
Thread: Someone trying to exploit script to relay spam

  1. #1
    Join Date
    Sep 2005
    Posts
    11

    Someone trying to exploit script to relay spam

    Hi all,

    I have been using the FormMail script for a few months and it has been fantastic for our website; however, over the last week and a half, someone has been trying to hack the script and use it to relay spam. I was first alerted when I kept receiving many incorrect form submission emails with the email address entered as one that is supposed to belong to our domain, i.e. dfgsdfg@artdiscount.co.uk.

    This went on for a couple of days but then the last email confirmation in the batch came to me like this -


    To: xxxx.xxxx@granthams.co.uk

    From: FormMail@www.artdiscount.co.uk

    The following error occurred in FormMail [M18]:

    missing_fields

    Error=The form required some values that you did not seem to provide. [M87] ligt@artdiscount.co.uk

    Submit: 'ligt@artdiscount.co.uk Content-Type: multipart/mixed; boundary='===============1504588820==' MIME-Version: 1.0 Subject: b73bd5c0 To: ligt@artdiscount.co.uk bcc: jrubin3546@aol.com From: ligt@artdiscount.co.uk This is a multi-part message in MIME format. --===============1504588820== Content-Type: text/plain; charset='us-ascii' MIME-Version: 1.0 Content-Transfer-Encoding: 7bit wcllzki --===============1504588820==--

    I went looking on the net to see if anyone else had this problem and found a page of people who are all under the same attack. The page can be found here - http://www.anders.com/cms/75/Crack.Attempt/Spam.Relay

    Here is a sample of what they are talking about -

    I'm seeing an interesting new attack on my website where the attacker is hoping to exploit unchecked fields in a "web to email" form. The attack works by assuming a field used in an email header (such as the "From:" address or the "Subject:") is passed unchecked to the mail subsystem. Appending a newline character and a few more carefully crafted header lines with a BCC list and a spam message body might trick the underlying mail system into relaying spam for the attacker. An initial test sending a BCC copy to killerhamster@punkass.com has been used on most forms on my site to phish for vulnerable scripts. I had an old perl script which didn't check for new lines in the "email" field which alerted me to the problem and allowed me to quickly fix it. If you run a site, you should check and strip fields for carriage return and newline characters used directly in email headers.

    Has anyone else had this problem and more importantly, does anyone know how I can put a stop to this...Please!!

    Kind regards

  2. #2
    Join Date
    Dec 2003
    Posts
    3,901

    Re: Someone trying to exploit script to relay spam

    Hi,

    Yes, we've been seeing the same attack.

    Don't worry, no spam is getting out from your server because FormMail checks the $TARGET_EMAIL pattern(s) for "To", "CC", and "BCC" fields.

    The only person it's annoying is you.

    You can switch off Alerts by setting DEF_ALERT to an empty string:
    PHP Code:
    define("DEF_ALERT",""); 
    But, then you won't see any real errors that you may want to know about.

    A future version of FormMail will allow you to configure the level of alerts you want to receive.
    Russell Robinson - Author of Tectite FormMail and FormMailDecoder
    http://www.tectite.com/

  3. #3
    Join Date
    Sep 2005
    Posts
    11

    Re: Someone trying to exploit script to relay spam

    Thanks Russell.

    That is a relief as my main worry is that our hosting company would not take it too kindly if we were being used to send out spam.

    Our host offer no help whatsoever regarding form mail so luckily, I found you guys.

    I think I will just switch off the alert.

    Cheers again

    Auren

  4. #4
    Join Date
    Dec 2003
    Posts
    3,901

    Re: Someone trying to exploit script to relay spam

    Hi,

    It's a good time to check that you've got $TARGET_EMAIL set correctly too.

    It's possible to set it so that it allows any email address, but if you've read the doco above it and used the samples, then you should be fine.
    Russell Robinson - Author of Tectite FormMail and FormMailDecoder
    http://www.tectite.com/

  5. #5
    Join Date
    Sep 2005
    Posts
    11

    Re: Someone trying to exploit script to relay spam

    Hi,

    I have it set to just the one address -

    $TARGET_Email = array("^ouraddress@artdiscount\.co.uk$");

    I take it this is ok?

    Regards

    Auren

  6. #6
    Join Date
    Dec 2003
    Posts
    3,901

    Re: Someone trying to exploit script to relay spam

    Hi,

    Yes, that's very safe.
    Russell Robinson - Author of Tectite FormMail and FormMailDecoder
    http://www.tectite.com/

  7. #7
    Join Date
    Feb 2005
    Posts
    9

    Re: Someone trying to exploit script to relay spam

    Hi,

    I have been using the great FormMail for months now and have had no problems whatsoever.

    But the last few days I have been getting spammed too.

    Good to hear that it's not getting out, thanks to "target_email"
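
The two checks discussed in this thread, as an added example in PHP (not part of the original posts and not Tectite FormMail's own code): reject CR/LF in any field that ends up in a mail header, then match recipients against an allowlist written in the style of $TARGET_EMAIL. The function names, the form field names and the example.* addresses are assumptions made for illustration.

```php
<?php
// Added example; all names here are hypothetical, not FormMail internals.

// Recipient allowlist in the style of $TARGET_EMAIL from the thread.
// Every dot is escaped so that "." matches only a literal dot.
$allowed = array('^ouraddress@example\.co\.uk$');

// True if a value destined for a mail header contains CR or LF.
function has_header_injection($value)
{
    return preg_match('/[\r\n]/', $value) === 1;
}

// Split a recipient list and keep only addresses matching the allowlist.
function filter_recipients($value, array $patterns)
{
    $ok = array();
    foreach (preg_split('/[,;\s]+/', $value, -1, PREG_SPLIT_NO_EMPTY) as $addr) {
        foreach ($patterns as $p) {
            if (preg_match('/' . str_replace('/', '\/', $p) . '/i', $addr)) {
                $ok[] = $addr;
                break;
            }
        }
    }
    return $ok;
}

// Header fields must be single-line; recipients must be on the allowlist.
function check_submission(array $fields, array $patterns)
{
    foreach (array('email', 'subject', 'recipients', 'cc', 'bcc') as $name) {
        if (isset($fields[$name]) && has_header_injection($fields[$name])) {
            return "rejected: line break in '$name'";
        }
    }
    $list = isset($fields['recipients']) ? $fields['recipients'] : '';
    $to = filter_recipients($list, $patterns);
    return $to ? 'accepted: ' . implode(',', $to) : 'rejected: no allowed recipient';
}

// Constructed samples; the first has the shape of the alert quoted in post #1.
$probe = array('recipients' => 'ouraddress@example.co.uk',
    'email' => "ligt@example.co.uk\r\nbcc: third.party@example.net\r\nSubject: test");
$normal = array('recipients' => 'ouraddress@example.co.uk',
    'email' => 'visitor@example.org', 'subject' => 'Order query');
$offsite = array('recipients' => 'someone@example.net', 'email' => 'visitor@example.org');

foreach (array($probe, $normal, $offsite) as $s) {
    echo check_submission($s, $allowed), "\n";
}
```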
