
Re: [LUG] Website locked


Gordon Henderson wrote:
> 
> I had a customer recently write their own form to email thingy... They
> thought that since it was custom written and mostly hidden with form
> variables that weren't obvious that it would be safe... Sadly not and
> once it was discovered by the spammers it wasn't long before it was
> abused, so they either have lots of humans doing the work or some clever
> and adaptable tools....

Or possibly the form your customer wrote had one of many common problems
with it. The classic is not validating variables before passing them to the
PHP mail function; almost every PHP-to-email script I've seen failed to do
this, and one I fixed doesn't work well because some of the big email
filters recognize the email format and say "that is from an exploitable
PHP form, I'll reject the email".

Form variable names are no protection if one of them works as an email
address; your bot would just work through permutations till one of them
delivers an email to you. At which point you know you have an
exploitable form and could take the time to look at it manually.

 Simon

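As an added illustration of the validation Simon describes (this is not code from the list or from anyone's form script; the function names, the address pattern and the length limit are assumptions), here is a small check in Python that rejects form fields which could add mail headers, and fixes the recipient so nothing from the form decides where the mail goes:

```python
import re

# Conservative single-address syntax: local@domain, no whitespace or
# control characters. Assumed pattern, deliberately stricter than RFC 5322.
_ADDR_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


class HeaderInjection(ValueError):
    """Raised when a form field would alter the outgoing mail headers."""


def safe_header_value(name, value, max_len=254):
    """Return value if it is safe to place in a single mail header line."""
    # A CR or LF inside a field ends the header it sits in and starts a
    # new one, which is how unvalidated fields turn into extra recipients.
    if re.search(r"[\r\n]", value):
        raise HeaderInjection(f"{name}: line break in header field")
    if any(ord(c) < 32 or ord(c) == 127 for c in value):
        raise HeaderInjection(f"{name}: control character in header field")
    if len(value) > max_len:  # assumed limit, keeps folded headers out
        raise HeaderInjection(f"{name}: field too long")
    return value.strip()


def validate_sender(value):
    """Accept exactly one plain address for the Reply-To header."""
    addr = safe_header_value("email", value)
    if not _ADDR_RE.match(addr):
        raise HeaderInjection("email: not a single plain address")
    return addr


def build_message(form, site_owner):
    """Return (headers, body) for a contact form, or raise HeaderInjection.

    The To: header is fixed to the site owner and the From: header to a
    constant; only Reply-To and Subject come from the form, and both are
    checked first. form is a dict of already URL-decoded field values.
    """
    sender = validate_sender(form.get("email", ""))
    subject = safe_header_value("subject", form.get("subject", ""))
    body = form.get("message", "")
    headers = {
        "To": site_owner,
        "From": "webform@example.invalid",  # constructed constant sender
        "Reply-To": sender,
        "Subject": subject,
    }
    return headers, body
```

Anything raised here should be logged with the offending field, since a burst of rejected submissions is the early sign Simon mentions of a bot working through the form's variables.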

-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/linux_adm/list-faq.html