Hey guys, I noticed a client's form had been exploited by injections; it could only be that, as the email is hard coded into the processor. So I went about finding the code to prevent injections, and found it, but wondered, seeing as my PHP skills go as far as setting up DB connection details, if someone could let me know where to place the code I found in my processor. I'll paste the code for the processor first, formmail by lampscripts, and then the fix, and would really appreciate someone pointing out where to place it. formmail: and this being the apparent fix, looking for linebreaks etc.: thanks
Hiya. I know this post was two months ago and I imagine you've got it taken care of by now, but just in case this still helps you or anyone else: What you're seeing is a spammer testing your form to see if it will act as a spam relay. They inject one "bcc: " on a new line to see if it works. Then they check their AOL address to see which forms are vulnerable (that's why you see your own domain in most of the fields). And then they go back and attack those vulnerable forms with bcc:'s to thousands of addresses. Yes, that "fix" section is looking for line breaks. "\r" is carriage return (ASCII 13, hex 0D) and "\n" is linefeed (ASCII 10, hex 0A).

------------------------------
$from = $_POST["sender"];
// eregi() was removed in PHP 7; strpos() performs the same literal check for a CR or an LF
if (strpos($from, "\r") !== false || strpos($from, "\n") !== false) {
    die("Why ?? ");
}
------------------------------

Three things to note:

1. How to make it work in your form script: It's checking the variable "$from", which it is setting from the contents of the variable "sender" which was sent by the form. You have to see what variable YOUR actual form is sending and use that instead. You can find it in your form script by searching for "$_POST" (there will be a $_POST for each field in the form).

2. Where to put it in your script: Wherever your script is validating the variables that it set from the various $_POST values. You could insert it in a logical place in that area, or make it a function and call it from that area (good idea if you're going to use it for multiple variables).

3. What it's missing: You should also check for "%0D", "%0A", "0d", "0a" (those are zeros, not the letter "O") - in case the spammer tried to inject the hex codes for line break. In my own form scripts, I replace "\r" with "[CR]" and "\n" with "[LF]" and let the form send me the e-mail. It looks like crap, but you can see exactly what they injected, as well as prevent their attempt from working.
And you can see the Bcc: address that they're using to collect the results of their testing, so you can report them and hopefully keep them from finding out which of their tests were successful. Of course they mostly use AOL, who won't deal with it before the spammer has got their info and abandoned the address. So far this is my validation syntax:

-------------------------------------
// Replaces every form of line break (literal and URL-encoded) with a visible marker
function nospam($what) {
    $spam = array("\r\n", "\r", "\n", "%0D", "%0d", "%0A", "%0a");
    $fix  = array(" [CR/LF] ", " [CR] ", " [LF] ", " [h-CR]", " [h-cr]", "[h-LF] ", "[h-lf] ");
    return str_replace($spam, $fix, $what);
}
-------------------------------------

and later in the script I just go:

$name  = nospam($_POST['name']);
$email = nospam($_POST['email']);

...and whatever other variables I want to check ("name" and "email" are the field names in my form.shtml). NOTE: DO NOT use "<>" instead of "[]" because "<CR>" is a valid representation of a carriage return in some contexts (and it messed up my early testing). As you can see I'm even tracking whether they use upper or lower case, just because I'm curious, and slightly insane. If you want to replace every line break character with the same thing, you don't need the $fix array. Here's a simplified function that just replaces them all with "[CR]":

function nospam($what) {
    $spam = array("\r\n", "\r", "\n", "%0D", "%0d", "%0A", "%0a");
    return str_replace($spam, "[CR]", $what);
}

You don't really need to look for "\r\n" if you look for both "\r" and "\n", but do be sure to look for them both one way or another. Proper syntax for a new line is carriage return followed by line feed, but e-mail code is simple text and any form of line break will work. My next step is to have the script find the "bcc: " address and automatically send a report to "abuse@xxxxx.com" so at least they are notified as soon as possible.
It would also be nice if I could also automatically post the address to somewhere where it will be picked up by an army of spambots and flood their account with a taste of their own medicine. That might even shut them down before the host does. I hope this helps somebody. Cheers, Oak Aged
The problem with emailing abuse departments is that the IP addresses you see injecting headers into your forms are usually those of innocent people whose computers have been hijacked by a botnet. If you are keen on tracking any of the abuse you could simply use a modified version of some of the code found at http://au.php.net/mail
Um, yes, the IP is usually from an innocent computer (and in fact the probe usually comes from two or three different countries in the same session), but what I'm talking about is trying to get the spammer's e-mail address shut down before he can harvest the probe's results. That has nothing to do with the IP the probe came from, just the address(es) the results are going to. And even if the e-mail address also belongs (or used to belong) to an innocent victim, they're going to have trouble with it now anyway, so why not have the provider stop the spammer and then do something for their user (like flush the account and change its password, and recommend the user also change to a new address)? Sure, we could simply read through those other guys' long scripts, learn what they're doing and find the portions relevant to what we're doing, translate them to work with our scripts, and retest everything. OR, we could stick with the script we already have, and add the very simple and straightforward idea of removing (or replacing with viewable characters) any form of a new line code. Why would you want to dig through unfamiliar scripts, looking for other versions of the same thing? By the way, there are other things you can do too, like checking to see if HTTP_REFERER is set to your form URL like it should be. But that doesn't show you anything about what was injected. And one thing I forgot to mention is that if you do want to see what was injected, you should check every field, not just the name and email fields, because a lot of these bots take wild guesses at which fields to inject into, and some use the shotgun approach and inject them all. And if anyone has some PHP code that causes the form spammer to catch a horrible disease or other fitting response, please let me know!
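Putting the checks from these two posts together (literal and %-encoded line breaks, visible markers for the log, every field checked, nothing mailed until validation passes), as an added PHP example that is not the thread's own code nor LampScripts' FormMail; the field names, the owner address and the sample submission are constructed for illustration:

```php
<?php
// Added example (not the thread's or LampScripts' code): validate every POST field
// for line breaks before any of it can reach mail(), and keep a readable record of
// what was injected. Field names and the owner address are assumptions.

// Returns the line-break tokens present in $value (empty array when clean). Covers
// literal CR/LF and the URL-encoded forms %0D/%0A in either case. Bare "0d"/"0a"
// are not matched: without the percent sign they occur in ordinary text.
function find_line_breaks(string $value): array {
    preg_match_all('/\r|\n|%0[dDaA]/', $value, $m);
    return array_values(array_unique($m[0]));
}

// Replaces each line-break token with a visible marker, so a logged copy shows
// exactly what was injected without being able to start a new header.
function mark_line_breaks(string $value): string {
    $spam = ["\r\n", "\r", "\n", "%0D", "%0d", "%0A", "%0a"];
    return str_replace($spam, '[CR]', $value);
}

// Checks every field, not just name and email: probing bots often inject into all
// of them. Returns true only when no field contains a line break.
function form_is_clean(array $post): bool {
    $clean = true;
    foreach ($post as $field => $value) {
        if (find_line_breaks((string) $value) !== []) {
            $clean = false;
            error_log("header injection attempt in '$field': " . mark_line_breaks((string) $value));
        }
    }
    return $clean;
}

// Constructed sample submission: a probe appending a Bcc: header to the e-mail field.
$post = [
    'name'    => 'Test',
    'email'   => "someone@example.com\r\nBcc: collector@example.net",
    'message' => 'Hello',
];

// Nothing is mailed unless every field passed, so an injected header never reaches mail().
if (!form_is_clean($post) || filter_var($post['email'], FILTER_VALIDATE_EMAIL) === false) {
    exit("Invalid input.\n");
}
$headers = 'From: ' . $post['email'] . "\r\n";          // user value only after validation
mail('owner@example.com', 'Contact form', $post['message'], $headers);
```

With the constructed submission above the script logs the marked-up field (`someone@example.com[CR]Bcc: collector@example.net`) and stops before mail() is called; a clean submission with a well-formed address falls through to the send.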
It can take a long time for some abuse departments to investigate. The most common email addresses used in harvesting the results are ones from a large American company (you know who I'm talking about). It's hard even for them to shut down the abuse quickly enough. Anyway, prevention is better than cure. If you've secured your PHP forms then you've made a huge contribution. Once everyone does their bit the spammers will find it increasingly difficult and hopefully die off (until they find a new way to abuse things, of course). I was only suggesting it might be worth looking at. The code presented at php.net is simple, neat and does almost everything you're planning for your own code (the difference is, their code actually does it already). If you don't want to learn from others that's fine.
Yeah I know... you're right. But I do hope that at least, if these companies start getting enough of these reports to open their eyes, they'll do something about it. Probably too much to hope for, but I can't stand the thought of letting these bastids get away with it. I agree there too, but I still prefer the idea of catching the bastids in the act and seeing justice done, rather than just knowing that my own site is safe. I guess it's my superhero complex coming through again. Dammit... I knew I shouldn't have sold my superhero costume on eBay! Sorry, I thought you were referring to tracking what they're injecting, which I'm already doing. 'Cause you said: If you meant to say that there is code compatible with my script that will help me automate the abuse reporting back to the e-mail providers, then I apologize, but I didn't get that meaning from what you said. Thanks for the input!
Hehehe.. I know what you mean though. Some of my mates call me Robocop because I want justice so bad.. but at the end of the day it's sometimes just not worth the stress.. What would be great is if there was some type of 'boobytrap' software that could be installed on computers to detect and report when someone is trying to turn them into a zombie.. then somehow map it all back to its source.. but now that's really dreaming! Sorry, my mistake.. I did actually mean reporting, but reading it a 2nd time it's clear I goofed with my choice of words. Oh well.. at least we're fighting the same fight (against spammers)
Coolio. So let's get a crack team of programmers together and build "Spammer Zapper 2007", which will ultimately be bought by Miscosuck and renamed "MS Nobot" or bought by Symantec and renamed "Norton Antibotty". We'll be RICH, I tell you.
I'm currently having a spammer attack. I freaked out and called the hosting company; they took down the site, the spammer used my form, and I have no idea how to protect and prevent it.... so the site is down.... any help about how to resolve the problem will be appreciated
Before your host lets your site back up, they're going to want to know that it won't be able to send out spam from their system. Your job is to install adequate security and then convince your host that it's now safe, and ask them to put your site back up. Adequate security means the script(s) that process your form(s) must check the user's input for unwanted content, especially new line codes (carriage return and/or line feed). If you are using a script you got from somebody else, get an updated version or have them update it. If you wrote it yourself, you'll have to learn what needs to be done and do it. The most basic thing is to check every input (at least the ones that will be used in your mail command) for new line codes, and reject the input if found. Do not let your script send out an e-mail, even if it's supposed to go only to you, if it hasn't checked for the codes. The exact syntax of what you need to write will depend on what language you're using. I can help you if it's PHP but not much else. (By the way, your security checks must be done on the server side, NOT the client side - that means JavaScript won't do.) There is specific info for PHP in this very thread, plus there are people on the web (including this forum) who can help you with any other language. The important thing is to get your security update, confirm that it does in fact work, update and test your site, and then prove it to your host. If you can't update and test your site because your host has it completely inaccessible even by you, you'll have to make an arrangement with them - maybe put it up with password access so you can work on it, or send them the section of updated script so they can see that you're doing the right thing. In any case, as soon as your site is up, get that script updated and tested ASAP - if you let it happen a second time your host will be harder to convince that you're able to deal with the problem. Good luck!
Actually it was the form offered by the host; I simply copied the form HTML code and put it in the contact-us file.