Interesting Crack Attempt to Relay Spam
I'm seeing an interesting new attack on my website where the attacker is hoping to exploit unchecked fields in a "web to email" form. The attack works by assuming a field used in an email header (such as the "From:" address or the "Subject:") is passed unchecked to the mail subsystem. Appending a newline character and a few more carefully crafted header lines with a BCC list and a spam message body might trick the underlying mail system into relaying spam for the attacker. An initial test sending a BCC copy to killerhamster@punkass.com has been used on most forms on my site to phish for vulnerable scripts. I had an old perl script which didn't check for new lines in the "email" field which alerted me to the problem and allowed me to quickly fix it. If you run a site, you should check and strip fields for carriage return and newline characters used directly in email headers.
Details of this attack:
This is an attempt to exploit my comments form. There are many hits from a number of different IPs which I assume are other compromised hosts. Form field data is presented between brackets in the example hit below. Notice how the email field contains a newline character and finishes off the email header fields. It even has Multi-Part support. Impressive!
-- snip --
comments[ejrkjfkn@nowhere.com]
andersUser[ejrkjfkn@nowhere.com]
redirectTo[ejrkjfkn@nowhere.com]
name[ejrkjfkn@nowhere.com]
page[ejrkjfkn@nowhere.com]
email[ejrkjfkn@anders.com
Content-Type: multipart/mixed;
boundary="===============1588588624=="
MIME-Version: 1.0
Subject: 40d7e77
To: ejrkjfkn@nowhere.com
bcc: killerhamster@punkass.com
From: ejrkjfkn@nowhere.com
This is a multi-part message in MIME format.
--===============1588588624==
Content-Type: text/plain;
charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
yyo
--===============1588588624==--
]
subject[ejrkjfkn@nowhere.com]
--/snip--
This is an attempt to BCC killerhamster@punkass.com to report a successful breach. Once a vulnerable script is found, the BCC line is filled with 25 or 30 addresses to spam. If the form doesn't set reply-to before the exploited field or the reply-to is a bad address or nobody pays attention to logs, the site owner may never know his site is compromised and enslaved as a spam bot.
Has anyone else seen attacks like this? Looks script-kiddie-ish as most of the phishing hits came within a two second period.
EDIT: I have written a more concise article covering this issue called Form Post Hijacking.
EDIT: A project of mine called JustHumans.com can help control form spam through image based verification.
Tags
Crack Attempt Spam RelayTrackbacks
Neue Spammermethode?
Gerade habe ich gesehen, dass ich für mySniper.com fünf Registrierungen habe, die keinen Sinn machen. Anstatt einer E-Mail-Adresse wurde der Body einer E-Mail eingegeben. Das sah ungefähr so aus lpubhkhzos@mysniper.com Content-Type: multipart/mixed; bo... read more...
Substantial Rise in Number of Contact Form Vulnerability Test...
<p>Most of the complaints from webmasters seem to be about mailform or "contact us" types of scripts. We have noticed a substantial rise of these types of attacks over the last month on our networks, but alot of other webmasters have been read more...
Interesting Crack Attempt to Relay Spam — Form Post Hi...
Anders Brownworth demonstrates an interesting new attack that
Appending a newline character and a few more carefully crafted header lines with a BCC list and a spam message body might trick the underlying mail system into relaying spam for the att read more...
AOL — THE PEOPLE HAVE SPOKEN
The people have spoken AOL, and we’re not impressed.
I realise there’s a lot that needs to go into something when you have crackers/spammers on your doorstep, much more so when you’re an ISP conglomerate who hands out e-mail accoun read more...
Comments (500)
Anders from RTP
Just got another one trying to report success to wnacyiplay@aol.com.
Anders from RTP
And a couple more: kshmng@aol.com Homeiragtime@aol.com
Anders from RTP
Just got one from bergkoch8@aol.com which is funny because the next hit was to this story.
Anders from RTP
Yet another: jrubin3546@aol.com
sam radion from UK
Yup just got a load of these through this morning bcc'd to bergkoch8@aol.com
Forms were ok already, but very annoying
Sam Radion from UK
Actually - had a thought. Could this not be an attempt merely to grab the presumably valid email address that the form is being sent to for spamming purposes?
Anders from RTP
Could be, but as I say, I had a script that was vulnerable and it started to get hits from all sorts of differient IPs with 25-30 bcc'd addresses and "valid" spam. I shut it down in a hurry, but a few got out. I'm still seeing hits to the cgi even now weeks later.
Matthew Laird from Vancouver, Canada
They discovered an old feedback script of mine too and began spamming through it for a few hours until I caught them. I discovered your article by googling the test email address used, Homeiragtime@aol.com.
I've sent a message to AOL abuse to hopefully shut this address down, but I'm not holding my breath AOL will care enough. That's the sad part... do I spend the time reporting all these zombie IP addresses, is it even worth it?
Ross Armstrong from UK
Loads today all within a few seconds of each other, bcc'd to bergkoch8@aol.com, very frustrating
Teli A. from USA
It seems I'm not the only one, received a few from bergkoch8@aol.com - started yesterday with one of my websites and just received more this morning...my scripts are secure, but it's just annoying having to deal with it...
kaphis from poland
Few probes of scanning vulnerabilities in "www to email" script and one with bcc to bergkoch8@aol.com address. Blocked with adding few lines of php code.
Pavel from San Jose/CA/USA
I received the same attempt on my site.
Olger Smit from Netherlands
Got several too, by bergkoch8@aol.com (may he grow bald and seriously sunburn his head). Thanks for advising.
jcjaxson from waldwick, nj
i've rec'd some of these with a bcc to the jrubin3546@aol.com addy mentioned earlier, am a bit confused and would appreciate a bit more clarification.
in the confirm email i rec'd only one of the form fields contained all the "content type" and "mime" info appearing in the article. both the subject line and the email addy to which the form is sent are hard coded in my script. the originating email is pulled from the form and is validated to be a proper email addy.
how would i know if the script is vulnerable or not?
thanks
dreamer from Ireland
bergkoch8@aol.com Yeah, roger that.
Grr.
Susan from Atlanta
Found this site by searching bergkoch8@aol.com. that address is bcc'd on about 25 messages 'from' our domain to our email address that receives the form in question (mine). I'm not a techie at all...any suggestions?
Anders from RTP
What you as a site admin need to do to be 100% safe is strip carriage returns (\r) and liefeed characters (\n) from form fields in your cgi scripts. How to actually do this depends on the language used in your cgi. In the case of perl, you could do it with a regular expression this way:
$field =~ s/\r/ /g;
$field =~ s/\n/ /g;
for each field used in an email.
Some clarification on questions posted: even if your forms are hard-coded to send you the email, you are still possibly vulnerable to this attack. Adding additional header lines, including a BCC: lists is possible whenever an unchecked field is used in the header of an email. Commonly with cgi forms on the Internet, the subject line, which is part of the email headers, comes from a cgi posted variable and hence can be exploited.
As I say, the fix that will work 100% of the time is to kill all \r and \n characters in cgi variables that are used in an email header. Unless you need to preserve formatting in some special cases, you might as well kill them everywhere as a rule of thumb. There is generally no need for them.
Ian from Spain
I've been hit 28 times by bcc's to bergkoch8@aol.com I'm using php, how would i block this in the headers?
Ian
Anders from RTP
I don't know PHP, but PHP has perl-like regular expressions, so with a quick glance at the docs:
http://us2.php.net/manual/en/ref.pcre.php
A default install of PHP 4.2.0 and later, you could:
$field = preg_replace( "/\n/", " ", $field );
$field = preg_replace( "/\r/", " ", $field );
This is also supported in earlier versions of PHP but you have to compile it in explicitly.
Brian from Dublin
I just got this tip from another forum and wondered what you thought. they went on to say:-
Instead of blocking
IP's, I'm checking the email address the user/bot enters. If the email
address domain matches the website's domain, then the form is not submitted,
i.e., it appears that the bot enters an email address with a random name
followed by the @ symbol, followed by the actual site's domain name.
Anders from RTP
Sure, that might help, but it won't be 100% failsafe. If the exploiter changes his method, he gets arround your solution. Add to that the fact that the field you are testing might be the field the exploiter is using to break your script so you can't assume it will strictly be an email address only.
I don't reccomend blocking IPs either because once a successful breach happens, exploits seem to come from an army of IPs. That's a loosing battle.
Killing the \r and \n characters will be successful 100% of the time.
Brian from Dublin
Thanks Anders for your reply.
I wonder if anybody can clear up then that if I was to remove the \r \n from the following (php) snip would this be sufficient or do I possibly need to write up another bit of scrip to run when the form is submitted?
$message = $_POST['Name']. ' is requesting some information.' . "\r\n";
$message .= ' ' . "\r\n";
Thanks again for this great help
Brian
Chris from MI
I have a site where this has been attempted. The emails sent from the forms are HTML emails, and the To, From, and Subject lines are NOT configurable by the end user...the only things the user provides is content for the body of the email (this content is then placed into an HTML template, the template assigned to the BODY, and then sent). Is this "configuration" still exploitable? Thanks for any and all help! :-)
Chris
Anders from RTP
No, you should be fine. Only fields from a form that are used in the headers of an email (like subject, reply-to, to and from) are possibly exploitable.
Christoph from Germany
I have a site where this has happened, bergkoch8@aol.com is bcc'd. I think I don't really get how this exploit is meant to work... Come here by googleing for bergkoch8@aol.com, impressive number of hits there...
Kasimir from Europe
Another bcc:bergkoch8@aol.com here. No use blocking IP address, as it's an anonymous proxy.
James G from UK
We are noticing crawls for _all_ forms on sites, which then suffer the MIME injections, and it's getting worse.
Damin from Vancouver, Canada
I received the same attack with a bcc:bergkoch8@aol.com on my contact form AND my post comments. Fortunately I watch my logs like a hawk. I've locked down my posted variable fields with partial string matches so if they try to use me as a spam relay all it won't send at all. The originating IP belongs to a university in Turkey.
Danny from s.e. Kentucky
This is to inform you that you are aiding in the spammers efforts.
Just as you noticed when you did a search engine check , your site was listed , just as when I did the search , I was led here. As a suggestion , It would be advisable to place the e-mail addressess as images so the search engines would quit indexing ( close to 5,000 ) articles relating , and aiding in the users spam. Therefore , still keeping people notified. Just a thought.
cheers !
Danny
Mackan from Sweden
If you use PHP:
Run function mysql_real_escape_string() on your POST-data. This function will replace the following characters: \x00, \n, \r, \, ', " and \x1a. For more information read the manual:
http://se2.php.net/manual/en/function.mysql-real-escape-string.php
Steve from NJ, USA
Hey, I just saw this same attempt on one of my scripts, and after googling for the bcc address (jrubin3546@aol.com), I found this site. Thanks for your explanation; it really helped clear things up.
In my script, I accept "Name, Email, Subject, and Message" fields, but actually all those are combined into the $message string, which is then passed to my script. My from, to, and subject parameters are all hardcoded in my script, so all guest emails are from a specific email address, sent to a specific email address, and have the subject "Guest mail from <website>". The message body then contains all the "From, Email, Subject, etc." filled out by the user. I believe this setup is immune to the attack described, so hopefully it'll give some of the victims of this attack ideas for combating it. Cheers.
