[thelist] Weird bot email [long]
sbeam
sbeam at onsetcorps.net
Sun Sep 11 08:40:41 CDT 2005
On Sunday 11 September 2005 12:15 am, Rich Points wrote:
> I'm glad to hear I'm not the only one out there getting this. One of my
> sites is getting hit about once a week which usually comes in sets of
> three emails. So I've been logging IP addresses and blocking them but
> they still keep coming.
>
> Rich
>
Recently updated a couple of contact forms on client sites where the mail
sending script (not written by me) was vulnerable to Mr.
jrubin3546 at aol.com (may he be buried in spam, amen) and his script
kiddie tricks.
He and his ilk are probably running scripts/worms on compromised SOHO
systems with dynamic IPs, so if you block by IP you will block
legitimate traffic. My solution is to
1) strip newlines from all incoming fields
2) bail out if anything contains iffy strings like 'Content-Type:' or
'MIME-Version' - no legitimate reason why someone inquiring about baked
goods, for instance, would mention those things...
3) always have a BCC: sent to myself or the tech. contact at the client,
or log each message, so any abuse attempts will be seen.
And if you see any of this abuse, you should definitely report it to their
ISP. If AOL gets reports from everyone who is seeing this then they
might eventually cancel the account (not holding my breath, but... the
guy has been busy http://www.google.com/search?q=jrubin3546%40aol.com )
http://postmaster.aol.com/guidelines/junk.html#abuse
=======================
simple PHP version:
// fields we are sending
$fields = array("name" => "Name",
                "email" => 'email',
                "phone" => 'Phone #',
                "comment" => 'Comments');
/* safety check all submitted data - remove newlines */
$vals = array();
foreach ($fields as $k => $v) {
    // a missing field becomes an empty string instead of an undefined-index notice
    $vals[$k] = preg_replace('/[\n\r]/', ' ', isset($_POST[$k]) ? $_POST[$k] : '');
    // dont send anything if there is an abuse attempt
    // (stripos replaces ereg, which was deprecated in PHP 5.3 and removed in 7.0;
    // it is also case-insensitive, so 'content-type:' is caught as well)
    if (stripos($vals[$k], 'Content-Type:') !== false
        || stripos($vals[$k], 'MIME-Version') !== false) {
        header('Location: /inquiry.html');
        exit();
    }
}
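Added example, not code from the post above: the three steps sbeam lists (strip newlines, refuse header-like tokens, keep a copy for the tech contact) as one hardened form handler, run against a constructed header-injection payload of the kind the thread describes. It goes a little beyond the post: only fields that end up in mail headers (name, email) have newlines stripped, while the token check applies to every field, and the address is additionally validated with filter_var. The addresses, the extra 'Bcc:' token, and the commented-out mail() call are assumptions for illustration.

```php
<?php
// Added example (not from the original post): header injection payload and a
// hardened contact-form handler that applies the three steps from the post.

// Constructed attacker submission. The "email" field carries CRLF sequences
// that, if copied verbatim into mail()'s additional-headers argument, would
// append a Bcc: header and start a MIME body of the attacker's choosing.
$attackPost = [
    'name'    => 'Bob',
    'email'   => "bob@example.com\r\nBcc: victim1@example.net, victim2@example.net"
               . "\r\nContent-Type: text/plain\r\n\r\nBuy now!",
    'phone'   => '555-0100',
    'comment' => 'Hello',
];

// Constructed legitimate submission (multi-line comment is normal here).
$goodPost = [
    'name'    => 'Alice',
    'email'   => 'alice@example.com',
    'phone'   => '555-0101',
    'comment' => "Do you sell sourdough?\nThanks.",
];

// The pattern the post warns about (do NOT use): user input goes straight
// into the additional headers, so the CRLFs above become real header lines.
function vulnerableHeaders(array $post): string
{
    return 'From: ' . ($post['email'] ?? '');
}

// Tokens that have no business in a contact-form field. 'Content-Type:' and
// 'MIME-Version' come from the post; 'bcc:' is an assumed addition.
const IFFY_TOKENS = ['content-type:', 'mime-version', 'bcc:'];

/**
 * Step 1 and 2 for one field. Header-bound fields get CR/LF collapsed to a
 * space; body fields keep their newlines but still get the token check.
 * Returns null when the value looks like an abuse attempt.
 */
function cleanField(string $value, bool $isBodyField = false): ?string
{
    $value = $isBodyField
        ? preg_replace("/\r\n?/", "\n", $value)    // body: normalise line endings only
        : preg_replace('/[\r\n]+/', ' ', $value);  // header field: no newlines at all
    foreach (IFFY_TOKENS as $token) {
        if (stripos($value, $token) !== false) {   // case-insensitive, unlike ereg()
            return null;
        }
    }
    return $value;
}

/**
 * Build the headers and body for mail(). Returns null if any field failed the
 * checks, so the caller can log the attempt and bail out without sending.
 */
function buildMessage(array $post): ?array
{
    $name    = cleanField($post['name'] ?? '');
    $email   = cleanField($post['email'] ?? '');
    $phone   = cleanField($post['phone'] ?? '');
    $comment = cleanField($post['comment'] ?? '', true);
    if ($name === null || $email === null || $phone === null || $comment === null) {
        return null;
    }
    // Only a syntactically plain address is allowed into a header at all.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    $headers = [
        'From: Web form <webform@example.com>',   // fixed sender, never user-controlled
        'Reply-To: ' . $email,
        'Bcc: tech-contact@example.com',          // step 3: tech contact sees every message
    ];
    $body = "Name: $name\nEmail: $email\nPhone: $phone\n\nComments:\n$comment\n";
    return ['headers' => implode("\r\n", $headers), 'body' => $body];
}

// Demonstration: the attack payload is rejected, the real inquiry goes through.
echo "vulnerable headers would contain an injected Bcc: ",
     (strpos(vulnerableHeaders($attackPost), "\r\nBcc:") !== false ? 'yes' : 'no'), "\n";
foreach (['good' => $goodPost, 'attack' => $attackPost] as $label => $post) {
    $msg = buildMessage($post);
    if ($msg === null) {
        error_log("contact form: abuse attempt blocked ({$label})");
        echo "$label: rejected\n";
        continue;
    }
    echo "$label: accepted\n";
    // mail('inquiries@example.com', 'Website inquiry', $msg['body'], $msg['headers']);
}
```

The attack submission is stopped twice over: collapsing the CRLFs leaves 'Bcc:' inside the field, which the token check refuses, and even without that check the mangled address would fail filter_var. Keeping the From: header fixed and putting the visitor's address only in Reply-To means nothing user-supplied ever becomes a header the MTA will act on.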