
email injection query

Up to the other day I have not bothered protecting my php script on my
feedback form against email injection. However, I have had a spammer using
it to insert email addresses as cc: bc: into my email field. First I was
puzzled why he was doing it as the message being sent was just gibberish. I
have recently used a function to protect these fields and send an email back
to myself with his details. Function below:

function spamcheck($spammed_field,$returnpage) {
    $spammed_field=strtolower($spammed_field);
    // Treat the field as an injection attempt if it carries a mail header.
    if((eregi("cc:",$spammed_field))||(eregi("subject: ",$spammed_field))) {
        //(eregi("bcc:",$spammed_field))||
        // Gather the sender details; the forwarded-for headers are optional
        // (and client-supplied), so fall back to REMOTE_ADDR.
        $spamhost=isset($_SERVER['REMOTE_HOST']) ? $_SERVER['REMOTE_HOST'] : '';
        $spamrefr=isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
        $spamaddr=isset($_SERVER['HTTP_X_FORWARDED_FOR']) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : '';
        if(strlen($spamaddr)<7) { $spamaddr=isset($_SERVER['HTTP_CLIENT_IP']) ? $_SERVER['HTTP_CLIENT_IP'] : ''; }
        if(strlen($spamaddr)<7) { $spamaddr=$_SERVER['REMOTE_ADDR']; }
        // The address goes into the alert's Subject, so strip line breaks
        // from it; otherwise the alert mail itself could have headers injected.
        $spamaddr=str_replace(array("\r","\n"),"",$spamaddr);
        $thisfile=$_SERVER['SCRIPT_NAME'];
        $spamtext="FILE: $thisfile \nFROM: $spamrefr \nADDR: $spamaddr \nHOST: $spamhost \nINFO:\n$spammed_field\n";
        // Alert the site owner, then abort the form with a message.
        mail("sp*******@mysite.co.uk","ALERT: $spamaddr",$spamtext,"From: IDD Software Spamcatcher <sp*******@mysite.co.uk>\r\n");
        die("<br><br><div align='center' class='RedWarning'>If you are a spammer trying to inject script into my input fields, then go away and get a life<br>otherwise<br>Please try again as you may have included some incorrect characters.<br><br><a href='".$returnpage."' class='BodyLink'>Return</a></div>");
    }
}

This function should cause the attempt to spam to die and send info about
the spammer and the injected script to me, which it does brilliantly. But now
I'm getting more of these notices of spamming than I was originally getting
spammed messages, with many more emails in the cc: bcc: and a proper message
(just sales stuff about tea oil). Why is he still attempting this if the
spam is not working and being sent to the recipients? I have an appropriate
message displayed when the spam is attempted. Is he stupid and just sitting
there trying to spam my feedback form even though he is getting this message
telling him to go away, or do you think there is some sort of automatic
process being run on my webpage?

Is there a way to return an email to him every time it's attempted?
The function returns his address, e.g. ADDR: 203.198.162.124, but it changes
every time. I don't know much about the antics and abilities of spammers (but
learning). Can anyone tell me why he's doing it still?
Dec 4 '06 #1
Tom
>Is he stupid and just sitting
>there trying to spam my feedback form even though he is getting this message
>telling him to go away, or do you think there is some sort of automatic
>process being run on my webpage?
Almost assuredly the latter. I had a test page I had put up once with
a form on it. All the form did was email me the textarea contents.
When I had finished my testing with the form, I commented out (but did
not delete) the form. Every once in a while I still get a spam message
from the form.

I don't know for sure, but I would guess that anybody making any money
doing this is doing it with bots.

Maybe you could create an RSS feed from the spams you get? I'd be
curious to see other responses.

Tom

Dec 4 '06 #2
On Mon, 04 Dec 2006 19:07:17 GMT, mantrid wrote:

<-snip->
>I'm getting more of these notices of spamming than I was getting originally
>spammed messages with many more emails in the cc: bcc: and a proper message
>(just sales stuff about tea oil). Why is he still attempting this if the
>spam is not working and being sent to the recipients. I have an appropriate
>message displayed when the spam is attempted. Is he stupid and just sitting
>there trying to spam my feedback form even though he is getting this message
>telling him to go away, or do you think there is some sort of automatic
>process being run on my webpage?
Most certainly you're being targeted by a botnet controlled by a spammer.
The 'nonsense' emails you first saw were "proof of concept" testing
before your URL was passed out to hundreds of "working" machines in the
botnet. Most certainly no Real Person is viewing anything that you
present on the screen. At most the http return code(s) and, maybe, some
screen scraping for successful results are sent back upstream to the
slime ball running the botnet.
>Is there a way to return an email to him every time it's attempted?
No. The machine address you see is a cracked box. Most likely running
an unpatched Micro$oft OS. There'll be no MTA on that machine. Who
ever (wrongly believes they) owns it, probably has an ISP that is
unrelated to the IP address you see.
>The function returns his address, e.g. ADDR: 203.198.162.124, but it changes
>every time. I don't know much about the antics and abilities of spammers (but
>learning). Can anyone tell me why he's doing it still?
Because he can.

I have a PHP message board I wrote. I have deployed it to 3 sites on a
domain I own. In robots.txt I correctly specified a Disallow for 2 of
those URLs (sub-directories). For the third one I slipped up and never
got it covered by my robots.txt. That's the one they hit (with their
http://replica_rolex/designer_handba...hentermine/etc.
spam.) Obviously they found it because Google found it. It's easier
for the spammers to use Google to find their targets than to manually slog
through the web. My checking showed it *was* indexed by Google and the
other 2 were not.

I have since moved _that_ message board to a different sub-directory and
updated robots.txt to properly Disallow it by robots. (Yes, I know --
there are good bots and evil bots. But, after 4 years with these
message boards up there, only this 'exposed' one was hit.)

I continue to 'run' the spammer-targeted message board as a 'test bed'.
It's given me the knowledge to "harden" my PHP message board, and
I've added logging of all activity to that URL. I give the spammer(s) a
lot of phoney, positive feedback on the posting attempts from the
botnet(s). (I now believe there are at least two different botnets
visiting my message board. I suppose these sewage slugs exchange
information amongst themselves v-a-v 'useable' message boards.)

My 'test bed' message board is now un-linked from anywhere -- 'they' are
using the deep link to get at it. I now have most of RIPE and APNIC in
my 'deny from' in my .htaccess in that sub-directory -- a lot of
sub-nets in LACNIC, too -- and quite a few cracked machines in the ARIN
ranges.

Since all 3 message boards are for purposes that are U.S.A.-centric, I
move that .htaccess into the 3 'good' message boards sub-directories as
I update it.

One interesting observation: A great majority of the URL's that they
(attempt to) post on my message board are redirecting URL's on cracked
.edu machines. There seems to be a fairly popular piece of software out
there that many colleges and universities put up for instructor-student
discussion purposes. (My guess...) There are A LOT of URL's -- to wit:


... and on, and on, and on -- ad nauseam.... 100's of different ones.
Every one I bothered to click on resulted in an instant redirect to the
spam URL elsewhere.

Keep up The Good Fight
Jonesy
--
Marvin L Jones | jonz | W3DHJ | linux
38.24N 104.55W | @ config.com | Jonesy | OS/2
*** Killfiling google posts: <http//jonz.net/ng.htm>
Dec 4 '06 #3
"Allodoxaphobia" <bi********@config.com> wrote in message
news:sl***********************@shell.config.com...
Thanks
Very informative reply.
The function I have uses eregi() to check POST data for "cc:" and "subject:"
what other checks should I be using in my function to tighten my security
further?
Ian
Dec 5 '06 #4
On Tue, 05 Dec 2006 17:23:11 GMT, mantrid wrote:
>The function I have uses eregi() to check POST data for "cc:" and "subject:"
>what other checks should I be using in my function to tighten my security
>further?
>Ian
I can't be of much help to you there, since my focus is on a message
board and controlling the content that gets posted there -- versus your
email process where you want to control inappropriate usage. Where I
need to worry about html tags in the message(s), javascript insertion,
and detecting URL's, you need to be concerned about the injection of
'extra' email headers, etc.

You certainly can control access if your audience is geographically
'constrained'. Using .htaccess in your sub-directory, you can
"deny from" most or all of RIPE, and/or APNIC, etc. That should
cut down on the volume.
Reference: http://www.iana.org/assignments/ipv4-address-space

There's a lot more I need to understand and learn -- both on the
incoming sewage side, and on the managing and controlling side.

One thing you should feel certain about is that the slimeball spammers
are wallowing in their septic tanks and reading these discussions.
If you control the software (in my case I wrote my PHP message board)
you should be circumspect about tactics you design and employ. It
sounds selfish, and it'll raise the hackles of the "Don't Do Security
Through Obscurity" crowd, but it'll help you tread water better.
Since my tactics of using .htaccess "deny from" and disallowing URL's in
the postings (URL's are not at all necessary in my message boards) can
not be thwarted ("he says innocently"), I'm willing to disclose that.

Disallowing any URL's in the payload of your email might be something
you could employ. As well, disallowing multi-part construction and
image injection might be something you could employ, too.

gl and keep up The Good Fight.
Jonesy
--
Marvin L Jones | jonz | W3DHJ | linux
38.24N 104.55W | @ config.com | Jonesy | OS/2
*** Killfiling google posts: <http//jonz.net/ng.htm>
Dec 5 '06 #5
.oO(mantrid)
>The function I have uses eregi()
eregi() should be avoided. The preg_* functions are faster and much more
flexible. Additionally in PHP 6 the ereg extension will be removed from
the core and moved to PECL, so it might not be available by default.
>to check POST data for "cc:" and "subject:"
>what other checks should I be using in my function to tighten my security
>further?
I wouldn't check for any particular header field at all, but for all
kinds of line breaks, which are required to inject malicious headers.

Micha
Dec 5 '06 #6
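A hardened version of the check the thread converges on (Ian's question in #4, Micha's advice in #6), as an added example that is not code from the thread: it rejects any CR, LF or NUL byte in a value that will be placed in a mail() header (address, name, subject), instead of looking for particular header names. The message body may legitimately contain line breaks, so only header-bound fields get this check. Function names, the sample values and the $_SERVER array passed in are assumptions.

```php
<?php
// Added example, not code from the thread. Replaces the "look for cc:" idea
// with the check Micha describes: reject any byte that can end a header line.

// True when $value can safely be placed in a mail() header such as From:,
// Reply-To: or Subject:. Injected headers need a CR or LF to start a new
// line, so any CR, LF or NUL is refused regardless of what follows it.
function header_safe($value)
{
    return is_string($value) && preg_match('/[\r\n\x00]/', $value) === 0;
}

// Stricter check for the visitor's address: header-safe and a single
// syntactically valid address (filter_var rejects lists and blank values).
function valid_sender($email)
{
    return header_safe($email)
        && filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}

// One log line per rejected submission. Uses REMOTE_ADDR only: the
// X-Forwarded-For / Client-IP headers the original spamcheck() preferred are
// supplied by the client and can themselves carry injected text.
function injection_log_line(array $server, $field, $value)
{
    $addr = isset($server['REMOTE_ADDR']) ? $server['REMOTE_ADDR'] : '-';
    $file = isset($server['SCRIPT_NAME']) ? $server['SCRIPT_NAME'] : '-';
    // Escape control bytes so the CR/LF in the payload cannot break the log.
    return sprintf('%s FILE=%s ADDR=%s FIELD=%s VALUE=%s',
        gmdate('Y-m-d H:i:s'), $file, $addr, $field,
        addcslashes($value, "\0..\37\177..\377"));
}

// Constructed sample submissions: one legitimate, one carrying extra headers
// of the kind the original post describes.
$clean    = 'alice@example.com';
$injected = "alice@example.com\r\nBcc: a@example.net,b@example.net\r\nSubject: Tea oil";

foreach (array($clean, $injected, "Alice\nBcc: c@example.net") as $value) {
    printf("header_safe=%d valid_sender=%d for %s\n",
        header_safe($value), valid_sender($value), json_encode($value));
}

if (!valid_sender($injected)) {
    // Constructed $_SERVER values; a real handler passes $_SERVER itself.
    echo injection_log_line(
        array('REMOTE_ADDR' => '192.0.2.10', 'SCRIPT_NAME' => '/feedback.php'),
        'email', $injected
    ), "\n";
}
```

Apply valid_sender() to the address field and header_safe() to every other value that reaches the headers argument of mail(); a rejected submission can be logged and refused without mailing anything, so a bot gets nothing to scrape for success.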
