Automated mass abuse of form mailers

[Michael Holzt <kju-fd () fqdn org>]

Automated mass abuse of form mailers

2005/09/12, Michael Holzt, kju -at- fqdn.org

1. Summary

   Lately webpage mail forms has become a target of spammers. The attacks
   seems to be automated and try to exploit the use of untrusted input data
   in a lot of these form mailers. The attacks inserts newlines into data
   fields which are used unchecked in header lines of the mail generated.
   These newlines allow the attacker to add own header lines and message
   content.

2. Attack vector

   Example of a vulnerable script (shortened) in PHP:

   | $header = "From: " . $_POST["email"];
   | mail("normal.target () do main", "subject",
   |  "This is the original content", $header);

   This script can be exploited by using e.g. the following value in the
   'email' field of the http post request (line break inserted only for
   display purposes):

   | fake.address () do main\nCc:victim () do main\n
   | Subject: Buy Viagra now!\n\nText

   As this content is inserted unchecked into the header, this will result
   in a mail generated which looks like this:

   | From: fake.address () do main
   | Cc: victim () do main
   | Subject: Buy Viagra now!
   |
   | Text
   | Subject: subject
   |
   | This is the original content

   The victim has managed to add his own Cc line (which will be the spam
   target), a own subject and a own body. The original subject (and other
   header lines) as well as the original content have been moved into
   the body of the mail. Examples of real abuse witnessed have shown that
   the attackers even try to create multipart messages to hide the original
   content generated by the form mailer.

   Also these attacks seems to be automated. For a test i renamed the name
   of the form mailer skript. However the attacks continued without major
   delay. In the log files of the web server i could see the abusers to
   first fetch the html page containing the mail form. This page seems to
   be parsed automatically, and the names of the form fields and the script
   extracted. Between the fetch of the html page and the first abuse attempt
   on the renamed script only 4 seconds elapsed.

   The abusers also try to track sucessfull attempts. In a number of cases
   a bcc to an aol email address (jrubin3546 () aol com) was inserted into
   the message as well. Other internet users reported such abuse as well.
   Google shows nearly 72.000 hits when searching for this mail address.

3. Recommendations

   Never use untrusted input data without proper filtering. If special
   characters like newlines are filtered from the input data, this type
   of attack would no longer work.

   The automated exploitation attempts will however likely not be affected
   by this. If your form mailer does not have any type of sanity check on
   the input data (might even not be possible depending on type of usage),
   this will lead to lots of email generated to the "normal" recipient of
   the form mails.

   It is therefore advised to check the relevant data fields for newlines
   inserted and deny sending the mail if any are found. For example the
   vulnerable script shown above could be added by a check like this:

   | if ( eregi("\n",$_POST["email"]) || eregi("\r",$_POST["email"]) )
   | {
   |   header("HTTP/1.0 403 Forbidden");
   |   die("Spam attempt denied");
   | }

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/