Is this attack harmless or harmful?

Some jerk wrote a robot to attack one of my contact forms. Once a day,
it hits my form about 10 times in a couple of seconds. It adds email
header info into a textarea box as printed below:

Content-Type: multipart/mixed; boundary="===============0845246937=="
MIME-Version: 1.0
Subject: a7a679bf

This is a multi-part message in MIME format.

Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit


I tried manually entering this into the field and substituting my own
address. It didn't seem to generate an email to me.

I'm using PHP4's mail() function to add $_POST[] contents to the
message body, so this never does make it into the header section.
However, since I really don't want my domains to come up on some
"frequent spammers" list, I'd like to be certain.

Am I in trouble here?

Also, if I just do a str_replace() to change any occurrence of "MIME"
into something innocuous, will that fortify my defenses?


Re: Is this attack harmless or harmful?

The world is full of jerks. What's happening here is that someone is trying
to insert additional headers (Subject, To, From, etc.) into the email
generated by your form. The multipart/mixed business is there to split the
email up so that whatever you *think* you're putting in the email is never
actually seen. Instead the spammer has complete control over the content of
the email.

Fortunately PHP seems to have detected this and is refusing to send the
email. But really you should never *ever* take user-generated data straight
from a POST or GET request and put it into an email (or a database, or
anything else for that matter).

For example, the following script is unsafe because the "from" field can be
used to insert other headers (like "Cc", for example) to send email
anonymously to other recipients.

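   $to = '';
   // Unsafe: 'from' is taken straight from the POST data...
   $from = $_POST['from'];
   $subj = $_POST['subject'];
   $msg = $_POST['msg'];
   // ...and appended to the header string, so a line break in it starts a new header.
   mail($to, $subj, $msg, 'From: ' . $from);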

So basically you need to make damn sure your email script doesn't send
anything unless you're COMPLETELY satisfied that the data provided by the
user is genuine and safe to use. Treat *everything* with suspicion.


phil [dot] ronan @ virgin [dot] net
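
A hardened counterpart to the unsafe script in the reply above, as an added example that is not part of either post. The function names, the example.org/example.com addresses and the two sample submissions are constructed for illustration, and filter_var() assumes PHP 5.2 or later rather than the PHP4 mentioned in the question.

```php
<?php
// A value bound for a mail header must stay on one line: a CR or LF
// inside it lets the sender begin a header of their own (Cc, Bcc, ...).
function has_line_break($value) {
    return preg_match('/[\r\n]/', $value) === 1;
}

// Returns the four arguments for mail(), or null if the submission is rejected.
function build_contact_mail(array $post, $to) {
    $from = isset($post['from']) ? $post['from'] : '';
    $subj = isset($post['subject']) ? $post['subject'] : '';
    $msg  = isset($post['msg']) ? $post['msg'] : '';

    // Reject rather than strip: a real visitor never puts a newline here.
    if (has_line_break($from) || has_line_break($subj)) {
        return null;
    }
    $from = trim($from);
    if (filter_var($from, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    // Fixed From (hypothetical site address); the visitor's address only goes in Reply-To.
    $headers = "From: webform@example.org\r\nReply-To: " . $from;
    // The body follows the blank line that ends the headers, so header-like
    // text in it is delivered as ordinary text. Only line endings are normalised.
    $msg = str_replace(array("\r\n", "\r"), "\n", $msg);
    return array($to, trim($subj), $msg, $headers);
}

// Constructed sample submissions.
$samples = array(
    'header text pasted into the textarea' => array(
        'from' => 'visitor@example.com', 'subject' => 'Hello',
        'msg'  => "Content-Type: multipart/mixed\nMIME-Version: 1.0\nSubject: test",
    ),
    'extra header in the from field' => array(
        'from' => "visitor@example.com\r\nCc: other@example.com",
        'subject' => 'Hello', 'msg' => 'Hi',
    ),
);

foreach ($samples as $label => $post) {
    $args = build_contact_mail($post, 'owner@example.org');
    echo $label, ': ', ($args === null ? 'rejected' : 'accepted'), "\n";
    // if ($args !== null) { call_user_func_array('mail', $args); }
}
```

The mail() call is left commented out so the script can be run without a configured mail transport.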