A couple weeks ago I started to receive weird messages in my website contact form. The email address the sender used was an address on my domain that didn’t exist and the body was filled with what appeared to be gibberish.
-[START SPAM ATTEMPT]-
Submitted on Saturday September 10, 2005 at 11:24am
===========
Name: nrqxvkqcu@telidesign.com
Content-Type: multipart/mixed; boundary="===============0511923761=="
MIME-Version: 1.0
Subject: 7d2259cf
To: nrqxvkqcu@telidesign.com
bcc: jrubin3546@aol.com
From: nrqxvkqcu@telidesign.com
This is a multi-part message in MIME format.
–===============0511923761==
Content-Type: text/plain; charset=”us-ascii”
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
wykbig
–===============0511923761==–
Email: nrqxvkqcu@telidesign.com
Re: nrqxvkqcu@telidesign.com
Message: nrqxvkqcu@telidesign.com
-[END SPAM ATTEMPT]-
Closer inspection of the message showed it wasn’t really gibberish at all. Because their servers and IP addresses are being blacklisted at breakneck speeds, the spammers are attempting to obfuscate their own identities and whereabouts by exploiting weaknesses in the scripts of innocent webmasters.
The flag was seeing “Content-Type: multipart/mixed;” and the huge red flag was seeing “bcc: jrubin3546@aol.com” - the spammer attempting to rewrite the headers in order to blind carbon copy the message to his throw away email drop box.
Once a message was delivered, he would then have a list of compromised scripts he could use to send out his mass mailings and the innocent webmaster and host would be left to catch all the blame and sort through the blacklisted red tape.
This spammer is not only trying to exploit contact form scripts, but also guestbooks, forums, and even blog comment forms. And it’s not limited to just one programming language, cgi, PHP, even ASP forms are being exploited.
Doing a quick search for the email drop box will reveal that quite a few people have already fallen prey to this phishing attempt.
The best solution that I have come across so far, is simply not allowing any carriage returns or new line characters (\r\n) or the phrase “Content-Type:” to be entered into any of your webform fields. In 99% of situations, there is no valid reason for a visitor needing to use them in a contact form.
An ounce of prevention is worth a pound of cure. If you are using a script on your site, especially for contact form purposes, it’s a good idea to check for any security updates or patches. If you wrote the script or understand the scripting language, you should take the initiative to update the script yourself.
Thanks for the info, this started happening to me a few weeks ago and found this page amongst others… I stripped out the \r\n and it works a treat… I went a step further as you suggested and disallowed “Content-type:”, so now i’m not even getting the junk mails.
Thanks again
# May 19th, 2006
Hi Garvin,
I’m glad to hear this post helped. Here’s hoping the ISPs start shutting these jokers down soon.
~ Teli
# May 22nd, 2006