Have You Spammed Anyone Today?

If your website has a “contact us” or “Sign me up to your newsletter” form, it is possible that a spammer could use it to send spam from your server. This takes up your bandwidth, leaves your ISP with a mess to sort out (and for which they might charge you) and could in severe cases end up with email from your domain being blocked. This article explains how spammers use a technique called SMTP injection to send spam from web servers just like yours, how you can check your own forms to see if they are vulnerable, and what you can do to fix them if they are. There are some technical descriptions in this article, mainly aimed at developers, but don't worry if you don't fully understand all the examples.

Email Structure

An email consists of two parts: a header section, which contains information about who sent the email, who to send it to, the subject, etc., and a section containing the message body. So a typical email might look like this:

To: recipient@example.com
From: sender@example.com
Subject: Greetings from me to you

Hi,

Just a quick email to say “Hi.”

Regards,
Sender

The three lines at the beginning of the email are the headers. These are followed by a blank line, and following the blank line is the message body.

SMTP Injection

If a spammer can find a way to add – or 'inject' – extra headers into the email, then he can send his message to anyone he pleases. If a form isn't properly validated when it is submitted, he can inject whatever he likes into the headers, simply by adding a specially crafted string to the form fields.

Consider a typical “contact us” form. A simple version might have two fields:

sender (the sender's email address)
message (the message to be sent)

Typical PHP code to handle this form might look like this:

<?php
$to="you@yourcompany.com";
if (!isset($_POST["Submit"])){
?>
<form method="POST" action="<?=$_SERVER['PHP_SELF'];?>">
From: <input type="text" name="sender">
Message :
<textarea name="message"></textarea>
<input type="submit" value="Submit">
</form>
<?php
}else{
$from=$_POST['sender'];
$message=$_POST['message'];
mail($to,'Contact me',$message,"From: $from\n");
}
?>
The mail() function in the script accepts four parameters, like this:

mail(to, subject, message, headers)

If a user enters the following:

sender: sender@example.com
message: Can you send me your price list please?

then the mail() function will send an email with the following structure:

To: you@yourcompany.com
From: sender@example.com
Subject: Contact me

Can you send me your price list please?

The problem with this script is that it doesn't clean up the user's input. A spammer can add extra lines into the sender field like so:

sender@example.com%0ABcc:victim@somesite.com,target@hissite.com,...

%0A is the URL-encoded form of a newline character. By the time the value reaches mail() it has been decoded, so the headers will now look like this:

To: you@yourcompany.com
From: sender@example.com
Bcc: victim@somesite.com,target@hissite.com,...
Subject: Contact me

And the mail will be sent not just to you, but to all the people in the Bcc line. All the spammer has to do now is add his spam to the message, and you have just helped a spammer send a load of spam from your company website.

Are Your Forms Affected?

To find out if you are affected, try this simple test. Go to your contact form, and enter the following in the “From” field:

you@yourcompany.com%0ACc:nobody@example.com

If the email is sent, it's likely you have a problem. When the email arrives, check whether the mail has been Cc'ed to nobody@example.com. If it has, you need to fix this problem as soon as possible.

How To Secure Your Forms Against SMTP Injection

The solution is to validate the input from the form, and specifically to reject any newlines in anything which will be placed in the headers. We can do this with the following validation code placed just before the mail() function:

$from = urldecode($from);
// eregi() was removed in PHP 7; preg_match() performs the same check.
// Reject the value if it contains a carriage return or a newline.
if (preg_match('/[\r\n]/', $from)) {
    die("Spammer detected");
}
This will detect the presence of any carriage return or newline characters in the from field and, if any are found, stop the script before the mail is sent. The same check belongs on any other form value that ends up in the headers (a subject field, for example); the message body, which comes after the blank line, can safely contain newlines.
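As an added example (not the article's own code, and the function names are mine), here is the same validation written as reusable functions: the header value is checked for raw and URL-encoded newlines, the sender is additionally checked to be a single well-formed address, and the headers are only built if both checks pass, so mail() is never reached with an attacker-controlled header line. The input list is constructed from the crafted strings shown earlier in the article.

```php
<?php
// Hardened version of the contact-form handler discussed above.
// Added example, not the article's code; function names are my own.

// Return true only if $value contains no CR or LF, raw or URL-encoded,
// so it cannot terminate one header line and start another.
function header_value_is_safe(string $value): bool
{
    // [\r\n] catches decoded newlines; %0[aAdD] catches the encoded forms.
    return preg_match('/[\r\n]|%0[aAdD]/', $value) === 0;
}

// The From value must be a single well-formed address and pass the
// newline check. filter_var() rejects commas, spaces and control
// characters, so an injected "Bcc:" list cannot pass as an address.
function sender_is_valid(string $from): bool
{
    return header_value_is_safe($from)
        && filter_var($from, FILTER_VALIDATE_EMAIL) !== false;
}

// Build the header string for mail(). Returns null when the input is
// unsafe so the caller can refuse to send instead of calling mail().
function build_headers(string $from): ?string
{
    if (!sender_is_valid($from)) {
        return null;
    }
    return "From: $from\r\nReply-To: $from\r\n";
}

// Constructed inputs: a legitimate address, the article's crafted string
// as PHP sees it after the browser's %0A has been decoded, and the same
// string if it somehow arrived still URL-encoded.
$inputs = [
    'sender@example.com',
    "sender@example.com\nBcc:victim@somesite.com,target@hissite.com",
    'sender@example.com%0ABcc:victim@somesite.com,target@hissite.com',
];

foreach ($inputs as $input) {
    $headers = build_headers($input);
    echo json_encode($input), ' => ',
        ($headers === null ? 'rejected' : 'ok: ' . trim($headers)), "\n";
}
```

In the real handler, a null return from build_headers() should end the request (as the article's die() does) rather than fall through to mail() with default headers.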