Brian from Ireland
Hi,
I’m most interested in your reply Steve. I’m quite new to PHP but what you described seem to be the way I have my form setup, for example:
$from = 'IMT<info.blah.ie>' . "\r\n";
$subject = 'Message from your Web Site' . "\r\n";
$headers = "To: IMT <info@me.ie> \r\n";
$headers .= "from: $from\n";
$message = $_POST['Name']. ' is requesting some information.' . "\r\n";
$message .= ' ' . "\r\n";
$message .= 'The Subject is: ' .$_POST['Subject']. "\r\n";
$message .= ' ' . "\r\n";
$message .= 'They wrote: ' ."$messagedetails". "\r\n";
$message .= '' . "\r\n";
$message .= 'You can email them back at: ' .$_POST['Email']. "\r\n";
$message .= 'This email has been automatically generated. ' . "\r\n";
mail($to,$subject,$message,$headers);
I’d be interested to hear a reply. Also if this is the case can we safely ignore any new emails that come in.
Thanks
Brian
Vitor Pires from Portugal
Why don't you just check the email field with some simple regular expression check?
Something like:
/^[a-z0-9\-._]+@[a-z0-9\-.]+[a-z0-9]\.[a-z]{1,4}$/i
I don't know if it's enough but it seems to me it's very light and at least excludes those attacks. :)
No More HGH & Hoodia from O&A
This is the spammer or spam partner: http://www.spamhaus.org/sbl/sbl.lasso?query=SBL27963
Keep sending those reports to AOL. The BCC'd list always seems to contain the spammers verification account. The initial test messages reveal who the spammer is. As the spam run ensues, check the BCC list for that "test account". All the other headers appeared to be forged.
They are using hacked computers to relay through exploitable web forms, which conceals the true orgin and makes it appear as if your site is responsible for the spam. If you let the spam escape your network, you may be held responsible for the spam. If the spam makes it through your organization, there is a good chance you'll be BlackListed by the ISP at the bcc'd list.
I'd suggest converting your web form program into a spam trap. Force send any mail submitted to it, to a spam-trap account. Collect as much data as you can, in particular, the domain being advertised in the spam and the spammers verification, email account, including the where the spammer connected from (the other hacked computer) and share it with AOL. They may not respond to your requests, but they do investigate these reports.
Nick from
Just had bergkoch8@aol.com bcc on my php contact form, no idea what hes trying to achieve or how i can stop this happening...
Flo from Germany
I also recieve attacks by bergkoch8@aol.com as bcc - is it possible that a spammer has a chance to use an aol-acocount to verify possible relay-servers for more than 4 weeks without any actions by aol??? Even if the client is hacked, the verifying mail-address could be shut down or do they keep the address up and running to get the spammer somehow??? We will probably get no answer to this questions - well then good luck fighting these bastards and thanks for the good advices...
Björn from Sweden
We've also been getting BCC: bergkoch8@aol.com attempts on our site, about once a month. I say *attempts*, because the moron doesn't seem to realize that our scripts aren't used to send mails in the first place. :)
MIC from Czech Republic
Also bergkoch8@aol.com on BCCs. Our site is written completely in ASPX and the bot overwrites the VIEWSTATE field as well, causing the web application to report an error, which is how I identified the problem in the first place. Thank you folks for all the info, I was wondering for some time what was going on - suspecting someone is trying to send spams using our web application, but I had no idea about how it was intended to work or whether he succeded. As now I know what's goinng on and what to check, I am happy to sleep well again :-).
Thank you all!
Graeme from Dunedin, New Zealand
I have just had "bergkoch8@aol.com" attempt to hijack my web-to-email script. Problem for them is it is hardcoded to send only to me... anyway the IP address is also sent to me and is 194.152.185.6 (apparently 06.whoiswho.li) - I've emailed complaints to whoiswho.li as well as aol.com, although I suspect the AOL account won't be legitimate as such anyway.
Bruce from USA
bergkoch8@aol.com just struck here. They look for formmail.pl, but I don't use it. I just send them an email telling them to f*** off. Idiots.
Marve from Czech rep.
Well, I got regular attempts on my e-mail scripts.
The IP of the sender was 164.100.104.146
That's annoying... :(
There's a very nice info-page about that attack:
http://securephp.damonkohler.com/index.php/Email_Injection
erkje from Urk, Holland
bergkoch8@aol.com is also spamming in the shoutbox on our site, trying to send e-mails I think. Here's an example of the message
dyuqcjdc@ourdomain.nl Content-Type: multipart/mixed; boundary="===============1153501684==" MIME-Version: 1.0 Subject: b2c188b8 To: dyuqcjdc@ourdomain.nl bcc: bergkoch8@aol.com From: dyuqcjdc@ourdomain.nl This is a multi-part mess...
the text entered is chopped by200 chars (if I remember it right...). he used this ip: 66.160.92.113. this morning 6 attempts within the same minute... maybe automated?
Interesting to see so many people around the world having the same inconvenience with this same person...
I thought this guy was just a kid trying to hack the local christian website :P
this shoutbox script isn't for emailing at all so he won't find a formmail.pl at my site either ;)
Shaun from Sydney, Australia
Another bergkoch8@aol.com here.
They hit us a few weeks ago, my particular script (a custom one) was vulnerable but I picked up on it in 5 minutes and had the script fixed shortly after.
Quite a few attempts overnight as well, but this time the script wasn't vulnerable :-)
They've tried from Belgium, Jordan and Mexico so far.
M from Finland
I had similiar hits today. Three mails bcc:d to bergkoch8@aol.com. Luckily the form and php script were old and obsolete so I removed them instantly. It is very bizarre that AOL has not reacted in anyway to shut down that email account...
A from Germany
Same problem here from Germany. I informed AOL about bergkoch8, hope that they will remove it.
Mexoi from Holland
Bergkoch8 tried it on our site too (Dutch .com website). Fortunately the script doesn't mail the form, so no harm done.
Interesting though, to read about it on this website.
Graeme Leggett from Norwich, UK
Had the same pattern here, BCC bergkoch8@.... The website with the form is operated for us by another. I cut, edited then pasted the above into the to line and hit "submit". The system threw up a warning about newlines not beiing allowed in the 'to field', so ours checks out clean.
Andre F. from Staten Island, NY, USA
found this site with a google of bergkoch8@aol.com. anyway the attack was on a guestbook of a site i had coded, the inputs just gointo a database but its really annoying.
Sarah from Austin, USA
Same here and definitely annoying. (bcc:bergkoch8@aol.com). I disabled my form and changed the email addy to a graphic. What a creepy little person.
Mathieu Jobin from Vancouver
got the same attempt on website (http://justbudget.com/)
he use my login form and comments form.
he tried for every fields, subject, email, fullname, comments, login, password, etc.
looks like he did not acheive what he wanted.
weird he use the same address bergkoch8@aol.com
I was thinking reporting it to aol.com
but i don't know... how does he expect websites to send email like that ?
I receive tons of spam from [random letters]@[domain.com]
maybe tons of site are vulnerable to this problem,... a fix should be issued, maybe it would decrease the amount of spam dramastically.
anyway
same email, bergkoch8@aol.com
Duke from Amsterdam
Just append this code to the processing of the form:
gethostbyaddr($_SERVER['REMOTE_ADDR'])
then you will find this address is sending the form:
212.38.147.205
then use the IP deny manager,
and strip \n from you form input's of course...
Ian from Spain
I've been hit again and sorry for being an idiot but I have no idea what to do with my send mail php doe, this is what I use what can I add / change to prevent this again.
$to = 'email@domain.com;
$subject = $_POST['subject'];
$message = $_POST['message'];
$from = $_POST['from'];
$from_check = $_POST['from_check'];
$full_name = $_POST['full_name'];
$tel = $_POST['tel'];
$headers = "From: ". $_POST['from'] ."\r\n";
$headers .= "Reply-To: ". $_POST['from'] ."\r\n";
$message = "\nInformation Request: ".$message;
$message .= "\nName: ".$full_name;
$message .= "\nTel Number: ".$tel;
$message .= "\nEmail address 2 (could be different): ".$from_check;
if (!preg_match("/\w+([-+.]\w+)*@\w+([-.]\w+)*\.\w+([-.]\w+)*/", $from)) {
echo "<h4>Sorry info here</h4>";
echo "<h4><a href='javascript:history.back(1);'>Click here to return</a></h4>";
}
elseif ($from_check <> $from) {
echo "<h4>Info here.</h4>";
echo "<h4><a href='javascript:history.back(1);'>Click here to return</a></h4>";
}
elseif(mail($to,$subject,$headers,$message)) {
echo "<h4>$full_name</h4>";
echo "<h4>Your email has been sent, we will reply as soon as possible.</h4>";
} else {
echo "<h4>Cannot send email</h4>";
sean from cardiff, uk
just had bergkoch8@aol.com emails.. my feedback form has been used to send emails with bergcoch in BCC field. I saw in some of the emails i received that he/she has managed to somehow get test email addresses to apppear in the to: field.. so i have taken site down while I fix it.
www.dojodirectory.co.uk
Paul Baker from Maidenhead, Berkshire, UK
To the people wondering why (s)he is still using the same email address bergkoch8@aol.com, don't forget that the attempted hacks are automated - just seen a site that got 15 test emails from a form sent within a minute. So (s)he probably wrote the script months ago, and zombie PCs are picking it up and running it still. The email address may have been active once but I doubt it is now.
art101 from California
Greetings to all and thanks for the good comments and fix suggestions on this page. I found this page in a Google search for the phrase 'bergkoch8@aol.com spam'.
We saw the first two attempts to compromise our PHP web-to-email contact form within one minute on 28 August 2005 at 3:39 local time. Each was sent (supposedly) from nonexistent addresses in our domain (random characters _at_ our domain.com). Both attempted to Bcc bergkoch8@aol.com. Based on the IP addresses, they both appear to have originated on servers in Australia. I don't think the attack was successful, but I'll play it safe (see below).
I'm a designer, not a techie. I'm not familiar enough with PHP to go fiddling with the script on my site. My tech guru doesn't work on Sunday (unlike yours truly who works all the time and never has a life). Although I don't see anything particularly scary in my logs or bandwidth usage, I will shut down our contact form until he has a moment to look things over on Monday.
I will also post a brief explanation of why I shut down our form and link to this page from our contact page. I'm ticked off enough that I will also suggest that anyone who has experienced a similar attack should contact the good people at AOL - since they surely don't want their good name sullied by association with this jerk (or jerks).
I'm just paranoid enough these days that I don't even want to post my domain name here... but if you'd like to stop by, add a .com to my name in this post. I'm paranoid because my domain was joe-jobbed a while back by the notorious spammer Eddy Marin (see his extensive profile at the Spamhaus ROKSO) - which cost me tens of thousands of dollars and three weeks of my life. You can read all about that by following the wired.com link in the anti-spam area at the bottom of our home page.
If my tech guy can offer anything useful to this page, I'll report back ASAP. Thanks again to all of you for fighting to take back the net from the tiny minority of thugs who work to ruin it for the rest of humankind.
best - art101
art101 from California
That's an important point, Paul Baker... (quote: "So (s)he probably wrote the script months ago, and zombie PCs are picking it up and running it still."
