September 30, 2005

Evil Robots of Questionable Canned Meats

Like anyone else, I hate spam. It takes up computer resources and wastes time. So I'm happily pleased with the performance of the junk filter integrated with Thunderbird. It seems to do the trick, keeping the unwanted mail in my inbox down to an acceptable level. Dandy.

Lately, however, spam has been biting web developers in a new way. The bots are on the loose. And these aren't your typical run of the mill crawl-the-web-and-collect-email-addresses spam bots. These nasty creatures appear programmed to target forms, intent on finding a way to hi-jack the underlying mail server.

On many forms, especially contact forms, the content from the users submission is used to create the headers of an outgoing email (to, subject, from, etc.). The spam bots now seem to be posting to these forms, attempting to inject additional headers and a message into the existing headers. If unprotected, one of the spammer's injected bcc headers would alert them of their success. Once they know a machine is open to this type of attack they can strike again, loading up the headers with spam recipients and a message of their choosing. Unless you are watching for this, your server can unwittingly deliver these emails, doing the dirty work for the spammer.

In many cases mail servers are already protected against this form of attack, disarming the danger to a mere annoyance. But what if you aren't sure if your mail server is protected? What if the injection attempts are failing, but receiving the fallout from these attempts is cluttering your inbox and driving you nuts?

In PHP, you can protect yourself by making sure your mail headers don't contain the new line character '\n'. Stripping this from your headers before sending your email prevents the spam bots from injecting any additional destructive elements.

$cleanheader = str_replace('\n', '', $_POST['incomingheader']);

To keep from receiving their failed attempts you might want to revise the code above to try and detect the new line character and kill the script if you suspect foul play.

No comments: