Re: protecting against exploiting mail forms

To: debian-isp@lists.debian.org
Subject: Re: protecting against exploiting mail forms
From: Luiz Felipe <luiz@grupocarvalho.com.br>
Date: Sat, 19 Nov 2005 14:03:20 -0300
Message-id: <[🔎] 437F5AD8.5050507@grupocarvalho.com.br>
In-reply-to: <[🔎] 1425852874.20051119121720@onee.sk>
References: <[🔎] 1425852874.20051119121720@onee.sk>

Intersting idea from those guys who make spams. But here we go ;D

I think that if you strip carriage returns (\r) and liefeed (\n) fromthe fields may help, don't you agree?


Try this one, and, please, report what happened.

Good luck.

Marek Podmaka wrote:

Hello,

 recently one of our customers had a badly written php script for
 mail form and someone exploited this to send some spam. It is
 exploited by injecting entire mail (with additorial recipients) to
 From field - when script doesn't take care of additorial new lines.

 Detailed description of this attack can be found here:
 http://www.anders.com/cms/75/Crack.Attempt/Spam.Relay

 Is there any general solution? I was thinking about using
 mod_security, but I'm not sure which string to block - not to cause
 any false positives. The problem is I don't know form field's name,
 so I can test only value. Would "\nTo: " or "\nBcc: " be a good
 choice?


--
Atenciosamente,
Luiz Felipe de souza Gomes
Network Administrator

Reply to:

Follow-Ups:
- Re: protecting against exploiting mail forms
  - From: Marek Podmaka <marki@onee.sk>

References:
- protecting against exploiting mail forms
  - From: Marek Podmaka <marki@onee.sk>

Prev by Date: protecting against exploiting mail forms
Next by Date: Re: protecting against exploiting mail forms
Previous by thread: protecting against exploiting mail forms
Next by thread: Re: protecting against exploiting mail forms
Index(es):
- Date
- Thread