Form abuse on website

Hi , I have a website with contact forms on them, pretty basic forms, I use Javascript Validation for e-mail and phone and no blank name etc. Reciently I have been getting someone has been messing with my forms.. meaning I get like 20 + submissions at the same time, so It must be some kinda bot or something They look like this:

sswyk@domainame.com
Content-Type: multipart/mixed; boundary=\"===============0643992131==\"
MIME-Version: 1.0
Subject: 8ab51b10
To: sswyk@domainame.com
bcc: mhkoch321@aol.com
From: sswyk@domainame.com

This is a multi-part message in MIME format.

--===============0643992131==
Content-Type: text/plain; charset=\"us-ascii\"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

lxgs
--===============0643992131==--
other_than_domain
sswyk@domainame.com

Submit
sswyk@domainame.com

how
sswyk@domainame.com

lname
sswyk@domainame.com

phone
sswyk@domainame.com

qualify
sswyk@domainame.com

details
sswyk@domainame.com

fname
sswyk@domainame.com
Content-Type: multipart/mixed; boundary=\"===============0643992131==\"
MIME-Version: 1.0
Subject: 8ab51b10
To: sswyk@domainame.com
bcc: mhkoch321@aol.com
From: sswyk@domainame.com

This is a multi-part message in MIME format.

--===============0643992131==
Content-Type: text/plain; charset=\"us-ascii\"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

lxgs
--===============0643992131==--


email
sswyk@domainame.com

Code (markup):

But this is not what they are suppose to look like .. fields like qualify are from a select box .. so there is no way the field should be an e-mail address. Has anyone ever had someone mess with their contact forms?

Thanks
Red.

 

I am using POST in the form and the email address is added in the form proccess file.

I Have however found out that I am not the only one with this problem i yahoo'd and googled this email which came in the form submission "mhkoch321@aol.com" and came up with few threads about it and alot of guestbooks affected by this. anyways. How are they doing this , and what does it mean. They could be using the registered globals vunrebility? Or just Spammers. Thanks for you help

EDIT: just found this ... http://securephp.damonkohler.com/index.php/Email_Injection

 

I have also seen this kind of probing. My site does not allow users to specify the from or to email address, so hopefully these emails didn't get out.

Here's what I received: (note the bcc: and IP of posting: 216.72.177.4

Url:
Link_Url:
Next:
Content-Type: multipart/mixed; boundary=\"===============0626292099==\"
MIME-Version: 1.0
Subject: dba04fdb
To:
bcc:
From:

This is a multi-part message in MIME format.

--===============0626292099==
Content-Type: text/plain; charset=\"us-ascii\"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

ulgntwtle
--===============0626292099==--

B1:
email:
Subject:

IP: 216.72.177.4

 

Here is how to fix it... looks like this will work.

http://www.phpfreaks.com/forums/index.php?showtopic=66987&st=0&p=272101&#entry272101

 

You wouldn't believe how long I've been looking for the code on how to fix this, I think Google was thinking of banning mr from it search page because of repertition of searches!

Thnaks a million.

Ian

 

There's a mass probing script kiddie tool in the wild, I've heard a lot of similar "attacks" have been reported...

Edited: Have a look at http://www.google.com/search?q=mhkoch321@aol.com

 

I have added some code to my website's contact form proceess scripts to attempt to strip out the headers . I Hope these changes will make the spam e-mails harmless. I am still not totally conviced however that I have solved this problem.

Red.

 

Ok .. how about this... I am still getting many contact form submissions from this spammer or whatever/whoever they are. What if before I send the emails I can check to see if the IP address of the person sending the form resolves with a reverse DNS lookup. I still do not have the IP of whatever is sending these forms, but i would think that it is spoofed anyways. SO.. if the IP does not have reverse dns lookup, then either it is from a missconfigured server, or it is spoofed ?
As you can see I am getting desperate.

Thanks for the help

Red.

 

Red, The rob is being sent from infected machines, and also could be using a proxy so no good banning IP addresses.

I've just finished putting my code together with a lot of help from about 5 other forums it's not tested 100% if you want you can see it is here: Note my last reply in removing the else from the else if statement which is where the error occurs.

http://forums.digitalpoint.com/showthread.php?t=26583

Ian

 

Ah , yes thanks ... good point. I guess that there is no way to stop it from submitting 20 or so forms a day... :-( , besides taking down the forms.

 

Yes if you implement the code on the page I linked too, it stops all / \ % : ; ' in which ever field you want thuis preventing the injection. It can also stop the code from running if it finds Content-Type or any other set of characters.

Ian

 

Thanks, so just make the code die, if it finds those characters in any of the fields. I am using phpMailer for alot of my forms http://phpmailer.sourceforge.net/ ... I don't know if that has this kind of protection built into it, if not it would be a great addition to the project ...

 

http://www.anders.com/cms/75/Crack.Attempt/Spam.Relay

That's a big thread on this too...recently I have a bot hitting one of my forms as well. I wonder about this...I prefer not to say what I really suspect is happening but I suggest if you are getting this type of probing to look well at your server for other activity. Please look in your tmp directories where PHP uses for temp uploading.

Also consider adding image validation for your forms...this of course would kill any bot activity immediately.

 

Hi, Thanks for your Post, that is some really usefull information on this situation, looks like there is many others with this same problem, I have all my form fields all checked for /r /n , and Content-Type bcc: cc: and all that, if it finds anything like that then the script dies. It seems to be working so far, as I have not recieved the 30+ emails I was getting when this whole thing started.
Question for you ... What am I looking for in my tmp directories? Most of my forms do not have input type="file" but there are a couple that do. If you prefer not to say publically in the forum perhaps you could PM me?
Thanks
Red.

 

Hi

Loads of reports and info on this topic here too:
http://www.anders.com/cms/75
I have a working form that seems to have culled it now using stripslashes in PHP. Drop me a line if you the code for a basic contact form.

Mike

 

Yup, I've had the same problem on a couple of different forms. The tips here have worked so far. I'm also curious about the possible tmp directory problems with file upload forms. I haven't had any problems with those forms yet (at least that I know about) and hopefully won't.

Chris

 

I like this Idea ... I wonder how hard something like that would be to implement?

 

It's not too difficult. Look into different php captcha implementations, for instance: http://www.captchas.net/sample/php/

Captchas can be defeated, but probably not by the run of the mill script kiddie.

Incidentally, is there a way to just in general to reject a form submission like this that doesn't come from an actual form submission on your site? I.E. someone codes a bot to submit to a form, and it rejects it, while it accepts the form input if it comes from the actual page on your site?

 

Hi I got email but i've also got his AOL userid. Is this going to be them and is worth reporting?