This still leaves me wondering if AOL plans to take any action. The owner(s) and author(s) of this global assault obviously had to pay for their bergkoch8@aol.com account via a credit card tied to a real bank account somewhere in meatspace or cyberspace. If AOL is serious about protecting the 'net from this sort of attack, it should be fairly simple for AOL to follow the money.
My earnest and polite phone call to AOL Security this afternoon (toll free from the US: 888 265-3733) pretty much went nowhere. After enduring endless hold times, shuffled from one perky, useless 'consultant' to another, a perky 'consultant' who could barely speak my language told me to send all complaints to tos@aol.com. She assured me that the bergkoch8@aol.com account would be carefully examined and that "action would be taken" if AOL decided that action was required. Right. I felt so much better after that call. Another hour of my life... gone forever. My opinion of AOL's commitment to protecting the 'net from this sort of abuse soared. Not.
After putting the phone down in disgust, I wondered: How many people on this planet have been damaged by this particular assault? How many hours of global bandwidth and time have been stolen? Who barged in to our homes and businesses - like scumbag home invasion gangs - in an attempt to splatter crap all over us that no one in their right minds would ever buy?
The Internet is arguably the most important advance in human communication since the invention of the printing press - way back in the 1400s (western calendar). Who are the few hundred jerks who work so hard to turn the 'net into a giant, pervasive, dangerous strip mall from hell? And exactly which mainstream corporations tacitly help them do so? See: http://www.spamhaus.org/statistics.lasso
By the way, Paul... I have relatives in Maidenhead. I hate to go off-topic here, but wouldn't it be a hoot if you knew them? Talk about six degrees of separation... more like two. They live in Bray, actually, just a stone's throw from the river. Feel free to drop me a line at my current throw-away Yahoo address... unitygain2001 (at yahoo dot you know what). Needless to say, I'll do whatever I can to make sure that any jerkoff spam harvester who spams that address is stopped. I will also pray that they die a slow, painful death, all alone.
cheers - art101
jeanmarc from Belgium
Well i see that i'am not the only one to get attack by bergkoch8@aol.com ;)
I think a stripslash is enough to be protected in php, can someone post a "full protection" for php to email form?
Ian from Spain
This is what you need to do in PHP form:
Make sure you end your headers with \r\n\r\n.
change
$headers .= "From: " . $from . "\r\n";
to
$headers .= "From: " . $from . "\r\n\r\n";
It is always best to filter mail form inputs
// Strip \r and \n from the email address
$_POST['email'] = preg_replace("\r", "", $_POST['email']);
$_POST['email'] = preg_replace("\n", "", $_POST['email']);
// Remove injected headers
$find = array("/bcc\:/i","/Content\-Type\:/i","/cc\:/i","/to\:/i");
$_POST['email'] = preg_replace($find, "", $_POST['email']);
$comments = preg_replace($find, "", comments);
Ian
sinisterfrog.com from Australia
http://www.sinisterfrog.com
My latest news post suggests my solution. Basically for all variables use $name=stripslashes($_POST['name']);
bucky from us
try this in PHP:
clean_variables($_POST);
function clean_variables( &$value )
{
if(is_array($value)){
array_walk(&$value,'clean_variables');
return;
} else {
$value = str_replace(array("\r","\n","Content-Type:"),"",$value);
}
}
Karl from New Zealand
Ugh, just had this same thing happen to me. I don't want to wind up on a black-list of spammers!
Tony from New York
I have also been “visited” by this spam-bot. We actually saw two attempts on different domains in the past three days. At first I blew it off as it really does look very “script kiddish” after the second attempt (yesterday) I took notice. The information here was very helpful in figuring out what the bot was trying to do and after a few tests of my own I came to the conclusion that my ASP based forms and CDOSYS are not vulnerable to this attack.
One thing I do think is that the BCC email address (bergkoch8@aol.com) is not monitored by the account owner. It is probably owned by some poor guy who compromised his account and he doesn’t even know that the email address exists.
As to the IP address question. I chased down one of the IPs to a company in Montana. I spoke with the owner of the company who informed me that his SQL server machine had recently been hacked and that he had been attempting to repair it for the last few days. This reinforces the idea that this script is running on compromised servers without the owner even knowing. It also explains why there was no browser information in our “message debug” information. (A part of our script that grabs IP, Browser type, and cookies and adds them to the message to help us to debug user issues)
I decided to call AOL and report the screen name to the abuse department. Imagine my surprise when the woman on the other end told me that there was nothing they could do unless I filed a report with the police. Basically she said that they were prohibited from looking at the customers records unless the police subpoenaed them to do so.
After some prodding she did give me an email address for reporting Terms Of Service violations. She said to forward the original email (don’t copy and paste it) to tosgeneral@aol.com. Swell, a lot of f’ing good that is going to do.
I am going to follow-up with them again today. I am also going to write an email to the address she gave me and reference this site. I would urge everyone here that has had this problem to do the same.
Peter from Canada
I've had the same thing ... their IP was
81.30.227.90
Ian from Spain
OK - I've managed to tie down any field you want for any forbidden character, the code is below:
If anyone can find faults with it (I've tested and seems fine) please post back.
Ian
**PHP CODE***
$to = 'email@site.com';
$message = $_POST['message'];
$full_name = $_POST['full_name'];
$no_in_party = $_POST['no_in_party'];
$mail_list = $_POST['mail_list'];
$welcome_pack = $_POST['welcome_pack'];
$from_check = $_POST['from_check'];
$from = $_POST['from'];
$tel = $_POST['tel'];
$bcc = $_POST['bcc'];
$cc = $_POST['cc'];
clean_from($_POST);
function clean_from( &$from )
{
if(is_array($from)){
array_walk(&$from,'clean_from');
return;
} else {
$value = str_replace(array("\r","\n","Content-Type:"),"",$from);
}
}
clean_from_check($_POST);
function clean_from_check( &$from_check )
{
if(is_array($from_check)){
array_walk(&$from_check,'clean_from_check');
return;
} else {
$value = str_replace(array("\r","\n","Content-Type:"),"",$from_check);
}
}
$headers = "From: ". $_POST['from'] ."\r\n\r\n";
$message = "Additional Requests: ".$message;
$message .= "\nName: ".$full_name;
$message .= "\n\nNo in party: ".$no_in_party;
$message .= "\nMailing List: ".$mail_list;
$message .= "\nWelcome Pack: ".$welcome_pack;
$message .= "\nTel: ".$tel;
$message .= "\nEmail: ".$from;
$message .= "\nEmail check (different?): ".$from_check;
function validate_from_field($s) {
$forbidden = array('%', ',', ';', 'bcc');
foreach ($forbidden as $f)
if (strpos($s, $f) !== false) return false;
return true;
}
function validate_message($t) {
$forbidden = array('%');
foreach ($forbidden as $n)
if (strpos($t, $n) !== false) return false;
return true;
}
if (!validate_from_field($_POST['from'])) {
echo "<h4>Sorry you have entered an invalid email address, please check and try again</h4>";
echo "<a href='javascript:history.back(1);'>Click here to return</a>";
echo "<h4></h4>";
echo "<h4>If you are having problems with this form please email email@domain.com </h4>";
}
elseif (!validate_from_field($_POST['from_check'])) {
echo 'Validation failed'; // Crash and burn
}
elseif (!validate_message($_POST['message'])) {
echo '% not allowed Validation failed'; // Crash and burn
}
elseif (!preg_match("/\w+([-+.]\w+)*@\w+([-.]\w+)*\.\w+([-.]\w+)*/", $from)) {
echo "<h4>Sorry you have entered an invalid email address, please check and try again</h4>";
}
elseif ($full_name == "") {
echo "<h4>Sorry you have not entered your name</h4>";
}
elseif ($from_check <> $from) {
echo "<h4>Please verify your email address, they are different.</h4>";
}
elseif ($bcc != ''){
echo "System Error";
}
elseif ($cc != ''){
echo "System error";
}
elseif
(mail($to,$subject,$message,$headers)){
echo "<h4>$full_name</h4>";
echo "<h4>Your reservation request has been sent, we will confirm back to you as soon as possible.</h4>";
}
else {
echo "<h4>Sorry we cannot send your email please try again or send an email to email@site.com </h4>";
echo "<a href='javascript:history.back(1);'>Click here to return</a>";
}
Mark from The Netherlands
We are visited by mhkoch321@aol.com
I just filed a complaint with aol as Peter suggested
O&A from USA
Please post the URL in the spam and the product being advertised. I've been following this spammer for a while and am curious what you guys are seeing.
Many of the domains being advertised in the spam have been listed here.
http://www.spamhaus.org/sbl/sbl.lasso?query=SBL27963
onno from Rotterdam / NL
Here a fingerprint of the hack:
Watch the bcc part!
Content-Type: multipart/mixed; boundary="===============0330895761=="
MIME-Version: 1.0
Subject: 201de07b
To: nosdlfctel@flexicare.nl
bcc: bergkoch8@aol.com
From: nosdlfctel@flexicare.nl
--===============0330895761==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
gzfu
--===============0330895761==--
Rahul from New York
Hello...
from my contact page of the website, every day morning i am receiving tons of spam mails BCCd to bergkoch8@aol.com. I see that you all having a discussion about it here. what is this and who is doing this. What is that i have to do to eliminate this problem?...Thanks....
bed from France
I had similiar problem with mails bcc to bergkoch8@aol.com and mhkoch321@aol.com
Joe from New York
If the forms that are use are only coded using HTML and do not use PHP, is there a vulnerability to this?
O&A from USA
Too many spammertised domains to list here, but here's a short history of the spammer. Listed is the dates the spam runs went out and a short description of the spam being advertised.
damnitmayn@aol.com Nov. 2004 - Mar. 11, 2005 ( account closed )
securities fraud (CSDP.PK), mortage, car warrenties, HGH
cameronmtc@aol.com Mar. 18 - Mar. 20 ( account closed )
Human Growth Hormone (HGH)
wolfione@aol.com Mar. 21 ( account investigated ... closed?)
HGH
wnacyiplay@aol.com Mar. 22 - Jun. 9, 2005
HGH
wwjdkid14@aol.com Mar. 23 - Mar. 30, 2005
HGH, mortage spam
angelrrsmr@aol.com Jun. 2 - Jun. 6, 2005
Test messages ... no spam, but testing of spam to a single email address
kolyathekid1@aol.com Jun. 25 - Jun. 30, 2005
Hoodia Weight Loss drug
kshmng@aol.com Jun. 30 - July 7, 2005
Hoodia Weight Loss drug
lshmng@aol.com Jun. 30 - July 7, 2005
Hoodia Weight Loss drug
jshmng@aol.com July 5, 2005
Hoodia Weight Loss drug
mhkoch321@aol.com July 7 - July 9, 2005
Hoodia Weight Loss, HGH
Homeragtime@aol.com July 17 - July 19, 2005
HGH
Homeiragtime@aol.com July 7 - Sept 1, 2005
HGH, Hoodia Weight Loss, Securities fraud (GTRD.PK) spam started 8/26/2005 - 9/1/2005)
===
Martin from Germany
I got the same Problem here. 20 mails in the last few days from my own contact page (bcc: bergkoch8@aol.com or mhkoch321@aol.com.
Does anybody know a good formmailer to avoid this problem?
