
web 'contact us' email form virus/worm/abuse


jmorgan

10:33 pm on Mar 8, 2006 (gmt 0)

10+ Year Member Top Contributors Of The Month



I've been getting automated virus/worm type gibberish email which seems to be originating from the web form I use on my 'Contact Us' page. I'm not sure if there's an official name for this thing.

Has anyone else received anything like this? Examples below:

imagination
Content-Type: multipart/alternative; boundary=c26ca5ede8b4231db309629417a76509
MIME-Version: 1.0
Subject: have known
bcc: hollowiog1503@aol.com

This is a multi-part message in MIME format.

--c26ca5ede8b4231db309629417a76509
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

certainly, said tto, with a deep sigh. efore his friend he no longer stood pure and guiltless. hey slept. tto s sleep was only a hateful dream. ... ie entzuckend
--c26ca5ede8b4231db309629417a76509--

.

kaled

12:29 am on Mar 9, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Yes, I've had the same problem.

It seems to be caused by an attempt to use my form mail script to send spam. However, since the destination cannot be set other than from a configuration file on the server, I receive all the various attempts.

So far as I am aware, the security of my script has not been breached (i.e. no spam has been sent out). It sounds like your script is ok too.

Kaled.

Mokita

1:10 am on Mar 9, 2006 (gmt 0)

10+ Year Member



This problem has been occurring for quite a while. There is a very good description and solution here:
[anders.com...]

MatthewHSE

1:25 am on Mar 9, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



This is known as form injection spamming. They're trying to inject additional e-mail headers so they can send their spam messages to a list of their choice. (Notice the bcc: section of what they tried to submit.) Just because the message is being sent to an address specified in the configuration file doesn't mean you're safe. If any of your form's input fields affect the e-mail being sent, particularly the message headers, the form is vulnerable.

There are several ways to secure forms against this type of attack. My choice is to remove terms such as bcc: cc: to: and Content-Type and replace them with non-dangerous equivalents. Here's a PHP function I cobbled together from several sources, including some of my own work, that will do this for you:

function NoSpam() {
    // Define "bad" data: each Original Value is found and replaced with its New Value.
    $BadStrings = array( // New value => Original Value
        "Cntnt_Type"          => "Content-Type:",
        "MIME_Vrsn"           => "MIME-Version:",
        "Cntnt_Trnsfr_Encdng" => "Content-Transfer-Encoding",
        "b_c_c"               => "bcc:",
        "c_c"                 => "cc:",
        "t_o"                 => "to:"
    );
    // str_ireplace matches case-insensitively (the removed eregi_replace did too,
    // but the strpos test before it was case-sensitive) and applies every
    // replacement in array order to the same string, so "bcc:" is neutralised
    // before the shorter "cc:" pattern is tried and no replacement is lost.
    foreach ($_POST as $k => $v) {
        if (is_string($v)) {
            $_POST[$k] = str_ireplace(array_values($BadStrings), array_keys($BadStrings), $v);
        }
    }
    unset($BadStrings, $k, $v);
    /* Visual confirmation that it worked - delete
       this before using the function on a production site.
       The values are escaped so the debug output itself cannot inject markup. */
    foreach ($_POST as $k => $v) {
        if (is_string($v)) {
            echo '<b>' . htmlspecialchars($k) . ' - </b>' . htmlspecialchars($v) . '<br>';
        }
    }
}

Just call the function whenever you want to cleanse all form input.

Yes, I know certain aspects of this could be made more elegant, but I haven't had time to work it all out yet. Suggestions and refinements will be welcome! ;)
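The replacement approach above blunts the known header names; a complementary defence is to keep visitor input out of the headers altogether and refuse submissions that carry a line break in a one-line field, since every injected header in the sample from the first post needs a CR or LF to start a new line. The following handler is an added example written for this thread, not code from any of the posters; the field names, addresses, log message and mail() call are assumptions.

```php
<?php
// Added example (not from the thread): a form-mail handler that keeps visitor
// input out of the message headers. Field names, addresses and the mail()
// call are assumptions chosen for the example.

// A one-line field must not contain a line break: every injected header in the
// sample quoted above needs a CR or LF to begin a new header line, so a break
// in a single-line field is the signature of an injection attempt.
function is_single_line($value) {
    return is_string($value) && !preg_match('/[\r\n]/', $value);
}

// Returns the message parts, or null when the submission must be refused.
function build_contact_mail(array $post) {
    $name    = isset($post['name'])    ? trim($post['name'])  : '';
    $email   = isset($post['email'])   ? trim($post['email']) : '';
    $message = isset($post['message']) ? $post['message']     : '';

    // Only a single syntactically valid address may become Reply-To; a "bcc:"
    // line or an address list fails this check, so refuse rather than patch it.
    if (!is_single_line($name) || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }

    // Recipient, subject and headers are fixed server-side. Visitor text only
    // lands in the body, where a stray "bcc:" line is inert.
    $headers = "From: webform@example.com\r\n"    // assumption: the site's own sender
             . "Reply-To: " . $email . "\r\n"
             . "Content-Type: text/plain; charset=UTF-8\r\n";
    return array(
        'to'      => 'contact@example.com',      // assumption: read from server config
        'subject' => 'Contact form submission',
        'body'    => "Name: " . $name . "\n\n" . $message,
        'headers' => $headers,
    );
}

// Constructed input modelled on the attempt quoted in the first post.
$attempt = array(
    'name'    => "imagination\r\nbcc: list@spam.example",
    'email'   => 'visitor@example.org',
    'message' => 'certainly, said tto, with a deep sigh.',
);
$mail = build_contact_mail($attempt);
if ($mail === null) {
    // Log the refusal instead of mailing: a count of these is the abuse signal.
    $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'cli';
    error_log('contact form: refused header-injection attempt from ' . $ip);
} else {
    mail($mail['to'], $mail['subject'], $mail['body'], $mail['headers']);
}
```

With the constructed input the submission is refused and logged; the same handler mails a normal enquiry because only the fixed headers and a validated Reply-To ever reach the header block.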