[ic] Mail forms under attack!!
DDavenport at newagedigital.com
Thu Jan 19 22:48:15 EST 2006
> -----Original Message-----
> From: interchange-users-bounces at icdevgroup.org
> [mailto:interchange-users-bounces at icdevgroup.org] On Behalf
> Of Kevin Walsh
> Sent: 2006 January 18 -- Wednesday 8:45 PM
> To: interchange-users at icdevgroup.org
> Subject: Re: [ic] Mail forms under attack!!
> maillists <lists at gmnet.net> wrote:
> > Thanks for your reply! The spam is targeted at OTHERS!! (makes me
> > really upset!) My sendmail/Mailscanner is not a relay. Only localhost
> > (apache) can send mail.
> > I realize that this might not really be an Interchange thing, so I
> > have posted for help on other lists as well. I'm not even sure that it
> > is a problem with the mail forms, but I want to tighten them up as
> > much as possible.
> > I am using Redhat Linux, IC5.4, Mailscanner, and Sendmail. This is a
> > new line item in my daily Logwatch that just started to appear:
> > <snip>
> > Authentication warnings:
> > apache set sender to info at gmnet.net using -f: 7 Times(s)
> > </snip>
> > (info at gmnet.net is a real user on my sys.)
> > Any help would be really appreciated. Until then, I am keeping a close
> > eye on my mqueue and even shutting down sendmail when needed...
> > Sorry if any of you are getting spam from this... Yesterday I got over
> > 23,000 undeliverables in my inbox...
> Spam could be sent from your form if you don't sanitise your
> input CGI variables prior to passing them to the [email] tag.
> For instance, if a variable has an embedded CR character
> then that could be used to provide extra email headers, such
> as CC or BCC.
Also keep in mind, any form mailer that has the "To" address in a CGI
field is by its very nature prone to abuse. The destination address
should _never_ be directly settable by the user; if you must make the
address selectable, at least check it against a short list of allowed
For reference... just because the field is hidden in a form, that
doesn't mean that it can't be set at will by a hacker or by a bot
designed to abuse email-us pages. If you already know who the email
will go to, it's better to set the address as a scratch variable -- or
even hard-code it into the page -- than to allow Joe User the chance to
hijack your contact form.
I haven't seen the form in question, so this is all just a cautionary
note. I've just seen way too many form mailers and contact pages that
had similar weaknesses.
New Age Digital
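The two points raised in this thread (CR/LF in a CGI field turning into extra mail headers, and a client-settable "To" field) are illustrated below as an added example that is not part of the original posts and is not Interchange code. It is written in Python for illustration; the field names (`dept`, `email`, `subject`, `body`), the addresses and the function names are assumptions made up for this example.

```python
import re
from email.message import EmailMessage

# Assumption: the form sends a short key, never an address. Constructed samples.
ALLOWED_RECIPIENTS = {
    "sales": "sales@example.com",
    "support": "support@example.com",
}
SERVER_SENDER = "webform@example.com"   # fixed server-side, never from the form
ADDR_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
CTRL_RE = re.compile(r"[\x00-\x1f\x7f]")  # CR, LF and other control characters


class RejectedForm(ValueError):
    """Raised when a submission must not be turned into mail."""


def header_value(name, value, limit=200):
    """Return value if it is safe to place in a mail header, else raise."""
    if len(value) > limit or CTRL_RE.search(value):
        raise RejectedForm(f"illegal characters or length in {name}")
    return value.strip()


def build_message(form):
    """Build mail from a dict of CGI fields; any client 'to' field is ignored."""
    key = form.get("dept", "")
    if key not in ALLOWED_RECIPIENTS:
        raise RejectedForm("unknown recipient key")
    reply_to = header_value("email", form.get("email", ""))
    if not ADDR_RE.match(reply_to):          # one mailbox only, no comma lists
        raise RejectedForm("reply address is not a single mailbox")
    msg = EmailMessage()
    msg["From"] = SERVER_SENDER
    msg["To"] = ALLOWED_RECIPIENTS[key]      # looked up, not copied from input
    msg["Reply-To"] = reply_to
    msg["Subject"] = "Web form: " + header_value("subject", form.get("subject", ""))
    msg.set_content(form.get("body", ""))    # body text may contain newlines
    return msg
```

Rejecting a submission outright, rather than stripping the CR/LF and sending anyway, also gives a clean event to log and count when a form is being probed.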