Spam attempts via suggestion form
Richard Goodwin
Message #72001, posted by rich at 09:10, 22/11/2005
Dictator for life
Posts: 6828
Looks like someone found a hole in our suggestion form, which I'm passing on to you guys so that you don't get "done" too. Luckily I caught it before too much traffic went through, and according to Spamhaus we've not been put on the naughty list yet. It's a very old script that hasn't been changed in recent years, so I guess it's just one of those things you have to put up with these days.
Basically the suggestion form responded to either POST or GET requests - this means a web page request formed in a certain way would trigger the suggestion sending. I've switched it to just using the POST method for starters, as they seem to be ignoring scripts using this method - presumably because it's slightly harder to generate POST requests. Not hugely, but enough that these guys can't be arsed.
The message that's sent is crafted in such a way as to add headers to the outgoing message, such as changing the subject and adding BCC: with addresses attached. So, if you grep the message for certain tell-tale signs before allowing it to be sent - e.g. MIME-Version:, BCC: and Subject: at the start of a line (case insensitive) - you can catch the bastards before they go through. I'm stripping the content and sending myself their details - IP addresses and suchlike.
I've changed the script to do some other stuff - e.g. better IP reporting - but I doubt blocking IPs would be very productive as I'm sure they're using a botnet of compromised machines. However, if the messages aren't getting through, they'll stop using the script!
________
Cheers, Rich.
Tim Fountain
Message #72006, posted by alpha at 10:24, 22/11/2005, in reply to message #72001
Forum bod
Posts: 570
I've seen this problem on a lot of sites recently. The simplest fix is to prevent newlines on any data which is going to be put directly into the header of the email (e.g. the from name/address).
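As an added example, not the original suggestion script (which is not on the page), here is a Python sketch of the three defences raised in the two posts above: Rich's POST-only rule and his grep for tell-tale header lines (MIME-Version:, BCC:, Subject: at the start of a line, case insensitive), plus Tim's rule that anything copied into a mail header must not contain a newline. The field names, the extra headers beyond the three Rich names, and the sample submissions are assumptions made for the example.

```python
import re
from typing import Dict, Optional, Tuple

# Tell-tale headers Rich greps for (MIME-Version:, BCC:, Subject:) at the start of a
# line, case-insensitive. Cc:, To: and Content-Type: are added here as an assumption:
# any header a mail transport would honour is worth refusing in free text.
INJECTED_HEADER_RE = re.compile(
    r"^(?:mime-version|bcc|cc|to|subject|content-type)\s*:",
    re.IGNORECASE | re.MULTILINE,
)


def has_header_injection(text: str) -> bool:
    """Return True when any line of a free-text field looks like a mail header."""
    return INJECTED_HEADER_RE.search(text) is not None


def clean_header_value(value: str) -> Optional[str]:
    """Tim's fix: a value that goes into a mail header must not contain CR or LF.

    Returns the stripped value, or None when the value must be rejected.
    """
    if "\r" in value or "\n" in value:
        return None
    return value.strip()


def validate_suggestion(method: str, fields: Dict[str, str]) -> Tuple[bool, str]:
    """Combine the three checks from the thread before a suggestion is mailed.

    1. Only POST is accepted (Rich's first change).
    2. Fields copied into headers (from_name, from_email) may not contain newlines.
    3. The message body may not contain injected header lines.
    Field names are an assumption; the original script's names are not on the page.
    """
    if method.upper() != "POST":
        return False, "method not allowed"
    for name in ("from_name", "from_email"):
        if clean_header_value(fields.get(name, "")) is None:
            return False, f"newline in header field {name}"
    if has_header_injection(fields.get("message", "")):
        return False, "injected header in message body"
    return True, "ok"


# Constructed sample submissions (not real traffic from the thread).
GOOD_SUBMISSION = {
    "from_name": "Alice Example",
    "from_email": "alice@example.invalid",
    "message": "Could the news page show more than ten items?",
}

# The shape Rich describes: a newline followed by extra header lines.
CRAFTED_SUBMISSION = {
    "from_name": "Alice Example\r\nBcc: someone@example.invalid",
    "from_email": "alice@example.invalid",
    "message": "hello\nMIME-Version: 1.0\nSubject: changed",
}


def run_samples() -> Dict[str, Tuple[bool, str]]:
    """Run the validator over the samples; handy for a quick check at the prompt."""
    return {
        "good_post": validate_suggestion("POST", GOOD_SUBMISSION),
        "good_get": validate_suggestion("GET", GOOD_SUBMISSION),
        "crafted_post": validate_suggestion("POST", CRAFTED_SUBMISSION),
    }


if __name__ == "__main__":
    for label, verdict in run_samples().items():
        print(f"{label}: {verdict}")
```

The newline check is the one that actually closes the hole: a mail header ends at the first CR or LF, so a value that cannot contain either cannot smuggle a second header. The grep over the body is a useful backstop and gives you something to log, as Rich does, but on its own it only catches the header names you thought to list.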
Richard Goodwin
Message #72007, posted by rich at 11:27, 22/11/2005, in reply to message #72006
Dictator for life
Posts: 6828
Ah, good one!
Right, I'll go round doing that too.
________
Cheers, Rich.
Jeffrey Lee
Message #72008, posted by Phlamethrower at 15:09, 22/11/2005, in reply to message #72007
Hot Hot Hot Hot Hot Hot Hot Hot Hot Hot Hot Hot Hot stuff
Posts: 15100
/me blames whoever wrote the shoddy script
Richard Goodwin
Message #72010, posted by rich at 15:18, 22/11/2005, in reply to message #72008
Dictator for life
Posts: 6828
/me blames the people who are supposed to maintain the scripts
I didn't write it, if that's what you're getting at; but looking at it, it wasn't that bad a piece of code for the time. It has some content verification, just not enough for this particular "attack". You can't always foresee how desperate and sneaky spammers are going to become.
Looking at the messages that were sent through it (about half a dozen, last night), it looks like someone was "perfecting" their code and only sent one fully mangled message through it - the others didn't have proper subject changing etc. And the "perfect" one was only sent to a couple of dozen AOL users, so f*** 'em.
________
Cheers, Rich.
Matthew Somerville
Message #72035, posted by Matthew at 09:11, 23/11/2005, in reply to message #72001
Posts: 520
> presumably because it's slightly harder to generate POST requests. Not hugely, but enough that these guys can't be arsed.

Sadly, I've been getting this recently, and having a POST form hasn't stopped them.

> However, if the messages aren't getting through, they'll stop using the script!

And they still try every few weeks, even though they must know by now it doesn't work. Just more spam to deal with, I guess.
Richard Goodwin
Message #72063, posted by rich at 01:20, 24/11/2005, in reply to message #72035
Dictator for life
Posts: 6828
I've only seen one more attempt since I added more security - and it failed.
BTW - just because a form uses a POST method doesn't mean that the code it posts to is set to only work on POST requests. Is this what you mean? Because all our forms are POST in the HTML, but the problem one responded to whatever you threw at it.
________
Cheers, Rich.
Matthew Somerville
Message #72099, posted by Matthew at 23:02, 24/11/2005, in reply to message #72063
Posts: 520
> BTW - just because a form uses a POST method doesn't mean that the code it posts to is set to only work on POST requests. Is this what you mean? because all our forms are POST in the HTML but the problem one responded to whatever you threw at it.

No, my script only accepts POSTed stuff, and it definitely hasn't worked on any email they've tried, and yet they still try. Fuckers.