Home / Forums Index / Code, Content, and Presentation / PHP Server Side Scripting
PHP Server Side Scripting Forum

    
mail server hacking attempts
marciano




msg:4264405
 10:21 pm on Feb 8, 2011 (gmt 0)

Hello World,

I have revamped my site.
My contact form contains some regular inputs. Some of them have some JS validators (Name:alpha; email)
Method submission is Post and the Action to another php script (mail sender).
This script takes care about passed values with
$var = (get_magic_quotes_gpc()) ? $_POST['var'] : addslashes($_POST['var']);

With the collected data phpMailer sends two mails, one to the sender and one to us.

It seems like automated spies, programs or whatever are accessing sender page and sending testing mails once or twice a day.
I received mails like these. They have the body structure created by the sender script

118.96.14.120 from AUSTRALIA
Contact with ...
Name: ayihvic 947258
E-mail: qpobss@tofhmc.com

SrmREJ <a href="http://imaicmovbcwm.com/">imaicmovbcwm</a>, xaikcuohlqsd [xaikcuohlqsd.com], [link=http://euedorcwpoue.com/]euedorcwpoue[/link], [clidzkjcpkuv.com...]


82.76.164.212 from ROMANIA
Contact with ...

Nombre: plqysro 45020
E-mail: gdevlv@hpxizk.com

3OQyfv <a href="http://popdzyrtavhn.com/">popdzyrtavhn</a>, pmipunnidneh [pmipunnidneh.com], [link=http://qjiqoshdvkty.com/]qjiqoshdvkty[/link], [inzihgthufxt.com...]




How can I avoid those people even sending test mail?

 

SevenCubed




msg:4264488
 1:45 am on Feb 9, 2011 (gmt 0)

If I understand right, you think it's only coming from your mail sender page script, so you only need to add some code to the top of that page to prevent the script from executing if the referral didn't come from your own contact page.

Something like this at the top of your mail sender page might help take care of the problem:

<?php

// Accept the POST only when the browser says it arrived from our own contact page.
$origin="https://www.example.com/contact.php";
// Browsers and privacy plugins may omit the header, so read it with isset() to avoid a notice.
$referral=isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : "";
$refervalid=0;

if($referral==$origin) $refervalid=1;

if(!$refervalid){
echo 'Your Message Was NOT Sent You Bad Bad Bot. Also, For Validation Purposes This Form Requires A Valid HTTP Referrer And Referrer Headers Enabled. There Was An Invalid Referrer Or You Are Using A Browser Plugin That Disables It Please Enable It, Use Your Browser Back Button, And Resubmit Your Request.';
exit;
}

?>

I wouldn't use that just on its own, but that seems to be all you are asking. I would also parse the user input to cleanse it, but I think you are saying you already have that in place.

marciano




msg:4264588
 12:17 pm on Feb 9, 2011 (gmt 0)

Hi, thanks for your reply.
This is what I was thinking before posting, to look for HTTP_REFERER.
I also thought about adding a hidden input in contact.php and checking whether it exists.
What do you think?

marciano




msg:4264628
 2:13 pm on Feb 9, 2011 (gmt 0)

I've just tried adding a hidden form input and a check for it in the sender page.
Just a few minutes later I received another of those contact mails.
How is it possible for those people to bypass

if(!isset($_POST['pass']) || $_POST['pass'] != 'yes') exit;
?

I'll try the referer option now.
Thank you

rainborick




msg:4264703
 4:23 pm on Feb 9, 2011 (gmt 0)

The referrer is often spoofed with these spambots, so it's not reliable. A good captcha system helps quite a bit. You can also simply check the user-submitted content for "href=" or "url=", which is almost always spam unless your users are likely to be sending you HTML mark-up examples.

marciano




msg:4264756
 5:33 pm on Feb 9, 2011 (gmt 0)

Hello,
There are two scripts: contact.php and mailsender.php where the form sends the post data.
In contact.php I have some restrictions (Prototype), like Name only accepting alpha data.
In my example you can see that Last Names are numeric.
I guess those bots get the name of the action form from contact.php and "work" on mailsender.php directly.
I also have a simple captcha (put the correct sum number...)

What about passing and checking a SESSION var?

marciano




msg:4264767
 5:58 pm on Feb 9, 2011 (gmt 0)

My previous contact form used Mailcode V1.7 from myphpscript.net
I never received those mails from these bots but I guess they were attempting to find holes.
Looking inside mailer.php from Mailcode, I don't see the script checking for a valid recipient domain, only the email address structure.
The main difference I see is that there is a SESSION security code (from captcha) that is compared with a POST security code.
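The session-bound check marciano asks about (msg 4264756) and the SESSION/POST security-code comparison he describes in Mailcode (msg 4264767), written out as an added PHP example. This is not code from the thread or from Mailcode: the function names, the field names form_token and challenge, and the one-hour validity window are assumptions.

```php
<?php
// Added example, not from the thread or from Mailcode. contact.php stores a
// random token and the answer to a small arithmetic challenge in the session;
// mailsender.php refuses the POST unless both come back. A bot that posts
// straight to mailsender.php never saw the form, so it has no token to present.
// Assumed names: form_token, challenge, the function names below, and the
// one-hour validity window. In production call session_start() and pass $_SESSION.

const NUMBER_WORDS = ['zero' => 0, 'one' => 1, 'two' => 2, 'three' => 3, 'four' => 4,
    'five' => 5, 'six' => 6, 'seven' => 7, 'eight' => 8, 'nine' => 9, 'ten' => 10,
    'eleven' => 11, 'twelve' => 12, 'thirteen' => 13, 'fourteen' => 14, 'fifteen' => 15,
    'sixteen' => 16, 'seventeen' => 17, 'eighteen' => 18];

// contact.php: called while rendering the form. Returns what to embed in the HTML.
function prepare_form(array &$session): array
{
    $a = random_int(1, 9);
    $b = random_int(1, 9);
    $session['form_token'] = bin2hex(random_bytes(16));
    $session['challenge_answer'] = $a + $b;
    $session['form_issued'] = time();
    return ['token' => $session['form_token'], 'question' => "What is $a plus $b?"];
}

// Accept "8" or "eight" in any case, as rocknbil suggests; anything else is null.
function normalize_answer(string $raw): ?int
{
    $v = strtolower(trim($raw));
    if ($v === '') {
        return null;
    }
    if (ctype_digit($v)) {
        return (int) $v;
    }
    return NUMBER_WORDS[$v] ?? null;
}

// mailsender.php: run before any mail is built. Returns null when the POST is
// acceptable, otherwise a short reason suitable for the form log.
function check_submission(array $post, array &$session): ?string
{
    if (empty($session['form_token']) || empty($post['form_token'])) {
        return 'no session token: form processor hit directly';
    }
    if (!hash_equals($session['form_token'], (string) $post['form_token'])) {
        return 'token mismatch';
    }
    if (time() - ($session['form_issued'] ?? 0) > 3600) {
        return 'form expired';
    }
    $answer = normalize_answer((string) ($post['challenge'] ?? ''));
    if ($answer === null || $answer !== (int) $session['challenge_answer']) {
        return 'wrong challenge answer';
    }
    // One token per rendered form: replaying the same POST fails the first check.
    unset($session['form_token'], $session['challenge_answer'], $session['form_issued']);
    return null;
}

// Offline demonstration with a constructed session array in place of $_SESSION.
$session = [];
$form = prepare_form($session);

// Constructed legitimate submission, with the answer spelled out in mixed case.
$word = array_search($session['challenge_answer'], NUMBER_WORDS, true);
$good = ['form_token' => $form['token'], 'challenge' => ucfirst($word)];
var_dump(check_submission($good, $session));

// Constructed bot POST, shaped like the spam in the thread: it carries no form_token.
$bot = ['name' => 'ayihvic 947258', 'email' => 'qpobss@tofhmc.com', 'challenge' => '8'];
var_dump(check_submission($bot, $session));
```

The token is what defeats a bot that has learned the form action and posts to mailsender.php directly: it is tied to the visitor's session cookie, so the bot would have to fetch contact.php with cookies enabled on every attempt, and the token is discarded after one use so a captured POST cannot be replayed. The referrer header, which the bot sets itself, is never consulted.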

rocknbil




msg:4264785
 6:18 pm on Feb 9, 2011 (gmt 0)

Nah, you don't need a captcha; this looks to me like typical link-dropping spam. The concepts here [webmasterworld.com] will reduce it to almost nothing.

More here [webmasterworld.com] if you want to extend it to log your form input in an intelligible format - which you should, so you can see what they are up to. :-)

marciano




msg:4264855
 9:02 pm on Feb 9, 2011 (gmt 0)

Thanks rocknbil for this data.
Have you heard about ZB Block from [spambotsecurity.com...] ?

incrediBILL




msg:4265074
 9:41 am on Feb 10, 2011 (gmt 0)

Simple, block all emails with a URL in the body as most spams contain a URL.

Also, do some simple JS code to verify people are actually typing at the keyboard.

frontpage




msg:4265136
 1:46 pm on Feb 10, 2011 (gmt 0)

One of the simplest methods of avoiding contact page spam?

1) Rename your contact page to something obscure. Don't use 'contact.php' or 'contactus.php'.

2) Add the 'noindex' meta to your contact page header. You don't want spammers finding your contact page in the SERPS.

This will drastically cut down on automated spam attempts.

marciano




msg:4265139
 1:52 pm on Feb 10, 2011 (gmt 0)

Yes, that is what rocknbil's links do.
Thank you

rocknbil




msg:4265246
 5:39 pm on Feb 10, 2011 (gmt 0)

Actually . . . they don't (rely on obscure file names), not really. What it does starts from the most basic concept: know thy enemy. It begins with the second link, logging input from your forms to see what they are up to.

You have to keep in mind that most of these are automated. All they need to do is find "contact" or "contact us" on your page. This will lead them to your form, whatever it's named. You can arbitrarily change the file name, they will still find you.

Once they do that, they only need to find the form action. Then they need never visit your page. The automated bot is then pointed at it, set it and forget it. The bot assesses what fields are used, which are required, through several automated queries to the form processor (I have seen this in action; see logging, above). Once it does that, it's ready to start hammering your scripts.

They are sneaky, too - they will hit you for a week or so, then go away, letting you think whatever action you took to stop them worked. Then at some random interval they will return again.

Part 2 of know thy enemy: if you use a legible logging routine for your forms, certain patterns will start to form. Nearly all of these attacks will come in the forms I mentioned in those links.

Some other ploys that may or may not provide some form of relief:

Empty hidden field: Put a hidden field with an empty value in it. Bots will populate all fields, if this field has a value, stop the script.

SIMPLE challenge/response: Easier than dreaded CAPTCHA, ask "what is three plus five?" and set your script to accept EITHER a case-insensitive eight or 8. Change it as often as you need. I've only had to do this in CMS's that won't allow me to filter input.

Dynamic field generation: Have your script dynamically generate the field names. This will also provide only a temporary relief, bots are fairly wise to it.

Many of these may work permanently, many of them provide only sporadic or temporary relief, but it all comes back to Selena Sol's timeless quote:

Every user input is a potential hack. Every user input is a potential hack. Every user input is a potential hack.


The first job is to accept only the input you want, and throw everything else away. Then you can apply filters to see if someone's up to no good. This works. :-)
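rocknbil's order of operations (accept only the input you want, then filter, and log everything legibly), the empty hidden field from his list, and the URL-in-body check rainborick and incrediBILL recommend, combined in one added PHP example. It is not code from the thread or from the linked WebmasterWorld posts; the field names (name, email, message, website), the log path and the regular expressions are assumptions.

```php
<?php
// Added example, not from the thread or the linked posts. Order follows
// rocknbil: keep only the fields you asked for, validate each one against what
// you expect, then apply spam filters, and log every submission legibly.
// Field names, the log path and the patterns are assumptions.

const ALLOWED_FIELDS = ['name', 'email', 'message', 'website'];
const LOG_FILE = '/var/log/contact-form.log';   // assumed path; must be writable by PHP

// Returns ['ok' => true, 'data' => [...]] or ['ok' => false, 'reasons' => [...]].
function validate_contact(array $post): array
{
    // Anything not allow-listed is thrown away before it is looked at.
    $in = array_intersect_key($post, array_flip(ALLOWED_FIELDS));
    $reasons = [];

    // Empty hidden field ("website"): humans never see it, bots fill every field.
    if (trim((string) ($in['website'] ?? '')) !== '') {
        $reasons[] = 'honeypot filled';
    }
    // Name: letters, spaces, hyphens and apostrophes only, so "ayihvic 947258" fails.
    $name = trim((string) ($in['name'] ?? ''));
    if (!preg_match("/^\p{L}[\p{L} '\-]{1,79}$/u", $name)) {
        $reasons[] = 'name not alphabetic';
    }
    // Email: well-formed and free of CR/LF, since it ends up in mail headers.
    $email = trim((string) ($in['email'] ?? ''));
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false || preg_match('/[\r\n]/', $email)) {
        $reasons[] = 'email invalid';
    }
    // Message: link-dropping spam almost always carries a URL or markup.
    $message = trim((string) ($in['message'] ?? ''));
    if ($message === '') {
        $reasons[] = 'message empty';
    } elseif (preg_match('~https?://|\[link=|\[url=|href=|<a\s~i', $message)) {
        $reasons[] = 'message contains URL or markup';
    }

    if ($reasons !== []) {
        return ['ok' => false, 'reasons' => $reasons];
    }
    return ['ok' => true, 'data' => ['name' => $name, 'email' => $email, 'message' => $message]];
}

// One line per submission: time, client IP, verdict, then every raw field with
// control characters escaped so a bot cannot forge extra log lines. Returns the
// line and appends it to $file when one is given.
function log_submission(string $ip, array $post, array $result, ?string $file = LOG_FILE): string
{
    $verdict = $result['ok'] ? 'ACCEPT' : 'REJECT(' . implode(',', $result['reasons']) . ')';
    $fields = [];
    foreach ($post as $k => $v) {
        $fields[] = $k . '=' . addcslashes(substr((string) $v, 0, 200), "\0..\37\\");
    }
    $line = sprintf("%s %s %s %s\n", date('c'), $ip, $verdict, implode(' | ', $fields));
    if ($file !== null) {
        file_put_contents($file, $line, FILE_APPEND | LOCK_EX);
    }
    return $line;
}

// Constructed samples: one shaped like the spam quoted in the thread, one legitimate.
$spam = [
    'name'    => 'ayihvic 947258',
    'email'   => 'qpobss@tofhmc.com',
    'message' => 'SrmREJ <a href="http://imaicmovbcwm.com/">imaicmovbcwm</a>, [link=http://euedorcwpoue.com/]x[/link]',
    'website' => 'http://spam.invalid/',   // the hidden field, filled in by the bot
    'submit'  => "Send\r\nX-Forged: yes",  // not allow-listed; also exercises the log escaping
];
$legit = ['name' => "Anne O'Neil", 'email' => 'anne@example.com',
          'message' => 'Do you ship to Romania?', 'website' => ''];

// Pass null as the file to print the log lines instead of writing them.
echo log_submission('118.96.14.120', $spam, validate_contact($spam), null);
echo log_submission('192.0.2.10', $legit, validate_contact($legit), null);
```

Every rejection reason is recorded rather than only the first, which is what makes the log useful for the "know thy enemy" step: after a week you can see which single check each bot trips and which ones it has already learned to pass. The CR/LF check on the address matters independently of spam, because an address that is copied into a From or Reply-To header unchecked lets a sender inject extra headers into the mail phpMailer builds.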

frontpage




msg:4265258
 6:07 pm on Feb 10, 2011 (gmt 0)

@rocknbil - I don't think you grasp what I wrote.

Many hackers use Google SERPs to find targets for their automated hack attempts. I won't name the software here, but it uses Google SERPs to populate its database of URLs to attack.

By restricting search engines from indexing your contact page and, secondly, making sure that your contact page is named something else, you help decrease attacks.

You can't be hacked if you are not found in the first place.

However, once someone specifically targets your contact page, then having other measures in place is definitely necessary.

incrediBILL




msg:4265457
 1:14 am on Feb 11, 2011 (gmt 0)

This will lead them to your form, whatever it's named. You can arbitrarily change the file name, they will still find you.


Forms hidden in obfuscated javascript which are decoded and written directly into the HTML are completely safe from automated abuse, until a human stumbles along to hand-code it.

Great tactic to thwart automation except it's a big accessibility problem.

TheMadScientist




msg:4270068
 1:36 pm on Feb 21, 2011 (gmt 0)

SIMPLE challenge/response: Easier than dreaded CAPTCHA, ask "what is three plus five?" and set your script to accept EITHER a case-insensitive eight or 8. Change it as often as you need. I've only had to do this in CMS's that won't allow me to filter input.

Yep, use something similar myself and what incrediBILL says is very true, but I don't always hide the whole form. (See Below)

Once they do that, they only need to find the form action.

I really like action="javascript:void(0);" and attaching a click function dynamically on the load of a js file sometimes. ;)

WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved