[thelist] Site getting spammed SOLVED

Robert Vreeland vreeland at studioframework.com
Fri Nov 18 12:09:39 CST 2005

Well not solved yet, but thanks for the heads up on the email injection. I'm
adding some additional validation routines on the server to squash this.

-----Original Message-----
From: thelist-bounces at lists.evolt.org
[mailto:thelist-bounces at lists.evolt.org] On Behalf Of Ken Robinson
Sent: Friday, November 18, 2005 12:20 PM
To: thelist at lists.evolt.org
Subject: Re: [thelist] Site getting spammed

Quoting Robert Vreeland <vreeland at studioframework.com>:

> Hello List,
> One of my client's web site is getting spammed, or something like it. 
> It appears as though someone is using a script to auto-fill their 
> email newsletter registration form; every field is being filled in 
> with the same bogus email address using my client's domain name. For
> Email : 245she at clients_domain.com
> confirm email : 245she at clients_domain.com Name : : 
> 245she at clients_domain.com Address : 245she at clients_domain.com
> City: : 245she at clients_domain.com
> etc..
> Does anyone have any idea what this is meant to do? Are they phishing 
> for a reply address or seeing if they can get a database error?

These people are trying to use your email form to send spam. I'm assuming
the web site uses PHP. This is one of the reasons to always verify user
input matches what your script is expecting.

I use the following code at the start of my scripts that process these types

if (!empty($_POST)) {
     foreach ($_POST as $k=>$v) {
         if (strpos($v,'Content-Type') !== FALSE) { //
//   reject the post as bogus
//   optionally make a record of the bogus post

These people are first doing a screen scrape of a show source to get all
possible $_GET or $_POST variables. Then they use a program to send the
bogus post to your script. The biggest potential problem is that they are
trying to inject a MIME 'Content-Type' message into the email you send with
a different Subject and a BCC address.

Take a look at <http://www.phpsec.org/> for more information and tests.

Ken Robinson


* * Please support the community that supports you.  * *

For unsubscribe and other options, including the Tip Harvester and archives
of thelist go to: http://lists.evolt.org Workers of the Web, evolt ! 

More information about the thelist mailing list