nauticalmac
I'm using CDO to send mail to the site owner from ASP pages with forms.
Recently one of my forms is occasionally sending email with what seems
to be an insertion which is replacing the plain text part of the email
with something else. Looking at the server sent email source, the
hacked emails have the following:
This is a multi-part message in MIME format.
------=_NextPart_000_0001_01C60610.91D1FFA0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: base64
QmVsb3cgaXMgdGhlIHJlc3VsdCBvZiB5b3VyIHJlcXVlc3QgZm9yIGluZm8gZm9ybS4...etc
.....................S0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0NCi0tLQ0K
------=_NextPart_000_0001_01C60610.91D1FFA0
Content-Type: text/html
Content-Transfer-Encoding: 8bit
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
.......the correct html content
On a non-hacked email the content is:
This is a multi-part message in MIME format.
------=_NextPart_000_0001_01C5FD9B.47C9C190
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Below is the result of your request......
.........the correct plain text content
------=_NextPart_000_0001_01C5FD9B.47C9C190
Content-Type: text/html
Content-Transfer-Encoding: 7bit
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
.......the correct html content
How can I prevent this happening?
What is the evil hacker attempting to include?
Apart from the submitter's email address and links to a Chinese site,
all the rest of the characters in the submission are non-English
(irrelevant no doubt).
I am changing the form to include a server-generated value which will
make it harder for this to be done by posting to the page without going
to the form first. I am clipping all form entries to reasonable sizes.
What can I look for in or strip from the form submission to decide to
trash the attempt?
Colin
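An added example, not part of Colin's post (Python, for offline triage of the mail source): it decodes the two base64 fragments visible in the text/plain part quoted above and screens a form field for the two traits the post reports, non-English characters and links. The function names and the ASCII-only, no-links policy are assumptions to adapt to the site.

```python
import base64
import re

# Fragments copied from the flagged text/plain part in the post. The post
# elides the middle of the base64 body, so head and tail are decoded apart.
HEAD = "QmVsb3cgaXMgdGhlIHJlc3VsdCBvZiB5b3VyIHJlcXVlc3QgZm9yIGluZm8gZm9ybS4"
TAIL = "S0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0NCi0tLQ0K"

# Assumed policy: the site expects plain English text without links.
URL_RE = re.compile(r"https?://|www\.", re.IGNORECASE)


def decode_head(fragment: str) -> bytes:
    """Decode base64 whose start is intact but whose end was cut off."""
    if len(fragment) % 4 == 1:        # one stray character carries no full byte
        fragment = fragment[:-1]
    return base64.b64decode(fragment + "=" * (-len(fragment) % 4))


def decode_tail(fragment: str) -> bytes:
    """Decode base64 whose end is intact: align 4-character groups from the end."""
    return base64.b64decode(fragment[len(fragment) % 4:])


def screen_field(value: str, max_urls: int = 0) -> list[str]:
    """Return reasons to reject one submitted field (empty list means accept)."""
    reasons = []
    # Anything outside printable 7-bit ASCII (CR, LF and TAB are allowed).
    odd = sum(1 for ch in value
              if ord(ch) > 126 or (ord(ch) < 32 and ch not in "\r\n\t"))
    if odd:
        reasons.append(f"{odd} non-7bit character(s)")
    urls = len(URL_RE.findall(value))
    if urls > max_urls:
        reasons.append(f"{urls} link(s)")
    return reasons


if __name__ == "__main__":
    print(decode_head(HEAD))
    print(decode_tail(TAIL))
    # Constructed sample submissions, not taken from the post.
    for sample in ("Please send a brochure to Colin",
                   "caf\u00e9 http://example.invalid/ www.example.invalid"):
        print(repr(sample), "->", screen_field(sample) or "accept")
```

The head fragment decodes to the form's own opening line rather than foreign content. A body containing characters outside the 7-bit range cannot be labelled 7bit, which is consistent with the switch to base64 and 8bit in the flagged message.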