High Rankings Search Engine Optimization Forum

Secure Your PHP Web Forms From Email Injections, Don't let spammers abuse your domain
robwatts
post Oct 12 2006, 02:23 AM
Post #1


yackyack.co.uk

Group: Moderator
Posts: 306
Joined: 21-July 03
From: London - Hertfordshire
Member No.: 6

How would you feel if you found out that your domains and accounts were being used to send out UCE (email spam) in bucket loads?

It might well be happening!

I was alerted to this by a high incidence of returned mail in the shape of 'mail delivery subsystem' type subject emails, notifications of undeliverable emails etc. For some time I'd just dismissed them as spammers faking email addresses and that mine happened to be one of zillions in their lists. The other week I looked at the headers of one of these (twas a slow day) and was shocked to see that it was actually sent from a server that I control. This caused me to wonder how this had happened, so after a little investigation I came across this email injection exploit.

In a nutshell, it enables a spammer to inject spam messages via unsecured PHP web forms and send out 1000's of emails at a time from the server that hosts the mail script using PHP's mail() function.

If you are writing your own web forms and email scripts, or have some old ones kicking about, then you might want to look at tightening them up a little.

Failure to do so could mean that your server will be used to send out mass email spam. If that wasn't bad enough then think of the hog on your server resources and bandwidth. And of course, the obvious question of why should these people be allowed to profit from something that is relatively straightforward to fix. However, and this could be the biggest sting in the tail, you really don't want your web host closing your account down due to your account email spamming!

The code below is an adaptation of some code found in a very useful and comprehensive article here.

http://www.phpbuilder.com/columns/ian_gilf...p3?print_mode=1



CODE
<?php
// Insert into the head of the scripts that use mail().
// UKSITE is a site-name constant the original script defines elsewhere;
// fall back to the request host so the snippet also runs on its own.
if (!defined('UKSITE')) {
    define('UKSITE', isset($_SERVER['HTTP_HOST']) ? $_SERVER['HTTP_HOST'] : '');
}

function logBadRequest() {
    /* It's a good idea to record as much info as possible. This way you can,
       for example, record the IP addresses, or set up a system whereby you use
       some kind of writable htaccess that adds errant proxy IPs and blocks
       subsequent visits. I use an email notification, but it could well write
       this info to a text file or other type of database. */
    $BODY = $_SERVER['HTTP_USER_AGENT'] . ' ' . $_SERVER['REMOTE_ADDR'] . ' '
          . $_SERVER['REMOTE_PORT'] . ' ' . $_SERVER['REQUEST_METHOD'] . ' '
          . UKSITE . $_SERVER['REQUEST_URI'];
    @mail("robert@*******.com", "Spammer Bot Attempt", $BODY,
          "From: Alert <alert@*******.com>\r\n");
}

// Header-injection fingerprints. strpos() is case-sensitive, hence the
// upper- and lower-case variants. Note that "\n" and "\r" also reject any
// legitimate multi-line textarea message, and "to:" matches inside ordinary
// text such as "photo:", so tune the list to your own form.
$badStrings = array("Content-Type:",
                    "MIME-Version:",
                    "content-type:",
                    "mime-version:",
                    "multipart/mixed",
                    "content-transfer-encoding:",
                    "to:",
                    "Content-Transfer-Encoding:",
                    "bcc:",
                    "\n",
                    "\r",
                    "cc:");

// Loop through each POST'ed and GET'ed value and test if it contains
// one of the $badStrings. Array-valued fields (name="foo[]") are skipped
// because strpos() needs a string.
foreach (array($_POST, $_GET) as $params) {
    foreach ($params as $k => $v) {
        if (!is_string($v)) {
            continue;
        }
        foreach ($badStrings as $v2) {
            if (strpos($v, $v2) !== false) {
                logBadRequest();
                header("HTTP/1.0 403 Forbidden");
                exit;
            }
        }
    }
}




Most commercially available mailforms should be covering this sort of stuff, so you should be ok there, but do check, just in case.
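A mail() wrapper that keeps visitor input out of the header area altogether, as an added example that is not the poster's code and complements the pattern check above. It assumes form fields named name, email and message, and an assumed SITE_HOST constant that you set to your own domain.

```php
<?php
// Added example, not the thread's code: keep visitor input out of headers
// instead of only pattern-matching for injection strings. Assumes form fields
// "name", "email", "message"; SITE_HOST is an assumed constant (your domain).
const SITE_HOST = 'example.com';

/** True when a value cannot start a new header line (no CR, LF or NUL). */
function isSingleLine($value)
{
    return is_string($value) && preg_match('/[\r\n\0]/', $value) !== 1;
}

/** Return to/subject/body/headers for mail(), or null if input is unsafe. */
function buildContactMail(array $post)
{
    $name    = isset($post['name'])    ? $post['name']    : '';
    $email   = isset($post['email'])   ? $post['email']   : '';
    $message = isset($post['message']) ? $post['message'] : '';
    // "name" ends up in Subject: and "email" in Reply-To:, so both must be
    // single-line. The body may contain newlines; that is harmless.
    if (!isSingleLine($name) || !isSingleLine($email) || !is_string($message)) {
        return null;
    }
    $name  = trim($name);
    $email = trim($email);
    // FILTER_VALIDATE_EMAIL accepts exactly one address: no "," or ";" lists
    // and no CR/LF, so a forged Bcc:/Cc: cannot ride in on this field.
    if ($name === '' || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    // To: and From: are fixed to our own domain; the visitor's address is
    // only ever a validated Reply-To:. X-Mailer: ties the mail back to this
    // script (the trick a later reply in the thread describes).
    $headers = array(
        'From: Contact form <contact@' . SITE_HOST . '>',
        'Reply-To: ' . $email,
        'X-Mailer: ' . SITE_HOST,
        'Content-Type: text/plain; charset=UTF-8',
    );
    return array(
        'to'      => 'owner@' . SITE_HOST,
        'subject' => 'Website contact from ' . $name,
        'body'    => "From: $name <$email>\n\n" . str_replace("\r", '', $message),
        'headers' => implode("\r\n", $headers),
    );
}
```

Call buildContactMail($_POST) in the form handler, answer with a 403 when it returns null, and otherwise pass the four values straight to mail().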
linux_lover
post Oct 12 2006, 03:45 AM
Post #2


LiLo

Group: Active Members
Posts: 831
Joined: 2-July 04
From: York, UK
Member No.: 4,207

All that you need to do is:

a) check for your domain string in the referer (not infallible but helps)
b) strip out unnecessary input from email body and email address string
c) No IP address can send more than X emails in X hours

You have to watch for ';' in the email string as that can be used to send to multiple recipients at one time, e.g. me@somewhere.com;me2@somewhere.com.
MaKa
post Oct 12 2006, 06:02 AM
Post #3


HR 6

Group: Active Members
Posts: 852
Joined: 21-November 05
From: Ogmore-by-Sea, Wales, UK
Member No.: 9,487

I had the same problem a couple of months ago and had to update all my sites after one of my hosting companies alerted me to the problem.

Good idea to make other people aware of the possible risk.
robwatts
post Oct 12 2006, 06:21 AM
Post #4


yackyack.co.uk

Group: Moderator
Posts: 306
Joined: 21-July 03
From: London - Hertfordshire
Member No.: 6

QUOTE(linux_lover @ Oct 12 2006, 09:45 AM)
All that you need to do is:

a) check for your domain string in the referer (not infallible but helps)
b) strip out unnecessary input from email body and email address string
c) No IP address can send more than X emails in X hours

You have to watch for ';' in the email string as that can be used to send to multiple recipients at one time, e.g. me@somewhere.com;me2@somewhere.com.


That's great! I'm pleased that you've encountered it already and have access to the means of taking the necessary steps to reduce such occurrences.

That said, not everyone knows how to do most of what you suggest. The point of the post was to advise and proffer a means of taking active, relatively simple steps that address the issue.
linux_lover
post Oct 12 2006, 07:33 AM
Post #5


LiLo

Group: Active Members
Posts: 831
Joined: 2-July 04
From: York, UK
Member No.: 4,207

Yeah... I could post examples but I am too busy at the moment.

Basically, regular expressions rule all.
Randy
post Oct 12 2006, 08:43 AM
Post #6


Convert Me!

Group: Admin
Posts: 17,540
Joined: 17-August 03
Member No.: 551

This previous thread may be helpful. There is some code included to check for stuff like BCC: and CC: injections.

Just a note that doing a referrer check that fails without any other option would be nice to have, but is troublesome. Several firewall packages (most notably Norton's) block referrer data as a default action, which will keep the form from working properly for those real users. You'll need to give them some option.

One freebie I ran across the other day but haven't had a chance to check out yet is Mike Cherim's Secure and Accessible PHP Contact Form. Like I said, I haven't found the time yet to check it out, so can't recommend it. But if it does everything it advertises, it might be quite good. Both to keep the spammers and bots away, as well as in giving full options to real users.

One other trick I use...

I've noticed over the last year or so that a lot of the spambots click on every button they see in a form rather than trying to determine which is a Submit and which is a Reset button. Several months ago I set up a check in the contact form I use (which is based off of Jack's PHP Formmail script with a few custom tweaks) so that the backend mailer will actively look to see if the Reset button was pressed at the time of submission. If it was, the script doesn't send anything and gives a simple error page.

A simple little thing really. But giving that Reset button a value and checking for it stopped ~90% of the spambot submissions I used to get via my web forms.
linux_lover
post Oct 12 2006, 10:10 AM
Post #7


LiLo

Group: Active Members
Posts: 831
Joined: 2-July 04
From: York, UK
Member No.: 4,207

How about additionally checking for a session if the referer is blocked? I guess if they block cookies and referers then you are stuffed.

Additionally I like CAPTCHAs, but simple ones, like "please type the name of the above colour" or "what does this word say" etc. I think the normal CAPTCHAs are a nightmare for accessibility.
Randy
post Oct 12 2006, 11:02 AM
Post #8


Convert Me!

Group: Admin
Posts: 17,540
Joined: 17-August 03
Member No.: 551

That's sort of what I had in mind and would like to see someone develop, LiLo. Something that puts a lot of restrictions on the base form, but if someone doesn't pass, say, a Referrer test (or whatever) they get a fallback that requires a CAPTCHA to fire everything off.

Something as simple as that should cover 99.9% I would think, yet still wouldn't be anything special for the vast majority of users.
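The Reset-button check from Randy's earlier reply combined with the "referrer test, fallback if it fails" flow sketched here, as an added example that is not any poster's code. It assumes the HTML form has an input of type reset named "reset", and that the fallback page asks the visitor to type a word shown on it (here "continue") into a field named "challenge"; SITE_HOST and CHALLENGE_WORD are assumed constants.

```php
<?php
// Added example, not any poster's code. Assumes <input type="reset" name="reset">
// in the form and a fallback field "challenge"; both constants are assumed values.
const SITE_HOST = 'example.com';
const CHALLENGE_WORD = 'continue';

/**
 * Classify one submission as 'send', 'challenge' or 'reject'.
 * $post and $server stand in for $_POST and $_SERVER so the logic is testable.
 */
function classifySubmission(array $post, array $server)
{
    // A browser never submits a Reset button as a form value, so its presence
    // means something filled in every control it found rather than a person.
    if (isset($post['reset'])) {
        return 'reject';
    }
    // Referrer present and ours: let it through. Absent: some firewalls strip
    // it, so ask for the simple challenge instead of failing a real user.
    // Present but foreign: the form was posted from somewhere else.
    $referer = isset($server['HTTP_REFERER']) ? $server['HTTP_REFERER'] : '';
    if ($referer === '') {
        return challengePassed($post) ? 'send' : 'challenge';
    }
    $host = parse_url($referer, PHP_URL_HOST);
    if (!is_string($host) || strcasecmp($host, SITE_HOST) !== 0) {
        return 'reject';
    }
    return 'send';
}

/** The fallback check: did the visitor type the word the page showed? */
function challengePassed(array $post)
{
    return isset($post['challenge'])
        && is_string($post['challenge'])
        && strcasecmp(trim($post['challenge']), CHALLENGE_WORD) === 0;
}

$decision = classifySubmission($_POST, $_SERVER);
if ($decision === 'reject') {
    header('HTTP/1.0 403 Forbidden');
    exit('Submission refused');
}
if ($decision === 'challenge') {
    // Re-display the form with the word-to-type field and stop here.
    exit('Please type "' . CHALLENGE_WORD . '" in the confirmation box and resend.');
}
// $decision === 'send': hand the submission to the mailer.
```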
robwatts
post Oct 12 2006, 11:25 AM
Post #9


yackyack.co.uk

Group: Moderator
Posts: 306
Joined: 21-July 03
From: London - Hertfordshire
Member No.: 6

Duh, looks like I missed that previous thread.
lyn
post Oct 12 2006, 07:01 PM
Post #10


HR 6

Group: Active Members
Posts: 940
Joined: 28-April 04
From: London, Ontario
Member No.: 3,389

QUOTE(robwatts @ Oct 12 2006, 12:25 PM)
Duh, looks like I missed that previous thread.

You mean you don't read and memorize every word that's written in HRF?

tsk, tsk!

(Guess I missed it too, Rob, so I'm glad you brought it up again!)

L.
robwatts
post Oct 13 2006, 12:12 AM
Post #11


yackyack.co.uk

Group: Moderator
Posts: 306
Joined: 21-July 03
From: London - Hertfordshire
Member No.: 6

QUOTE(lyn @ Oct 13 2006, 01:01 AM)
You mean you don't read and memorize every word that's written in HRF?

tsk, tsk!

(Guess I missed it too, Rob, so I'm glad you brought it up again!)

L.


Yay me!

Ha! Maybe I need a little more RAM.
Randy
post Oct 13 2006, 05:35 AM
Post #12


Convert Me!

Group: Admin
Posts: 17,540
Joined: 17-August 03
Member No.: 551

QUOTE(robwatts @ Oct 12 2006, 11:12 PM)

Don't we all...

From the server admin side of things, I do often add one other thing into the mix. Not every time, but definitely if I suspect any funny business.

You can add an X-Mailer header to your backend script and have it contain pretty much anything you want. So it could be something like X-Mailer: somedomain.com, effectively tying it back to the domain on which the script resides. Since it's added by the backend there is nothing a spammer can do that'll cause it to not appear in the email headers.

It won't bother email delivery or the text people see in the body of the email at all. But makes it quite simple to spot an unsecure script by reviewing the mail headers.

FWIW, since I already know my scripts are reasonably secure and have a lot of REGEX filtering set up on my own email addresses, this X-Mailer: line makes it very simple for me to give a free pass to these form-sent emails. It lets the email get right on past my email filters even if something else would have normally kicked them into the junk pile.
robwatts
post Oct 13 2006, 06:00 AM
Post #13


yackyack.co.uk

Group: Moderator
Posts: 306
Joined: 21-July 03
From: London - Hertfordshire
Member No.: 6

Thanks Randy. X-Mailer would have been damn handy previously, but as I've now plugged the holes perhaps it can wait till the next round ;-)

Unless... there's a way to make Apache add it at send level. It's maddening to have to go back and fix things up for issues coming out of the blue. Still, makes you work a little harder and think a little deeper on security issues subsequently, so not all bad!

The problem I had was borne out of an issue that when most of my scripts were written (some back in 2001), the exploit concerned was either unknown or unthought of even!
Randy
post Oct 13 2006, 07:17 AM
Post #14


Convert Me!

Group: Admin
Posts: 17,540
Joined: 17-August 03
Member No.: 551

There are ways to make your server's mailer add reference lines like this, Rob. I've not done it with my own servers, but it can be done. How depends upon your server, what mailer it's using (sendmail, qmail, etc.) and how it's all configured.

If you've ever noticed, most of the bigger email providers do in fact have their servers add in an additional tracking line or two. AOL adds a Message-ID header, Hotmail uses an X-Originating-IP header. I actually use those in my Eudora filters to automatically dump any mail from forged aol.com or hotmail.com addresses.
linux_lover
post Oct 13 2006, 09:03 AM
Post #15


LiLo

Group: Active Members
Posts: 831
Joined: 2-July 04
From: York, UK
Member No.: 4,207

QUOTE(Randy @ Oct 12 2006, 04:02 PM)
That's sort of what I had in mind and would like to see someone develop, LiLo. Something that puts a lot of restrictions on the base form, but if someone doesn't pass, say, a Referrer test (or whatever) they get a fallback that requires a CAPTCHA to fire everything off.

Something as simple as that should cover 99.9% I would think, yet still wouldn't be anything special for the vast majority of users.


I have seen that on a few sites... it can be as simple as 'what does the above word say'... or 'please type in the word continue' to continue...

I dislike the silly jumbled letter CAPTCHAs. I can barely make them out and I have good sight!