Joel from UK
A new one this morning:
jrubin3456@aol.com
Nothing in Google for this one as yet, so recording here.
note the spammer has changed it from the more ubiquitous jrubin3546@aol.com
I'd like to see this fellow strung up. I will be adding him to my black magic scorpian bottle next time I bury one in the garden.
Tara Michelle from NJ, USA
This is not just happening with PHP, but also with Coldfusion. I am a webmaster and many of my forms are being attacked. Don't know what to do.
VB from Detroit, MI, USA
It is very annoying, we have logged many attempts by this person.
bergkoch8@aol.com
originated from 219.93.174.102 or BRF-CE03-G2-0.tm.net.my
had to block their network segment
Donna from FL, USA
I just had this happen to me today and I googled the bcc address that was included of "jrubin3546@aol.com" and found this site. Thanks for all the information.
Ryan from Corvallis, OR, USA
I don't want to compromise anyone else's site by having someone post something here to help out a hacker, but I think maybe my site is fixed -- is there any way to check it to make sure?
Nick from UK
Yep, I've had two attacks on our site in the last couple of days now (the bergkoch8@aol.com) e-mail addy. Like others, I've e-mailed abuse@aol.com, in the offchance that they actually care and will do something. In any case, this is a short-term fix.
I don't believe that we've been suffering with acting as a spam-relay, the nasty part is that if we received the e-mail then it's a reasonable indication that the attack failed, I pity all the other admins that *didn't* receive such mail alerting them to a problem.
Gerard from Castricum, netherlands
Same 'attach' to me from bergkoch8@aol.com. Interesting to see that the person or robot first visited som eregular pages of our site and then entered 6 entries within a few seconds in our guestbook. Ans then it visited again a page of our site. all from same public proxy ip 67.72.25.2
Diwic from Sweden
Another thing one could do would be to make sure that there is only @ in the from-email field, and remove all other @:s. That would effectively block the spam attempt...
Uwe from Germany
Seems like they're very active, again. Found this site via googling "bergkoch8@aol.com". Luckily I was sitting at my computer yesterday around 21:50 when the first attempts dropped in at my EMail account. Took the formmail script off immediately and then searched every POST variable in PHP with the following code:
if (eregi("\r",$MailFrom) || eregi("\n",$MailFrom) || eregi("Content-Type:",$MailFrom)){
die("SPAM Injection Error :(");
}
Now I also added hostname logging as suggested earlier in this thread..
Mark from Canada
There is one thing that would stop all bots attempting to abuse the contact us page trying these scripts.
Add an image verification code to your form. The bots dont get a chance this way.
And if you want to go a step further, add a function to parse the arguments before calling the php mail function. If you detect foul play, ban the ip automatically just have code to update your .htaccess with the banned ip. That should take care of the rest. (You could also add a timer say a couple of months for the banned ip to be released since these are zombie pcs)
The thing is if you dont ban them, the spammers get chances to update their scripts. Sooner or later they figure our another weakness.
If you get some public image verification code its good idea to customize it as the spammers try to find weaknesses in common functions so they have max effect.
mika from germany / magdeburg
Thank you Ian from spain for the script! I think it is a very good idea to double the email field and compare the strings. Hope the robot won't get it. I named the second field "clicker2" so there's no "from" at first sight if the HUMAN programming this code is able to look at the php data somehow.
Many thanks mika.
stu from new zealand
Also have had bergkoch8@aol.com visiting our subscribe form. The bot, or person, tries each input field, but I truncate all fields apart from a comments field at about 50 characters which I hope stops it in its tracks.
I'm also going to add a test for the string "BCC:" and not allow any form processing if this occurs. A blunt, but quick fix I think
One way I'm using, to test if my form fields are susceptible, is to take the text of the attempt, change the bcc address to one of my own, and see what comes to that address.
Rob from England
Just had the same problem here I googled the email address mhkoch321@aol.com that came through in the attack. My site traces the ip address of such attempts and it appears to be a Lithuanian dialup ISP it originated from
Mark from England
Just had an attempt this morning from bergkoch8@aol.com and as many of you people here followed up a search through google. Sounds like your all doing as much as possible, but is there a way of blocking the ip address at all? My site is a big message board and all the failed attempts show up as entries - annoying and not pretty!
Lydia from
I have had the same problem, all my forms have
$name = htmlentities($name, ENT_QUOTES);
for all form data which seems to have stopped the attack as their quotes were disabled, it doesn't affect how things show up in messages so you could use it as an easy measure although it may not be totally fool proof.
Alan from Todos Santos, Mexico
Getting hit here as well over the past month on multiple sites.
I'm using HTML forms that call an ASP page using the CDONTS to mail. No PHP used here.
The script being used seems to bypass the form page and go directly for the "post" page since I'm seeing the number of characters inserted in some fields far in excess of the "maxsize" values I set for them in the form page.
Isn't it just as effective to use a simple referrer check n the form processor to ensure the request originated from the form page on our domain and not somewhere else?
Brum from Germany
Graah! Added a php-email form yesterday with a code modified from this page: http://www.ibdhost.com/contact/ (first one that comes from a 'php email form' google search) and today mr jrubin3456@aol.com had made a visit. Í think that the extra data injected to 'your email'-field worked :-( Corrected this now with all the data going to message field and from & subject -fields are fixed strings that have nothing to do with postdata. Well, hopefully that jrubin-address wasn't working anymore and I haven't been the source of tons of spam. Still a nasty thing, especially for us inexperienced coders looking for code snippets from net.
Al from New Zealand
I just got spammed with a bcc to: mhkoch321@aol.com
I'll report it to AOL, fwiw.
Greg from AZ, USA
I received the contents of a form with the BCC of jrubin3546@aol.com. I checked my logs and the IP address was within Greenville Public Schools. I sent the details to the Webmaster of their site.
Jacob from SLC, UT
I am a web developer and I am currently working for a company calle WI Works, Inc. We have over 300 clients and have a portfolio that contains most of the urls to our clients websites almost all of these sites contact forms are being spamed with what was explained above. If anyone comes up with a solution to this prob. then please contact me at jacob@utahwebservices.com . Our clients are starting to get pretty anoyed and we do need to resolve this prob. A.S.A.P . I am sure we will be able to put some money into this if needed.
Thank you,
Jacob
WI Works, Inc. - Web Development Engineer
Raphael from Luceren (Switzerland)
Hi there
Just got the same problems on my Page ( www.black-silence.ch ).
They were not able to send mails (because my script doesne't send any mails ;)) but deleting the "bad" entries is annoying ... I modified the script so it doesen't show the "bad" entries but logs them.
I think that's the best idea ...
Bob from UK
At the risk of missing the point completely, is there a way to immunise my contact forms against this spam without removing the message's own line breaks/carriage returns?
Having them 'cleaned out' before it's sent makes for a less readable message at this end.
Niek from The Netherlands
Another attack to some forms on our site. The BCC was sent to mhkoch321@aol.com
David from Germany
I am totally confused by all of this. I Googled the address: Homeiragtime@aol.com and found this site. I am not a programmer, so I don't know exactly what is happening here. If I get blank emails from my own forms (from my site to my site), does that mean that the spammer was successful and my site is comprimised or does that mean that he failed and my scripts are okay?
Mikkel from Denmark
Quote:"I just got spammed with a bcc to: mhkoch321@aol.com
I'll report it to AOL, fwiw."
The same happened on my site twice in two days... really annoying!!!
Anna from England
We've just received the same from bergkoch8@aol.com and have reported them to TOSREPORTS @ aol.com and the ISP expedient.com, although I guess from scanning the posts above that the source PC was some other unsuspecting victim.
I'm 99% certain that bergkoch8@aol.com and mhkoch321@aol.com are one and the same as we had an identical attempt about 5 weeks ago from the latter. We reported them then to AOL and the ISP - Hopone.net who were really prompt and helpful "We have informed the owner that we are
aware of this activity and that it should cease immediately", and hadn't had this problem again until today.
Thankfully our web app catches the attempts but it's really irritating. I guess we're eventually going to have to go down the random-letters-in-jpg route.
Meanwhile I believe in promptly reporting them. Even if the source PC is a victim, the owner really needs to be told!
Joern from Essen, germany
Hello,
while our website is online for testing, we have found following in our mailbox. All form-fields were filled with urfdpps@ru*.de .
Content-Type: multipart/mixed; boundary=\"===============0578799144==\"
MIME-Version: 1.0
Subject: 831ab45a
To: urfdpps@ru*.de
bcc: mhkoch321@aol.com
From: urfdpps@ru*.de
This is a multi-part message in MIME format.
--===============0578799144==
Content-Type: text/plain; charset=\"us-ascii\"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
dacrgvov
--===============0578799144==--
urfdpps@ru*.de
urfdpps@ru*.de
Niki from UK
We've had this exact problem over the weekend. We have two .asp forms that send mail to use using CDONTS. I don't know whether this knobcheese has succeeded in relaying mail through us, but I want to make sure he can't. Any idea on what to put into asp scripts to block this please? (am I the only person in the world using ASP?!?)
Eric from USA
Homeiragtime@aol.com is still up - AOL clearly has no interest in stopping these people if this was first reported to them in July.
Marianne from Las Vegas, NV, USA
I am getting tons of these sent to me using my various contact forms on my sites. I wonder if they have been successful in using it to send spam. It is an old perl script. How can I check if it has been successful? They have looked pretty much like this and thank God I found your article because I was quite clueless and thought it would stop. These are my client's contact forms and it is getting really annoying for them and myself. Any help would be glorious.
This message was sent from FacialPlasticSurgery.net:
http://www.facialplasticsurgery.net/
------------------------- COMMENTS -------------------------
pwoxmh@facialplasticsurgery.net
Content-Type: multipart/mixed; boundary=\"===============1255325315==\"
MIME-Version: 1.0
Subject: 2c1b597b
To: pwoxmh@facialplasticsurgery.net
bcc: Homeiragtime@aol.com
From: pwoxmh@facialplasticsurgery.net
This is a multi-part message in MIME format.
--===============1255325315==
Content-Type: text/plain; charset=\"us-ascii\"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
ncnotjuuq
--===============1255325315==--
------------------------------------------------------------
Eric from USA
Niki, I'm using CDONTS too. Just create a regular expression object to strip all of the unwanted characters from your form fields before they're passed to the headers. You may want to experiment with the characters you allow, depending on the function of the form field.
Something like:
<%Dim sc
Set sc = New RegExp
sc.Global = true
sc.Pattern = "[^.,:@0-9a-z A-Z]"%>
<%dim vartext
vartext = sc.Replace(request.form("textfield"), "" %>
You'd then use the vartext variable instead of a direct form request in the CDO object.
Anders from RTP
The only way to tell if your site has been commandeered to send spam is to check your mailserver logs. If you see suspicious looking emails being sent by your webserver, then chances are you were sucessfully targeted. Patching the vulnerability is easy enough for a technical person, so if you're not technical, contact the people that do your web hosting and have them fix or upgrade your script. If you don't know where your mail logs are, your website hosting company can help you with that as well.
Anthony Cartmell from UK
mhkoch321@aol.com for me too!
