interesting spammer trick

while converting a database of mailinglist addresses from one format to another (moving a user from an old ezine application to a newer one), I discovered some entries like the following one in the database:

INSERT INTO ez_addressbook VALUES (19485,16,’ftqilhf@uwalk.ie\nContent-Type: multipart/mixed; boundary=\\\”===============0469157119==\\\”\nMIME-Version: 1.0\nSubject: 47dea9d\nTo: ftqilhf@uwalk.ie\nbcc: jrubin3546@aol.com\nFrom: ftqilhf@uwalk.ie\n\nThis is a multi-part message in MIME format.\n\n–===============0469157119==\nContent-Type: text/plain; charset=\\\”us-ascii\\\”\nMIME-Version: 1.0\nContent-Transfer-Encoding: 7bit\n\nkboxczb\n–===============0469157119==–\n’,’ftqilhf@uwalk.ie\nContent-Type: multipart/mixed; boundary=\\\”===============0469157119==\\\”\nMIME-Version: 1.0\nSubject: 47dea9d\nTo: ftqilhf@uwalk.ie\nbcc: jrubin3546@aol.com\nFrom: ftqilhf@uwalk.ie\n\nThis is a multi-part message in MIME format.\n\n–===============0469157119==\nContent-Type: text/plain; charset=\\\”us-ascii\\\”\nMIME-Version: 1.0\nContent-Transfer-Encoding: 7bit\n\nkboxczb\n–===============0469157119==–\n’,”);

In the above row, the third field is the email address. It seems that, when faced with a form requesting an email address, a spam-bot will enter the above devious code. Then, when the ezine engine sends out either a confirmation request, or a real email, the spam will be sent instead.

So, how do you filter that out? Easy – just ensure that the submitted form contains a valid email in the email field.

Very devious…

2 Comments.

  1. Most of the spammers will include a valid email in the “to” part. It’s all the other junk they shove in that causes problems.

  2. “\n” is the problem; it (or \n) should not be permitted.  I cowrote an advisory regarding FormMail.pl a couple of years ago which detailed a number of vulnerabilities along these lines btw. 

%d bloggers like this: