[thelist] Site getting spammed

Ken Robinson kenrbnsn at rbnsn.com
Fri Nov 18 11:20:12 CST 2005


Quoting Robert Vreeland <vreeland at studioframework.com>:

> Hello List,
>
> One of my client's web sites is getting spammed, or something like it. It
> appears as though someone is using a script to auto-fill their email
> newsletter registration form; every field is being filled in with the same
> bogus email address using my client's domain name. For example:
> Email : 245she at clients_domain.com
> confirm email : 245she at clients_domain.com
> Name : 245she at clients_domain.com
> Address : 245she at clients_domain.com
> City : 245she at clients_domain.com
>
> etc..
>
> Does anyone have any idea what this is meant to do? Are they phishing for a
> reply address or seeing if they can get a database error?
>

These people are trying to use your email form to send spam. I'm assuming the
web site uses PHP. This is one of the reasons to always verify user input
matches what your script is expecting.

I use the following code at the start of my scripts that process these
types of forms:

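<?php
if (!empty($_POST)) {
    foreach ($_POST as $k => $v) {
        // Header names are case-insensitive, so match with stripos().
        // is_string() keeps array values (field[]=...) away from stripos();
        // those need their own check.
        if (is_string($v) && stripos($v, 'Content-Type') !== false) {
            //
            //   reject the post as bogus
            //   optionally make a record of the bogus post
            //
            exit; // stop before any mail is sent
        }
    }
}
?>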

These people are first doing a screen scrape of a show source to get all
possible $_GET or $_POST variables. Then they use a program to send the bogus
post to your script. The biggest potential problem is that they are trying to
inject a MIME 'Content-Type' message into the email you send with a different
Subject and a BCC address.

Take a look at <http://www.phpsec.org/> for more information and tests.

Ken Robinson
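
The header injection described in this reply depends on a form value carrying a line break into a mail header. The following is an added example, not part of the original post: a check that goes beyond the single 'Content-Type' test by also rejecting CR/LF in header-bound fields and validating the address. The function name `check_mail_form`, the field names and the sample submissions are all assumptions constructed for illustration.

```php
<?php
// Added example: function name, field names and sample data are constructed.

/** Return the reasons to reject a submission; an empty list means clean. */
function check_mail_form(array $post, array $headerFields, string $emailField): array
{
    $problems = [];
    foreach ($post as $name => $value) {
        if (!is_string($value)) {
            // field[]=... arrives as an array; a plain text form never sends one
            $problems[] = "$name: not a string";
            continue;
        }
        // Anything copied into a mail header must be a single line:
        // a CR or LF is what lets a value start a new header.
        if (in_array($name, $headerFields, true) && preg_match('/[\r\n]/', $value)) {
            $problems[] = "$name: line break in header field";
        }
        // Header names are case-insensitive, so match them that way.
        if (preg_match('/^\s*(content-type|mime-version|bcc|cc|to|subject)\s*:/mi', $value)) {
            $problems[] = "$name: contains a mail header line";
        }
    }
    $email = $post[$emailField] ?? '';
    if (!is_string($email) || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $problems[] = "$emailField: not a valid address";
    }
    return $problems;
}

// Constructed submissions: one ordinary, one shaped like the bogus posts above.
$clean = ['email' => 'reader@example.com', 'name' => 'A Reader',
          'message' => "Hello,\nplease subscribe me."];
$bogus = ['email' => "245she@example.com\r\nBcc: someone@example.net",
          'name' => '245she@example.com',
          'message' => "Content-Type: text/plain\n\ntext"];

foreach (['clean' => $clean, 'bogus' => $bogus] as $label => $post) {
    // 'email' and 'name' are the fields this hypothetical form puts in headers
    $problems = check_mail_form($post, ['email', 'name'], 'email');
    echo $label, ': ',
        $problems ? "rejected\n  " . implode("\n  ", $problems) : 'accepted', "\n";
}
```

The message body is allowed to span several lines because it is never placed in a header; only the fields listed in `$headerFields` are held to one line.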



