[ic] Mail forms under attack!!

Daniel Davenport DDavenport at newagedigital.com
Thu Jan 19 22:48:15 EST 2006


> -----Original Message-----
> From: interchange-users-bounces at icdevgroup.org
> [mailto:interchange-users-bounces at icdevgroup.org] On Behalf Of Kevin Walsh
> Sent: 2006 January 18 -- Wednesday 8:45 PM
> To: interchange-users at icdevgroup.org
> Subject: Re: [ic] Mail forms under attack!!
>
> maillists <lists at gmnet.net> wrote:
> > Thanks for your reply! The spam is targeted at OTHERS!! (makes me
> > really upset!) My sendmail/Mailscanner is not a relay. Only localhost
> > (apache) can send mail.
> >
> > I realize that this might not really be an Interchange thing, so I
> > have posted for help on other lists as well. I'm not even sure that it
> > is a problem with the mail forms, but I want to tighten them up as
> > much as possible.
> >
> > I am using Redhat Linux, IC5.4, Mailscanner, and Sendmail. This is a
> > new line item in my daily Logwatch that just started to appear:
> >
> > <snip>
> > Authentication warnings:
> >     apache set sender to info at gmnet.net using -f: 7 Times(s)
> > </snip>
> > (info at gmnet.net is a real user on my sys.)
> >
> > Any help would be really appreciated. Until then, I am keeping a close
> > eye on my mqueue and even shutting down sendmail when needed...
> >
> > Sorry if any of you are getting spam from this... Yesterday I got over
> > 23,000 undeliverables in my inbox...
> >
> Spam could be sent from your form if you don't sanitise your
> input CGI variables prior to passing them to the [email] tag.
> For instance, if a variable has an embedded CR character
> then that could be used to provide extra email headers, such
> as CC or BCC.

Also keep in mind, any form mailer that has the "To" address in a CGI
field is by its very nature prone to abuse.  The destination address
should _never_ be directly settable by the user; if you must make the
address selectable, at least check it against a short list of allowed

For reference....just because the field is hidden in a form, that
doesn't mean that it can't be set at will by a hacker or by a bot
designed to abuse email-us pages.  If you already know who the email
will go to, it's better to set the address as a scratch variable -- or
even hard-code it into the page -- than to allow Joe User the chance to
hijack your contact form.

I haven't seen the form in question, so this is all just a cautionary
note.  I've just seen way too many form mailers and contact pages that
had similar weaknesses.

Daniel Davenport
New Age Digital
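
The two checks discussed in this message, as an added example that is not part of the original post and is not Interchange code: the destination comes from a server-side allowlist keyed by a short form value, and any field that ends up in a header is rejected if it contains CR, LF or another control character. The field names (`dept`, `email`, `subject`, `message`) and the example.com addresses are assumptions made for illustration.

```python
import re
from email.message import EmailMessage

# Constructed allowlist: the form submits a short key, never an address.
RECIPIENTS = {
    "sales": "sales@example.com",
    "support": "support@example.com",
}

CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")  # includes CR and LF
ADDRESS = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


class RejectedForm(ValueError):
    """Raised when a submission must not be turned into mail."""


def header_value(name, value, limit=200):
    # Reject rather than strip: a control character in a header field
    # means the submission is not an ordinary browser form post.
    if len(value) > limit or CONTROL_CHARS.search(value):
        raise RejectedForm(f"illegal characters or length in {name}")
    return value.strip()


def build_contact_message(form):
    """Build the outgoing mail from a dict of submitted CGI fields."""
    # Any 'to'/'cc'/'bcc' field in the submission is never consulted.
    to_addr = RECIPIENTS.get(form.get("dept", ""))
    if to_addr is None:
        raise RejectedForm("unknown department")

    reply_to = header_value("email", form.get("email", ""))
    if not ADDRESS.fullmatch(reply_to):
        raise RejectedForm("visitor address is not a single mailbox")

    msg = EmailMessage()
    msg["From"] = "webform@example.com"   # fixed sender, not user input
    msg["To"] = to_addr                   # chosen by the server
    msg["Reply-To"] = reply_to
    msg["Subject"] = header_value("subject", form.get("subject", ""))
    msg.set_content(form.get("message", ""))  # body may contain newlines
    return msg
```
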
