| Vulnerable Emailer Forms |
| User Opinions |
22%
77%
(9 votes)
|
|
Thank you for rating this answer.
|
The Problem.
Spammers are constantly being blacklisted and kicked off of networks.
Because of this, tricking a non-spamming website into sending spam has
become a high priority. One way for spammers to find vulnerable
webservers is to test for CGI applications that would allow the spammer
to enslave the webserver. Once a vulnerable webserver is found, the
spammer can mask the true source of his spam while the enslaved
webserver does the bulk of the work.
How do they do that?
A common task websites do is send an email to the owner of the website
with whatever data someone has entered into a form. For example, one
such script that does this is called formmail.pl or formmail.cgi from
Mat's Script Archive. In this script (as well as many others like it)
some fields in the form are used directly in the header of an email.
(for example, the Reply-To: field in the email is sometimes set to
whatever the user of the form entered in the field called "email" so the
owner of the website can easily hit "Reply" to that email and send a
response.) If these fields are included unmodified, a spammer can simply
overwrite the remaning header lines and effectivly submit any email they
wish to through the underlying email system, effectivly enslaving the
webserver / email system to send spam.
How exactly do they exploit the script?
The destination of an email is set in its headers. Headers, as
everything else in an email, are just lines of text. What seperates the
headers from the body of an email are just two blank lines. If your
formmail script places anything in the header of an email that is
unmodified from what the web user entered, they could easily add those
two blank lines. This, of course, would just truncate the headers early
and make the body of the email contain some of the headers as well.
However, if the web user decides to throw in a few more headers before
sending the two blank lines, the underlying email system will listen to
those as well. So what the spammers are doing is including a "Bcc:" list
of spam victims to the email. When the email subsystem gets the email,
it blindly follows what is written in the headers and happily sends one
copy of the message to each person listed in the "Bcc:" line. Now of
course spammers will probably also add their own subject line and some
spam content to the email.
In order to find vulnerable webservers to prey on, spammers usually test
the form by sending a sample through that is Bcc'd to and email address
they have access to. Usually this is some throw-away address such as a
hijacked AOL address. Webmasters are usually alerted to this when they
see 5 to 10 trial emails in usually less than one second. They Google
the address and hopefully find a page like this one which explains what
is going on.
So what can be done about it?
The simplest way to mitigate the danger is to disallow any linefeed or
carriage return characters in fields used in email headers therefore
disabeling an attacker's ability to add those two blank lines and trick
your mail system into sending whatever they want. Then the problem
becomes one of cleaning up a little annoyance rather than being enslaved
to do a spammer's bidding.
Huh? How do I do that?
Well, this is where it becomes a little complicated. The answer to that
question depends on what software the form processor on your webserver
is using. If you didn't write your own form processor, your first move
is probably to go ask the people that helped you set up your website.
Most common form mailers have had bug fixes released since this
vulnerability first came out. Have your web hosting provider update
their form post code.
If you know what you are doing, check all fields in forms that are used
in email headers and strip out the carriage return (
) and line feed
(
) characters. In perl, this is done like this:
$field =~ s/
/ /g; $field =~ s/
/ /g;
If you are using PHP, you can do this for each variable used in email
headers:
$_POST['email'] = preg_replace("/
/", "", $_POST['email']);
$_POST['email'] = preg_replace("/
/", "", $_POST['email']);
How do I know if I've been hacked?
As most form to email scripts don't write down what they are doing in a
file somewhere, the best way to tell if your setup has been enslaved to
send spam is to check your mailserver logs. If you are with a web
hosting provider, they can usually check the logs for you.
What should I do if I've been hacked?
You should update your form mailer scripts so continuing attempts are
not successful. (do this as described above) The you might want to chase
down the throw-away spammer email address used to test for the
vulnerability. Most I have seen to date have been addresses at AOL, so
you should complain to abuse at aol.com or, as this is a Terms of
Service violation, to tosgeneral at aol.com. Many people have already
done so with limited effect, so don't expect AOL to come swooping in and
fix everything, but its at least covering the bases.
OK, so I'm clean. Now how do I stop the annoying test emails?
If you have to make the
edits on your own, find some fingerprint in the email that flags it as
obviously bad. Like if the email field contains the characters "Bcc:",
chances are you are looking at a probe for vulnerability. Just put an
"if" statement around the block of code that sends you an email that
tests for that. Don't forget to ignore case so "Bcc:" and "bcc:" are
caught. Alternatively you could just look for the two blank lines,
however you should be careful about "
" and "
" which both
will be interpreted as two blank lines. If you are going to do it this
way, I suggest you kill all "
" characters and then search for "
".
|
| Visitor Comments |
|
No visitor comments posted. Post a comment
|
| Related Questions |
|
No related questions were found.
|
| Attachments |
|
No attachments were found.
|
Search the Knowledgebase
Browse by Category
Print this page
Email this page
Post a comment