Help Needed with Perl cgi script and spam problem


Knute Johnson

I need some help finding the correct place to go to get specific help.
We have a script that uses sendmail to send form data to the site owner.
Last night somebody managed to use it to send thousands of spam
emails. I need to find the right place to ask about the script to
determine exactly how the attack was accomplished so we can fix the
script. Any direction would be greatly appreciated.

Jürgen Exner

Knute said:
> I need some help finding the correct place to go to get specific help.
> We have a script that uses sendmail to send form data to the site
> owner. Last night somebody managed to use it to send thousands of spam
> emails. I need to find the right place to ask about the script to
> determine exactly how the attack was accomplished so we can fix the
> script. Any direction would be greatly appreciated.

Why don't you ask the author of the script?

jue

Knute Johnson

Jürgen Exner said:
> Why don't you ask the author of the script?
>
> jue

Because he doesn't know how it was attacked. I'm hoping there is
somebody around here that would have a clue.

Andrzej Adam Filip

Knute Johnson said:
> I need some help finding the correct place to go to get specific help.
> We have a script that uses sendmail to send form data to the site owner.
> Last night somebody managed to use it to send thousands of spam
> emails. I need to find the right place to ask about the script to
> determine exactly how the attack was accomplished so we can fix the
> script. Any direction would be greatly appreciated.

If you want to ask questions in public then I would suggest one of
comp.lang.perl* groups and/or comp.mail.sendmail.

You may post a short description of the problem and a link to the source of
the script (or the relevant part of the script).

AFAIK the most typical problem is lack of sufficiently paranoid checks
of parameters entered into forms before passing them to sendmail e.g.
your script sends using "sendmail -t" (take recipient addresses from
to:/cc: headers) and abusers use some other entries (e.g. *multiline*
subject) to insert "extra" to:/cc: headers.

P.S. Sorry if I grossly underestimated your computer skills.
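As an added illustration of the fix Andrzej is pointing at (this is example code, not the unposted script from the thread): header fields are refused if they span more than one line, the visitor's address only ever goes into Reply-To, and the owner's address is handed to sendmail on the command line instead of relying on "-t". The owner address, the sendmail path and the already-parsed form hash are assumptions.

```perl
use strict;
use warnings;

my $OWNER = 'owner@example.com';   # site owner's address (placeholder)
# A header value must be one line: a CR or LF inside e.g. Subject: makes
# sendmail read whatever follows as further headers.
sub header_value_is_safe {
    my ($value) = @_;
    return (defined $value && $value !~ /[\r\n]/) ? 1 : 0;
}

# Conservative shape check for the visitor's reply address.
sub address_is_safe {
    my ($addr) = @_;
    return (defined $addr
        && $addr =~ /\A[A-Za-z0-9._%+-]+\@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+\z/) ? 1 : 0;
}

# Build the message; die on anything that could alter the headers.
# Only the body may span lines, and it sits below the blank separator.
sub build_message {
    my (%form) = @_;
    for my $field (qw(name email subject)) {
        die "$field: missing or spans more than one line\n"
            unless header_value_is_safe($form{$field});
    }
    die "email: not a plain address\n" unless address_is_safe($form{email});
    return join "\n", "To: $OWNER", "From: $OWNER",   # visitor only in Reply-To
        "Reply-To: $form{email}", "Subject: [contact form] $form{subject}",
        "", "Name: $form{name}", "", ($form{body} // ''), "";
}

# Recipient on the command line instead of "-t", so nothing in the message
# changes who it goes to. List-form open avoids the shell; -oi keeps a lone
# "." line from ending the input early.
sub send_to_owner {
    my ($msg) = @_;
    open my $mail, '|-', '/usr/sbin/sendmail', '-oi', $OWNER
        or die "cannot run sendmail: $!";
    print {$mail} $msg;
    close $mail or die "sendmail exited with status $?\n";
}

# Constructed sample: a Subject with an embedded line break, as described
# in the post above. It is rejected before sendmail is ever started.
my %form = (name => 'Visitor', email => 'visitor@example.org',
            subject => "Hello\nCc: extra\@example.net", body => 'Hi');
my $msg = eval { build_message(%form) };
print +($@ ? "rejected: $@" : "would send:\n$msg\n");
```

The sample run only builds the message; a real script would call send_to_owner($msg) after build_message returns without dying.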

Knute Johnson

Andrzej said:
> AFAIK the most typical problem is lack of sufficiently paranoid checks
> of parameters entered into forms before passing them to sendmail e.g.
> your script sends using "sendmail -t" (take recipient addresses from
> to:/cc: headers) and abusers use some other entries (e.g. *multiline*
> subject) to insert "extra" to:/cc: headers.

I'm pretty sure that is how it was done but I really need to know
exactly how to do it so I can fix the code to prevent it.
> P.S. Sorry if I grossly underestimated your computer skills.

This is one subject I don't know much about so I would appreciate as
detailed a description that you can give me.

Thanks,

axel

> I'm pretty sure that is how it was done but I really need to know
> exactly how to do it so I can fix the code to prevent it.

How on earth do you expect people to tell you *exactly* how to fix
an unseen script and without having access to the details of the
spam generated?

I suggest hiring a Perl programmer and/or switching to a more reliable
script.

Axel

Knute Johnson

> How on earth do you expect people to tell you *exactly* how to fix
> an unseen script and without having access to the details of the
> spam generated?
>
> Axel

Well Axel, if you had really read my post, I wasn't asking for somebody
to fix it but asking how they are attacked so I could fix it.

Mark Hobley

Knute Johnson said:
> Well Axel, if you had really read my post, I wasn't asking for somebody
> to fix it but asking how they are attacked so I could fix it.

The method of attack depends on the weakness in the script, we would need to
see it to comment on this.

Read up on "CGI Security" to get an idea of the different methods that could
have been used.

Regards,

Mark.

--
Mark Hobley
393 Quinton Road West
QUINTON
Birmingham
B32 1QE

Telephone: (0121) 247 1596
International: 0044 121 247 1596

Email: markhobley at hotpop dot donottypethisbit com

http://markhobley.yi.org/

axel

> Well Axel, if you had really read my post, I wasn't asking for somebody
> to fix it but asking how they are attacked so I could fix it.

The same applies... how do you expect people to figure that out without
knowledge of the script and details of the spam? There are some very
old vulnerable scripts out there on the net which will accept all
kinds of parameters which can be used as possible hooks into generating
spam.

If you were to give the name of the script and a reference to the source,
then probably you would get far better responses other than general
advice on how to prevent spamming CGI mail scripts.

For example... useful details would be what was the spam? All to
the same form indicating a denial of service attack; using Cc: and
Bcc: fields to send mail elsewhere; trying to spam multiple addresses
at your domain?

Axel

Knute Johnson

> For example... useful details would be what was the spam? All to
> the same form indicating a denial of service attack; using Cc: and
> Bcc: fields to send mail elsewhere; trying to spam multiple addresses
> at your domain?
>
> Axel

Again, Axel, you didn't read the post. I stated that a lot of emails
were sent. I asked where to go to get information on how these things
are done so that I could fix my own script. In any case somebody on
another list pointed me to a site that explains the header injection
method of spamming. That is what I was looking for. If you have any
further information on how to perform header injection please post a reply.

Thanks,

Joe Smith

Knute said:
> Again, Axel, you didn't read the post.

I read your post - it did not include enough information.

> I stated that a lot of emails were sent.

Insufficient information. What type? Identical "From:" or "Subject:"?
Was "Cc:" or "Bcc:" used? Were the bodies identical or random gibberish?

> I asked where to go to get information on how these things are done

That request is way too vague to be answered. Perhaps if you had
worded it as "how can I learn about security in web programming"
instead of "tell me how to fix my script" it would have gotten
better results.

> so that I could fix my own script.

Well, we could point you to general sites discussing considerations
on security when writing CGI programs, but that would not be
specific to your own script. Again, it is "general knowledge" versus
"fix it".

> If you have any further information on how to perform header injection please post a reply.

If you've seen one way, that pretty much covers it.
-Joe
 