[nycphp-talk] worm/virus's hammering feedback scripts?
Hans Zaunere
lists at zaunere.com
Sun Sep 11 13:24:41 EDT 2005
Rolan Yang wrote on Sunday, September 11, 2005 9:35 AM:
> A few of my web based feedback (contact.php) scripts have been getting
> hammered with some sort of spam or bot net attack over the past week.
> The scripts are running on different servers at different web hosts, but
> the garbage coming in has been the same. The "from" field is filled in
> with random lower case letters like "kljaogr at domain.com" where "domain"
> is the website address. The body field contains the same email address.
>
> Sometimes "Content-Type: multipart/mixed;
> boundary=\"===============083392.."
> is appended to the email address in both the "from:" field and also the
> body.
>
> The submissions are coming from different ip's all over the world.
> Has anyone else been experiencing anything similar?
Yeah - I've been seeing it over the last couple of weeks.
It's a particularly ingenious method of taking advantage of primarily the MIME standard. I typically look for the string 'Content-Type:' in any submitted fields, and if it's found, the script records the IP and notifies me.
Since it's my understanding that the exploitation can't happen without the use of Content-Type: (the MIME header that dictates part of a message's structure), something like this has worked well:
<?php
// $form_fields holds the submitted values; assumed here to be $_POST
$form_fields = $_POST;
foreach( $form_fields as $value )
{
    // case-insensitive search for the MIME header marker in any field
    if( stripos($value,'Content-Type:') !== FALSE )
    {
        // record the source address and stop before anything is relayed
        mail('admin at my.com','Spam Attempt',$_SERVER['REMOTE_ADDR']);
        exit("{$_SERVER['REMOTE_ADDR']} Has been Recorded");
    }
}
Of course complete input filtering might be the better solution to this.
This is a particularly clever way of exploiting multiple technologies. I would argue that there is nothing broken in PHP or MIME. Rather, it's the combination of seemingly innocuous behaviors that create an exploitable situation.
---
Hans Zaunere / President / New York PHP
www.nyphp.org / www.nyphp.com
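The thread above describes spam bots stuffing "Content-Type:" and a MIME boundary into the From field of a contact form so the resulting mail() call carries attacker-supplied headers. As an added illustration (not Hans Zaunere's code, and not from the nyphp list), the handler below shows the two checks a defender wants: refuse any header-bound field that contains a line break or a header name, and validate the reply address with filter_var so only a plain address ever reaches the header block. The function names, the example.com/example.org addresses and the sample submissions are all constructed for this example.

```php
<?php
// Added example (not from the original post): a contact-form handler that
// rejects submissions carrying injected MIME/SMTP headers and never lets
// raw user input reach the header block of mail().

// A CR or LF in a header-bound field lets the sender append To:, Cc:, Bcc:
// or Content-Type: lines and turn the form into a relay, so any line break
// or header name in such a field is treated as an injection attempt.
function looks_like_header_injection(string $value): bool
{
    if (preg_match('/[\r\n]/', $value)) {
        return true;
    }
    return (bool) preg_match('/\b(Content-Type|To|Cc|Bcc|MIME-Version)\s*:/i', $value);
}

// Body text is not header-bound, so only the MIME markers seen in the
// thread are flagged there (a plain "to:" in a sentence stays allowed).
function mentions_mime_structure(string $value): bool
{
    return stripos($value, 'Content-Type:') !== false
        || stripos($value, 'boundary=') !== false;
}

// Validate the visitor's address strictly instead of pattern-matching it;
// filter_var also rejects embedded newlines and multiple addresses.
function clean_reply_address(string $value): ?string
{
    $value = trim($value);
    if (looks_like_header_injection($value)) {
        return null;
    }
    $valid = filter_var($value, FILTER_VALIDATE_EMAIL);
    return $valid === false ? null : $valid;
}

// Returns an array describing the decision so it can be logged or
// inspected before anything is handed to mail().
function build_contact_mail(array $fields, string $to): array
{
    $from = clean_reply_address((string) ($fields['from'] ?? ''));
    if ($from === null) {
        return ['ok' => false, 'reason' => 'bad or injected from address'];
    }
    $body = (string) ($fields['body'] ?? '');
    if (mentions_mime_structure($body)) {
        return ['ok' => false, 'reason' => 'MIME header marker in body'];
    }
    // The reply address is the only user-controlled value in the header
    // block, and it has just been validated as a single plain address.
    $headers = "From: contact-form@example.com\r\n"   // placeholder sender
             . "Reply-To: $from\r\n"
             . "Content-Type: text/plain; charset=UTF-8\r\n";
    return ['ok' => true, 'reason' => '', 'to' => $to,
            'headers' => $headers, 'body' => "From: $from\n\n$body"];
}

// Constructed samples: one legitimate submission and one shaped like the
// traffic described in the thread (address followed by a MIME header).
$good = ['from' => 'visitor@example.org', 'body' => 'Hello, I have a question.'];
$spam = ['from' => "kljaogr@example.com\nContent-Type: multipart/mixed; "
                 . "boundary=\"===============083392\"",
         'body' => 'kljaogr@example.com'];

foreach ([$good, $spam] as $submission) {
    $result = build_contact_mail($submission, 'admin@example.com');
    if ($result['ok']) {
        // mail($result['to'], 'Contact form', $result['body'], $result['headers']);
        echo "would send\n";
    } else {
        // Record the source address, as the post does, instead of relaying.
        $ip = $_SERVER['REMOTE_ADDR'] ?? 'cli';
        error_log(sprintf('spam attempt from %s: %s', $ip, $result['reason']));
        echo "rejected: {$result['reason']}\n";
    }
}
```

Run from the command line the first submission prints "would send" and the second "rejected: bad or injected from address", because the injected From value contains a line break and a header name before filter_var is even consulted. The actual mail() call is left commented out so the script can be exercised without a configured MTA; in production the rejected branch is where the IP recording from the post belongs.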