Joachim from Bremen, Germany
I'm a PHP minimalist and the following seems to prevent from getting any more of these mails:
if(
eregi("\r",$_POST["email"])
|| eregi("\n",$_POST["email"])
|| eregi("@mydomain.net",$_POST["email"])
|| eregi("@mydomain.net",$_POST["message"])
|| eregi("boundary=",$_POST["message"])
)
{
die($sorry_string);
}
art101 from California
We recently swapped some email with the founder of TheSiteWizard.com (http://www.thesitewizard.com) about this issue. While somewhat limited in functionality, the most recent versions of his generic feedback form (PHP 2.04 or Perl 2.2.1) appear to be currently immune from this sort of attack. Webmasters who simply need a basic feedback or contact form on their site(s) might consider checking out his Feedback wizard. The scripts are good and the interfaces for downloading them are seamless (and free).
I tried once again to reach AOL Security and AOL Legal... anyone at AOL who could knowledgeably address this issue. AOL seems uninterested in protecting the broader Internet community from this sort of assault. AOL's corporate spin seems to be, "We just want your money, so f*ck you if you aren't an AOL customer." I will encourage our clients to avoid giving AOL any money or trust.
I uploaded a copy of an open letter to AOL at the Contact page of our site today (http://art101.com/contact.html) and sent a copy to tosreports@aol.com and aollegal@aol.com. I encourage readers of this forum to stop by, read the letter, and pass it along.
Martin from UK
Does anyone know if there are any issues regarding the latest version (1.92) of Matt's Perl FormMail script with respect to this bergkoch8@aol.com business? From what I can see it's been fixed to remove linebreaks so the form can't be used for spam. But I still get these "reconnaissance emails" which are annoying, sent to randomchars@mydomain with all the fields filled out with the same randomchars. My ISP says to stop receiving these I should remove my catch-all email addresses and just have a list of specific addresses @mydomain to use. Is there not also an option to add a few lines to the FormMail script to prevent a BCC line being used?
Kris from Denmark
I do also have problems with a bcc to: mhkoch321@aol.com. The spammer uses my email-form at my homepage. Quite frustrating..
kilbot from Melbourne, Australia
I just started getting some through today.. seems like this is getting wide spread. Seems like somebody doesn't like mhkoch321@aol.com .
memex from Hungary
Hi guys, my forms also got hacked in the same way. Just got 23 emails in which the bcc field contains the same bergkoch8@aol.com address.
Joachim from Germany: thanks for this short code, i will try it out myself.
Jon Freeman from Seattle, WA
mhkoch321@aol.com hit here, or tried to at least. ColdFusion MX 6.1 in use with CFMAIL tag for delivery. Some sort of message was burped out oddly back to me as the form recipient, with a to/from that didn't match, but it never made it outside my network.
About 10 attempts to send mail out - appears to be automated. Checking the logs things seem to be fine.
Haze from Spain
Hi. Same here but we are using ASP and J-mail. Anyone who know the script for that? We have 3 websites in different countries attacked so its for sure a robot following our links between the websites. Regards Haze
Lightbox from Dublin Ireland
to stop the annoying mails coming through we have simply put an if statement into the form to stop this type of mail coming through:
They always use bcc to send the mail so now we just block any mail with bcc
<% if (CGI.getValue("bcc").length()>0) { %>
<%//
// This is SPAM
//
// So dont sent any emails!
//%>
<% } else { %>
Martin Smith from London, UK
Alan from Todos Santos, Mexico
Asked
Isn't it just as effective to use a simple referrer check n the form processor to ensure the request originated from the form page on our domain and not somewhere else?
Unfortunately some people use things like Norton Personal Firewall which block out the referer for privacy reasons!
Randy from Europe
I'm not sure how secure this is, but this fixed the problem for me. It includes the \r\n fixes and removes bcc:, cc:, to:, and content-type from the variables used by the contact form originally createdd by rapid weaver:
$email = $_POST["email"];
$_POST['email'] = preg_replace("/\r/", "", $_POST['email']);
$_POST['email'] = preg_replace("/\n/", "", $_POST['email']);
$comments = $_POST["comments"];
$name = $_POST["name"];
$_POST['name'] = preg_replace("/\r/", "", $_POST['name']);
$_POST['name'] = preg_replace("/\n/", "", $_POST['name']);
$subject = $_POST["subject"];
$_POST['subject'] = preg_replace("/\r/", "", $_POST['subject']);
$_POST['subject'] = preg_replace("/\n/", "", $_POST['subject']);
$find = array("/bcc\:/i","/Content\-Type\:/i","/cc\:/i","/to\:/i");
$email = preg_replace($find, "", $email);
$comments = preg_replace($find, "", $comments);
$name = preg_replace($find, "", $name);
$subject = preg_replace($find, "", $subject);
$msg = "Name: " . $name . "\r\n\r\n" . "Email: " . $email . "\r\n\r\n" . "Subject: " . $subject . "\r\n\r\n" . "Comments: " . "\r\n\r\n" . $comments;
$headers .= "From: " . $name . " <" . $email . ">" . "\r\n\r\n";
by the way some slashes are missing in the preg_replace examples in previous posts on this site, so i added them here.
Oz from Australia
These guys are a pain.
I'm not sure if this is the right approach, someone correct me if I'm wrong.
I had the luxury of being able to fix the code then change the url of the PHP script and changed all the pages that call it to refer new url. This was a quick fix to stop our site being used as a spam proxy.
I then modified the original php that had been spam scammed and hard coded the to,from and message content. It now sends all spammed email back to mhkoch321@aol.com along with a nice "friendly" message. I just figure if we all did this it would make it a bit harder for these guys/girls. What do you think ?
Jen from Chicago, IL, USA
I use formmail.php ... can anyone tell me exactly what to change?
Randy from Europe
Oz: careful with that approach... if everyone did this you'd basically be building a ddos infrastructure for the attacker. he could then easily ddos aol.
also: you're making yourself vulnerable. with a relatively small http request the attacker can trigger an email which uses up more system and network resources on your side. he could dos your system, make your server use up all its bandwidth, he could possibly make you exceed your traffic limit if you have one and then you'll either be offline or you'll have to pay extra.
i don't think he actually reads any mail to mhkoch321@aol.com, he probably has some script collecting the emails to fill a database with vulnerable ip addresses or so. would be kinda cool to know his script and exploit it with a "broken" email to this aol address though ;) you're better off looking for more vulnerable scripts on your servers and fixing them before someone else finds them though.
Oz from Australia
Thanks Randy.
Yes your right.I'll scrap it and just make sure the scripts are secure. It just p'd me off and I wanted them to know ir.
Ron C. de Weijze from Amsterdam
Hi, just sent the following mail to aol.
=====
From: Ron de Weijze [mailto:rdw@concepts-ict.nl]
Sent: 07 September 2005 04:14
To: 'postmaster@aol.com'
Subject: spammer from aol is bothering the rest of the world.
Importance: High
Hi,
This spammer is using an aol account and is responding to any internet form with nonsense letters.
Please search the net for bergkoch8@aol.com (which he uses in the bcc field).
This forum is discussing his annoyances.
Urgent!
Thank you,
Ron C. de Weijze
M2M Matter to Man BV
www.pmm.nl
=====
Barta Csaba from Oradea/Bihor/Romania
Hy, thanks for the info, im a php+mysql programer and 7 of my sites got this "attack", none of my scripts are vulnerabil for this attack since i use htmlspecialchars and addslashes but im still heppy for knowing what is this "mail rubish" that i get :) oh and hears on of the script kiddies: mhkoch321@aol.com
Chris from UK
Jsut htought I'd add support. Homeiragtime@aol.com was at my form yesterday. I'm not much of a PHP guy, so I've implemented a version of the fix off of Anders' other page.
What's stopping AOL from handling this? Laws in whatever country the spammer is doing it from?
Chris from UK
I just realised that the guy did NOT get access to mine. The bcc statement is in the BODY, not the header. That means my script is safe correct? Or does that just mean that it's masked in the header? This shows up in my message (Body):
Name: qgyiq@giftedniche.com
Telephone: qgyiq@giftedniche.com
Content-Type: multipart/mixed; boundary="===============0405870795=="
MIME-Version: 1.0
Subject: ebaa588e
To: qgyiq@giftedniche.com
bcc: Homeiragtime@aol.com
From: qgyiq@giftedniche.com
This is a multi-part message in MIME format.
--===============0405870795==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
nbkxiw
--===============0405870795==--
Website: qgyiq@giftedniche.com
Message:
qgyiq@giftedniche.com
It looks to me like the spambot tried to inject the Telephone field? Am I right here?
markus from innsbruck, austria
filtering out all requests containing "bcc:" in the text seems to be a goog idea!
btw, here a few IP addresses that are used for this annoying contact form spamming approach:
213.25.156.26
211.101.6.3
80.124.140.1
212.50.185.147
217.218.155.73
always with bcc: jrubin3546@aol.com
best regards,
markus
Marin Saylis from North Yorkshire / England
209.133.181.161 < another IP address, was exploiting my website contact form. Added the above mentioned filters, hoping nothing will get through to the bastards! ;)
MrKicks from Los Angeles
I too have attempts with a bcc of bergkoch8@aol.com . We use a HTML forms that post to .Net that sends the data through SQL to our Email's com. There is no chance that this could be used for spamming but it is interesting to see the attempts.
I also sent this address onto AOL with an explination and a link to this site.
art101 from California
AOL continues to splatter "Want a better Internet?" TV ads all over the public airwaves here in the USA.
Calls and emails to AOL regarding the spam injection issue documented on this site are ignored. AOL is clearly more interested in marketing its crap to gullible new users than in serving a broader global community.
Greed and shortsighted profit... that's what AOL is all about. Shame on AOL. Shame.
http://art101.com/contact.html
thomas from Germany
I have been attacked by bergkoch8 several times. I fixed the contact form (ASP) but s.o. or s.th. stays trying. Tonight jrubin3546@aol.com (REMOTE HOST:209.173.13.167) tried to crack it once more.
Tiigeress from Chicago
I recieved some attempts from this sick individual today as well. They didn't work but I saw someone a few posts back ask for a form handler that protects against this... best i have found is called Forms To Go, found at bebosoft (dot com)
may barbarians invade his personal space.
Anony from
According to
http://postmaster.aol.com/guidelines/junk.html#abuse
Please report these attempts to " TOSGeneral@aol.com"
With enough complains we can hopefully close their account
KLemmkeil from Germany
I´ve been attacked 4 times over the last few weeks by this sick individual too. Changed all scripts to stop this annoying stuff. If i ever get my hands on whoever that may be... Help him god.
jcjaxson from waldwick, nj
I'm using an ASP-based script (no "Niki from U.K." - you are not the only one using ASP) that does not interface w/CDONTS.
I'm not sure if this has been discussed, but what we've uncovered in our investigation is that jrubin3456 is modifying all fields ... including hidden fields and radio buttons ... into text fields, that he then fills with his code.
We've taken an approach where, once we detect the attempted attack, we stop the email from being sent. We then capture the IP address from which the attempt has been made. (The most recent attack this morning came from 219.93.174.103.)
Rather than dealing w/AOL, I've traced the IP Address back to the Administrator of that particular block of addresses and notified them of the attempt. I am also pursuing an approach through a blacklist organization to see what might be done through them.
comments, anyone?
Arthur from Virginia, USA
Good article and comments.
Looking at my logs, I noticed that the requests from the bots don't contain the HTTP_USER_AGENT field, and the HTTP_REFERER field is set to my home page, not to the address of my contact form.
