[thelist] Weird bot email [long]

Ken Schaefer Ken at adOpenStatic.com
Sat Sep 10 19:44:14 CDT 2005


My guess:

It's targeting those systems where the webpage code generates the email as a
text file - it's an "injection" attack, where they are attempting to inject
additional headers. 

It might work if the backend SMTP server allows relay, it might work if
email's dropped directly into the SMTP server's working queue (bypassing
relay checks), but otherwise, you just end up with crud in the body.

Cheers
Ken

: -----Original Message-----
: From: thelist-bounces at lists.evolt.org [mailto:thelist-
: bounces at lists.evolt.org] On Behalf Of Maximillian Schwanekamp
: Sent: Sunday, 11 September 2005 8:14 AM
: To: TheList at Evolt
: Subject: [thelist] Weird bot email [long]
: 
: Hey List,
: 
: I have a handrolled php contact form on my site and (with minor
: variations) on a few of my clients' sites.  Really basic: user fills in
: the form, POSTs the form data to itself, and sends an email to the site
: owner via php mail().  The destination for the contact mail is hardcoded
: into the php and is not exposed in any way, and the script runs
: strip_tags() on the user-entered data.  This script dates back a ways,
: and it appears that my security awareness level was still pretty low
: when I wrote it...
: 
: So anyway now as site owner I am getting email from this script which is
: always from /[a-z]{3,10}@neptunewebworks.com/ (i.e. 3-10 random alpha
: chars @ my own domain).  The body of the message appears to be
: attempting to spoof the headers or something.  I saw a few of these go
: through last week, and figured it was just some joker.  Now I'm getting
: 6-8 of these a day, so I figure the bad guys may have found a way in.  I
: tested my box for open relays, etc, but got nothing.  Still, these
: messages look fishy.  Anyone have any idea what's going on here?
: 
: Here's a sample message (overcomeyourstagefright.com is my client's
: site), with the header/body division marked:
: 
: X-Account-Key: account2
: X-UIDL: 1c48cb5ad524725c17d1b3c316265bfe
: X-Mozilla-Status: 0201
: X-Mozilla-Status2: 00000000
: Return-path: <nobody at sequoia.neptunewebworks.com>
: Envelope-to: anaxamaxan at neptunewebworks.com
: Delivery-date: Sat, 10 Sep 2005 05:05:40 -0700
: Received: from neptun2 by sequoia.neptunewebworks.com with local-bsmtp
: (Exim 4.44)
:     id 1EE472-0006zf-0T
:     for anaxamaxan at neptunewebworks.com; Sat, 10 Sep 2005 05:05:40 -0700
: Received: from nobody by sequoia.neptunewebworks.com with local (Exim
: 4.44)
:     id 1EE471-0006yV-RR
:     for max at neptunewebworks.com; Sat, 10 Sep 2005 05:05:39 -0700
: To: Max <max at neptunewebworks.com>
: Subject: Randy Contact Form
: From: lfzn at overcomeyourstagefright.com <lfzn at overcomeyourstagefright.com>
: MIME-Version: 1.0
: Content-Type: text/plain; charset=iso-8859-1;
: Message-ID:
: <d41d8cd98f00b204e9800998ecf8427e--1126353939 at mail.randylubow.com>
: Date: Sat, 10 Sep 2005 05:05:39 -0700
: X-Spam-Checker-Version: SpamAssassin 3.0.4 (2005-06-05) on
:     sequoia.neptunewebworks.com
: X-Spam-Level:
: X-Spam-Status: No, score=-5.9 required=5.0 tests=ALL_TRUSTED,BAYES_00
:     autolearn=ham version=3.0.4
:                 <--------------------------------------- MESSAGE BODY
: BEGINS
: lfzn at overcomeyourstagefright.com
: Content-Type: multipart/mixed; boundary="===============0002865402=="
: MIME-Version: 1.0
: Subject: 6d237c20
: To: lfzn at overcomeyourstagefright.com
: bcc: jrubin3546 at aol.com
: From: lfzn at overcomeyourstagefright.com
: 
: This is a multi-part message in MIME format.
: 
: --===============0002865402==
: Content-Type: text/plain; charset="us-ascii"
: MIME-Version: 1.0
: Content-Transfer-Encoding: 7bit
: 
: jlugklbqaw
: --===============0002865402==--
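Added example (not code from either post, and not Max's PHP form): a small Python stand-in for the contact-form mailer that shows the naive header concatenation the thread describes beside the line-break check that blocks it, plus a detector that flags the tell-tale "headers in the body" that Max quoted. The sample body is constructed from the quoted message with the real addresses replaced by example.invalid placeholders.

```python
import re

# Constructed sample: the body of a probe message like the one quoted above,
# with the real addresses replaced by example.invalid placeholders.
SAMPLE_BODY = """\
lfzn@example.invalid
Content-Type: multipart/mixed; boundary="===============0002865402=="
Subject: 6d237c20
To: lfzn@example.invalid
bcc: probe@example.invalid
From: lfzn@example.invalid

This is a multi-part message in MIME format.
"""

HEADER_LINE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*):\s*(.*)$")


def header_value(field, value):
    """Return a form value that is safe to place in one mail header, or raise."""
    if "\r" in value or "\n" in value:
        raise ValueError("%s contains a line break" % field)
    return value.strip()


def build_message(sender, subject, body, to="owner@example.invalid", strict=True):
    """Assemble the contact-form mail.  strict=False reproduces the naive
    concatenation the posts describe: a CR/LF in a field becomes a new header."""
    if strict:
        sender, subject = header_value("from", sender), header_value("subject", subject)
    headers = ["To: " + to, "From: " + sender, "Subject: " + subject,
               "MIME-Version: 1.0", "Content-Type: text/plain; charset=us-ascii"]
    return "\r\n".join(headers) + "\r\n\r\n" + body


def injected_headers(body):
    """Header-like lines at the top of a delivered body (the injection failed
    and the attacker's text landed in the body, as Ken describes)."""
    found = {}
    for line in body.splitlines():
        if not line.strip():
            break
        m = HEADER_LINE.match(line)
        if m:
            found[m.group(1).lower()] = m.group(2)
    return found


def looks_like_header_probe(body):
    """True when the body opens with headers that would redirect the mail."""
    found = injected_headers(body)
    return bool({"bcc", "cc"} & found.keys()) or {"to", "content-type"} <= found.keys()
```

With strict=True the form refuses the field instead of sending anything, which is the fix for the script Max describes; the detector is what you would run over the owner's inbox to count how many of the 6-8 daily messages are probes.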
