Automated mass abuse of form mailers 2005/09/12, Michael Holzt, kju -at- fqdn.org
1. Summary Lately webpage mail forms has become a target of spammers. The attacks seems to be automated and try to exploit the use of untrusted input data in a lot of these form mailers. The attacks inserts newlines into data fields which are used unchecked in header lines of the mail generated. These newlines allow the attacker to add own header lines and message content. 2. Attack vector Example of a vulnerable script (shortened) in PHP: | $header = "From: " . $_POST["email"]; | mail("[EMAIL PROTECTED]", "subject", | "This is the original content", $header); This script can be exploited by using e.g. the following value in the 'email' field of the http post request (line break inserted only for display purposes): | [EMAIL PROTECTED]:[EMAIL PROTECTED] | Subject: Buy Viagra now!\n\nText As this content is inserted unchecked into the header, this will result in a mail generated which looks like this: | From: [EMAIL PROTECTED] | Cc: [EMAIL PROTECTED] | Subject: Buy Viagra now! | | Text | Subject: subject | | This is the original content The victim has managed to add his own Cc line (which will be the spam target), a own subject and a own body. The original subject (and other header lines) as well as the original content have been moved into the body of the mail. Examples of real abuse witnessed have shown that the attackers even try to create multipart messages to hide the original content generated by the form mailer. Also these attacks seems to be automated. For a test i renamed the name of the form mailer skript. However the attacks continued without major delay. In the log files of the web server i could see the abusers to first fetch the html page containing the mail form. This page seems to be parsed automatically, and the names of the form fields and the script extracted. Between the fetch of the html page and the first abuse attempt on the renamed script only 4 seconds elapsed. The abusers also try to track sucessfull attempts. In a number of cases a bcc to an aol email address ([EMAIL PROTECTED]) was inserted into the message as well. Other internet users reported such abuse as well. Google shows nearly 72.000 hits when searching for this mail address. 3. Recommendations Never use untrusted input data without proper filtering. If special characters like newlines are filtered from the input data, this type of attack would no longer work. The automated exploitation attempts will however likely not be affected by this. If your form mailer does not have any type of sanity check on the input data (might even not be possible depending on type of usage), this will lead to lots of email generated to the "normal" recipient of the form mails. It is therefore advised to check the relevant data fields for newlines inserted and deny sending the mail if any are found. For example the vulnerable script shown above could be added by a check like this: | if ( eregi("\n",$_POST["email"]) || eregi("\r",$_POST["email"]) ) | { | header("HTTP/1.0 403 Forbidden"); | die("Spam attempt denied"); | } _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/