Looks like classic link spam. Those are just complex URIs. Nothing too sinister (for spam).
Nothing to worry about. I used to get similar emails, but now I filter out any email with "<a href=" or "[url=" in it.
"Is there any mechanism thru which a hacker can cause damage to your site or even hijack it thru the php response form?"
Not with this sort of spam but you ought to be aware of the potential security holes that exist. You should make sure that the PHP option register_globals is off and that your script does not require it, and that any input data is properly escaped before being processed (the classic mistake being to take input data and use it in an SQL query without ensuring all special characters are escaped).
If as you say your form is secure then the developer will have thought about these matters, but if, for example, the forms were developed by a skilled developer then adapted by a novice for your particular purpose it is entirely possible that loopholes will have been introduced.
Very much appreciate your replies - seems that this might just be a pathetic attempt at link spam
I have received some more today and it becomes increasingly more bizarre:
"hamContent-Transfer-Encoding: quoted-printableContent-Type: text/htmlSubject: that time itbcc: firstname.lastname@example.org cured hams require a prolonged period of rehydration prior to consumptio=n=2E wet cured ham has been cured with a brine, either by immersion or inje=ction. he679c4c6da97a5d98679c46e1634a8c40."
Is there a big market for cured ham on the web?
Curiously they've targeted only one page on a large site to send in these nonsensical forms.
Had a few that mention "transfer-encoding" and I don't like seeing the word "inje=ction" but right now I'm not going to lose any sleep over it.
[edited by: jatar_k at 2:25 pm (utc) on Jan. 5, 2007]
[edit reason] examplified [/edit]
Many spam agents send out what I call 'recon units' with the intent of finding valid email addresses or working forms to hijack. One of my clients was getting spam through their email form. I fixed it easily by changing the field names to something really bizarre...then, the bots didn't know what to put where, or that it was even a form that would email.
It looks like standard spam, a lot of gibberish (though well constructed gibberish) to beat email anti spam filters.
You should look at the message source from some of the spam you get, you will see tons of this kind of stuff.
Sorry to drag this out but I've seen a new development today that does worry me.
On my enquiry form email response that we receive from the customer I have a subject line that is different on every page - so for example you would have:
Widget enquiry - BLUE
Widget enquiry - RED
Now today I've seen that the spammers are somehow managing to amend the subject line text which is embedded within the html on the page - it's not hidden at all but is simply quoted within the >name="postedfrom" value=< attribute.
Is this something that needs fixing? If they can change this does it suggest a wider problem or is the subject line in this context easy to adjust provided it's visible on the html of the page?
It really makes no sense to me but I guess these aholes may be wrongly assuming that the form is a "comment" blog form and therefore links will be enabled on posting
Thanks for all your comments so far
Take a look through these threads from our PHP Library [webmasterworld.com]
Combatting Webform Hijack [webmasterworld.com]
PHP Security [webmasterworld.com]
It looks like you aren't properly cleaning the form input. If they are changing the subjects then that is a rather serious problem.
I scan my forms for headers in the subject and body. To addresses cannot be entered directly, but are matched up to database entries after the fact.
If I find any headers, the email doesn't get sent, and a "Tastes Like SPAM" message is shown. The same for blank subjects and bodies (the typical "ping" message from spammers testing the waters).
Also check for form processing requests from an alien domain/IP (like a request for the result page from an address that didn't also request the form page). Sometimes spammers take a copy of a form page and attempt to modify and use it from their own server, processing it through your server, if possible. If you can, on the result page, check to make sure the request came from your server's IP only and reject any other requests.
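The checks described in the post above (reject header text, line breaks and blank bodies), combined with an allow-list for the `postedfrom` subject, as an added PHP example that is not part of the thread or any poster's code. The field names `email` and `message`, the function names and the subject list are assumptions; the sample submission is constructed, modelled on the spam quoted earlier in the thread.

```php
<?php
// Added example. Only "postedfrom" comes from the thread; other names are assumed.

// Subjects the site itself places in the form. Any other value was tampered with.
const ALLOWED_SUBJECTS = ['Widget enquiry - BLUE', 'Widget enquiry - RED'];

// Mail header names that have no business appearing in an enquiry message.
const HEADER_PATTERN = '/(content-type|content-transfer-encoding|mime-version|bcc)\s*:/i';

// Return the field as a string; arrays or missing values become ''.
function field(array $post, string $name): string
{
    return isset($post[$name]) && is_string($post[$name]) ? $post[$name] : '';
}

// Return the reasons to reject a submission. An empty list means it may be sent.
function check_submission(array $post): array
{
    $problems = [];
    $subject = field($post, 'postedfrom');
    $email   = field($post, 'email');
    $message = field($post, 'message');

    if (!in_array($subject, ALLOWED_SUBJECTS, true)) {
        $problems[] = 'subject not on allow-list';
    }
    // A CR or LF in a value that ends up on a header line starts a new header.
    foreach (['postedfrom' => $subject, 'email' => $email] as $name => $value) {
        if (preg_match('/[\r\n]/', $value)) {
            $problems[] = "line break in $name";
        }
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $problems[] = 'invalid email address';
    }
    if (trim($message) === '') {
        $problems[] = 'blank message';
    } elseif (preg_match(HEADER_PATTERN, $message)) {
        $problems[] = 'mail header text in message body';
    }
    return $problems;
}

// Constructed sample: the subject and body both carry smuggled header lines.
$tampered = [
    'postedfrom' => "that time it\r\nbcc: firstname.lastname@example.org",
    'email'      => 'visitor@example.com',
    'message'    => "ham\r\nContent-Type: text/html\r\n\r\ncured hams require ...",
];
print_r(check_submission($tampered));
```

Call the mail function only when `check_submission()` returns an empty list, and pass it the subject taken from `ALLOWED_SUBJECTS` rather than the posted string.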
Thanks again for the replies
Business levels are normal and forms are still coming in so I'm shocked that the issues raised are serious. Clearly though I'm not going to sit here and wait for things to go bang.
Main problem I have is that I am not a programmer and I have insufficient knowledge to deal with these key security issues myself.
Instead I will need to outsource and my preference is to simply start over with a new form. It's cheaper and I think I'd feel more comfortable doing this.
I have been speaking to some programmers about a more advanced form and as usual you are torn between losing customers because the form is too complex or keeping things secure by adding for example image verification etc. I'm going to opt for the latter because I can't risk any more problems like this.
Can anyone recommend a secure form mechanism? CAPTCHA has been mentioned to me as one such option.
There is a resourceful thread in the Accessibility and Usability Forum [webmasterworld.com] here at WebmasterWorld that answers the question Is < CAPTCHA > accessible and usable? [webmasterworld.com] In that discussion there are alternatives and links to discussions on the alternatives.
Many thanks coopster