So I added the following to my php script:
$valid_user_agent = isset($_SERVER["HTTP_USER_AGENT"]) && $_SERVER["HTTP_USER_AGENT"] != "";
$valid_referrer = isset($_SERVER["HTTP_REFERER"]) && $_SERVER["HTTP_REFERER"] == "http://{$_SERVER["HTTP_HOST"]}/contact.php";
if ( $valid_user_agent && $valid_referrer ) {
// send email
} else {
// spambot
}
Kevin from USA
Wow. Seems pretty common. I don't PHP at all, but I am guessing that a simple ASP replace function would take care of the hook. Almost seems like a SQL Injection Attack
Haze from Spain
Seems to me that some of you have ASP script that works, anyone who can show us how to do? I received over 100 emails from my forms today so he send more and more. Please HELP!
Regards Haze
GoGo from Netherlands
Got several too, by bergkoch8@aol.com.
Thanks for advising.
Tiigeress from Chicago
This is kind of interesting... after a failed attempt to hijack a testimonials section of my site, a few days later i get 4 new posts waiting for approval from i assume the same person with different attempts. A lot of them are advertising a URL - http://www.home4u.china.com but there was one URL that stuck out at me as odd, it was the only one in a long list of strange characters. http://www.vhv.cn/ doing a few babelfish translations from chinese to english it appears that this is a company that makes or hosts advertising software or maybe the script that is taking over all of our sites. if this is the company this person is with, maybe it is worth further investigation. From what i gather, they call it "the hurricane"
here's a babelfish translation (i know it sucks) of part of the page...
"1st, enters the national large-scale information port, has your advertisement 2, enters each kind of type message center, has your advertisement 3, enters each kind of forum, turns on the mailbox........ to let your advertisement there is no place not in, lets your advertisement seize every opportunity"
here's another translation from the side menu:
"This website software face interlocks the net honestly to draft the business agent, the proxy condition extremely superiorly, enables you to become interlocks the net well-known group to send the software supplier and the group sends the service provider, and specially makes for the proxy has custom-made software, including business agent's individual copyright information, the contact method and so on other contents, our service and your inevitable success close is connected, welcome to relate, deigned to inquire! ! !"
what do you all make of this?
Tiigeress from Chicago
oh, more on that URL i just posted - the exact URL in the code was: http://www.vhv.cn/zxgx.htm
Joachim from Australia
I guess another way to prevent this is to check all the header-fields that are sent from the HTML Form. Do a regular expression, or a string search from either \r or \n and remove EVERYTHING, including \r and \n after it in the header field. This is acceptable because there are not supposed to be a line feed in any of these fields anyways.
Jordie from Australia
I got hits this afternoon from jrubin3546@aol.com, I found this site through Google. I guess the best I can do at the moment is set up a Thunderbird filter and see if I can dig up a bit more on Mr. Jrubin3546@aol.com.
I did something really stupid though... I sent an e-mail to the address, asking if he sent them or if he was receiving them too. Oh well.
Mike from USA
I got these emails from the bergkoch8@aol.com mail address. I use ASP and told my provider about what was going on. I wonder if AOL was told that the bergkoch8@aol.com bastard was using their system to pass kiddie porn would they react more diligently? I know it would be lieing, but if it got the guy shut down it would be good for the people he is exploiting.
Matthias from Germany
This is all very interesting. I have kept getting strange emails from our newsletter registration form since a couple of weeks ago and I first didn't know what was going on. Then I finally decided to trap the IP, which was 195.205.195.131. If you enter "195.205.195.131" on Google, you get very many results, it seems to be a proxy server in Poland. I also found out that "jrubin3456@aol.com" appears in the BCC line of one of the emails.
So far he doesn't seem to have succeeded because almost eveything in my call to mail() is hardcoded. However, he won't stop trying.
David from Birmingham, UK
Just a thought for an easy fix. Rather than removing line breaks and characters to disable the hack, is it not easier to check for the term "bcc:" within the submitted fields and simply not run the script if it finds it?
Matthias from Germany
This morning I got another 18 attempts using the following IPs:
208.255.231.36 (host36.agcocorp.com)
12.41.160.10 (co001sip01.solutionip.com)
12.20.120.98 (wv002sip01.solutionip.com)
142.169.32.60 (www.atena.qc.ca)
213.137.3.26 (host213.137.3.26.manx.net)
204.138.156.235 (unknown)
131.109.15.2 (unknown)
69.0.102.142 (69.0.102.142.adsl.snet.net)
129.49.65.113 (climate.msrc.sunysb.edu)
204.185.159.249 (unknown)
201.15.67.77 (master.worldnet.local)
12.27.32.186 (wv001sip01.solutionip.com)
12.104.41.154 (pa007sip01.solutionip.com)
12.104.41.154 (pa007sip01.solutionip.com)
12.135.196.162 (162.muh196.chcg.cgcil02r18.dsl.att.net)
65.183.39.107 (node39-107.ipglobal.net)
81.138.182.132 (host81-138-182-132.in-addr.btopenworld.com)
24.43.246.83 (CPE000d9301704d-CM00140492cf58.cpe.net.cable.rogers.com)
I found out that my script seems to be more vulnerable than I thought, but I fixed it so it should not be exploitable any more. I don't know why but the offender did not seem to try filling in any fields of my form, so I wonder what the purpose of this attack was.
Matthias from Germany
I have been hit by jrubin3546@aol.com again. He was using the same IP three times within a couple of seconds, and he did not seem to be using a proxy server.
I reported to the ISP that corresponds with the hostname that I was able to resolve and asked them to reveal the offender's identity. I also wrote an email to tosgeneral@aol.com, which seems to be the new address for complaints of this kind.
Well, let's see if I get any response...
Jon from UK
Thanks for the info here. I've been monitoring these attempts on a few domains over the last few weeks and have stopped them each time I find an e-mail gets through. I've sent a complaint to AOL at their TOSspam address.
Dan from UK
After watching them mess with my forms for the past couple of weeks they succeeded in sending out some spam last night. Deleted the script, patched it up then reupped it. Seems to have worked for now.
Interestingly a different ip from the bots is now rescanning the site and grabbing the new contact form after the last dozen bot attempts got 404 or 403 errors: 67.109.66.254
Rob Barkas from Haverhill MA USA
Received 15 of these this morning with the bcc being mhkoch321@aol.com. If AOL is getting so many complaints why is this account still open. I did report it to TOSGeneral@aol.com hopefully something will be done. I will now have to validate my PHP form due to this.
thomas from Germany
#136
For ASP scripting with JMail try this code to replace linefeeds and carriage returns
_______________
Set RegularExpressionObject = New RegExp
With RegularExpressionObject
.Pattern = "[\r\n]"
.IgnoreCase = True
.Global = True
End With
name=RegularExpressionObject.Replace(name, " ")
email=RegularExpressionObject.Replace(email, " ")
subject=RegularExpressionObject.Replace(subject, " ")
message=RegularExpressionObject.Replace(message, " ")
Set RegularExpressionObject = nothing
_____________
You have to use your form variables for name, email etc.
to kill all mails containing "bcc" try this:
_______________
Dim found = false
Set RegularExpressionObject = New RegExp
With RegularExpressionObject
.Pattern = "/bcc/"
.IgnoreCase = True
.Global = True
End With
found = ( RegularExpressionObject.Test(name) or RegularExpressionObject.Test(email) or RegularExpressionObject.Test(subject) or RegularExpressionObject.Test(message))
Set RegularExpressionObject = nothing
If found Then
msg.Send("yourpopmail")
endif
June Barkas from Haverhill, MA
It is king of obvious that AOL is not taking this problem very seriously as some of these accounts including mhkoch321@aol.com are still open as my husband received some of them in his business web site. AOL obviously doesn't care about the internet community at all as this web site was first posted on July 8, 2005 and it is now September 10, 2005 and it doesn't seem that alot has been done. If anyone knows the code for elimating bcc mail using PHP I would appreciate it.
Anders from RTP
Eliminating BCC: is a little more complicated than it sounds. For example, my posting this comment would trigger your BCC block because BCC: is in the body of this message. A BCC block still won't block additional TO: lines either. Take these points into consideration if you choose to block BCC. Killing \r and \n characters eliminates all possible permutations of this attack.
June Barkas from Haverhill MA
Thanks for the quick response. If I take out the /n can I uses spaces in between as all of the information would be clumped together?
Anders from RTP
Yes, replacing \r and \n characters with a space is a good idea. My origional example does this.
Matthias from Germany
I just got another 3 hits from jrubin3456@aol.com. I simply send them to AOL as an attachment and I will keep doing so. If you do that as well, then AOL might finally learn what it is like to get trash all day.
Someone suggested that jrubin3456@aol.com might already have been deactivated and that scripts on PCs keep using it, without the knowledge of their owners. But if this is not the case, then I wonder if it would help to mailbomb jrubin3456@aol.com and all the other addresses he's using. If this does not help, then one should maybe simply mailbomb tosgeneral@aol.com, making them aware of the problem by choosing an appropriate message body.
Anders from RTP
I wouldn't suggest mailbombing AOL. They have computers reading those messages before humans do so I'm sure they will just blacklist your IP and be done with you. Even though mail to these AOL addresses is not bounced back, we don't know if AOL hasn't already suspended the accounts and is just sending our emails to the bit bucket. The best strategy is for each of us to submit a rational complaint to AOL, hope they work on it and make sure we are not vulnerable to this attack.
Tiigeress from Chicago
Another thought... we could just block all of AOL from our sites - if enough sites do this people with AOL accounts will start complaining that they cant go anywhere on the net. maybe they would take us seriously then :)
I know it isnt a very practical solution, but this stuff is driving me crazy.
Has anyone looked at the site I mentioned a few posts back? I really think those people are the ones behind it all.
Klemmkeil from Germany
This annoying bastard is hitting my sites daily meanwhile.
Today, I got a returned mail by AOL stating that the jrubin3456@aol.com Mailbox is full :-)
I keep fixing my scripts, but he seems to find a way every time. I am stripping all \r and \n, but one or two attemps went through anyway. When I try myself, no mails are sent at all.
I am getting really annoyed!
Matthias from Germany
I can assure you that jrubin3456@aol.com is still an active account. I have just sent him an email, and it did not get bounced - neither did the other 5.000 or so... ;-)
Simon from UK
We've been seeing regular attacks of the same nature as discussed here on our web to lead form for a number of weeks. I've a feeling a few early attacks may have got through, but have tightened the backend up a lot since.
Today however we've seen over 30 attempts 2 or 3 an hour almost at random it seems. All failed.
At the suggestion of someone else I've initiated a log of the requesting IP - which in this instance was
The source IP was: 195.221.204.245
The hostname was: d02-245.ensiacet.fr
Has anyone else had an attack launched from here?
I've reported it to the named contact in the domain registration records - what good it will do I have no idea. This time the BCC address was jrubin3546@aol.com.
We changed our web to lead so that it always has a fixed (hard coded) from and to address - and now is only informational to us, rather than also copying the original sender on the message. So far this seems to be holding... We copy all the email address info into the message body for later examination.
In the near future rather than email us from the form it will post directly to our eCRM system as a potential lead, which will cut out any chance of it's use as spam, but I guess will open other possibilities....
