[thelist] Weird bot email [long]

sbeam sbeam at onsetcorps.net
Sun Sep 11 08:40:41 CDT 2005

On Sunday 11 September 2005 12:15 am, Rich Points wrote:
> I'm glad to hear I'm not the only one out there getting this.  One of 
> sites is getting hit about once a week which usually comes in sets of 
> three emails.  So I've been logging IP addresses and blocking them but 
> they still keep coming.
> Rich

Recently updated a couple contact forms on client sites where the mail 
sending script (not written by me) was vulnerable to Mr. 
jrubin3546 at aol.com (may he be buried in spam, amen) and his script 
kiddie tricks.

He and his ilk are probably running scripts/worms on compromised SOHO 
systems with dynamic IPs, so if you block by IP you will block 
legitimate traffic. My solution is to

1) strip newlines from all incoming fields
2) bail out if anything contains iffy strings like 'Content-Type:' or 
'MIME-Version' - no legitimate reason why someone inquiring about baked 
goods, for instance, would mention those things...
3) always have a BCC: sent to myself or the tech. contact at the client, 
or log each message, so any abuse attempts will be seen.

And if you see any of this abuse, you should definitely report to their 
ISP. If AOL gets reports from everyone who is seeing this then they 
might eventually cancel the account (not holding my breath, but... the 
guy has been busy http://www.google.com/search?q=jrubin3546%40aol.com )

simple PHP version:
<?php
// fields we are sending
$fields = array("name" => "Name",
                "email" => 'email',
                "phone" => 'Phone #',
                "comment" => 'Comments');

/* safety check all submitted data - remove newlines */
$vals = array();
foreach ($fields as $k => $v) {
    $raw = isset($_POST[$k]) ? (string) $_POST[$k] : '';
    $vals[$k] = preg_replace('/[\n\r]/', ' ', $raw);

    // don't send anything if there is an abuse attempt
    // (ereg() was removed in PHP 7; a case-insensitive regex does the same job)
    if (preg_match('/Content-Type:|MIME-Version/i', $vals[$k])) {
        header('Location: /inquiry.html');
        exit;
    }
}
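A fuller version of the same three steps, as an added example that is my code and not part of sbeam's post: it strips newlines, refuses any field carrying MIME or header markers, checks the address with filter_var(), logs every rejected submission for the ISP report, and BCCs a tech contact on each delivery. The recipient and tech-contact addresses, the log path and the redirect target are assumed placeholders.

```php
<?php
// Added example, not from the original post. MAIL_TO, TECH_CONTACT,
// ABUSE_LOG and the redirect URL are assumed placeholder values.
const MAIL_TO      = 'orders@example.com';
const TECH_CONTACT = 'tech@example.com';           // gets a BCC of every message (step 3)
const ABUSE_LOG    = '/var/log/contact-abuse.log';

// Markers that only make sense inside a MIME message, never in a bakery inquiry.
const SUSPICIOUS = array('content-type:', 'mime-version', 'bcc:',
                         'content-transfer-encoding', 'boundary=');

/** Returns the cleaned fields, or null when the submission looks like abuse. */
function clean_fields(array $post, array $names)
{
    $vals = array();
    foreach ($names as $k => $label) {
        $raw = isset($post[$k]) ? (string) $post[$k] : '';
        // step 1: no newline survives, so no extra header can be appended
        $vals[$k] = preg_replace('/[\r\n]+/', ' ', $raw);
        // step 2: bail out on anything that smells like an injected header
        foreach (SUSPICIOUS as $needle) {
            if (stripos($vals[$k], $needle) !== false) {
                return null;
            }
        }
    }
    // the address ends up in a header, so it must be one bare valid address
    if (filter_var($vals['email'], FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    return $vals;
}

$fields = array('name' => 'Name', 'email' => 'email',
                'phone' => 'Phone #', 'comment' => 'Comments');

$vals = clean_fields($_POST, $fields);
if ($vals === null) {
    // step 3: keep a record of every rejected attempt for the abuse report
    $line = date('c') . ' ' . ($_SERVER['REMOTE_ADDR'] ?? '-') . ' ' . json_encode($_POST) . "\n";
    error_log($line, 3, ABUSE_LOG);
    header('Location: /inquiry.html');   // assumed: the form page
    exit;
}

$body = '';
foreach ($fields as $k => $label) {
    $body .= $label . ': ' . $vals[$k] . "\n";
}
// fixed From, validated Reply-To, and the tech contact on BCC every time
$headers = "From: webform@example.com\r\nReply-To: " . $vals['email'] . "\r\nBcc: " . TECH_CONTACT;
mail(MAIL_TO, 'Web inquiry from ' . $vals['name'], $body, $headers);
```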
