A Spammer's Attack on The Contact Web Form
An attack was attempted on the contact form of this web site, in order to gain access to it and send emails through this site to arbitrary email addresses. The attack demonstrates a simple technique by which a spammer tries to gain access to a server in order to send mass spam emails. The attack failed in our case, but the attack pattern is probably common against web email forms. The technical investigation of the attack may be of general interest, so it is placed in the public domain here. A step by step overview of the attack is presented next, illustrated with the original attack data and a few comments.
Details
The web-based contact form on this site looks (looked) simple and innocent. The web page name ends in *.PHP and the submitted text also looks like the output of some standard email form processing script.
A message sent using the contact form looks as illustrated below. The message contents are presented to the user after submitting the message.
MESSAGE ID: [#1240115967]
IP: 223.119.134.11
BROWSER: Mozilla/5.0 (Windows; U; Windows NT 5.1;)
Gecko/20060111 Firefox/1.5.0.1
DATE: 2006-Feb-Wed 08:04:01
NAME: Max Mustermann
EMAIL: max@web.de
SUBJECT: .NETZ
MESSAGE:
Hi,
some text
Best Regards
The IP and BROWSER (user agent) fields are filled in automatically to provide general background information on the origin of the message. The specific formatting above may have led the attacker to believe that simple form processing with a call to PHP mail() is used, and that a break-in was possible. The PHP code behind the contact form on this web site is immune to this kind of attack, but other contact forms on other web sites, which email the results to some email address, may not be. It is interesting to see how the actual attack progressed step by step over two days.
Day One
Message #1
The first attempt was at 2006-Mar-06 11:06:39 EST. All the data shown are original. Only the fake email addresses containing @ madebits.com used by the attacker (read below) have additional spaces around the at-sign " @ " to avoid automatic processing of this page.
MESSAGE ID: [#1141664799]
IP: 61.109.44.209
BROWSER:
DATE: 2006-Mar-06 11:06:39
NAME: have6488 @ madebits.com
EMAIL: house
Content-Type: multipart/alternative;
boundaryfa9a026329de3a29cf176d357788ef
MIME-Version: 1.0
Subject: sind an ambassadure don t know
bcc: bajfla@aol.com
This is a multi-part message in MIME format.
--0efa9a026329de3a29cf176d357788ef
Content-Type: text/plain; charset=\"us-ascii\"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
he sees people around him gettin a good dale iv injyemint out iv gin
rosity an somewan says hy don t ye, too, be gin rous ome, ol
--0efa9a026329de3a29cf176d357788ef--
.
SUBJECT: have6488 @ madebits.com
MESSAGE:
have6488 @ madebits.com
The first thing to notice is the absence of the user agent information. Second, the email field contains more than one line, which is impossible to enter directly from the form in the web page. This shows that these data were not entered through the form in the web page; instead a programmed POST was made, possibly as part of an automated testing script or tool. Programming languages usually do not explicitly set the user agent as part of their HTTP request library classes. The programmed POST enables the attacker to submit longer strings than the HTML form allows, and also to include new lines and carriage returns, or other binary characters, in the input data.
The @ madebits.com email addresses shown in the examples do not exist and the relay mail server will throw these emails out. The attacker uses the fake madebits.com email addresses because most email servers nowadays are configured not to send emails unless they originate from the web site's own domain. This way the email will be considered valid by the mail daemon.
The attacker has added data only to the EMAIL field, thinking that this field is probably used to populate an SMTP 'from:' email header. If this were true, then the string bcc: added by the attacker would be interpreted as a blind carbon copy by the mail server. The email address after the bcc:, bajfla@aol.com, is a real valid email address used by the attacker. If the attempt had succeeded, a copy of this test email would have been sent to bajfla@aol.com and the attacker would then learn that the attempt was a success. Because of the semantics of the SMTP bcc: field, the blind copy of the email would not be visible to madebits.com. The Content-Type: multipart/alternative makes this easier to hide: the first MIME part will be the bcc: text email (which is different from the second MIME part).
Apart from the bcc: field, the attacker has also included a 'Subject: sind an ...' field to make sure that he not only can send an email message, but also that he can send one with a subject of his choice. The two new line characters (which show as empty lines at the end) followed by a single dot '.' are the standard way of terminating an SMTP mail message. The charset=\"us-ascii\" has been escaped by the safety PHP code of this web site. The rest of the form fields just contain the email address repeated. The attacker wants to make sure he can find out what really happens.
Message #2
The attacker made the first try on 2006-Mar-06 11:06:39. After waiting in vain nearly an hour for an email to appear in the bajfla@aol.com mailbox, the attacker decided to make a second try at 2006-Mar-06 11:07:57. The attacker is consistent. He repeats all the tricks above, but this time with the NAME field. The hacker thinks that maybe this field could be the right one. After all, when someone formats an SMTP from: field, the <name> goes first, and then the email address. The terryford52@aol.com is again a real valid address used by the attacker. However, it is not wise to email back to him.
MESSAGE ID: [#1141664877]
IP: 192.138.77.36
BROWSER:
DATE: 2006-Mar-06 11:07:57
NAME: hair
Content-Type: multipart/alternative;
boundary>d335161b6ac9e1c33c7d7f4d349f34
MIME-Version: 1.0
Subject: own
bcc: terryford52@aol.com
This is a multi-part message in MIME format.
--3ed335161b6ac9e1c33c7d7f4d349f34
Content-Type: text/plain; charset=\"us-ascii\"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
visits they determined upon making the round of the market. he
ammerjunker offered his arm to the mother. tto saw this with secret gladness,
and approached ophie. he accepted him willingly as an attendant they
must indeed get into the throng. s in the iddle ges the various
professions
--3ed335161b6ac9e1c33c7d7f4d349f34--
.
EMAIL: says1420 @ madebits.com
SUBJECT: says1420 @ madebits.com
MESSAGE:
says1420 @ madebits.com
Message #3
Again, after waiting in vain another hour or so to receive the cracked email, the attacker tried it again, this time with the SUBJECT field. The attacker thinks that, after all, the email subject is written after the email addresses in the SMTP message header, so the SUBJECT field is indeed worth a try. He has to be systematic. The rest of the details are the same as above. The vickiebosworth@aol.com is again a real valid address used by the attacker. It is listed here in plain text so that other spammers who collect emails by scanning web pages can easily send spam to him :).
MESSAGE ID: [#1141664886]
IP: 192.165.223.227
BROWSER:
DATE: 2006-Mar-06 11:08:06
NAME: every488 @ madebits.com
EMAIL: every488 @ madebits.com
SUBJECT: th
Content-Type: multipart/alternative;
boundary2f09b90aee7643859895ab7f8b932ed
MIME-Version: 1.0
Subject: enough, he d capture
bcc: vickiebosworth@aol.com
This is a multi-part message in MIME format.
--32f09b90aee7643859895ab7f8b932ed
Content-Type: text/plain; charset=\"us-ascii\"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
and out, the first judge of these things in reat ritain. es, think know
a little in that way, he returned. here did we get that wretched stuff,
a our from
--32f09b90aee7643859895ab7f8b932ed--
.
MESSAGE:
every488 @ madebits.com
Message #4
The attacker starts to get a bit impatient. Two minutes after the third message, he tries again with the EMAIL field. He thinks that possibly something went wrong the first time he tried it. One never knows. This time, he reuses an email address that he put in before, vickiebosworth@aol.com, which is a real valid address used by him.
MESSAGE ID: [#1141664898]
IP: 63.146.71.198
BROWSER:
DATE: 2006-Mar-06 11:08:18
NAME: themselves7959 @ madebits.com
EMAIL: green
Content-Type: multipart/alternative;
boundaryÖ23af8a1e68b77f6582a9ae4836e1aa
MIME-Version: 1.0
Subject: juggler
bcc: vickiebosworth@aol.com
This is a multi-part message in MIME format.
--d623af8a1e68b77f6582a9ae4836e1aa
Content-Type: text/plain; charset=\"us-ascii\"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
white threads, were articles of luxury. he other two boys had neither
hat nor shoes, but their clothes were whole and clean. he youngest
appeared six or seven years old
--d623af8a1e68b77f6582a9ae4836e1aa--
.
SUBJECT: themselves7959 @ madebits.com
MESSAGE:
themselves7959 @ madebits.com
Message #5
After ten minutes, at 2006-Mar-06 11:08:23, the attacker is again impatient. He tries again. This time, guess what, he uses the only field left that he has not tried before: the MESSAGE itself. One never knows, web masters are sometimes really that dull. This time the attacker reuses his real email address from Message #2, terryford52@aol.com.
MESSAGE ID: [#1141664903]
IP: 217.19.54.75
BROWSER:
DATE: 2006-Mar-06 11:08:23
NAME: the4542 @ madebits.com
EMAIL: the4542 @ madebits.com
SUBJECT: the4542 @ madebits.com
MESSAGE:
rested
Content-Type: multipart/alternative;
boundarycc2f05d169656647dce441340c800b1
MIME-Version: 1.0
Subject: says all janiuses was unhappily
bcc: terryford52@aol.com
This is a multi-part message in MIME format.
--63c2f05d169656647dce441340c800b1
Content-Type: text/plain; charset=\"us-ascii\"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
the stranger, has almost a supernatural appearance when seen from the
water, on that fanciful and aeriel bridge. ow very unlucky, said the
olonel, that no accommodating fisherman places himself there for le bien
du spectacle. r. exter, said ady ingleton, would you be afraid to make
the attempt
--63c2f05d169656647dce441340c800b1--
.
Message #6
This is similar to Message #3 but with the real email address from Messages #2 and #5. The attacker is not sure any more. He understands the messages are getting lost, but he does not understand why. It was supposed to be simple. This has possibly worked before with other sites. The attacker just double-checks the SUBJECT field after ten minutes to make sure he has made no errors.
MESSAGE ID: [#1141664912]
IP: 70.32.173.100
BROWSER:
DATE: 2006-Mar-06 11:08:32
NAME: myself1521 @ madebits.com
EMAIL: myself1521 @ madebits.com
SUBJECT: her
Content-Type: multipart/alternative;
boundaryÔac0a1731aecc8b7218192b67f09a5e
MIME-Version: 1.0
Subject: aints eter and
bcc: terryford52@aol.com
This is a multi-part message in MIME format.
--d4ac0a1731aecc8b7218192b67f09a5e
Content-Type: text/plain; charset=\"us-ascii\"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
a side room, which was quite dark, there stood in a corner on the right
--d4ac0a1731aecc8b7218192b67f09a5e--
.
MESSAGE:
myself1521 @ madebits.com
Message #7
Half an hour later, no message has been delivered to his addresses. Just one more try, this time with no hacks, just a normal email to see what happens. No luck. Let's forget this web site for today.
MESSAGE ID: [#1141664950]
IP: 210.87.251.41
BROWSER:
DATE: 2006-Mar-06 11:09:10
NAME: explanation3529 @ madebits.com
EMAIL: explanation3529 @ madebits.com
SUBJECT: explanation3529 @ madebits.com
MESSAGE:
explanation3529 @ madebits.com
If the previous attempts had succeeded, a message similar to this one would have been received. However, because of the safe message processing code behind the web form, and from an additional analysis of the web server logs, it is known that this did not happen.
Day Two
The early bird catches the worm. On day one, the attack started at 2006-Mar-06 11:06:39 EST. On day two, the attacker started working at 2006-Mar-07 07:07:55 EST, four hours earlier than on the previous day. Day two basically repeats the same attack patterns as day one. The attacker wants to try once more, just to be sure. The web form looks so simple. It cannot be possible that it is resisting him so much.
Message #1
The attacker re-tries with the NAME field. The real email address here is a new one, Voiettag@aol.com.
MESSAGE ID: [#1141736875]
IP: 192.138.77.36
BROWSER:
DATE: 2006-Mar-07 07:07:55
NAME: hands
Content-Type: multipart/alternative;
boundary.70769a22fc0c2533640a0decbe2924
MIME-Version: 1.0
Subject: of little
bcc: Voiettag@aol.com
This is a multi-part message in MIME format.
--2e70769a22fc0c2533640a0decbe2924
Content-Type: text/plain; charset=\"us-ascii\"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
said he. hat voice have not heard for a year and a day replied the old
woman, and raised her head, as if she would see him with her dead eyes.
re not you ajor hostrup s tto ou
--2e70769a22fc0c2533640a0decbe2924--
.
EMAIL: but3999 @ madebits.com
SUBJECT: but3999 @ madebits.com
MESSAGE:
but3999 @ madebits.com
Message #2
The attacker re-tries with the EMAIL field only three minutes later. The real email address here is the same Voiettag@aol.com.
MESSAGE ID: [#1141737069]
IP: 208.44.246.70
BROWSER:
DATE: 2006-Mar-07 07:11:09
NAME: and7017 @ madebits.com
EMAIL: has
Content-Type: multipart/alternative;
boundary9b166ce7169e2539ad48de2954bb24
MIME-Version: 1.0
Subject: since have
bcc: Voiettag@aol.com
This is a multi-part message in MIME format.
--069b166ce7169e2539ad48de2954bb24
Content-Type: text/plain; charset=\"us-ascii\"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
strand in his district but this have never heard myself. ut with regard
to what is related of murdering, why, the fishermen
--069b166ce7169e2539ad48de2954bb24--
.
SUBJECT: and7017 @ madebits.com
MESSAGE:
and7017 @ madebits.com
Message #3
The attacker re-tries with the SUBJECT field. The real email address here is a new one, hollowiog1503@aol.com.
MESSAGE ID: [#1141737126]
IP: 192.138.77.36
BROWSER:
DATE: 2006-Mar-07 07:12:06
NAME: to1046 @ madebits.com
EMAIL: to1046 @ madebits.com
SUBJECT: then
Content-Type: multipart/alternative;
boundaryüc636cf3da79dc1586bf3fbf3e5b8c0
MIME-Version: 1.0
Subject: world directs its attention to one person
bcc: hollowiog1503@aol.com
This is a multi-part message in MIME format.
--fcc636cf3da79dc1586bf3fbf3e5b8c0
Content-Type: text/plain; charset=\"us-ascii\"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
is really put in prison, and will be taken to morrow to dense, to the
red house by the river. t is what she has deserved said tto. did not
bring it about. no answered einrich in a certain way we
--fcc636cf3da79dc1586bf3fbf3e5b8c0--
.
MESSAGE:
to1046 @ madebits.com
Message #4
The attacker gave up after only four tries on day two. This last one is the plain test with the standard email addresses. No luck with this web site, so forget it. Maybe another time.
MESSAGE ID: [#1141737235]
IP: 208.44.246.69
BROWSER:
DATE: 2006-Mar-07 07:13:55
NAME: danger2127 @ madebits.com
EMAIL: danger2127 @ madebits.com
SUBJECT: danger2127 @ madebits.com
MESSAGE:
danger2127 @ madebits.com
The IP Addresses
The attacker is probably a US citizen, as he uses a lot of AOL email addresses :). No one outside the USA has a high enough opinion of AOL to trust it for such a dirty business :).
Using the http:// www.geobytes.com/ IpLocator.htm? GetLocation site, some interesting data show up. The IPs seem to be other victim web sites used by the attacker, so it makes no sense to investigate them further. One of them is a US military web server. One of the IPs (D1M5) also has a valid HTTP server on port 80 with a suspicious web site.
| Day/Msg | IP | Details |
|---|---|---|
| D1M1 | 61.109.44.209 | |
| D1M2 | 192.138.77.36 | US, USAMITC, 2710 Howitzer Street, Bldg 2372, Ft Sam Houston, TX, US, Cliff Manis, +1-210-295-3175, 78234-5087, cliff.manis@amedd.army.mil - (http:// lacnic.net/ cgi-bin/ lacnic/ whois? lg=EN&query=192.138.77.36) |
| D1M3 | 192.165.223.227 | |
| D1M4 | 63.146.71.198 | Datapro, 19480 8th Street E, Sonoma, CA, 95479, RON THOMAS, +1-707-935-6316, (http:// lacnic.net/ cgi-bin/ lacnic/ whois? lg=EN&query=63.146.71.198) |
| D1M5 | 217.19.54.75 | http:// www.b2bautover.com/ index1024prd.php |
| D1M6 | 70.32.173.100 | Adelphia Cable Communications, 1 North Main Street, Coudersport, PA, 16915, US, Carolyn Kio, +1-888-512-5111 (http:// lacnic.net/ cgi-bin/ lacnic/ whois? lg=EN&query=70.32.173.100) |
| D1M7 | 210.87.251.41 | PCCW Business Internet Access, Hong-Kong (http:// lacnic.net/ cgi-bin/ lacnic/ whois? lg=EN&query=210.87.251.41) |
| D2M1 | 192.138.77.36 | same as D1M2 |
| D2M2 | 208.44.246.70 | MULTIMEDIA GAMES, 1000 JOHN ROGERS DR, BIRMINGHAM, AL, 35210, US, Adam Berliner, +1-512-334-7600 (http:// lacnic.net/ cgi-bin/ lacnic/ whois? lg=EN&query=208.44.246.70) |
| D2M3 | 192.138.77.36 | same as D1M2, D2M1 |
| D2M4 | 208.44.246.69 | same network as 208.44.246.70 - D2M2 |
How to be Protected
Simple character escaping will protect from this type of attack. The exact escaping depends on what is done with the submitted form data. For example, if the submitted data were saved to a relational database, the above attack would have no effect even without any escaping. In general, a few quick escaping tips apply in most cases (the list is by no means complete):
- Make sure single line fields, such as NAME or EMAIL, have no new lines or carriage returns in them.
- Make sure the length of the text in each field is appropriate for the field. Trim long text, or fail with an error message.
- Make sure single email address fields really contain a single email address and not more than one.
- Remove spaces from email address fields.
- Escape generic characters in non-email-address fields, depending on the technology used to manipulate the data. For example, for emails the at-sign @, :, ", -- could be escaped. For SQL databases, *, --, #, ', ", DELETE, DROP should be escaped in all input fields.
- To confuse the attacker, it is a good idea to escape both email and SQL special characters, even though only one type of data processing is used.
- When possible, add input-independent audit logging. For example, for every message, log or email some data that are independent of the input data.
- If possible, add a CAPTCHA. While a CAPTCHA gives no 100% security, it will keep off the average spammer. If you understand how CAPTCHAs are supposed to work, then a proper homemade one is better, if you can do it. Otherwise use some readily available CAPTCHA code from the web. It is better than using nothing.
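The checks in the list above, written out as an added example (in Python rather than the site's PHP; this is not the site's own code): it rejects line breaks and oversized text in the single-line fields, requires exactly one address in EMAIL, and records any mail header smuggled into any field, including the multi-line MESSAGE field where line breaks cannot simply be forbidden. The field limits, the example.com addresses and the rebuilt boundary= line are assumptions; the payload is reconstructed from Day One, Messages #1 and #5.

```python
import re

# Per-field limits for the hardened checks (assumed values; the article gives
# no numbers). NAME, EMAIL and SUBJECT are single-line fields.
SINGLE_LINE_FIELDS = {"NAME": 100, "EMAIL": 254, "SUBJECT": 200}
MESSAGE_MAX_LEN = 4000

# Strict "exactly one plain address" shape: no whitespace, one @, dotted
# domain. Too strict for every RFC-valid address, acceptable for a contact form.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

# Header names the attacker smuggled into form fields in the captures above.
# Matching only at line starts keeps "send a cc: to me" in a body from firing.
INJECTED_HEADER_RE = re.compile(
    r"^[ \t]*(bcc|cc|to|from|subject|content-type|mime-version"
    r"|content-transfer-encoding)[ \t]*:",
    re.IGNORECASE | re.MULTILINE,
)


def injected_headers(value):
    """Header names found at line starts of one submitted value, in order."""
    return [m.group(1).lower() for m in INJECTED_HEADER_RE.finditer(value)]


def check_submission(fields):
    """Validate a contact-form POST given as {field: raw text}.

    Returns (field, reason) pairs; an empty list means the data may go to the
    mailer. MESSAGE may span lines but is length-bounded and still scanned for
    smuggled headers, which is what the audit log should record.
    """
    problems = []
    for name, max_len in SINGLE_LINE_FIELDS.items():
        value = fields.get(name, "")
        if "\r" in value or "\n" in value:
            problems.append((name, "line break in single-line field"))
        if len(value) > max_len:
            problems.append((name, "too long"))
    email = fields.get("EMAIL", "")
    if " " in email:
        problems.append(("EMAIL", "contains spaces"))
    elif email.count("@") != 1 or not EMAIL_RE.match(email):
        problems.append(("EMAIL", "not a single valid address"))
    if len(fields.get("MESSAGE", "")) > MESSAGE_MAX_LEN:
        problems.append(("MESSAGE", "too long"))
    for name in (*SINGLE_LINE_FIELDS, "MESSAGE"):
        for header in injected_headers(fields.get(name, "")):
            problems.append((name, "smuggled header: " + header))
    return problems


# Constructed payload from Day One, Message #1: line breaks restored as CRLF,
# the boundary= line rebuilt from the closing delimiter shown on the page, the
# real addresses replaced by example.com placeholders.
BOUNDARY = "0efa9a026329de3a29cf176d357788ef"
PAYLOAD = (
    "Content-Type: multipart/alternative; boundary=\"" + BOUNDARY + "\"\r\n"
    "MIME-Version: 1.0\r\nSubject: sind an ambassadure don t know\r\n"
    "bcc: spammer@example.com\r\n\r\nThis is a multi-part message in MIME format.\r\n"
    "--" + BOUNDARY + "\r\nContent-Type: text/plain; charset=\"us-ascii\"\r\n"
    "MIME-Version: 1.0\r\nContent-Transfer-Encoding: 7bit\r\n\r\n"
    "he sees people around him gettin a good dale iv injyemint out iv gin\r\n"
    "--" + BOUNDARY + "--\r\n\r\n\r\n."
)
DAY1_MSG1 = {"NAME": "have6488@example.com", "EMAIL": "house\r\n" + PAYLOAD,
             "SUBJECT": "have6488@example.com", "MESSAGE": "have6488@example.com"}
# Same trick aimed at the multi-line MESSAGE field, as in Day One, Message #5.
DAY1_MSG5 = {"NAME": "the4542@example.com", "EMAIL": "the4542@example.com",
             "SUBJECT": "the4542@example.com", "MESSAGE": "rested\r\n" + PAYLOAD}
BENIGN = {"NAME": "Max Mustermann", "EMAIL": "max@web.de", "SUBJECT": ".NETZ",
          "MESSAGE": "Hi,\nsome text\nBest Regards"}
```

Rejecting a submission on any problem is the safe default; the MESSAGE case shows why the header scan is still worth logging even where a line break alone is not a reason to reject.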
Update: A New Attack
After this article was written, a new attack in the same style was attempted a few weeks later. This means either that the attacker has not seen this page, or that he is just trying his luck again. A 'no spam please' link that points to this page has now been added to the contact form page.
It is possible that the attacks are somehow automated, but this probability is very low, because the way the attacks are carried out is too irregular for an automated tool. The attacks are, however, also a bit dumb for a real person, but one never really knows :).
The message trials of the new attack are listed below for completeness, with the original dates and without any additional comments. The special characters used are shown as escaped by the security code of the contact form. The --- lines are added just to separate the messages.
--------------------------------------
MESSAGE ID: [#1148286211]
IP: 194.165.130.92
BROWSER:
DATE: 2006-May-Mon 03:23:31
NAME: my
Content-Type\: multipart/alternative;
boundaryd5779d3b64bb7
EMAIL: after9099(at)madebits.com
SUBJECT: after9099(at)madebits.com
MESSAGE:
after9099(at)madebits.com
--------------------------------------
MESSAGE ID: [#1148286198]
IP: 200.49.176.138
BROWSER:
DATE: 2006-May-Mon 03:23:18
NAME: said491(at)madebits.com
EMAIL: goin
Content-Type\: multipart/alternative;
boundary+b7b6a2db3d
SUBJECT: said491(at)madebits.com
MESSAGE:
said491(at)madebits.com
--------------------------------------
MESSAGE ID: [#1148286179]
IP: 204.157.6.109
BROWSER:
DATE: 2006-May-Mon 03:22:59
NAME: is2989(at)madebits.com
EMAIL: is2989(at)madebits.com
SUBJECT: the
Content-Type\: multipart/alternative;
boundaryd12d66b1169
MESSAGE:
is2989(at)madebits.com
--------------------------------------
MESSAGE ID: [#1148286146]
IP: 198.136.32.81
BROWSER:
DATE: 2006-May-Mon 03:22:26
NAME: ridrick
Content-Type\: multipart/alternative;
boundaryßa2ee60c
EMAIL: man8895(at)madebits.com
SUBJECT: man8895(at)madebits.com
MESSAGE:
man8895(at)madebits.com
--------------------------------------
MESSAGE ID: [#1148286127]
IP: 194.165.130.92
BROWSER:
DATE: 2006-May-Mon 03:22:07
NAME: as4(at)madebits.com
EMAIL: from
Content-Type\: multipart/alternative;
boundary´f6d3ec8164
SUBJECT: as4(at)madebits.com
MESSAGE:
as4(at)madebits.com
--------------------------------------
MESSAGE ID: [#1148286109]
IP: 66.223.204.38
BROWSER:
DATE: 2006-May-Mon 03:21:49
NAME: axles7543(at)madebits.com
EMAIL: axles7543(at)madebits.com
SUBJECT: axles7543(at)madebits.com
MESSAGE:
for
Content-Type\: multipart/alternative; boundary
4f7dd2fe004bc3751d2fdf5173744e
MIME-Version\: 1.0
Subject\: of thought in the open
bcc\: Deepawar(at)aol.com
This is a multi-part message in MIME format.
~204f7dd2fe004bc3751d2fdf5173744e
Content-Type\: text/plain; charset=\"us-ascii\"
MIME-Version\: 1.0
Content-Transfer-Encoding\: 7bit
tto. es, he understands languages, said the fisherman
and thus he
~204f7dd2fe004bc3751d2fdf5173744e~
.
--------------------------------------
MESSAGE ID: [#1148286049]
IP: 200.87.19.124
BROWSER:
DATE: 2006-May-Mon 03:20:49
NAME: mouths546(at)madebits.com
EMAIL: mouths546(at)madebits.com
SUBJECT: mouths546(at)madebits.com
MESSAGE:
mouths546(at)madebits.com
--------------------------------------
MESSAGE ID: [#1148286039]
IP: 165.229.192.48
BROWSER:
DATE: 2006-May-Mon 03:20:39
NAME: at7935(at)madebits.com
EMAIL: at7935(at)madebits.com
SUBJECT: may
Content-Type\: multipart/alternative;
boundaryyd3bfaf842e4
MESSAGE:
at7935(at)madebits.com
--------------------------------------
MESSAGE ID: [#1148286036]
IP: 165.229.192.48
BROWSER:
DATE: 2006-May-Mon 03:20:36
NAME: axles7543(at)madebits.com
EMAIL: axles7543(at)madebits.com
SUBJECT: axles7543(at)madebits.com
MESSAGE:
for
Content-Type\: multipart/alternative; boundary
4f7dd2fe004bc3751d2fdf5173744e
MIME-Version\: 1.0
Subject\: of thought in the open
bcc\: Deepawar(at)aol.com
This is a multi-part message in MIME format.
~204f7dd2fe004bc3751d2fdf5173744e
Content-Type\: text/plain; charset=\"us-ascii\"
MIME-Version\: 1.0
Content-Transfer-Encoding\: 7bit
tto. es, he understands languages, said the fisherman
and thus he
~204f7dd2fe004bc3751d2fdf5173744e~
--------------------------------------
MESSAGE ID: [#1148286335]
IP: 204.157.6.109
BROWSER:
DATE: 2006-May-Mon 03:25:35
NAME: at7935(at)madebits.com
EMAIL: at7935(at)madebits.com
SUBJECT: may
Content-Type\: multipart/alternative;
boundaryyd3bfaf842e4
MESSAGE:
at7935(at)madebits.com
--------------------------------------
What Others Say
Thank you for your wonderful article. I have recently had the same type of attack attempted on my site (with one of the same email addresses that you noted!). I had no idea this kind of spamming was taking place. After some research my fear was that I was missing something and this spammer was somehow using our comment form as an open relay. After reading your article I am secure in the fact that my validation has saved our site a world of grief. - Diana