[Full-disclosure] Automated mass abuse of form mailers

Luc Stroobant fd at stroobant.be
Mon Sep 12 13:52:10 BST 2005


Michael Holzt wrote:
> Automated mass abuse of form mailers
> 
> 2005/09/12, Michael Holzt, kju -at- fqdn.org
> 
> 1. Summary
> 
>    Lately webpage mail forms have become a target of spammers. The attacks
>    seem to be automated and try to exploit the use of untrusted input data
>    in a lot of these form mailers. The attacks insert newlines into data
>    fields which are used unchecked in header lines of the mail generated.
>    These newlines allow the attacker to add his own header lines and message
>    content.

I noticed this too. They started testing our forms a few weeks ago and 
it's still going on. They're using zombies, so IP-blocking is pointless.


>    The victim has managed to add his own Cc line (which will be the spam
>    target), his own subject and his own body. The original subject (and other
>    header lines) as well as the original content have been moved into
>    the body of the mail. Examples of real abuse witnessed have shown that
>    the attackers even try to create multipart messages to hide the original
>    content generated by the form mailer.

I used some mod_security filters (To\:, Cc\:, Bcc\: etc...) to analyse 
their POST requests. The multipart trick is in all their tests in our 
case. This is an example:

Content-Type: multipart/mixed; boundary="===============1269369969=="
MIME-Version: 1.0
Subject: e2dae455
To: oirkcyexud at coza.net
bcc: jrubin3546 at aol.com
From: oirkcyexud at coza.net

This is a multi-part message in MIME format.

--===============1269369969==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding:+7bit

dzrgpjy
--===============1269369969==--



>    The abusers also try to track successful attempts. In a number of cases
>    a bcc to an aol email address (jrubin3546 at aol.com) was inserted into
>    the message as well. Other internet users reported such abuse as well.
>    Google shows nearly 72.000 hits when searching for this mail address.

Another address they use is bergkoch8 at aol.com
(notified AOL abuse about this, but I guess that's /dev/null)


>  It is therefore advised to check the relevant data fields for newlines
>  inserted and deny sending the mail if any are found. For example the
>  vulnerable script shown above could be added by a check like this:

In my opinion, part of this filtering should be done by the PHP mail() 
function. Disallowing the insertion of recipients via additional_headers 
and moving cc:, bcc: and from: to their own variables, just as they do 
with "to", would make it much more abuse-proof.

Luc
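The injection mechanism and the two defensive checks this thread discusses (the advisory's newline check on header-bound fields, and mod_security-style signatures for injected To:/Cc:/Bcc: headers and the multipart trick), as an added Python example that is not part of this thread or of any real form mailer; it models a naive mailer with a constructed sample submission, and uses Python rather than PHP mail() purely for illustration.

```python
import re

# Constructed sample submissions (not real traffic). The second one carries the
# CRLF injection pattern from the thread: an injected bcc plus a fake multipart
# body that pushes the form's own Subject line out of the header block.
BENIGN = {"email": "alice@example.com", "subject": "Question", "body": "Hello"}
INJECTED = {
    "email": ("oirkcyexud@example.com\r\nbcc: tracker@example.com\r\n"
              'Content-Type: multipart/mixed; boundary="==1=="\r\n\r\n'
              "--==1==\r\nContent-Type: text/plain\r\n\r\nspam\r\n--==1==--"),
    "subject": "e2dae455",
    "body": "x",
}

CRLF = re.compile(r"[\r\n]")
# mod_security-style signatures: header names or MIME boundary markers inside
# a field that should only ever hold plain text.
SIGNATURE = re.compile(r"(?im)^(to|cc|bcc|from|content-type):|multipart/|boundary=")


def naive_message(form):
    """Vulnerable form mailer: copies fields straight into header lines."""
    return f"From: {form['email']}\r\nSubject: {form['subject']}\r\n\r\n{form['body']}"


def parsed_headers(message):
    """Header names a mail agent would see. For the injected sample this shows
    the added bcc/Content-Type and that the original Subject was demoted into
    the body, as described in the advisory."""
    block = message.split("\r\n\r\n", 1)[0]
    return [ln.split(":", 1)[0].lower() for ln in block.split("\r\n") if ":" in ln]


def header_injection_fields(form, header_fields=("email", "subject")):
    """Hardened check from the advisory: any CR or LF in a header-bound field
    means the mail must not be sent. Returns the offending field names."""
    return [f for f in header_fields if CRLF.search(form.get(f, ""))]


def suspicious_fields(form):
    """Detection view: fields matching the injection signatures, so attempts
    can be logged even though the send is refused."""
    return sorted(f for f, v in form.items() if SIGNATURE.search(v))
```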




Full-Disclosure is hosted and sponsored by Secunia.