A New Kind of Spam Exploit Using Web Forms

Teli Adlam —  September 14, 2005

A couple weeks ago I started to receive weird messages in my website contact form. The email address the sender used was an address on my domain that didn’t exist and the body was filled with what appeared to be gibberish.

-[START SPAM ATTEMPT]-
Submitted on Saturday September 10, 2005 at 11:24am
===========
Name: nrqxvkqcu@telidesign.com
Content-Type: multipart/mixed; boundary="===============0511923761=="
MIME-Version: 1.0
Subject: 7d2259cf
To: nrqxvkqcu@telidesign.com
bcc: jrubin3546@aol.com
From: nrqxvkqcu@telidesign.com

This is a multi-part message in MIME format.

--===============0511923761==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

wykbig
--===============0511923761==--

Email: nrqxvkqcu@telidesign.com
Re: nrqxvkqcu@telidesign.com
Message: nrqxvkqcu@telidesign.com

-[END SPAM ATTEMPT]-

Closer inspection of the message showed it wasn’t really gibberish at all. Because their servers and IP addresses are being blacklisted at breakneck speeds, the spammers are attempting to obfuscate their own identities and whereabouts by exploiting weaknesses in the scripts of innocent webmasters.

The first flag was seeing “Content-Type: multipart/mixed;” and the huge red flag was seeing “bcc: jrubin3546@aol.com”: the spammer was attempting to rewrite the mail headers in order to blind carbon copy the message to his throwaway email drop box.

Once a message was delivered to that drop box, he would have a list of exploitable scripts he could use to send out his mass mailings, and the innocent webmaster and host would be left to catch all the blame and sort through the blacklisting red tape.

This spammer is not only trying to exploit contact form scripts, but also guestbooks, forums, and even blog comment forms. And it’s not limited to just one programming language: CGI, PHP, and even ASP forms are being exploited.

Doing a quick search for the email drop box will reveal that quite a few people have already fallen prey to this phishing attempt.

The best solution I have come across so far is simply not allowing any carriage return or newline characters (\r\n), or the phrase “Content-Type:”, to be entered into any of your web form fields. In 99% of situations there is no valid reason for a visitor to need them in a contact form.

An ounce of prevention is worth a pound of cure. If you are using a script on your site, especially for contact form purposes, it’s a good idea to check for any security updates or patches. If you wrote the script or understand the scripting language, you should take the initiative to update the script yourself.
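As an added example (not code from the original post), here is a small Python form handler that applies the rule above: any field that is copied into a mail header is rejected if it contains a line break, every field is rejected if it contains “Content-Type:”, and the From header is hard-coded rather than taken from the visitor (the approach a commenter suggests below). The site addresses, the domain names and the two sample submissions are constructed for the demonstration.

```python
import re
from email.message import EmailMessage

# Fields that end up in mail headers. A line break in any of them would let a
# visitor start a new header line, which is how the bcc: trick in the post works.
HEADER_FIELDS = ("name", "email")
CRLF = re.compile(r"[\r\n]")
CONTENT_TYPE = re.compile(r"content-type\s*:", re.IGNORECASE)
ADDRESS = re.compile(r'[^\s@,;<>"]+@[^\s@,;<>"]+')   # one bare address, nothing else


def find_injection(fields):
    """Return the name of the first offending field, or None if the submission is clean."""
    for name, value in fields.items():
        if name in HEADER_FIELDS and CRLF.search(value):
            return name
        if CONTENT_TYPE.search(value):
            return name
    if not ADDRESS.fullmatch(fields.get("email", "")):
        return "email"
    return None


def build_message(fields, site_from="contact@example.com", site_to="webmaster@example.com"):
    """Build the notification mail. From/To are fixed; the visitor only controls Reply-To."""
    bad = find_injection(fields)
    if bad is not None:
        raise ValueError(f"rejected submission: field {bad!r} failed validation")
    msg = EmailMessage()
    msg["From"] = site_from            # hard-coded, never taken from the form
    msg["To"] = site_to
    msg["Reply-To"] = fields["email"]  # already checked: one address, no line breaks
    msg["Subject"] = "Contact form submission"
    msg.set_content(f"Name: {fields['name']}\nEmail: {fields['email']}\n\n{fields['message']}")
    return msg


# Constructed sample submissions (not real traffic): one legitimate, one carrying
# the CRLF + Content-Type/bcc injection shown in the post.
CLEAN = {"name": "Jane Doe", "email": "jane@example.org",
         "message": "Hello,\nI have a question about your site."}
INJECTED = {"name": 'x@example.com\r\nContent-Type: multipart/mixed; boundary="x"\r\nbcc: drop@example.net',
            "email": "x@example.com", "message": "wykbig"}

if __name__ == "__main__":
    print(build_message(CLEAN).as_string())
    try:
        build_message(INJECTED)
    except ValueError as err:
        print(err)
```

Only fields that are copied into headers need the line-break check; the message body is never parsed as a header, so a multi-line message can still be accepted.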

Teli Adlam


4 responses to A New Kind of Spam Exploit Using Web Forms

  1. Thanks for the info, this started happening to me a few weeks ago and I found this page amongst others… I stripped out the \r\n and it works a treat… I went a step further as you suggested and disallowed “Content-type:”, so now I’m not even getting the junk mails.
    Thanks again

  2. Hi Garvin,
    I’m glad to hear this post helped. Here’s hoping the ISPs start shutting these jokers down soon.

    ~ Teli

  3. Sandy Pittendrigh January 4, 2009 at 4:30 pm

    So, there are various tricky regular expression and function like
    ways to scrub the user input fields, so users cannot exploit
    the cc and bcc fields, usually by various nefarious suffixes
    to the POSTED From field.

    Why not send all such email (on a contact form) to you,
    from a pseudo address like myadmin@mywebsite.com
    The user’s from address (as posted by the form) can be prepended
    onto the body of the message. You can still reply, but now there
    is no chance to hack the from, cc or bcc fields because they
    are hard-coded by your form.

    Wouldn’t that cover your bases?

  4. How do I do what your tips suggest? “The best solution that I have come across so far, is simply not allowing any carriage returns or new line characters (\r\n) or the phrase “Content-Type:” to be entered into any of your webform fields. In 99% of situations, there is no valid reason for a visitor needing to use them in a contact form.”

    I use the cforms plugin from Delicious Day; how do I implement this in that plugin?