
robots roaming my site for email addresses

Status
Not open for further replies.

tippytarka

Programmer
Jul 19, 2004
115
GB
i put together a script on a web page that allows people to submit a question. their question is inserted into my database and an email notification is sent to me. a month ago i had removed this page link from my main menu so it was on the server but not visible to my site visitors, but today i received an email telling me that someone had submitted a question. this really scared me and here's the email that i received...

use Content-Type: multipart/alternative; boundary=29a3e9cc6b3cd91bc375752199e50b97 X-Mailer: CompuServe 7.0 for Windows US sub 10501 Subject: can be legally applied to such things as turkey ham bcc: adugg80@yahoo.com,dinotto2@aol.com,bboygrow@yahoo.com, ali_ajdari@msn.com,patriciakrah@mindspring.com,ljlkj@charter.net --29a3e9cc6b3cd91bc375752199e50b97 Content-Transfer-Encoding: base64 Content-Type: text/plain aGlzIGlzIHJlcHJvZHVjZWQsIHdvcmQgZm9yIHdvcmQsIGZyb20gdGhlIG9yaWdpbmFsIHNvdXJj ZSB3aXRoIGFkZGVkIG5vdGVkIGluIHBhcmVudGhlc2VzLiBpbmVnYXIgaXMgbm90IHR5cGljYWxs eSB1c2VkIGluIGhhbSBjdXJpbmcgaW4gdGhlIHByZXNlbnQgZGF5Likgb3IgZWFjaCBoYW0= --29a3e9cc6b3cd91bc375752199e50b97-- . would like to know...

message1: in1951@fightworldmag.com

message2: in1951@fightworldmag.com

message3: in1951@fightworldmag.com

email: in1951@fightworldmag.com

here's another one...

merica1017@fightworldmag.com would like to know...

message1: merica1017@fightworldmag.com

message2: merica1017@fightworldmag.com

message3: adhere Content-Transfer-Encoding: 8bit Content-Type: text/plain X-Mailer: NetMail ModWeb Module Subject: is the basin of the cc: rshurelds@tir.com cc: jguerrero@yahoo.com cc: bjlarge2000@uky.edu cc: zrlegolas@adelphia.net cc: topcopl2@aol.com cc: jurabals@cableone.net cc: davemojo@yahoo.com by the north winds coming from the high tips of ierra evada. eruel, cured at least 800 meters above sea level, with a c143c2fc84324f101da3683776eb9d9c .

email: merica1017@fightworldmag.com

can anyone shed some light on what these people are trying to do? as you can see they have collected some emails along the way. is it just a robot collecting emails or trying to do something more malicious? i'm confused why it would submit info on my form? what can i do to better protect myself?
 
I would suggest removing/renaming the script.

Spammers often use CGI or turnkey mailer scripts that websites put up through trial and error. The websites want the email sent to their admin, but sometimes the spammers can contort the incoming message to send to spam recipients instead.

D.E.R. Management - IT Project Management Consulting
 
people are trying to use your web form to send spam. they do this by exploiting weaknesses in the coding of web based contact forms.

for example if you were to include the email address entered into the form as the From address of the mail, this could be easily exploited

Code:
$from = $_POST['emailaddress'];   // taken straight from the form, unchecked
$comment = $_POST['comment'];
$to = "me@example.com";
// the fourth argument is the extra-headers string: whatever is in $from lands in it verbatim
mail ($to, "Test Subject", $comment, "From: $from");

this might look anodyne but consider if someone entered the following into the email address field
Code:
someaddress@example.com \r\nBcc: lotsofspamaddresses@example.com \r\nSubject: some subject \r\n\r\n lots of message content

unless your code was protecting against these injections, the text in the email address box would cause your mta to send the spam content to all the addresses listed in the box.

basic rule: never trust user input - parse it to hell and back before using it.
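As an added example (not code from the post above), here is what a mail transfer agent makes of that email-field text once it has been concatenated into the mail() header argument, beside the check that rejects it; the function names parseHeaders and isHeaderSafe are assumed:

```php
<?php
// Added example, not from the thread: shows how the email-field text quoted
// above becomes extra headers once it is concatenated into the mail() header
// argument, and the check that stops it. Function names are assumed.

// Split a raw header block the way a mail transfer agent does: one header per
// CRLF, the header section ends at the first blank line, the rest is body.
function parseHeaders($raw) {
	$parts = explode("\r\n\r\n", $raw, 2);
	$headers = array();
	foreach (explode("\r\n", $parts[0]) as $line) {
		if (strpos($line, ':') === false) {
			continue;
		}
		list($name, $value) = explode(':', $line, 2);
		$headers[trim($name)] = trim($value);
	}
	return array('headers' => $headers, 'body' => isset($parts[1]) ? trim($parts[1]) : '');
}

// The check: a value bound for a header must contain no CR and no LF at all.
// Rejecting rather than stripping is deliberate: a form that receives a line
// break inside an address field is not being filled in by a person.
function isHeaderSafe($value) {
	return preg_match('/[\r\n]/', $value) === 0;
}

// Constructed input: the string from the post above, typed into the email field.
$emailField = "someaddress@example.com \r\nBcc: lotsofspamaddresses@example.com \r\nSubject: some subject \r\n\r\n lots of message content";

// What the unchecked code hands to the MTA as its additional-headers argument.
$injected = parseHeaders("From: " . $emailField . "\r\n");
// $injected['headers'] now holds From, Bcc and Subject, and $injected['body']
// holds the spammer's text: the form owner controlled only "From:".
print_r($injected);

// The same value run through the check, beside a plain address.
var_dump(isHeaderSafe($emailField));
var_dump(isHeaderSafe("someaddress@example.com"));
```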
 
I had the same problem a while ago on a site which sends an email to the client and a confirmation email to the visitor. I cured the problem by including a security number, displayed in an image, which has to be entered into a field on the form.
No security number and the form is not processed.
I have a log file of the failed submissions and the attempted submissions make interesting reading.
One of these autobot things attempted over 100 submissions within a space of 20 seconds, each time using a different, fake, HTTP Referer, making barring the sender almost impossible.
An additional measure I included was to check that the email field contains only 1 '@' symbol thus limiting them to 1 email per submission.

Keith
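An added example (not Keith's code) that runs his two checks over a constructed submission log: the email field may hold exactly one '@' and no line break, and a burst of submissions inside a short window is flagged by client IP rather than by Referer, since the bot changed its Referer on every request. The log format, field names and the per-IP grouping are assumptions.

```php
<?php
// Added example, not from the thread: Keith's two checks applied to a
// constructed submission log. Format, fields and per-IP grouping are assumed.

// Constructed log lines: epoch<TAB>client ip<TAB>claimed referer<TAB>email field
$log = array(
	"1090230000\t203.0.113.5\thttp://example.org/ask\tvisitor@example.org",
	"1090230010\t198.51.100.9\thttp://one.example/\ta@example.net,b@example.net",
	"1090230011\t198.51.100.9\thttp://two.example/\tc@example.net\r\nBcc: d@example.net",
	"1090230012\t198.51.100.9\thttp://three.example/\te@example.net",
	"1090230013\t198.51.100.9\thttp://four.example/\tf@example.net",
	"1090230014\t198.51.100.9\thttp://five.example/\tg@example.net",
	"1090230400\t203.0.113.5\thttp://example.org/ask\tvisitor@example.org",
);

// Keith's rule: exactly one '@', so one submission can carry one address,
// plus no line break, so the value cannot grow extra mail headers.
function isSingleAddress($field) {
	return substr_count($field, '@') === 1 && preg_match('/[\r\n]/', $field) === 0;
}

// Flag any IP that sent $limit or more submissions inside $window seconds.
// Grouped by IP, not Referer: the Referer is whatever the client chooses to send.
function reviewLog(array $lines, $window = 20, $limit = 5) {
	$rejected = array();
	$timesByIp = array();
	foreach ($lines as $line) {
		list($ts, $ip, $referer, $email) = explode("\t", $line, 4); // $referer deliberately unused
		if (!isSingleAddress($email)) {
			$rejected[] = $line;
		}
		$timesByIp[$ip][] = (int) $ts;
	}
	$bursts = array();
	foreach ($timesByIp as $ip => $times) {
		sort($times);
		for ($i = 0; $i + $limit - 1 < count($times); $i++) {
			if ($times[$i + $limit - 1] - $times[$i] <= $window) {
				$bursts[$ip] = count($times);
				break;
			}
		}
	}
	return array('rejected' => $rejected, 'bursts' => $bursts);
}

print_r(reviewLog($log));
```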
 
tippytarka,

Like thedaver suggests - rename the script. You could replace it with a new script that redirects to a page of your desire. You could even try to log the visitor IPs if you wanna pursue this legally.

The first message header is multipart. I tried to base64_decode() the attachment, which reads

his is reproduced, word for word, from the original source with added noted in parentheses. inegar is not typically used in ham curing in the present day.) or each ham

;-) funny piece of text, there. Looks like it could come from a "real" user of the site?

By the way - are those the email addresses you received? If they are, I would advise you to remove this thread :)
 
you don't need to change the script names or anything. that does not solve the problem, it just delays its recurrence.

all you need do is improve the form parse code and mail sending. this is trivial and we can help you do it in this forum if you are not confident of getting it right yourself.

here is some code as a proof of concept
Code:
<?php
// proof of concept: every value that reaches a mail header is validated first,
// so a CR/LF typed into the email field never becomes an extra header
function showForm($msg = "") {

	// re-populate the form from the last submission, HTML-escaped so that
	// submitted text cannot inject markup into the page
	$senderEmailAddress = htmlspecialchars(isset ($_POST['senderEmailAddress']) ? $_POST['senderEmailAddress'] : "");
	$senderName = htmlspecialchars(isset ($_POST['senderName']) ? $_POST['senderName'] : "");
	$senderQuestion = htmlspecialchars(isset ($_POST['senderQuestion']) ? $_POST['senderQuestion'] : "");
	$action = htmlspecialchars($_SERVER['PHP_SELF']);

	echo <<<EOL
	<div id="message">$msg</div>
	<form method="post" action="$action">
	<fieldset>
	Your Name: <input type="text" name="senderName" value="$senderName" /><br/>
	Your Email Address: <input type="text" name="senderEmailAddress" value="$senderEmailAddress" /><br/>
	Your Question: <textarea name="senderQuestion">$senderQuestion</textarea><br/>
	<input type="reset" name="reset" value="Reset" /><input type="submit" name="submit" value="Submit" />
	</fieldset>
	</form>
EOL;
}
function validateInput(){
	$msg = "";
	//check for empty fields
	$mandatoryFields = array("senderEmailAddress"=>"You must provide an Email Address", "senderQuestion"=>"You have not asked a question");
	$emailAddressFields = array ("senderEmailAddress"=>"You have not provided a valid sender email address");
	foreach ($mandatoryFields as $mField=>$mMsg){
		if (empty($_POST[$mField])){
			$msg .= $mMsg . "<br/>";
		}
	}
	//check for a valid email address: the pattern allows no whitespace and no
	//CR/LF, so text such as "x@y.com\r\nBcc: ..." fails here and never reaches mail().
	//preg_match replaces the eregi() of the original (removed in later PHP versions);
	//the D modifier stops $ from matching before a trailing newline
	foreach ($emailAddressFields as $eAF=>$eAFMsg){
		$value = isset ($_POST[$eAF]) ? trim($_POST[$eAF]) : "";
		if (!preg_match('/^[[:alnum:]][a-z0-9_.-]*@[a-z0-9.-]+\.[a-z]{2,6}$/iD', $value)){
			$msg .= $eAFMsg . "<br/>";
		}
	}
	
	return (empty($msg)) ? TRUE : $msg;
}
function sendMail(){

	$to = "justin.adie@adieandco.com";
	$from = trim($_POST['senderEmailAddress']); //already validated: one address, no line breaks
	$name = trim($_POST['senderName']);         //only used in the body, so it cannot touch the headers
	$subject = "Question from Web Site";
	$question = trim($_POST['senderQuestion']);
	$time = date ("j M, Y H:i:s");
	$message = <<<EOL
A question was left at $time by $name (email address: $from).
The question was:
$question

EOL;
	//headers are separated by CRLF with no leading space: a space at the start
	//of a line would fold Return-Path into the From header
	$headers = "From: $from\r\nReturn-Path: $from\r\n";
	return (mail ($to, $subject, $message, $headers));
}
function showSuccessPage(){
	$_POST = array(); //clear the submitted values so the form is shown empty
	showForm("Your question has been successfully sent");
}

if (!isset($_POST['submit']))
{
	showForm();
}
elseif (($msg=validateInput()) !== TRUE)
{
	showForm($msg);
} 
else 
{
	$mail = sendMail();
	if ($mail === TRUE){
		showSuccessPage();
	} else {
		showForm("There has been an error uploading your question. Please try later");
	}
}
?>

of course, even easier, you could ensure that there is a hardcoded email address in the From header and lose the functionality of being able to press Reply in your email client!
 