It's good to see others are having the same problem, and share ideas.
Matthias from Germany
Now look what I just found in my inbox:
----- The following addresses had permanent fatal errors -----
<jrubin3456@aol.com>
----- Transcript of session follows -----
... while talking to air-yh03.mail.aol.com.:
>>> RCPT To:<jrubin3456@aol.com>
<<< 552 jrubin3456 MAILBOX FULL
554 <jrubin3456@aol.com>... Service unavailable
:-D :-D :-D
Russ from Los Angeles CA, USA
I have been dealing with jrubin3456@aol.com last night and this morning. It doesn't look like any of his 150 attempts went through, but he sure tried. I Googled his email address and found this page. Thanks for the info. I fixed some of my code, but with the information above I can now totally protect my site against these punks.
Jason from Tyson's
To report this guy to AOL call 888-665-3733. He also tried to crack my php contact form.
Greg from Canada
I got plenty of %#*! spam from jrubin3456@aol.com, trying to use my website forms.
I coded the PHP on my site 5 years ago, and I have long forgotten my code... Could anyone who came up with some nice working code against this problem be nice enough to post it for me and remind me where to append the code?
I saw the code with mysql_real_escape_string but I can't seem to figure how to use it from the PHP help file. There are too many different solutions in this thread. What's the definitive code people use?
Michael Grimm from Florida
I took out the /n however the data submitted is harder to read as it is all crunched up... Not sure if this is spammer proof yet though.
Matthias from Germany
jrubin3456@aol.com is back again. I got another 3 attacks this morning and forwarded the information to AOL. Looks like the address jrubin3456@aol.com is really being used by someone, as emails do not get bounced any more.
Oh well, then let's send another couple of thousand messages. If AOL does not react soon, then I might also send the information more than once next time...
Matthias from Germany
Ok, here we go again! :-D
----- The following addresses had permanent fatal errors -----
<jrubin3456@aol.com>
----- Transcript of session follows -----
... while talking to air-yh04.mail.aol.com.:
>>> RCPT To:<jrubin3456@aol.com>
<<< 552 jrubin3456 MAILBOX FULL
554 <jrubin3456@aol.com>... Service unavailable
Dean from Melbourne Australia
I've had about 120 attacks (with jrubin3456@aol.com as the BCC) across 8 different websites that I host, and which all had running my own custom php script.
However, as Pair Networks (pair.com) is my web host, they have their own custom formmail.pl script available -- they advised me to either use this script or find a more secure PHP option.
I settled on Tectile's PHP form mail variant -- free to use -- at http://www.tectite.com/formmailpage.php.
This includes two very helpful security features -- you can specify the target email for the form in a config file, and you can "mangle" your form's hidden fields so the recipient email is not in a valid email format for any trawling spam bots.
As soon as I implemented this solution today, I noticed 48 attempted attacks fail! (The Tectile program can email you at a separate address to advise you of when a user "fails" the form, although you can turn this off).
And I tried adding linefeeds and extra bcc addresses into my own forms, which immediately failed and stopped the form from working.
Thought I'd let you know how I solved it.
Chris from pornicopia.net
jrubin3456@aol.com's email showed up in my LAST SEARCH query.. Along with a limited amount of garble:
1.0 7bit 90f81d6f ===============1599482751== akytvbu bcc boundary= charset content-transfer-encoding content-type format. from hwcohnhr@pornicopia.net jrubin3456@aol.com message mime mime-version multi-part multipart/mixed subject text/plain us-ascii -===============1599482751
Lin from Uk
jrubin@3546@aol.com appears to be at his tricks of hacking my site. He is a menace, what can be done about this? I am no techie and would appreciate some advice?
thanks
Matthias from Germany
Ok, enough is enough. I got hit by jrubin3456@aol.com again and AOL does not seem to care a fig. This time I'll mailbomb them, too.
June Barkas from Haverhill MA
What I still don't understand about this whole situation is that most of us have contacted AOL regarding this and they have done nothing. They claim that they have an anti-spam policy? They certainly don't enforce it do they. When I receive any type of spam from hotmail or yahoo within a day or two the account is closed. I don't understand what is taking so long for them to do anything? If you search out any of these email addresses you come up with tons of guestbooks that have been signed by them. What is wrong with AOL? If they email addresses indeed did get hijacked then the accounts should be closed immediately if not sooner. Still don't understand their policy.
Matthias from Germany
Oops...
----- The following addresses had permanent fatal errors -----
<tosgeneral@aol.com>
----- Transcript of session follows -----
... while talking to air-xk03.mail.aol.com.:
>>> RCPT To:<tosgeneral@aol.com>
<<< 552 tosgeneral MAILBOX FULL
554 <tosgeneral@aol.com>... Service unavailable
I am surprised to learn that the postmaster has a limited account - maybe he should buy an upgrade to be able to receive more emails... ;-)
June Barkas from Haverhill MA
Yesterday I removed all of the \n in all of the fields and today got slammed again 16 times with a bcc of mhkoch321@aol.com including the Mime message. Any suggestions?
nic from virginia
Try using a more secure form like this one below (see web address) i was getting spammed just like most of you mention above so i changed my form to a new one where user has to look at image and type in letters from it as well as some more security checks and feature.. it's a good form. to use
http://rockcontact.rebusnet.biz/
Uli from Berlin
I had the same attempt on one of my administrated websites. He used the adress: Homeiragtime@aol.com and was trying to attept a hack on the 06th Sept.2005 at 02:08am MEZ with the ip: 216.151.106.11
Eduard from Amsterdam
I found Arthur's comments (#134) to be useful, also I think Anders' comments at the top are relevant in explaining the mechanism allowing for the hack.
I'm using Richard Heyes' php formmail script and interestingly enough, the version I was using was already set up to add a lot of /r/n's but it was still hackable. I updated it to his latest one and will see if this helps. I also used the referer and user_agent filtering.
Matthias from Germany
AOL anti-spam policy? Don't make me laugh! Rumor has it that they even sell the data of their customers, so signing up with AOL is the best way to get spam.
I was hit by jrubin3456@aol.com again, and I forwarded the information to AOL as before. The email did not get bounced, so someone must be reading this stuff.
My script should be secure, but it's still annoying to get these tests all the time. Well, I am mailbombing jrubin3456@aol.com again...
Dami from Germany
I have the same problem, which is costing me lots of money as mails get forwarded to my phone.
As AOL seems to sleep, has anyone contacted CERT or government authorities yet? I'd also be happy to supply IP addresses...
Anders from RTP
Matthias: please don't mailbomb.
Dami: CERT is a good idea. I haven't contacted them, but we should first check to see if an advisory is out. This has been going on for a long time so someone may have already submitted something.
Another clarification, with the \r and \n replacement fix, you will still get the test emails which is quite annoying. Some additional checks (such as the BCC: suggestion from earlier) can be used to stop you from seeing the probe emails as well but you have to be carefull as I mention in comment #152.
Matthias from Germany
Why should I not mailbomb jrubin3456@aol.com? AOL does not seem to be able to close the account, and I am really fed up with that guy.
Anders from RTP
Matthias: This guy is frustrating I know, but script around it for now. Check on CERT and see if they know about this problem yet. Submit if they don't know yet. I have a feeling AOL will listen to CERT.
Matthias from Germany
Well OK, I will cease mailbombing jrubin3456@aol.com and AOL. But as far as CERT is concerned, I hardly know anything about that organization or it's purpose, so could anyone else do that please?
Decibles from India
I’m a PHP newbie and jrubin3456@aol.com has been a pain ....its been more that two weeks now and I’m tried of handling spam in my personal mail and all my clients are after me to resolve it as eventually the same PHP script runs on their site too....don’t know if this is a great idea but it just occurred to me that by separating the email "from" field from the rest of the form and collecting this on a separate page and collecting other details on a different page work? And will it stop the spam...? Would really appreciate the feedback
Pieter from Netherlands
jrubin3546@aol.com is attacking formmail here.
If you subscribe him to many boards to spam him, you're only give him new scripts-adresses.
He is using different anonymous proxy servers and sent a bcc to jrubin3546@aol.com
The last time I had problems with a "bomber", I created an account at the internetcafé on Ebay and in the control-panel (after activation) I changed the free email account. Did some bids on Ebay and 2 weeks later the email adress was out of order. Seems Ebay is working on AOL
Chess from San Diego
I have used Forms To Go and am being hit by jrubin about 5 times a day with 12 emails sent each time.
I use a PHP Script. Is there a simple code that I can include in my script that would kill all bcc emails AND strip the \r and \n strings while at the same time not clump all my information together into an unreadable mess?
This may have been covered befoer, but I am not sure which codes will work best for PHP. Thanks. Let's put an end to this joker!
Luke from QLD Australia
I have found that the dropkick has been using these IP's
69.56.173.61
213.140.1.192
146.235.66.52
64.60.91.218
66.135.39.146
131.109.15.2
200.119.133.50
80.82.3.137
213.84.97.62
I also found that the IP address is changing every hour or so.
Could this be some sort of spyware or trojan program that has infected other computers?
Or maybe there is more than one spammer involved in this crap??
Jo from Hamburg
Many people are asking for the best change to prevent email injection and to get rid of the annoying test emails from the spambots. As Anders suggests, I think also the best way to secure mails is to replace linefeed (\r) and newline (\n) charcters with spaces in all variables intended to be placed in the mail header. This is not necessary for the message body. Some have done this and got ugly formatted emails as a result.
Next is to reject the test emails. This is easy for all fields which will be added to the mail header. If they contain \n or \r you may stop sending the email. How to do this is explained from Uwe in post #81.
After grasping the fields contained in a form the spambot by-passes the form and sends his request directly to the script. In his repeated tries he fills his malicious email in one form field after the other, so not always the email field contains the garbage. As the message content may contain any text it is site dependant if you are able to define expressions which are not allowed in the content. The same is for all other fields too. You have to decide individually what content is wrong and define similiar expressions as in post #81. As more expressions you find as less spamtest mails you will receive.
The current spambot also can be recognized by the missing HTTP_USER_AGENT and incomplete HTTP_REFERER fields. But this is not unique. As posted earlier some firewalls delete the HTTP_USER_AGENT and if someone has bookmarked your site no HTTP_REFERER is set. Also future spambots will probably do it better.
And don't blame AOL for the outrage of the spammers. They can not do very much. The probing mails as well as the spamming mails are not sent from AOL but from a lot of pc's which are hijacked by a trojan virus. It will not reduce any of these annoying test mails with bcc to jrubin3456@aol.com or bergkoch8@aol.com if the AOL account is closed. The only thing AOL can contribute, is to prevent anyone to download the mails from that accounts, so the spammers do not get new addresses of cracked web sites.
Barbara from UK
I have tried some of the fixes suggested for my html/php forms and would like some help for an error I am seeing in the POSTed email.
Where I test for \n, this is being replaced by \\r. I know this is not a problem, just wondering why this is happening when I would expect " ".
Dear Mr.AOL appears to being a little blocked by what I have done and is now spamming me with empty response forms.
With everything else that I am testing for, how do I add in a NULL test. Not all fields are required so I only need to test if all fields are NULL.
Or, has my form been hijacked completely and I am only getting the NULL part sent through while the script does its evil work on my server?
Chess from San Diego
I read post #81 and have copied the script. Is this something that I paste into my php script. And if so, where do I paste it? Apologies for being such a newbie at this.
