Web Form Spammers / Email Injection Spamming

Do you have a question? Post it now! No Registration Necessary.  Now with pictures!

Threaded View
I'm not much of an expert about web security, and plus I'm a procrastinator,
so when I started getting weird emails from the contact forms of two of my
websites, I was moderately concerned, but I naively let it go on for a few
weeks before getting annoyed enough to do anything about it.

First I got the IP addresses of two of the spamming sites, and set up a
..htaccess file to block them. Not really a good solution, because it's
probably blocking entire ranges of people who'd like to see my websites. But
it did stop the spamming cold from one of the websites.

The other one kept spamming me, so I finally looked it up on the web about
found out something about web form spamming. I didn't know it, but these
spammers were using a weakness in my web form to spam other people. I guess
they infect a server with a virus, probably a Windows Server, and then the
virus accesses my web form and injects email and mime codes into the
response, and since my script sends me a confirmation email, they use that
to cc or bcc to some other hapless victim.

So I put a spam checker function in my php script,

function checkforspammer($str) {
   if (eregi("\r",$str) || eregi("\n",$str) || eregi("multipart",$str) ||
     eregi("cc:",$str) || eregi("bcc:",$str) ||
     $str = "spam";
   return $str;

This may be clumsy, someone else might have something more efficient, but
this one works. Also I started getting the IP address of the sender from
$_SERVER['REMOTE_ADDR'], duh! I always wondered why I should do that.
Anyway, so now the spam still gets mailed, but I run everything through
checkforspammer after I store it in my database, but before it gets mailed,
so it's only mailed to me and only the word "spam" is in the mail.

Then I find out who owns the IP address and email them explaining that their
server might be compromised since it's spamming my web form. For now, I'm
also collecting the addresses in my .htaccess file. Eventually I could be
blocking the whole world, I don't want to do that. But I figure the same way
they figured out I was vulnerable, they'll also figure out they are blocked,
and eventually they'll stop spamming, and then I'll unblock them. How will I
know to unblock? Give it a couple of months?

So is there anything more I can do? Anything I should be doing differently?

Re: Web Form Spammers / Email Injection Spamming

Dale wrote:

Quoted text here. Click to load it

I remember something about this. What php application are you using? Is it
custom made by you?


Re: Web Form Spammers / Email Injection Spamming

Quoted text here. Click to load it
Quoted text here. Click to load it

Yes, I just made a php script that produces a web form contact page. It
stores the interested party's data in a mysql table, and then sends me a
confirmation email. I didn't know it could be hacked but it's pretty easy to
prevent. Here are a couple of links to explanations of what they're doing
and measures to prevent damage.

http://www.anders.com/projects/sysadmin/formPostHijacking /

So far I've collected 5 IP addresses. belongs to AT&T belongs to telecom equipment supplier, XO is the server for the Polish Academy of Sciences Medical
Research Center belongs to ISP/Web Hosting supplier, iQuest is SolarWinds.Net Network Management Tools' "secure" admin

Re: Web Form Spammers / Email Injection Spamming

Dale wrote:

Quoted text here. Click to load it

So, it sounds like you are correctly checking the parameters now. As far as
how long should you block, I would say it depends. The party responsible
could be some company's server or more commonly someones home pc or even
worse to track down and open proxy.

I think I would attack this in a dynamic fashion. I would look for IPs
trying to spam through you and redirect them to a page saying that their pc
is infected. I would redirect them for, say, a 30 day period.  After 30
days, I would remove them from the list (they would be palced back on the
list if they still try to spam through you). You can do this dynamically
with PHP either using a file to store the IP addresses or a MySql,
posgress, etc, etc....

What do you think?


Site Timeline