Saving yourself from contact form hijacking

These days contact form hijacking is on the rise: spammers are using weak contact forms to send spam emails, and this gets the server blacklisted on many sites. AOL email addresses are the ones most targeted by the spammers.

I came across this when one of my client’s contact forms was hijacked and my server IP got blacklisted. I figured out the problem with the help of the Outblaze guys and fixed the issues with the form, but that was not a permanent fix for this.

Now, what is contact form hijacking?

The spammers pass invalid characters into the mail headers through the form fields, using bots or scripts.
For example, they pass a BCC header with MANY email addresses in any of the form fields and send out emails. They even modify the value passed in the subject variable if it is not fixed server-side. In my case they were sending “diet pills” spam mail using that form.

This works if we do not check for invalid characters during form validation.

An example would be the following value submitted in a form field (for instance the sender address):

"sender@anonymous.www%0ACc:recipient@someothersite.xxx%0ABcc:somebloke@grrrr.xxx,someotherbloke@oooops.xxx"

Each %0A is a URL-encoded line feed, which starts a new header line, so this string adds Cc and Bcc fields to the headers and the email goes to these people as well.

How do we stop it from our side and make the forms secure?

If we check for CC and BCC, or more generally for a repeated @ character, on the action page, then it can be stopped. We can also log that IP and other details and take action (report the spammer’s IP, for example).

In PHP you can write a function which does all the necessary cleanup; the code on this page will help you with it.
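As an added example (not code from the original post), here is the naive PHP mail() call that the injection string above targets, beside a validation function implementing the checks just described; the field names, recipient address and log destination are assumptions:

```php
<?php
// Added example, not code from the original post; field names and the
// recipient are assumed. PHP URL-decodes $_POST, so the %0A in the string
// quoted above reaches the script as a real line feed.

// VULNERABLE: a line feed inside $from turns the rest of the value into
// extra Cc:/Bcc: header lines, which is the hijack described above.
function send_contact_vulnerable(string $from, string $subject, string $body): bool
{
    return mail('owner@example.com', $subject, $body, "From: $from\r\n");
}

// Returns a reason when a field carries header-injection markers, null when
// clean. CR/LF is what creates new header lines; the Cc:/Bcc: keywords and
// the single-@ rule are the action-page checks the post recommends.
function header_injection_error(string $value, bool $is_address = false): ?string
{
    if (preg_match('/[\r\n]/', $value)) {
        return 'line break in field';
    }
    if (preg_match('/\b(bcc|cc|content-type)\s*:/i', $value)) {
        return 'mail header keyword in field';
    }
    if ($is_address && substr_count($value, '@') !== 1) {
        return 'address must contain exactly one @';
    }
    if ($is_address && filter_var($value, FILTER_VALIDATE_EMAIL) === false) {
        return 'invalid email address';
    }
    return null;
}

// HARDENED: validate every field, log rejects with the client IP (so the
// spammer can be reported), and fix the subject server-side so the
// visitor's text only ever reaches the body.
function send_contact_hardened(array $post, string $client_ip): bool
{
    foreach (['email' => true, 'subject' => false, 'message' => false] as $name => $is_address) {
        $err = header_injection_error((string) ($post[$name] ?? ''), $is_address);
        if ($err !== null) {
            error_log("contact form rejected from $client_ip: $name: $err");
            return false;
        }
    }
    $body = "Subject given: {$post['subject']}\n\n{$post['message']}";
    return mail('owner@example.com', 'Website contact form', $body, "From: {$post['email']}\r\n");
}
// Constructed input: the injection string quoted above, URL-decoded.
$attack = "sender@anonymous.www\nCc:recipient@someothersite.xxx\nBcc:somebloke@grrrr.xxx";
var_dump(header_injection_error($attack, true), header_injection_error('alice@example.org', true));
```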

Many people say that it can be stopped by using CAPTCHAs (image verification scripts), but these days there are scripts which can decode CAPTCHAs too. No kidding; here is a link which shows a working example of a CAPTCHA decoder script.

How do we stop it from the server side?

Since I run a web hosting company, it is difficult to check each and every form used by clients, sit on it and clean it.

I then enabled a few things on the server side: I allowed only 100 emails to be sent from one domain in an hour. The second thing was that I installed the mod_security module to take care of these spam mails.

If you are a Linux server admin then you should know what mod_security is and what it does. I must say it is a very powerful module; you can set rules in it and delete spam mails being sent from your server. It also allows many other rules, like blocking a few phpBB and other exploits, XSS and SQL injections, etc.

I just had to add two lines to stop the spam mails. The rule checks for BCC headers and allows only 20 addresses in BCC per mail.

I am reading a lot of stuff on mod_security and learning as I go, so I can try my level best to protect the server from these kinds of attacks.

Good reads for contact form hijacking would be:

For end users:

Info on email injection
Secured PHP contact form
Project Killbot

For server admins:

Info on form hijacking
mod_security home page
mod_security rules

3 Comments

  1. Is form hijacking only related to PHP? Should I be worried about this happening on Windows ASP servers?

  2. It is not specific to a particular programming language; it is more about the logic, so the same thing applies to ASP and other languages too.
