Help Needed with Perl cgi script and spam problem

Discussion in 'Perl' started by Knute Johnson, Mar 18, 2006.

  1. I need some help finding the correct place to go to get specific help.
    We have a script that uses sendmail to send form data to the site owner.
    Last night somebody managed to use it to send thousands of spam
    emails. I need to find the right place to ask about the script to
    determine exactly how the attack was accomplished so we can fix the
    script. Any direction would be greatly appreciated.

    --

    Knute Johnson
    email s/nospam/knute/
     
    Knute Johnson, Mar 18, 2006
    #1

  2. Knute Johnson wrote:
    > I need some help finding the correct place to go to get specific help.
    > We have a script that uses sendmail to send form data to the site
    > owner. Last night somebody managed to use it to send thousands of spam
    > emails. I need to find the right place to ask about the script to
    > determine exactly how the attack was accomplished so we can fix the
    > script. Any direction would be greatly appreciated.


    Why don't you ask the author of the script?

    jue
     
    Jürgen Exner, Mar 18, 2006
    #2

  3. Jürgen Exner wrote:
    > Knute Johnson wrote:
    >> I need some help finding the correct place to go to get specific help.
    >> We have a script that uses sendmail to send form data to the site
    >> owner. Last night somebody managed to use it to send thousands of spam
    >> emails. I need to find the right place to ask about the script to
    >> determine exactly how the attack was accomplished so we can fix the
    >> script. Any direction would be greatly appreciated.

    >
    > Why don't you ask the author of the script?
    >
    > jue


    Because he doesn't know how it was attacked. I'm hoping there is
    somebody around here that would have a clue.

    --

    Knute Johnson
    email s/nospam/knute/
     
    Knute Johnson, Mar 18, 2006
    #3
  4. Knute Johnson <> writes:

    > I need some help finding the correct place to go to get specific help.
    > We have a script that uses sendmail to send form data to the site owner.
    > Last night somebody managed to use it to send thousands of spam
    > emails. I need to find the right place to ask about the script to
    > determine exactly how the attack was accomplished so we can fix the
    > script. Any direction would be greatly appreciated.


    If you want to ask questions in public then I would suggest one of
    comp.lang.perl* groups and/or comp.mail.sendmail.

    You may post short description of the problem and link to the source of
    the script (or the relevant part of the script).

    AFAIK the most typical problem is lack of sufficiently paranoid checks
    of parameters entered into forms before passing them to sendmail e.g.
    your script sends using "sendmail -t" (take recipient addresses from
    to:/cc: headers) and abusers use some other entries (e.g. *multiline*
    subject) to insert "extra" to:/cc: headers.

    P.S. Sorry if I grossly underestimated your computer skills.

    --
    [pl2en Andrew] Andrzej Adam Filip : :
    http://anfi.homeunix.net/
     
    Andrzej Adam Filip, Mar 18, 2006
    #4
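
Added example, not part of any post in this thread and not the poster's script: one way to close the hole described in post #4, by refusing any header field that contains a line break and by giving sendmail the recipient on the command line instead of using "sendmail -t". The form field names (email, subject, message), the $OWNER address, the sendmail path and the 200-character cap are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Fixed recipient set by the site owner, never taken from the form (assumed value).
my $OWNER = 'owner@example.invalid';

# Return the value if it is safe on a single header line, otherwise undef.
# A CR or LF would let the value begin a new header line, so reject it outright.
sub header_value {
    my ($value) = @_;
    return undef unless defined $value;
    return undef if $value =~ /[\r\n]/;
    return undef if length($value) > 200;       # arbitrary cap (assumption)
    return $value;
}

# Build the message text, or return undef if any header field is rejected.
sub build_message {
    my (%form) = @_;
    my $from    = header_value($form{email});
    my $subject = header_value($form{subject});
    return undef unless defined $from && defined $subject;
    # Deliberately strict address shape; \z (not $) forbids a trailing newline.
    return undef unless $from =~ /\A[\w.+-]+\@[\w-]+(?:\.[\w-]+)+\z/;
    my $body = defined $form{message} ? $form{message} : '';
    $body =~ s/\r\n?/\n/g;      # the body may be multiline: it follows the blank line
    return "To: $OWNER\nReply-To: $from\nSubject: $subject\n\n$body\n";
}

# Hand the message to sendmail without -t: recipients come from argv, not from
# headers. List-form open means no shell ever parses the arguments.
sub send_message {
    my ($message) = @_;
    open(my $mail, '|-', '/usr/sbin/sendmail', '-oi', '--', $OWNER)
        or die "cannot run sendmail: $!";
    print {$mail} $message;
    close($mail) or die "sendmail failed: $?";
}

# Constructed sample inputs: an ordinary form and one with a multiline subject.
my %ok  = (email => 'visitor@example.invalid', subject => 'Question', message => "Hi\nthere");
my %bad = (%ok, subject => "Question\nBcc: third-party\@example.invalid");
for my $form (\%ok, \%bad) {
    my $msg = build_message(%$form);
    print defined $msg ? "accepted:\n$msg\n" : "rejected: unsafe header field\n";
}
```

The demo loop only builds and prints messages; send_message is defined but not called, so the script runs without a mail system installed.
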
  5. Andrzej Adam Filip wrote:
    > Knute Johnson <> writes:
    >
    > AFAIK the most typical problem is lack of sufficiently paranoid checks
    > of parameters entered into forms before passing them to sendmail e.g.
    > your script sends using "sendmail -t" (take recipient addresses from
    > to:/cc: headers) and abusers use some other entries (e.g. *multiline*
    > subject) to insert "extra" to:/cc: headers.


    I'm pretty sure that is how it was done but I really need to know
    exactly how to do it so I can fix the code to prevent it.

    > P.S. Sorry if I grossly underestimated your computer skills.


    This is one subject I don't know much about so I would appreciate as
    detailed a description as you can give me.

    Thanks,

    --

    Knute Johnson
    email s/nospam/knute/
     
    Knute Johnson, Mar 18, 2006
    #5
  6. Knute Johnson

    Mark Hobley Guest

    Knute Johnson <> wrote:
    >
    > I'm pretty sure that is how it was done but I really need to know
    > exactly how to do it so I can fix the code to prevent it.


    http://markhobley.yi.org:8000/CGISecurity

    Regards,

    Mark.

    --
    Mark Hobley
    393 Quinton Road West
    QUINTON
    Birmingham
    B32 1QE

    Telephone: (0121) 247 1596
    International: 0044 121 247 1596

    Email: markhobley at hotpop dot donottypethisbit com

    http://markhobley.yi.org/
     
    Mark Hobley, Mar 18, 2006
    #6
  7. Knute Johnson

    Guest

    Knute Johnson <> wrote:
    > Andrzej Adam Filip wrote:
    >> Knute Johnson <> writes:


    >> AFAIK the most typical problem is lack of sufficiently paranoid checks
    >> of parameters entered into forms before passing them to sendmail e.g.
    >> your script sends using "sendmail -t" (take recipient addresses from
    >> to:/cc: headers) and abusers use some other entries (e.g. *multiline*
    >> subject) to insert "extra" to:/cc: headers.


    > I'm pretty sure that is how it was done but I really need to know
    > exactly how to do it so I can fix the code to prevent it.


    How on earth do you expect people to tell you *exactly* how to fix
    an unseen script and without having access to the details of the
    spam generated?

    I suggest hiring a Perl programmer and/or switching to a more reliable
    script.

    Axel
     
    , Mar 19, 2006
    #7
  8. wrote:
    >>> AFAIK the most typical problem is lack of sufficiently paranoid checks
    >>> of parameters entered into forms before passing them to sendmail e.g.
    >>> your script sends using "sendmail -t" (take recipient addresses from
    >>> to:/cc: headers) and abusers use some other entries (e.g. *multiline*
    >>> subject) to insert "extra" to:/cc: headers.

    >
    >> I'm pretty sure that is how it was done but I really need to know
    >> exactly how to do it so I can fix the code to prevent it.

    >
    > How on earth do you expect people to tell you *exactly* how to fix
    > an unseen script and without having access to the details of the
    > spam generated?
    >
    > Axel


    Well Axel, if you had really read my post, I wasn't asking for somebody
    to fix it but asking how they are attacked so I could fix it.

    --

    Knute Johnson
    email s/nospam/knute/
     
    Knute Johnson, Mar 19, 2006
    #8
  9. Knute Johnson

    Mark Hobley Guest

    Knute Johnson <> wrote:

    > Well Axel, if you had really read my post, I wasn't asking for somebody
    > to fix it but asking how they are attacked so I could fix it.


    The method of attack depends on the weakness in the script; we would need to
    see it to comment on this.

    Read up on "CGI Security" to get an idea of the different methods that could
    have been used.

    Regards,

    Mark.

    --
    Mark Hobley
    393 Quinton Road West
    QUINTON
    Birmingham
    B32 1QE

    Telephone: (0121) 247 1596
    International: 0044 121 247 1596

    Email: markhobley at hotpop dot donottypethisbit com

    http://markhobley.yi.org/
     
    Mark Hobley, Mar 20, 2006
    #9
  10. Knute Johnson

    Guest

    Knute Johnson <> wrote:
    > wrote:
    >>>> AFAIK the most typical problem is lack of sufficiently paranoid checks
    >>>> of parameters entered into forms before passing them to sendmail e.g.
    >>>> your script sends using "sendmail -t" (take recipient addresses from
    >>>> to:/cc: headers) and abusers use some other entries (e.g. *multiline*
    >>>> subject) to insert "extra" to:/cc: headers.


    >>> I'm pretty sure that is how it was done but I really need to know
    >>> exactly how to do it so I can fix the code to prevent it.


    >> How on earth do you expect people to tell you *exactly* how to fix
    >> an unseen script and without having access to the details of the
    >> spam generated?


    > Well Axel, if you had really read my post, I wasn't asking for somebody
    > to fix it but asking how they are attacked so I could fix it.


    The same applies... how do you expect people to figure that out without
    knowledge of the script and details of the spam? There are some very
    old vulnerable scripts out there on the net which will accept all
    kinds of parameters which can be used as possible hooks into generating
    spam.

    If you were to give the name of the script and a reference to the source,
    then probably you would get far better responses other than general
    advice on how to prevent spamming CGI mail scripts.

    For example... useful details would be what was the spam? All to
    the same form indicating a denial of service attack; using Cc: and
    Bcc: fields to send mail elsewhere; trying to spam multiple addresses
    at your domain?

    Axel
     
    , Mar 20, 2006
    #10
  11. wrote:
    >
    > For example... useful details would be what was the spam? All to
    > the same form indicating a denial of service attack; using Cc: and
    > Bcc: fields to send mail elsewhere; trying to spam multiple addresses
    > at your domain?
    >
    > Axel


    Again, Axel, you didn't read the post. I stated that a lot of emails
    were sent. I asked where to go to get information on how these things
    are done so that I could fix my own script. In any case somebody on
    another list pointed me to a site that explains the header injection
    method of spamming. That is what I was looking for. If you have any
    further information on how to perform header injection please post a reply.

    Thanks,

    --

    Knute Johnson
    email s/nospam/knute/
     
    Knute Johnson, Mar 21, 2006
    #11
  12. Knute Johnson

    Joe Smith Guest

    Knute Johnson wrote:

    > Again, Axel, you didn't read the post.


    I read your post - it did not include enough information.

    > I stated that a lot of emails were sent.


    Insufficient information. What type? Identical "From:" or "Subject:"?
    Was "Cc:" or "Bcc:" used? Were the bodies identical or random gibberish?

    > I asked where to go to get information on how these things are done


    That request is way too vague to be answered. Perhaps if you had
    worded it as "how can I learn about security in web programming"
    instead of "tell me how to fix my script" it would have gotten
    better results.

    > so that I could fix my own script.


    Well, we could point you to general sites discussing considerations
    on security when writing CGI programs, but that would not be
    specific to your own script. Again, it is "general knowledge" versus
    "fix it".

    > If you have any further information on how to perform header injection please post a reply.


    If you've seen one way, that pretty much covers it.
    -Joe
     
    Joe Smith, Mar 22, 2006
    #12