Message-ID: <432579FA.9020909@stroobant.be>
Date: Mon Sep 12 13:50:20 2005
From: fd at stroobant.be (Luc Stroobant)
Subject: Automated mass abuse of form mailers
Michael Holzt wrote:
> Automated mass abuse of form mailers
>
> 2005/09/12, Michael Holzt, kju -at- fqdn.org
>
> 1. Summary
>
> Lately webpage mail forms have become a target of spammers. The attacks
> seem to be automated and try to exploit the use of untrusted input data
> in a lot of these form mailers. The attacks insert newlines into data
> fields which are used unchecked in header lines of the mail generated.
> These newlines allow the attacker to add his own header lines and message
> content.
I noticed this too. They started testing our forms a few weeks ago and
it's still going on. They're using zombies, so IP-blocking is pointless.
> The victim has managed to add his own Cc line (which will be the spam
> target), his own subject and his own body. The original subject (and other
> header lines) as well as the original content have been moved into
> the body of the mail. Examples of real abuse witnessed have shown that
> the attackers even try to create multipart messages to hide the original
> content generated by the form mailer.
I used some mod_security filters (To\:, Cc\:, Bcc\: etc...) to analyse
their POST requests. The multipart trick is in all their tests in our
case. This is an example:
Content-Type: multipart/mixed; boundary="===============1269369969=="
MIME-Version: 1.0
Subject: e2dae455
To: oirkcyexud@...a.net
bcc: jrubin3546@....com
From: oirkcyexud@...a.net
This is a multi-part message in MIME format.
--===============1269369969==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding:+7bit
dzrgpjy
--===============1269369969==--
> The abusers also try to track successful attempts. In a number of cases
> a bcc to an aol email address (jrubin3546@....com) was inserted into
> the message as well. Other internet users reported such abuse as well.
> Google shows nearly 72.000 hits when searching for this mail address.
Another address they use is bergkoch8@....com
(noticed aol abuse about this, but I guess that's /dev/null)
> It is therefore advised to check the relevant data fields for newlines
> inserted and deny sending the mail if any are found. For example the
> vulnerable script shown above could be added by a check like this:
In my opinion, part of this filtering should be done by the PHP mail()
function. Disallowing the insertion of recipients via additional_headers
and moving cc:, bcc: and from: to a variable of their own, just as they do
with "to", would make it much more abuse-proof.
Luc
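A defensive check of the kind Michael recommends, written in Python as an added example (it is not code from either poster, nor PHP's mail()). The form field names, the fixed recipient and the sample POST body are constructed for illustration; the point is that the check runs on the decoded field values, since URL-encoding (%0A for a newline, "+" for a space, as in the captured request above) hides the line break from a naive filter on the raw body.

```python
"""Refuse form-mailer input that would inject extra mail headers (added example)."""
import re
from typing import Dict, List
from urllib.parse import parse_qs

# A CR or LF anywhere in a value copied into a header line terminates that
# header and lets the submitter append header lines (Cc, Bcc, Content-Type ...)
# and body content of their own.
LINE_BREAK = re.compile(r"[\r\n]")

# Form fields the mailer copies into header lines (hypothetical field names).
HEADER_FIELDS = ("name", "email", "subject")


def fields_from_post_body(body: str) -> Dict[str, str]:
    """Decode an application/x-www-form-urlencoded body into single-valued fields.

    parse_qs turns %0A into "\n" and "+" into a space, so the check below sees
    the same value the form mailer would paste into the header.
    """
    return {k: v[-1] for k, v in parse_qs(body, keep_blank_values=True).items()}


def find_injected_fields(post: Dict[str, str]) -> List[str]:
    """Return the names of header-bound fields whose value contains a line break."""
    return [name for name in HEADER_FIELDS
            if name in post and LINE_BREAK.search(post[name])]


def build_headers(post: Dict[str, str], site_owner: str) -> str:
    """Build the header block of the notification mail, or refuse to send at all.

    The recipient is fixed by the site, never taken from the submission, and
    submitter-controlled values are only used after the line-break check passed.
    """
    flagged = find_injected_fields(post)
    if flagged:
        raise ValueError("header injection attempt in field(s): " + ", ".join(flagged))
    return (
        f"To: {site_owner}\r\n"
        f"From: {post['name']} <{post['email']}>\r\n"
        f"Subject: {post['subject']}\r\n"
    )


if __name__ == "__main__":
    # Constructed POST body: the email field smuggles a Bcc header via %0A.
    raw = "name=x&email=x%40example.invalid%0ABcc%3A+spam%40example.invalid&subject=hi&message=ok"
    print(find_injected_fields(fields_from_post_body(raw)))  # ['email']
```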