[thelist] Weird bot email [long]

Maximillian Schwanekamp lists at neptunewebworks.com
Sat Sep 10 17:14:20 CDT 2005


Hey List, 

I have a hand-rolled php contact form on my site and (with minor 
variations) on a few of my clients' sites.  Really basic: user fills in 
the form, POSTs the form data to itself, and sends an email to the site 
owner via php mail().  The destination for the contact mail is hardcoded 
into the php and is not exposed in any way, and the script runs 
strip_tags() on the user-entered data.  This script dates back a ways, 
and it appears that my security awareness level was still pretty low 
when I wrote it... 

So anyway now as site owner I am getting email from this script which is 
always from /[a-z]{3,10}@neptunewebworks.com/ (i.e. 3-10 random alpha 
chars @ my own domain).  The body of the message appears to be 
attempting to spoof the headers or something.  I saw a few of these go 
through last week, and figured it was just some joker.  Now I'm getting 
6-8 of these a day, so I figure the bad guys may have found a way in.  I 
tested my box for open relays, etc, but got nothing.  Still, these 
messages look fishy.  Anyone have any idea what's going on here?

Here's a sample message (overcomeyourstagefright.com is my client's 
site), with the header/body division marked:

X-Account-Key: account2
X-UIDL: 1c48cb5ad524725c17d1b3c316265bfe
X-Mozilla-Status: 0201
X-Mozilla-Status2: 00000000
Return-path: <nobody at sequoia.neptunewebworks.com>
Envelope-to: anaxamaxan at neptunewebworks.com
Delivery-date: Sat, 10 Sep 2005 05:05:40 -0700
Received: from neptun2 by sequoia.neptunewebworks.com with local-bsmtp 
(Exim 4.44)
    id 1EE472-0006zf-0T
    for anaxamaxan at neptunewebworks.com; Sat, 10 Sep 2005 05:05:40 -0700
Received: from nobody by sequoia.neptunewebworks.com with local (Exim 4.44)
    id 1EE471-0006yV-RR
    for max at neptunewebworks.com; Sat, 10 Sep 2005 05:05:39 -0700
To: Max <max at neptunewebworks.com>
Subject: Randy Contact Form
From: lfzn at overcomeyourstagefright.com <lfzn at overcomeyourstagefright.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1;
Message-ID: 
<d41d8cd98f00b204e9800998ecf8427e--1126353939 at mail.randylubow.com>
Date: Sat, 10 Sep 2005 05:05:39 -0700
X-Spam-Checker-Version: SpamAssassin 3.0.4 (2005-06-05) on
    sequoia.neptunewebworks.com
X-Spam-Level:
X-Spam-Status: No, score=-5.9 required=5.0 tests=ALL_TRUSTED,BAYES_00
    autolearn=ham version=3.0.4
                <--------------------------------------- MESSAGE BODY BEGINS
lfzn at overcomeyourstagefright.com
Content-Type: multipart/mixed; boundary="===============0002865402=="
MIME-Version: 1.0
Subject: 6d237c20
To: lfzn at overcomeyourstagefright.com
bcc: jrubin3546 at aol.com
From: lfzn at overcomeyourstagefright.com

This is a multi-part message in MIME format.

--===============0002865402==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

jlugklbqaw
--===============0002865402==--


-- 
Max Schwanekamp
http://www.neptunewebworks.com/
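The pattern in the sample message (a second From/To/bcc block appearing in the body) is what a newline smuggled into a header field produces, and strip_tags() does nothing about newlines. Below is an added example of a header-safe wrapper around the mail() step described in the post; it is not Max's script (which the post does not show), and the field names and addresses are assumed.

```php
<?php
// Added example, not the original contact form. Field names ($_POST['email'],
// ['subject'], ['message']) and all addresses are hypothetical.

/**
 * Refuse any value destined for a mail header if it carries CR or LF.
 * strip_tags() only removes HTML/PHP tags; a field such as
 * "lfzn@example.com\nbcc: someone@example.net" passes through it intact
 * and mail() would emit the second line as a real header.
 */
function headerSafe(string $value): string
{
    if (preg_match('/[\r\n]/', $value) === 1) {
        throw new InvalidArgumentException('newline in header field');
    }
    return trim($value);
}

/** Build the arguments for mail() from form input, or throw on a bad field. */
function buildContactMail(array $post, string $to): array
{
    $email = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        throw new InvalidArgumentException('invalid sender address');
    }
    $subject = headerSafe(strip_tags($post['subject'] ?? 'Contact Form'));
    $body    = strip_tags($post['message'] ?? '');   // newlines are fine in the body

    // From stays a fixed address on your own domain; the visitor goes in Reply-To.
    $headers = "From: contact@example.com\r\n"
             . "Reply-To: " . headerSafe($email) . "\r\n";
    return [$to, $subject, $body, $headers];
}

// Constructed input shaped like the probe in the sample message.
$probe = [
    'email'   => "lfzn@example.com\nbcc: someone@example.net",
    'subject' => '6d237c20',
    'message' => 'jlugklbqaw',
];
try {
    [$to, $subject, $body, $headers] = buildContactMail($probe, 'owner@example.com');
    mail($to, $subject, $body, $headers);
} catch (InvalidArgumentException $e) {
    // Log and drop instead of sending; this is the line to watch for in your logs.
    error_log('rejected contact submission: ' . $e->getMessage());
}
```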


