LevelTen Apps Support Forum -> Technical Issues (L10Fm)

User sent spam using L10FmX.php

flakrat (Joined: 15 Jun 2005, Posts: 8)
Posted: Thu Jul 28, 2005 9:34 am    Post subject: User sent spam using L10FmX.php

Howdy, I received a bunch of emails that were submitted using my L10FmX.php script that were bogus submissions. I looked through the emails and the mail server logs and it looks like they were able to send mail off to recipients outside my domain.

Here's the content of one of the emails delivered to me by Level10 Formmail
(I've replaced my actual domain name with mydomain.com)

Any idea what I can do to prevent this?
==============================================

Reply-To: uwtchvipk@mydomain.com
Message-Id: <20050727225559.D84553A8A6@mail.mydomain.com>
Date: Wed, 27 Jul 2005 17:55:59 -0500 (CDT)

Form data
city: uwtchvipk@mydomain.com
firstname: uwtchvipk@mydomain.com
companyname: uwtchvipk@mydomain.com
lastname: uwtchvipk@mydomain.com
address2: uwtchvipk@mydomain.com
eroaversion: uwtchvipk@mydomain.com
zipcode: uwtchvipk@mydomain.com
Content-Type: multipart/mixed; boundary="===============0891407840=="
MIME-Version: 1.0
Subject: ddfee1cb
To: uwtchvipk@mydomain.com
bcc: bergkoch8@aol.com
From: uwtchvipk@mydomain.com
This is a multi-part message in MIME format.

--===============0891407840==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

udyz
--===============0891407840==--

phonenumber: uwtchvipk@mydomain.com
address1: uwtchvipk@mydomain.com
position: uwtchvipk@mydomain.com
email: uwtchvipk@mydomain.com
subject: uwtchvipk@mydomain.com

Generated by LevelTen Formmail

flakrat
Posted: Fri Aug 05, 2005 11:50 am    Post subject: Quirky solution

Wow, look at all the replies :-p

Ok, here's my quirky solution.
I added some PHP code that replaces some keywords with _SPAM_ in the $msg string.

Here's the code
==============================================

$msg = eregi_replace('to:', '_SPAM_', $msg);
$msg = eregi_replace('cc:', '_SPAM_', $msg);
$msg = eregi_replace('bcc:', '_SPAM_', $msg);
$msg = eregi_replace('from:', '_SPAM_', $msg);
$msg = eregi_replace('mime-version:', '_SPAM_', $msg);
$msg = eregi_replace('content-type:', '_SPAM_', $msg);
$msg = eregi_replace('subject:', '_SPAM_', $msg);
$msg = eregi_replace('content-transfer-encoding:', '_SPAM_', $msg);
$msg = eregi_replace('boundary=', '_SPAM_', $msg);

$success = 1;
$success = mail($recipient,$subject,$msg,$extraHeaders);
==============================================

I'm guessing that this should resolve the problem.

stevebarr (Joined: 15 Sep 2005, Posts: 3)
Posted: Thu Sep 15, 2005 5:34 am    Post subject: same problem

Hi there, this just started happening to me as well; someone is using the script to pass mail through.

I use the script on several sites and so far it's happened on 3 of them. Renaming the script does not fix the problem. Has anyone any ideas?

Below is a sample of a received email:

Form Data
Submit: eebgf@mackeys.ie
Name: eebgf@mackeys.ie
telephone: eebgf@mackeys.ie
Comments: eebgf@mackeys.ie
Content-Type: multipart/mixed; boundary=\"===============0339580008==\"
MIME-Version: 1.0
Subject: c1f9a02
To: eebgf@mackeys.ie
bcc: PeiCanteenMc@aol.com
From: eebgf@mackeys.ie

This is a multi-part message in MIME format.

--===============0339580008==
Content-Type: text/plain; charset=\"us-ascii\"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

ztheft
--===============0339580008==--

flakrat
Posted: Thu Sep 15, 2005 8:40 am    Post subject: Re: Quirky solution

You might want to try my solution. I put the following into my L10FmX.php file right above where it invokes the mail() function. It replaces several keywords in the $msg string with _SPAM_, which should prevent it from being able to send malicious emails (unless I'm missing some keywords).

eregi_replace is case insensitive, so TO:, to:, To:, and tO:, will all get changed to _SPAM_ in the same call.

flakrat wrote:

Here's the code
==============================================

$msg = eregi_replace('to:', '_SPAM_', $msg);
$msg = eregi_replace('cc:', '_SPAM_', $msg);
$msg = eregi_replace('bcc:', '_SPAM_', $msg);
$msg = eregi_replace('from:', '_SPAM_', $msg);
$msg = eregi_replace('mime-version:', '_SPAM_', $msg);
$msg = eregi_replace('content-type:', '_SPAM_', $msg);
$msg = eregi_replace('subject:', '_SPAM_', $msg);
$msg = eregi_replace('content-transfer-encoding:', '_SPAM_', $msg);
$msg = eregi_replace('boundary=', '_SPAM_', $msg);

$success = 1;
$success = mail($recipient,$subject,$msg,$extraHeaders);
==============================================

I'm guessing that this should resolve the problem.

stevebarr
Posted: Thu Sep 15, 2005 8:50 am

Thanks for this - I will give it a try and see if it sorts the problem

Cheers
Steve

flakrat
Posted: Thu Sep 15, 2005 9:43 am    Post subject: Reproduce the problem?

Howdy, the one thing I didn't try before I implemented the fix was to reproduce the problem. So you might try that, so you can test it again after the fix to make sure the bogus emails don't go out.

I did, however, after putting the fix in, fill the fields of my form with all of the email syntax (To: <> and Cc: and Subject:, etc,...) and clicked submit.

The email that I received (only the correct one went out, none to the bogus addresses) had all of those replaced with _SPAM_, so it looks like it works.

I haven't had a spam problem since.

stevebarr
Posted: Fri Sep 16, 2005 7:55 am

Gave it a try, with little effect; mails soon started to come back through again. This one is not restricted to Level10 either: I tried another 2 scripts on different sites with this problem and both forms are now also breached. There is an interesting forum here about the problem, which seems to be spreading rapidly across the internet:

http://www.anders.com/cms/75/Crack.Attempt/Spam.Relay

Cheers
Steve

flakrat
Posted: Fri Sep 16, 2005 8:49 am    Post subject: Doh

Sorry, I forgot to mention that I also added this to my code:
// strip out new line characters
$firstname = str_replace("\r\n", " ", $firstname);
$lastname = str_replace("\r\n", " ", $lastname);
$email = str_replace("\r\n", " ", $email);
...etc...

Although it looks like I should be doing something more like
$firstname = str_replace("\r", " ", $firstname);
$firstname = str_replace("\n", " ", $firstname);
$lastname = str_replace("\r", " ", $lastname);
$lastname = str_replace("\n", " ", $lastname);
$email = str_replace("\r", " ", $email);
$email = str_replace("\n", " ", $email);
...etc...

flakrat
Posted: Fri Sep 16, 2005 9:15 am

Although, I still don't understand why the original code wouldn't resolve the problem. It basically replaced all of the header keywords with _SPAM_, which should result in, worst case, the header just being complete bogus gobbledygook that gets rejected by the mail server.

I've modified mine to separately remove \n and \r for each field. Thanks for that link.
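As an added example (not code from L10FmX.php or from LevelTen), here is a minimal form handler that shows why the keyword replacement in `$msg` cannot stop this: the injected `bcc:` travels in the mail headers, not in the body. It rests on one hypothetical assumption, suggested by the thread's `$extraHeaders` variable and the `Reply-To: uwtchvipk@mydomain.com` line in the first post but not proven by it: that the script copies the submitted email field into the extra headers of `mail()`. The function names (`build_headers_vulnerable`, `build_body_with_keyword_filter`, `has_header_breakout`, `build_headers_safe`) and the `$submitted` array with its placeholder addresses are constructed for the example. The hardened version rejects any field containing CR, LF or NUL, which is the check the "Doh" post above arrives at by stripping.

```php
<?php
// Added example, not code from L10FmX.php or LevelTen. Hypothetical
// assumption: the real script puts the submitted "email" field into the
// extra mail headers ($extraHeaders) and every field into the body ($msg).

// Constructed sample submission shaped like the ones posted in this thread.
// In a real handler this array is $_POST. Addresses are placeholders.
$submitted = [
    'firstname' => 'Jane',
    'email'     => "jane@example.com\r\nbcc: spamtarget@example.net\r\nSubject: c1f9a02",
    'subject'   => 'Contact form',
];

// The exploitable pattern: a submitted value copied into a header line.
// A CRLF inside $f['email'] ends the From: line early, so everything after
// it becomes further headers (here a bcc: and a replacement Subject:).
function build_headers_vulnerable(array $f): string
{
    return "From: {$f['email']}\r\nReply-To: {$f['email']}\r\n";
}

// The thread's keyword filter, applied to the body as in the posted fix
// (preg_replace with /i stands in for the removed eregi_replace).
function build_body_with_keyword_filter(array $f): string
{
    $msg = "Form data\n";
    foreach ($f as $name => $value) {
        $msg .= "$name: $value\n";
    }
    foreach (['to:', 'cc:', 'bcc:', 'from:', 'subject:'] as $kw) {
        $msg = preg_replace('/' . preg_quote($kw, '/') . '/i', '_SPAM_', $msg);
    }
    return $msg;
}

// Hardened handler: refuse any field that could terminate a header line.
// Bare CR, bare LF and NUL are all rejected (PHP has already URL-decoded
// $_POST, so %0d%0a arrives as the raw bytes and is caught here too).
function has_header_breakout(string $value): bool
{
    return preg_match('/[\r\n\0]/', $value) === 1;
}

function build_headers_safe(array $f): ?string
{
    foreach ($f as $value) {
        if (has_header_breakout((string) $value)) {
            return null;   // reject the submission instead of "cleaning" it
        }
    }
    $email = filter_var($f['email'], FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        return null;       // not one plain address: reject
    }
    return "From: $email\r\nReply-To: $email\r\n";
}

// Dry run: nothing is passed to mail(). The recipient of a real handler is
// a constant in the script, never a form field.
$body = build_body_with_keyword_filter($submitted);
$bad  = build_headers_vulnerable($submitted);
$good = build_headers_safe($submitted);

printf("body still contains 'bcc:'   : %s\n", stripos($body, 'bcc:') === false ? 'no' : 'yes');
printf("headers still contain 'bcc:' : %s\n", stripos($bad, 'bcc:') === false ? 'no' : 'yes');
printf("hardened handler             : %s\n", $good === null ? 'submission rejected' : $good);
```

Run it with `php handler.php`: the body report says "no" (the filter did its job there), the header report says "yes" (the filter never saw the headers), and the hardened handler rejects the submission. In a real script the loop must cover every field that reaches `mail()`, including the subject parameter, the recipient is hard-coded rather than read from the form, and `mail()` is called only when `build_headers_safe()` returns a string. Rejecting rather than stripping is deliberate: a stripped submission still goes out, while a rejected one tells you someone probed the form.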

HECTOR (Joined: 20 Sep 2005, Posts: 1)
Posted: Tue Sep 20, 2005 11:31 am    Post subject: EMAIL INJECTION TRAP

Orlando, Florida, September 19th, 2005.

Email Injection TRAP

I am recording who these guys are and where they are coming from; they can't hurt me any more, and if they show up, I put them to sleep for an hour.
Sounds good, doesn't it?

I am visited every 5 or 6 days, with the exception of August 31st and September 1st.
If someone who is hit every day can implement this script, it will be awesome. Post the results. Thank you.

I am assuming..., as Barbara from UK posted:
Barbara from UK
#275 | Wed, Sep 14, 2005 08:37 AM
http://www.anders.com/cms/75/Crack.Attempt/Spam.Relay

that the spam-bot has the URL address of my CGI script form handlers and is injecting whatever he/she wants, exploiting the poor CGI programming. (For others it will be PHP, or ASP, who knows.)

THIS IS NOT A DEFINITIVE SOLUTION, IT IS JUST A WAY TO FIGHT BACK
WHEN THEY SHOW UP. BETTER FORM HANDLERS ARE WHAT WE NEED.

Here is what I did.

Hello, like many others on the internet I was hit by these guys, who deserve to be in jail big time.

Here are the records I have of total visits.

bergkoch8@aol.com Wed, 31 Aug 2005 21:06:24 -0400
Form processed at Wed Aug 31 21:06:24 EDT 2005
From IP: 146.83.216.207
TOTAL 45 EMAIL SPAM RECEIVED

jrubin3546@aol.com Thu, 1 Sep 2005 19:16:03 -0400
Form processed at Thu Sep 1 19:16:03 EDT 2005
From IP: 194.117.20.30
TOTAL 47 EMAIL SPAM RECEIVED

jrubin3546@aol.com Tue, 6 Sep 2005 06:54:54 -0400
Form processed at Tue Sep 6 06:54:54 EDT 2005
From IP: 82.67.11.110
TOTAL 48 EMAIL SPAM RECEIVED

jrubin3456@aol.com Mon, 12 Sep 2005 04:28:11 -0400
Form processed at Mon Sep 12 04:28:11 EDT 2005
From IP: 216.194.16.226
TOTAL 94 EMAIL SPAM RECEIVED

Homeiragtime@aol.com Sat, 17 Sep 2005 19:27:05 -0400
Form processed at Sat Sep 17 19:27:04 EDT 2005
From IP: 170.148.96.108
TOTAL 45 EMAIL SPAM RECEIVED

I discovered that about 8 CGI scripts on my site are potentially at risk of being hijacked and used as a source of spam. Really, they are very poor in programming security. (Usually called on the "action" field in a form.)
Besides these I have more scripts that must be fixed ASAP.
example:

http://www.mywebsite.com/cgi-bin/script-1.cgi
http://www.mywebsite.com/cgi-bin/script-2.cgi
http://www.mywebsite.com/cgi-bin/script-3.cgi
http://www.mywebsite.com/cgi-bin/script-4.cgi
http://www.mywebsite.com/cgi-bin/script-5.cgi
http://www.mywebsite.com/cgi-bin/script-6.cgi
http://www.mywebsite.com/cgi-bin/script-7.cgi
http://www.mywebsite.com/cgi-bin/script-8.cgi


The first thing I did was change the scripts' names and, of course, I also changed the names called from my HTML forms.

Then I used the Apache mod_rewrite directive to redirect whoever is looking for my scripts' old names to a script that will log the visitor's HTTP environment information and put them to sleep for an hour or so.

Please, if you don't understand what is going on here, call somebody who does.

[File created]
.htaccess (write this file in pure ASCII; Notepad is OK)

RewriteEngine on
Options +FollowSymlinks
RewriteBase /
# the dot is escaped so each pattern matches exactly one old script name
RewriteRule ^old-script-1\.cgi$ /cgi-bin/death-meat.cgi?%{REQUEST_URI}
RewriteRule ^old-script-2\.cgi$ /cgi-bin/death-meat.cgi?%{REQUEST_URI}
RewriteRule ^old-script-3\.cgi$ /cgi-bin/death-meat.cgi?%{REQUEST_URI}
RewriteRule ^old-script-4\.cgi$ /cgi-bin/death-meat.cgi?%{REQUEST_URI}
RewriteRule ^old-script-5\.cgi$ /cgi-bin/death-meat.cgi?%{REQUEST_URI}
RewriteRule ^old-script-6\.cgi$ /cgi-bin/death-meat.cgi?%{REQUEST_URI}
RewriteRule ^old-script-7\.cgi$ /cgi-bin/death-meat.cgi?%{REQUEST_URI}
RewriteRule ^old-script-8\.cgi$ /cgi-bin/death-meat.cgi?%{REQUEST_URI}

As you can see, all the requests are redirected (internally, through Apache) to a script called death-meat.cgi (sample name; you can use anything you want).
##############################################################################
# NOTE, DO THIS AT YOUR OWN RISK:
# Upload the file to your cgi-bin directory. Please be careful, don't
# make any mistake; check with your webmaster or ISP before uploading
# this file. If you are already using a .htaccess file, just add the above lines.
# Do it wrong and your site will disappear from the web until your ISP deletes
# or replaces the .htaccess file. (I know it from my own past experience.)
##############################################################################
The following script is not my creation; I just modified one I am using for other purposes.

Those who have access to the features below will be able to help in the capture of these bastards, or at least make their brilliant ideas more difficult to implement.

My site is stored under the Linux OS, Apache webserver. I have access to CGI scripts, I can write the .htaccess file and upload it, and obviously I can run CGI scripts.

Upload the file below to your cgi-bin directory in ASCII (text) mode only. Use a simple text editor, Notepad is fine; after uploading, chmod 755.

Create a folder inside cgi-bin, stats, chmod 777, and inside stats the file igotyou.log (I don't know if it will be created automatically).

[death-meat.cgi file name]

#!/usr/bin/perl
# If required, adjust line above to point to Perl 5.
######################################################
# THIS IS WHAT IS GOING TO HAPPEN:
# THIS SCRIPT COLLECTS SOME VISITOR INFORMATION, WHICH MAY BE USEFUL OR NOT,
# DEPENDING ON WHETHER THEY MAKE NO MISTAKE AND ALWAYS SEND THE BOT THROUGH
# AN ANONYMOUS PROXY. OTHERWISE WE GET THE REAL PHYSICAL ADDRESS.
# THEN THE SCRIPT PUTS THE VISITOR TO SLEEP FOR ABOUT AN HOUR.
#
use strict;
use warnings;

my $stats_dir = "stats";
my $log_file  = "igotyou.log";

my $sleeptime = 3600;   # seconds the client is held

# CGI environment; any of these may be unset, so default to an empty string
my $remote_host   = $ENV{'REMOTE_HOST'}     || '';
my $remote_addr   = $ENV{'REMOTE_ADDR'}     || '';
my $user_agent    = $ENV{'HTTP_USER_AGENT'} || '';
my $referer       = $ENV{'HTTP_REFERER'}    || '';
my $document_name = $ENV{'QUERY_STRING'}    || '';   # old script name, passed by the RewriteRule

my $date = get_date();

log_hits("$date $remote_host $remote_addr $user_agent $referer $document_name\n");

print "Content-type: text/plain\n\n";

######## THE SPIDER-BOT OR THE BROWSER GETS TRAPPED HERE FOR AN HOUR
sleep($sleeptime);
######## WAITING..., WAITING..., WAITING....
exit;

sub get_date {
    my ($sec, $min, $hour, $mday, $mon, $year) = localtime();
    $mon++;            # localtime months are 0-11
    $year += 1900;     # localtime years count from 1900
    return sprintf("%04d-%02d-%02d, %02d:%02d:%02d",
                   $year, $mon, $mday, $hour, $min, $sec);
}

sub log_hits {
    # append mode creates the log file if it does not exist yet
    open(my $hits, '>>', "$stats_dir/$log_file")
        or die "cannot open $stats_dir/$log_file: $!";
    print $hits @_;
    close($hits);
}

############################################

I am testing the URLs trying to reach the CGI script and it works perfectly.

I hope somebody else can try it and post the results.

Good Luck,

Hector Gonzalo
hector2561@yahoo.com

All times are GMT - 6 Hours
Page 1 of 2