[thelist] Weird bot email [long]

Rich Points rich at richpoints.com
Sat Sep 10 23:15:37 CDT 2005


I'm glad to hear I'm not the only one out there getting this.  One of my 
sites is getting hit about once a week, usually in sets of three emails.  
So I've been logging IP addresses and blocking them, but they still keep 
coming.

Rich



Maximillian Schwanekamp wrote:

> Hey List,
> I have a handrolled php contact form on my site and (with minor 
> variations) on a few of my clients' sites.  Really basic: user fills 
> in the form, POSTs the form data to itself, and sends an email to the 
> site owner via php mail().  The destination for the contact mail is 
> hardcoded into the php and is not exposed in any way, and the script 
> runs strip_tags() on the user-entered data.  This script dates back a 
> ways, and it appears that my security awareness level was still pretty 
> low when I wrote it...
> So anyway now as site owner I am getting email from this script which 
> is always from /[a-z]{3,10}@neptunewebworks.com/ (i.e. 3-10 random 
> alpha chars @ my own domain).  The body of the message appears to be 
> attempting to spoof the headers or something.  I saw a few of these go 
> through last week, and figured it was just some joker.  Now I'm 
> getting 6-8 of these a day, so I figure the bad guys may have found a 
> way in.  I tested my box for open relays, etc, but got nothing.  
> Still, these messages look fishy.  Anyone have any idea what's going 
> on here?
>
> Here's a sample message (overcomeyourstagefright.com is my client's 
> site), with the header/body division marked:
>
> X-Account-Key: account2
> X-UIDL: 1c48cb5ad524725c17d1b3c316265bfe
> X-Mozilla-Status: 0201
> X-Mozilla-Status2: 00000000
> Return-path: <nobody at sequoia.neptunewebworks.com>
> Envelope-to: anaxamaxan at neptunewebworks.com
> Delivery-date: Sat, 10 Sep 2005 05:05:40 -0700
> Received: from neptun2 by sequoia.neptunewebworks.com with local-bsmtp 
> (Exim 4.44)
>    id 1EE472-0006zf-0T
>    for anaxamaxan at neptunewebworks.com; Sat, 10 Sep 2005 05:05:40 -0700
> Received: from nobody by sequoia.neptunewebworks.com with local (Exim 
> 4.44)
>    id 1EE471-0006yV-RR
>    for max at neptunewebworks.com; Sat, 10 Sep 2005 05:05:39 -0700
> To: Max <max at neptunewebworks.com>
> Subject: Randy Contact Form
> From: lfzn at overcomeyourstagefright.com <lfzn at overcomeyourstagefright.com>
> MIME-Version: 1.0
> Content-Type: text/plain; charset=iso-8859-1;
> Message-ID: 
> <d41d8cd98f00b204e9800998ecf8427e--1126353939 at mail.randylubow.com>
> Date: Sat, 10 Sep 2005 05:05:39 -0700
> X-Spam-Checker-Version: SpamAssassin 3.0.4 (2005-06-05) on
>    sequoia.neptunewebworks.com
> X-Spam-Level:
> X-Spam-Status: No, score=-5.9 required=5.0 tests=ALL_TRUSTED,BAYES_00
>    autolearn=ham version=3.0.4
>                <--------------------------------------- MESSAGE BODY 
> BEGINS
> lfzn at overcomeyourstagefright.com
> Content-Type: multipart/mixed; boundary="===============0002865402=="
> MIME-Version: 1.0
> Subject: 6d237c20
> To: lfzn at overcomeyourstagefright.com
> bcc: jrubin3546 at aol.com
> From: lfzn at overcomeyourstagefright.com
>
> This is a multi-part message in MIME format.
>
> --===============0002865402==
> Content-Type: text/plain; charset="us-ascii"
> MIME-Version: 1.0
> Content-Transfer-Encoding: 7bit
>
> jlugklbqaw
> --===============0002865402==--
>
>
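What the quoted sample shows is a mail-header injection probe: strip_tags() removes HTML tags but leaves "\r\n" untouched, so a form field that is copied into a mail() header can carry a line break followed by extra headers (here a second Content-Type, a Subject, a bcc) and a body of the sender's choosing. The hardcoded destination address does not help, because the bcc is added to the headers the script itself hands to mail(). In the quoted message the payload landed below the blank line that ends the headers, so that particular probe did not get its bcc honoured; a field that reaches a header line would. The following is an added example, not the script from the post or either site's code: the field names ($_POST['email'], $_POST['message']), the addresses and the probe string are assumptions.

```php
<?php
// Added example, not the script discussed in the post. Field names,
// addresses and the probe below are assumptions.

// Vulnerable pattern: strip_tags() leaves "\r\n" untouched, so a value
// such as "lfzn@example.com\r\nbcc: spammer@example.net\r\n\r\n..."
// appends headers (and a body) of the attacker's choosing.
function send_contact_vulnerable(array $post): bool {
    $to      = 'owner@example.com';            // hardcoded, as in the post
    $from    = strip_tags($post['email']);     // tags gone, newlines kept
    $subject = 'Contact Form';
    $body    = strip_tags($post['message']);
    return mail($to, $subject, $body, "From: $from\r\n");
}

// A header value must be a single line: reject CR, LF and NUL outright.
// This is the check strip_tags() does not do.
function header_value_is_safe(string $value): bool {
    return preg_match('/[\r\n\0]/', $value) !== 1;
}

// Hardened form: validate the address, keep it out of From: (send from
// our own domain, put the visitor in Reply-To), and leave everything
// else user-controlled in the body, which is not parsed for headers.
function send_contact_hardened(array $post): bool {
    $to      = 'owner@example.com';
    $email   = trim($post['email'] ?? '');
    $message = $post['message'] ?? '';

    if (!header_value_is_safe($email)
        || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return false;                          // refuse, do not "clean up"
    }
    $headers = "From: contact-form@example.com\r\n"
             . "Reply-To: $email\r\n"
             . "Content-Type: text/plain; charset=UTF-8\r\n";
    $body = "Message from $email:\n\n" . $message;
    return mail($to, 'Contact Form', $body, $headers);
}

// Constructed probe modelled on the quoted message (assumed addresses):
// the injected headers begin after the first line break.
$probe = "lfzn@example.com\r\nbcc: jrubin@example.net\r\n"
       . "Subject: 6d237c20\r\n\r\njlugklbqaw";

var_dump(header_value_is_safe($probe));
var_dump(header_value_is_safe('max@example.com'));
var_dump(send_contact_hardened(['email' => $probe, 'message' => 'x']));
```

Refusing the submission is deliberate: stripping the line breaks out of a value that contains them would still deliver a message the attacker shaped, and a legitimate address never contains one. The same single-line check applies to any other field that ends up in a header, including the subject.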

