every time. I don't know much about the antics and abilities of spammers (but
      > learning). Can anyone tell me why he's doing it still?

      Because he can.

      I have a PHP message board I wrote. I have deployed it to 3 sites on a
      domain I own. In robots.txt I correctly specified a Disallow for 2 of
      those URLs (sub-directories). For the third one I slipped up and never
      got it covered by my robots.txt. That's the one they hit (with their
      http://replica_rolex/designer_handba...hentermine/etc.
      spam.) Obviously they found it because Google found it. It's easier
      for the spammers to use Google to find their targets than to manually slog
      through the web. My checking showed it *was* indexed by Google and the
      other 2 were not.

      I have since moved _that_ message board to a different sub-directory and
      updated robots.txt to properly Disallow it by robots. (Yes, I know --
      there are good bots and evil bots. But, after 4 years with these
      message boards up there, only this 'exposed' one was hit.)

      I continue to 'run' the spammer-targeted message board as a 'test bed'.
      It's given me the knowledge to "harden" my PHP message board, and
      I've added logging of all activity to that URL. I give the spammer(s) a
      lot of phoney, positive feedback on the posting attempts from the
      botnet(s). (I now believe there are at least two different botnets
      visiting my message board. I suppose these sewage slugs exchange
      information amongst themselves vis-a-vis 'useable' message boards.)

      My 'test bed' message board is now un-linked from anywhere -- 'they' are
      using the deep link to get at it. I now have most of RIPE and APNIC in
      my 'deny from' in my .htaccess in that sub-directory -- a lot of
      sub-nets in LACNIC, too -- and quite a few cracked machines in the ARIN
      ranges.

      Since all 3 message boards are for purposes that are U.S.A.-centric, I
      move that .htaccess into the 3 'good' message boards sub-directories as
      I update it.

      One interesting observation: A great majority of the URL's that they
      (attempt to) post on my message board are redirecting URL's on cracked
      .edu machines. There seems to be a fairly popular piece of software out
      there that many colleges and universities put up for instructor-student
      discussion purposes. (My guess...) There are A LOT of URL's -- to wit:

      sched.sbu.edu/faculty/czuck/ce660/_disc3/0000265c.htm
      students.concord.edu/tah/_reqdis/000006b9.htm
      matcmadison.edu/ald/_discussion/000003f7.htm
      svanpatt.asp.radford.edu/_disc1/0000071e.htm

      forums.maxwell.syr.edu/geo595/_disc1/00000374.htm
      student.ttuhsc.edu/sota/_disc3/00009bb0.htm
      org.jsr.vccs.edu/flpg/_disc1/00004f6b.htm

      lanic.utexas.edu/pyme/esp/discus/messages/7/cheap-cialis.html

      ... and on, and on, and on -- ad nauseam.... 100's of different ones.
      Every one I bothered to click on resulted in an instant redirect to the
      spam URL elsewhere.

      Keep up The Good Fight
      Jonesy
      --
      Marvin L Jones | jonz | W3DHJ | linux
      38.24N 104.55W | @ config.com | Jonesy | OS/2
      *** Killfiling google posts: <http://jonz.net/ng.htm>


      • mantrid

        #4
        Re: email injection query

        "Allodoxaphobia" <bit-bucket@config.com> wrote in message
        news:slrnen9c5b.vad.bit-bucket@shell.config.com...
        > On Mon, 04 Dec 2006 19:07:17 GMT, mantrid wrote:
        >
        > > <-snip->
        > > I'm getting more of these notices of spamming than I was getting originally
        > > spammed messages, with many more emails in the cc: bcc: and a proper message
        > > (just sales stuff about tea oil). Why is he still attempting this if the
        > > spam is not working and being sent to the recipients? I have an appropriate
        > > message displayed when the spam is attempted. Is he stupid and just sitting
        > > there trying to spam my feedback form even though he is getting this message
        > > telling him to go away, or do you think there is some sort of automatic
        > > process being run on my webpage?
        >
        > Most certainly you're being targeted by a botnet controlled by a spammer.
        > The 'nonsense' emails you first saw were "proof of concept" testing
        > before your URL was passed out to hundreds of "working" machines in the
        > botnet. Most certainly no Real Person is viewing anything that you
        > present on the screen. At most the http return code(s) and, maybe, some
        > screen scraping for successful results are sent back upstream to the
        > slime ball running the botnet.

        Thanks, very informative reply.
        The function I have uses eregi() to check POST data for "cc:" and "subject:".
        What other checks should I be using in my function to tighten my security
        further?
        Ian



        • Allodoxaphobia

          #5
          Re: email injection query

          On Tue, 05 Dec 2006 17:23:11 GMT, mantrid wrote:
          > "Allodoxaphobia" <bit-bucket@config.com> wrote in message
          > news:slrnen9c5b.vad.bit-bucket@shell.config.com...
          > > On Mon, 04 Dec 2006 19:07:17 GMT, mantrid wrote:
          > > > <-snip->
          > > > I'm getting more of these notices of spamming than I was getting originally
          > > > spammed messages, with many more emails in the cc: bcc: and a proper message
          > > > (just sales stuff about tea oil). Why is he still attempting this if the
          > > > spam is not working and being sent to the recipients? I have an appropriate
          > > > message displayed when the spam is attempted. Is he stupid and just sitting
          > > > there trying to spam my feedback form even though he is getting this message
          > > > telling him to go away, or do you think there is some sort of automatic
          > > > process being run on my webpage?
          > >
          > > Most certainly you're being targeted by a botnet controlled by a spammer.
          > > The 'nonsense' emails you first saw were "proof of concept" testing
          > > before your URL was passed out to hundreds of "working" machines in the
          > > botnet. Most certainly no Real Person is viewing anything that you
          > > present on the screen. At most the http return code(s) and, maybe, some
          > > screen scraping for successful results are sent back upstream to the
          > > slime ball running the botnet.
          >
          > Thanks, very informative reply.
          > The function I have uses eregi() to check POST data for "cc:" and "subject:".
          > What other checks should I be using in my function to tighten my security
          > further?
          > Ian

          I can't be of much help to you there, since my focus is on a message
          board and controlling the content that gets posted there -- versus your
          email process where you want to control inappropriate usage. Where I
          need to worry about html tags in the message(s), javascript insertion,
          and detecting URL's, you need to be concerned about the injection of
          'extra' email headers, etc.

          You certainly can control access if your audience is geographically
          'constrained'. Using .htaccess in your sub-directory, you can
          "deny from" most or all of RIPE, and/or APNIC, etc. That should
          cut down on the volume.
          Reference: http://www.iana.org/assignments/ipv4-address-space

          There's a lot more I need to understand and learn -- both on the
          incoming sewage side, and on the managing and controlling side.

          One thing you should feel certain about is that the slimeball spammers
          are wallowing in their septic tanks and reading these discussions.
          If you control the software (in my case I wrote my PHP message board)
          you should be circumspect about tactics you design and employ. It
          sounds selfish, and it'll raise the hackles of the "Don't Do Security
          Through Obscurity" crowd, but it'll help you tread water better.
          Since my tactics of using .htaccess "deny from" and disallowing URL's in
          the postings (URL's are not at all necessary in my message boards) can
          not be thwarted ("he says innocently"), I'm willing to disclose that.

          Disallowing any URL's in the payload of your email might be something
          you could employ. As well, disallowing multi-part construction and
          image injection might be something you could employ, too.

          Good luck, and keep up The Good Fight.
          Jonesy
          --
          Marvin L Jones | jonz | W3DHJ | linux
          38.24N 104.55W | @ config.com | Jonesy | OS/2
          *** Killfiling google posts: <http://jonz.net/ng.htm>


          • Michael Fesser

            #6
            Re: email injection query

            ..oO(mantrid)
            >The function I have uses eregi()
            eregi() should be avoided. The preg_* functions are faster and much more
            flexible. Additionally in PHP 6 the ereg extension will be removed from
            the core and moved to PECL, so it might not be available by default.
            >to check POST data for "cc:" and "subject:"
            >what other checks should I be using in my function to tighten my security
            >further?
            I wouldn't check for any particular header field at all, but for all
            kinds of line breaks, which are required to inject malicious headers.

            Micha
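As an added example (not code posted in this thread, and not the original poster's form handler), the block below puts the two approaches discussed here side by side: the keyword blocklist that the spamcheck() function in the first post implements with eregi(), and the line-break check Micha recommends in the last reply, plus a stricter single-address check. All three run against constructed injection payloads so the difference is visible. The function names, the example addresses and the payloads are assumptions for illustration only; nothing is actually sent, the code only shows what the header string handed to mail() would contain.

```php
<?php
// Added example (not from the thread). Three ways a form handler can treat the
// user-supplied "email" field before putting it in mail()'s fourth argument:
//   1. unchecked: the raw value is interpolated into the header string
//   2. keyword blocklist: refuse values containing "cc:" or "subject:"
//      (what the thread's spamcheck() does with eregi())
//   3. line-break check: refuse any CR or LF, which every header injection needs
// Nothing is sent; build_headers() only returns the string mail() would get.

// The vulnerable pattern: raw field value inside additional_headers.
function build_headers(string $fromField): string
{
    return "From: $fromField\r\nX-Mailer: PHP\r\n";
}

// Approach 2. Returns true when the field is acceptable. Note that "cc:" is a
// substring of "bcc:", so a Bcc: header is caught too, but To:, Content-Type:
// and a bare blank line (which ends the headers and starts the body) are not.
function passes_keyword_check(string $field): bool
{
    $lower = strtolower($field);
    foreach (['cc:', 'subject:'] as $needle) {
        if (strpos($lower, $needle) !== false) {
            return false;
        }
    }
    return true;
}

// Approach 3. A header can only be injected by terminating the current header
// line, so any CR or LF (and NUL, for good measure) means the value is bad.
// %0D%0A in the request has already been decoded to "\r\n" in $_POST.
function passes_linebreak_check(string $field): bool
{
    return preg_match('/[\r\n\0]/', $field) === 0;
}

// Stricter still for an address field: accept exactly one syntactically valid
// address. FILTER_VALIDATE_EMAIL rejects anything containing CR or LF.
function passes_address_check(string $field): bool
{
    return filter_var($field, FILTER_VALIDATE_EMAIL) !== false;
}

// Constructed inputs for the demonstration (assumptions, not the thread's logs).
function sample_inputs(): array
{
    return [
        'legitimate'  => 'reader@example.com',
        'cc_inject'   => "reader@example.com\r\nCc: buyer1@example.net, buyer2@example.net",
        'bcc_inject'  => "reader@example.com\r\nBcc: buyer3@example.net",
        'to_inject'   => "reader@example.com\r\nTo: buyer4@example.net",
        'body_inject' => "reader@example.com\r\nContent-Type: text/html\r\n\r\n<a href=\"http://spam.example/\">tea oil</a>",
        'lf_only'     => "reader@example.com\nBcc: buyer5@example.net",  // a bare LF also ends a line for a Unix MTA
    ];
}

// Runs all three checks over every input; true means "accepted".
function run_checks(array $inputs): array
{
    $results = [];
    foreach ($inputs as $name => $value) {
        $results[$name] = [
            'keyword'   => passes_keyword_check($value),
            'linebreak' => passes_linebreak_check($value),
            'address'   => passes_address_check($value),
        ];
    }
    return $results;
}

foreach (run_checks(sample_inputs()) as $name => $r) {
    printf("%-12s keyword=%-6s linebreak=%-6s address=%s\n",
        $name,
        $r['keyword']   ? 'accept' : 'reject',
        $r['linebreak'] ? 'accept' : 'reject',
        $r['address']   ? 'accept' : 'reject');
}

// Show the header block mail() would receive for one injected value, with the
// line terminators made visible.
echo "\nHeaders built from 'to_inject':\n",
     addcslashes(build_headers(sample_inputs()['to_inject']), "\r\n"), "\n";
```

Run it with `php example.php`. The table shows the keyword blocklist accepting the `to_inject` and `body_inject` payloads, while the line-break check and the address check reject every injected value and accept only the legitimate address. The reason injected recipients really do get mail is worth keeping in mind: PHP's default `sendmail_path` is `/usr/sbin/sendmail -t -i`, and `-t` makes sendmail take its recipients from the To:, Cc: and Bcc: headers of the message it is handed, so any header the form lets through becomes a delivery.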
