
Email Injection & PHP

  • 24-08-2005 3:08pm
    #1
    Moderators, Politics Moderators Posts: 39,933 Mod ✭✭✭✭


    A site of mine yesterday suffered an attempt at an email spam injection. For those unaware, the spammer types out a bcc field with addresses into one of the form's text boxes. Something like:-
    mvx@mydomain.com Content-Type: multipart/mixed; boundary="===============1543680057==" MIME-Version: 1.0 Subject: 2d2d30a9 To: mvx@mydomain.com bcc: bergkoch8@aol.com From: mvx@mydomain.com This is a multi-part message in MIME
    Searching google, bergkoch8@aol.com seems to pop up quite a bit for this problem - do AOL not suspend accounts? :rolleyes:
    Anyhow, he didn't manage to get it working AFAIK based on the function below that I found ages ago which parses all fields. However, I'm curious to know what others use to prevent this kind of stuff.
    function stopInjection($foobar){
    	$parsed = $foobar;
    	$parsed = htmlentities($parsed);  // encode <, >, & and quotes as HTML entities
    	$parsed = strip_tags($parsed);    // remove any HTML/PHP tags
    	$parsed = stripslashes($parsed);  // undo magic_quotes backslash escaping
    	$parsed = trim($parsed);          // drop leading and trailing whitespace
    	return $parsed;
    }
    
    // run each submitted field through the function before using it
    $email = stopInjection($_POST['email']);
    


Comments

  • Closed Accounts Posts: 7,145 ✭✭✭DonkeyStyle \o/


    Well for feedback forms that are only ever meant to reach the site's owners, I set the recipient manually in the script itself and ignore any other input, even invisible form elements designed to set these values in the calling html.
    So no matter what's sent to the script, it'll only ever send the mail to one fixed address.
    I'm no security expert, but it seems like a good move if you only need the functionality of sending form data to a single/fixed address in the first place.


  • Moderators, Politics Moderators Posts: 39,933 Mod ✭✭✭✭Seth Brundle


    Mine was the same - the visitor completed a few standard fields (name, email, etc.) and the form was sent to my address within the php code.
    However, the spammers add "bcc: bergkoch8@aol.com From: mvx@mydomain.com This is a..." into say the 'email' field and if your PHP isn't set up to tackle it, then in theory the spammer can send loads of emails this way.

    Have a look at this - www.anders.com/cms/75/Crack.Attempt/Spam.Relay


  • Moderators, Politics Moderators Posts: 39,933 Mod ✭✭✭✭Seth Brundle


    resurrecting this again...

    I keep getting emails by this spammer trying and I'm wondering if my function above isn't working.
    Email headers:
    Return-Path: <nobody@jet18.hasweb.com>
    Received: from tweedledee.esatclear.ie (tweedledee.esatclear.ie [194.145.128.6])
    	by fargo.iolfree.ie (8.11.6/8.9.3) with ESMTP id j8FCEqO09088
    	for <kbannon@iolfree.ie>; Thu, 15 Sep 2005 13:14:52 +0100
    Received: from [69.41.248.250] (helo=genuineasp.com)
    	by tweedledee.esatclear.ie with esmtp (Exim 4.14)
    	id 1EFsdg-0000It-Hm
    	for kbannon@iolfree.ie; Thu, 15 Sep 2005 13:14:52 +0100
    Received: with MailEnable Postoffice Connector; Thu, 15 Sep 2005 08:14:36 -0400
    Received: from ([127.0.0.1]) with MailEnable ESMTP; Thu, 15 Sep 2005 08:14:35 -0400
    Received: from nobody by jet18.hasweb.com with local (Exim 4.44)
    	id 1EFsdW-000855-U1
    	for info@kbannon.com; Thu, 15 Sep 2005 08:14:42 -0400
    To: info@kbannon.com
    Subject: BMW Car Club Ireland General Query
    From: orc@bmwcarclubireland.com
    Message-Id: <E1EFsdW-000855-U1@jet18.hasweb.com>
    Date: Thu, 15 Sep 2005 08:14:42 -0400
    X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
    X-AntiAbuse: Primary Hostname - jet18.hasweb.com
    X-AntiAbuse: Original Domain - kbannon.com
    X-AntiAbuse: Originator/Caller UID/GID - [99 32003] / [47 12]
    X-AntiAbuse: Sender Address Domain - jet18.hasweb.com
    X-Source: 
    X-Source-Args: /usr/local/apache/bin/httpd -DSSL 
    X-Source-Dir: bmwcarclubireland.com:/public_html
    X-UIDL: 9Qd!!pRN!!/O5"!NJ4"!
    
    Name: orc@bmwcarclubireland.com
    Email: orc@bmwcarclubireland.com
    Address: orc@bmwcarclubireland.com
    Phone: orc@bmwcarclubireland.com
    Content-Type: multipart/mixed; boundary="===============1454301426=="
    MIME-Version: 1.0
    Subject: 243390d8
    To: orc@bmwcarclubireland.com
    bcc: PeiCanteenMc@aol.com
    From: orc@bmwcarclubireland.com
    
    This is a multi-part message in MIME format.
    
    --===============1454301426==
    Content-Type: text/plain; charset="us-ascii"
    MIME-Version: 1.0
    Content-Transfer-Encoding: 7bit
    
    squwlsi
    --===============1454301426==--
    Car: orc@bmwcarclubireland.com
    
    Message:
    orc@bmwcarclubireland.com
    
    Can someone verify that this mail is not being sent to the AOL address?

    [in case you are trying to figure out the route the mail took to reach me, all mails @ bmwcarclubireland.com [on hasweb server] are sent to my kbannon.com a/c which is currently being moved to a different host and therefore I have told the domain registrar to forward to my old iolfree a/c]
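    An added example, not code from the thread, for the question of whether the mail above ever reached the AOL address: it splits a raw message at the first blank line and reports whether the to:/cc:/bcc: lines sit in the real headers (which the MTA acts on) or in the body (where they are inert text); the sample message is constructed from the headers quoted above.

```php
<?php
// Added example, not code from the thread. An MTA only treats lines above the
// first blank line as headers; everything after it is body text. If the injected
// bcc:/to: lines are in the body, the script passed them on as form-field text,
// not as headers, and no copy was sent to the injected address.

function splitMessage(string $raw): array
{
    $raw   = str_replace("\r\n", "\n", $raw);
    $parts = explode("\n\n", $raw, 2);
    return [$parts[0], $parts[1] ?? ''];
}

// Recipient-type header lines ("to:", "cc:", "bcc:") found at the start of a line.
function recipientLines(string $block): array
{
    $found = [];
    foreach (explode("\n", $block) as $line) {
        if (preg_match('/^(to|cc|bcc):\s*(.+)$/i', $line, $m)) {
            $found[] = strtolower($m[1]) . ': ' . trim($m[2]);
        }
    }
    return $found;
}

function classifyInjection(string $raw): array
{
    [$headers, $body] = splitMessage($raw);
    return [
        'in_headers' => recipientLines($headers), // acted on by the MTA
        'in_body'    => recipientLines($body),    // inert text in the message
    ];
}

// Constructed sample, cut down from the message quoted above.
$raw = "To: info@kbannon.com\n"
     . "Subject: BMW Car Club Ireland General Query\n"
     . "From: orc@bmwcarclubireland.com\n"
     . "\n"
     . "Name: orc@bmwcarclubireland.com\n"
     . "Content-Type: multipart/mixed; boundary=\"===============1454301426==\"\n"
     . "To: orc@bmwcarclubireland.com\n"
     . "bcc: PeiCanteenMc@aol.com\n"
     . "From: orc@bmwcarclubireland.com\n";

print_r(classifyInjection($raw));
```

    A genuine Bcc header is normally stripped by the MTA on delivery, so its absence from the received headers proves little on its own; the injected lines appearing below the blank line is what shows the script never parsed them as headers.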


  • Moderators, Politics Moderators Posts: 39,933 Mod ✭✭✭✭Seth Brundle


    Incidentally, the form only takes in Name, Email, Address, Car, Telephone & Query


  • Registered Users Posts: 236 ✭✭richardo


    Another line of defense is to use code similar to:

    $find = array("/bcc\:/i","/Content\-Type\:/i","/cc\:/i","/to\:/i");
    // preg_replace accepts an array as the subject, so one call strips the
    // header names from every submitted field in $_POST
    $_POST = preg_replace($find, "", $_POST);
    etc.....

    I have been plagued with these f***ers for a few weeks now. Also every day I get w**kers signing up to my forums [fora?] in order to promote their various 'medical aids' sites. Oh, what I'd give to line 'em up against a wall and let rip with my trusty AK-47 :mad:
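    An added example, not code from any poster in this thread, of the check that addresses both the first post's question and richardo's keyword list: a header can only be injected if the field contains a line break, so header-bound fields with one are refused outright, the address is validated, and the recipient stays fixed in the script. The feedback@mydomain.com sender and me@mydomain.com recipient are assumed placeholders.

```php
<?php
// Added example, not code from the thread. Stripping "bcc:" out of a field still
// lets "b\ncc:"-style variations or other headers through; refusing any line
// break in a header-bound field closes the whole class of injection.

function containsLineBreak(string $value): bool
{
    return preg_match('/[\r\n]/', $value) === 1;
}

// Returns a validated address, or null if the field must be rejected.
function safeEmailField(string $value): ?string
{
    $value = trim($value);
    if (containsLineBreak($value)) {
        return null;                      // injection attempt: reject outright
    }
    $email = filter_var($value, FILTER_VALIDATE_EMAIL);
    return $email === false ? null : $email;
}

// Builds and sends the feedback mail. The recipient is fixed in the script, only
// the validated address goes into a header, and the free-text message (which may
// legitimately contain newlines) is placed in the body, never in a header.
// Vulnerable pattern this replaces: mail($to, $subj, $msg, "From: " . $_POST['email']);
function sendFeedback(array $post): bool
{
    $email = safeEmailField($post['email'] ?? '');
    if ($email === null) {
        return false;
    }
    $body    = "Name: " . str_replace(["\r", "\n"], ' ', $post['name'] ?? '') . "\n"
             . "Email: $email\n\nMessage:\n" . ($post['message'] ?? '');
    $headers = "From: feedback@mydomain.com\r\nReply-To: $email\r\n"; // assumed sender
    return mail('me@mydomain.com', 'Website feedback', $body, $headers); // assumed recipient
}

// Constructed inputs shaped like the payload quoted in the first post.
$injected = "mvx@mydomain.com\nbcc: spammer@example.com\nFrom: mvx@mydomain.com";
$clean    = "visitor@example.com";

var_dump(safeEmailField($injected)); // rejected because of the line breaks
var_dump(safeEmailField($clean));    // accepted and returned as the validated address
```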


  • Registered Users Posts: 4,478 ✭✭✭wheres me jumpa


    I have just started receiving emails like this. They are coming from a feedback form where the recipient is set in the script. Does this mean I can just ignore these emails as they are only being sent to my address?


  • Moderators, Politics Moderators Posts: 39,933 Mod ✭✭✭✭Seth Brundle


    Nope - if you read the first post in the thread, the idea is that the spammer types something like bcc:info@me.ie;1234@me.ie;5678@me.ie - even though your to field is declared within the php - they try and rebuild your email coding.
    If the php does not capture and escape all this then it is possible that using your feedback form they can spam people from your site.
    Looking at the headers of my mail above (and the several hundred others I have received), it appears that the spammer is just testing the script (daily!). I don't think they got it working but that's why I resurrected this thread today.


  • Registered Users Posts: 2,368 ✭✭✭Fionn


    I've experienced similar stuff, except it was for guestbooks. Spammers are all over the place!!
    I asked about a potential solution to my prob here (http://www.boards.ie/vbulletin/showthread.php?t=301309), but nobody came up with an answer though!!
    So I haven't tried that. I have been looking at image verification and I think that's a good way of slowing down the spammers.