In my script he only fields that get called into the header are the name and email. So, I just strip the \n and \r drom those fileds? How do I add a space so that the fields don't run together in the email that I get sent?
Thanks for any straight forward answers.
Optima from Malaysia
We using ASP form and got the spam attack as well, any way to cure it or fix it?
Matthias from Germany
Looks like the attacks are getting less. While jrubin3456@aol.com used to send 3 emails in each attack, he has only send a single one this morning. I hope he did not get disturbed by my script detecting the hack and sending him more than just one email to jrubin3456@aol.com... :-D
I know that AOL is not responsible for the spammer trying to hijack our forms, but preventing anyone from downloading the information gathered in these accounts will make the spammer's life much harder, and this is the goal of closing them.
Besides, these accounts are the only chance to identify the offender, as the logged IPs only tell us whose PC was abused for the attack. However, AOL seems to protect this guy.
Carl Colijn from Netherlands
I use ASP and CDONTS on my website, and I did a check whether the script was vulnerable. The value of the "To" field is hardcoded in the script, but the "Sender'", "From" and "Subject" header fields are not. For testing purposes I set these fields to "Request.Form("email") + vbNewLine + "Bcc: spam@ (etc.; our company web address)"; and the results were this:
- Setting "Sender" triggered an error while sending the mail
- "From" and "Subject" seemed to get their newlines stripped already by CDONTS (replaced by spaces).
The mail got through to our inbox (when I removed the "Sender" test), and the mail's source revealed no extra header lines with the BCC field; the BCC line was merged in the To, From and Subject line.
Our server is using IIS 6.0.
Just to be on the safe side, I still patched our script ;) I used the following code in the new email script:
Function SecureHeaderField(sFieldValue)
SecureHeaderField = Replace(Replace(sFieldValue, Chr(10), " "), Chr(13), " ")
End Function
You use this function i.e. like this:
oMail.From = SecureHeaderField(Request.Form("email"))
I invite anyone that wants to give this script a test (including mr. jrubin3546 et al. :) ) at our web form: http://www.twologs.com/nl/contact/main.asp (the page is in Dutch, but the form is easy enough to understand).
Hope this helps anyone.
Cosmo from UK
I'm trying a different approach. Using PHP.
1. Clean all $_POST fields
2. use regex to check all named fields for presence of an email address in the text; count the hits.
3. reject any input that contains more than one email address anywhere
4. validate that one email address as the 'from' adddress (the regex excludes /n and /r as a matter of course)
5. 'to' address is hard-coded.
This way, you don't lose formatting on the message body. You don't allow bcc or other addresses anywhere - just the sender's address.
Comments?
Matthias from Germany
Looks like I spoke too soon. I got another couple of hits from jrubin3456@aol.com. I called AOL Germany and asked them what they could do about that guy. They told me that I would have to report to the police. AOL really sucks... It seems to be the provider of choice for hackers.
Well, I am now going to incorporate the code from Uwe in post #81 into my script.
Greg from
i don't use a bcc in my post variables, would this kill it if i put it up top?
if(isset($_POST['bcc'])){ exit; }
is it possible to check for the presence of variables outside of the few i use that aren't mine and if found exit?
Greg from
wold be nice to have a script that checks for the variables you expect and if others are found, it will kill the form
Ian from Australia
Yep, I had three different servers I run have this hack today, all from jrubin3546@aol.com.
Given I don't know a single techo person who actually uses AOL, I think (as well as putting in the sugestions above) I'll do a search for 'aol.com' in every field. If it exists, die() will be called...
June from Haverhill MA
Hi Nic, I like the idea of having a box to type in the letters and numbers to verify. What are those called and where do you get them from. Call me stupid, as I have seen them around every where but don't know where to get them from.
Thanks
Michael from Atlanta
It started about two weeks ago for me. My site was hacked into by jrubin3546@aol.com. I now need to pull my site off line. How can we trace this culprit down and prosecute!
Ben from Bristol, TN, USA
I have been severely affected by this problem. I maintain abouut 25 websites and about 50% of them have been hit by 20+ e-mails and the frequency is increasing. They aren't "working" in terms of relaying, but it's still consuming time and my customers are asking questions.
I'm afraid this could be the beginning of a significant change to web development. We have made the decision to begin utlizing a low-level "turing" test on all our forms to verify the form submitter is indeed a human being. I realize we could implement steps server-side to prevent these automated contacts, but I also realize that this problem will only continue to evolve as enough insecure forms and servers exist to be exploited in the future in new ways.
We are going to start with a simple question, such as "What is the third letter of the alphabet?" but we dread moving towards CAPTCHA (http://www.captcha.net/) techniques because they are inaccessible to those with vision impairments or browsers not displaying images.
It may be that we will have to continue to devise ways to trick computers until that inevitable moment when it's impossible to differentiate and we'll have to resort to fighting the losing battle of IP bans, e-mail bans, and string recongnition deflections.
jrubin_victim from USA
To Jrubin - congratulations jrubin3546@aol.com - it takes alot to piss me off - with over 300 attempts this morning - I hope someone hacks the $#!^ out of you.
Kirk from Carlisle, PA
A HTML/PHP contact form on my web site was compromised this morning by jrubin3546@aol.com. Over 300 attempts corroded my inbox. What an annoyance! Is there anyway to tell if this person was successful in sending spam or attaining there goal?
Jo from Hamburg
Hi Matthias,
I don't believe any mailbombing is a good idea. I think this helps primarily the spammers because all mails to that AOL addresses may be evidence if this guys get caught. And if the mail accounts are full the evidence is lost. Therefore it is important that the spammers can not download their mails.
A way to force AOL to give a statement about what they have done with these accounts may be to inform computer magazines (like c't in Germany) about that spam campaign (with evidence of received hacking attemtps, discussion forums at the web, persons who get infitrated by the trojan virus as described from Tony in post #62 and that AOL gives only general statements). In their issue 5/2004 c't had a report how they revealed the cooperation of a hacker group with spammers. Last I've heard was that the three leading guys from U.S. and UK were brought to court.
Terry from MN
If you're using a formmail script rename the script to something other than formmail. The bot searchs for formmail file handles.
Matthias from Germany
These attacks seems to follow a certain pattern: I always get 3 Emails per attempt, one without any spam injection and 2 with spam injection. Having included the code by Uwe in post #81, I seem to have got rid of the spam injection probes at least. However, I still get the other one.
As Jo from Hamburg has suggested, I have just sent an email to the editor of the c't magazine, asking him to search for jrubin3456@aol.com on Google and to check out this discussion (I included a link to this page).
Maybe they will investigate the issue and publish an article, forcing AOL to take action in order not to lose their reputation (which won't change the fact that I have never held AOL in high esteem anyway).
Sergio from Barcelona, Spain
Another victim of jrubin and bergkoch8 here. Fixing my PHP scripts right now. Thanks for this site!
June from Haverhill, MA
Not sure if this is working, but today I didn't receive any bogus emails. If someone can take a look at this code and give some feedback, I would appreciate it.
Thanks!
<?php
if ($Submit) //if Submit is hit
{
if ($to == "info@mydomain.net" && $subject == "Inquiry for Function" ) {
mail($to, $subject, $from, $body);
echo "<meta http-equiv=\"Refresh\" content=\"0;URL=http://www.mydomain.net/HomePage.htm \">";}
else {
print "Sorry! Wrong information, cannot send form";
} }?>
Nick from UK
Each time I've been hit it uses my own domain in the fields, e.g:
To: qdlnnbun@example.com
bcc: jrubin3546@aol.com
From: qdlnnbun@example.com
Could a script be used to block any e-mail addresses that include one's own domain - @example.com?
Tommy from Germany
A friend contacted me a couple of days ago with the plea for help for he was getting strange emails sent through the contact formular on his website. Turned out to be the problem described here and was fixed fast. But by carefully scrutinizing the access statistics another problem popped up - some of the attackers have supplied a correct referrer (ie, if the URL of your contact formular is http://www.somesite.com/mailme.php", the attackers often supplied "http://www.somesite.com/index.html" as a referrer). Now, since the site is entirely realized with PHP, there is NO SUCH document, so the referrer is obiously as fake as a 3-dollar bill).
Looks like some malignant software writer is trying to get smarter.
from
If the $from variable in post #208 is from a input field of the form this code is unsecure. You have to apply a substitution as Anders has described in his article http://www.anders.com/projects/sysadmin/formPostHijacking/ to disable email injections.
If you want to ignore such attemps apply a check similiar to post #81 from Uwe. But this does not ignore all attempts. Although they are harmless and only fill your mailbox.
Linda from Virginia Beach, VA
I got 273 of these emails this morning. I think I've fixed my form & don't want to help spammers by posting how they are doing this, but I'm not really sure I understand how this is being done. I'd really like to test my form to make sure it is fixed. Can you give some tests or suggestions to make sure it is fixed?
Jay from London, UK
I'm really stuck!
Whatever i try, i just can not stop these emails incoming.
The other day i had about 60! :(
Is there anyone with a fool proof bit of code?
Help!
Thanks.
June from Haverhill, MA
The form variable on post#208 is not from an input field. It is a variable that is desinated $to= 'info@mydomain.net' and $subject=Inquiry for Function'. They are preset and not from input fields that is why I was curious if this would work.
Thanks
Pete from UK
I had someone try to use my contact form too. BCC'd to another AOL address: mhkoch321@aol.com
I've put some code in now to stop it happening - however it still sends the email to me, so I can see who is trying what.
I've hardcoded the to, from and subject into the mail() command now, and I check all the other fields for the @ symbol and replace any found with another character. Should stop it happening.
Tiigeress from Chicago
Linda:
Carl, #193 posted a way to test: Request.Form("email") + vbNewLine + "Bcc: spam@yourdomain.com";
in your browser's URL bar, type in the url like so: http://www.yourdomain.com/formhandler.asp?Request.Form("email") + vbNewLine + "Bcc: spam@yourdomain.com";
at least I think this is how it is supposed to work, i tried it on my form and it sent to my spambot error page <3 if this is not how it goes, I too am looking for a test script. thanks all. :)
arctangent from Seattle
We had posts appearing in numerous forms - mail, guestbooks, etc. - on our system, which serves many hosted domains. We hit on a similar solution, modified for our multi-site environment; thanks to Anders and to all who posted for the confirmation.
from
RE occasional coders: I've noticed many people in this forum typing /n /r when they mean \n \r. It's the \ backslash (escape) one must use to trap newlines and returns. With / you'll be debugging your code forever.
Haze from Spain
Hi again. ASP/JMAIL. A Swedish girl told me to move the JMail.Subject and JMail.Body to the top, right below "Set JMail = Server.CreateObject("JMail.SMTPMail")" and have all the others below, JMail.AddRecipient and JMail.AddRecipientBCC etc. She says that my info will write over the info put in by the spam robot. I'm not sure if it works but have not received any spammail since then, Friday last week..
from
just an update, this was useless - if(isset($_POST['bcc'])){ exit; }
greg from
check this out!
if ( eregi( "MIME-Version: ", $_POST['field1'].$_POST['feild2'].$_POST['etc'] ) ) { die( 'Get out, spammer.' ); }
from - http://us2.php.net/manual/en/ref.mail.php