Re: protecting against exploiting mail forms

To: debian-isp@lists.debian.org
Subject: Re: protecting against exploiting mail forms
From: Luc Stroobant <debian@stroobant.be>
Date: Sat, 19 Nov 2005 19:32:47 +0100
Message-id: <[🔎] 437F6FCF.4010109@stroobant.be>
In-reply-to: <[🔎] 1425852874.20051119121720@onee.sk>
References: <[🔎] 1425852874.20051119121720@onee.sk>

Marek Podmaka wrote:

Hello,

  recently one of our customers had a badly written php script for
  mail form and someone exploited this to send some spam. It is
  exploited by injecting entire mail (with additorial recipients) to
  From field - when script doesn't take care of additorial new lines.

  Detailed description of this attack can be found here:
  http://www.anders.com/cms/75/Crack.Attempt/Spam.Relay

  Is there any general solution? I was thinking about using
  mod_security, but I'm not sure which string to block - not to cause
  any false positives. The problem is I don't know form field's name,
  so I can test only value. Would "\nTo: " or "\nBcc: " be a good
  choice?


We use:

SecFilter "To\:"
SecFilter "to\:"
SecFilter "From\:"
SecFilter "from\:"
SecFilter "Cc\:"
SecFilter "cc\:"
SecFilter "Bcc\:"
SecFilter "bcc\:"

Few weeks ago we had a simular attack on our server and the rules seemto work...

(but you should try to secure the forms first off course!)

Luc

Reply to:

Follow-Ups:
- Re: protecting against exploiting mail forms
  - From: Marek Podmaka <marki@onee.sk>

References:
- protecting against exploiting mail forms
  - From: Marek Podmaka <marki@onee.sk>

Prev by Date: Re: protecting against exploiting mail forms
Next by Date: Re: handling malware with ClamAV milter
Previous by thread: Re: protecting against exploiting mail forms
Next by thread: Re: protecting against exploiting mail forms
Index(es):
- Date
- Thread