| Author | Thread |
|
|
09/06/2005 08:36:18 AM · #1 |
I maintain many web sites, and I'm finding that I'm getting a LOT of instances where forms on sites are being filled out with this crap:
axrtbjaiwi@ontv.com Content-Type: multipart/mixed; boundary="===============1206274178==" MIME-Version: 1.0 Subject: 4c3a625b To: axrtbjaiwi@ontv.com bcc: jrubin3456@aol.com From: axrtbjaiwi@ontv.com This is a multi-part message in MIME format. --===============1206274178== Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit befxcvo --===============1206274178==--
I'm assuming that this is some sort of computer-generated fishing expedition, where some jerks are trying to find computers that can be used to relay spam? That's my guess -- I'm just wondering if any of you geeks (using that term affectionately!) might know for sure if this is what's going on. I'd love to personally visit the whackos that create these things and test out a fully-charged cattle prod...
|
|
|
|
09/06/2005 09:18:10 AM · #2 |
well im no expert but some of that looks like a combination of the beginning of an html document with some CSS code
and as for the --==========1231241234 thing
heck i dont know
might just be some kid trying to scare people, text alone cant hurt anything, only if its put into a .dll .bat .xls files and the dreaded .exe, then it can screw windows up depending on its contents
people that write virus's are smart, not the best intentions ive tried to learn how to program but got frustrated and gave up
post us a link to the thread where you saw this, i would like to look at it
|
|
|
|
09/06/2005 09:22:07 AM · #3 |
I would be wondering the same thing--looking for an overflow situation?
I have seen something else weird: do you have a lot of guestbooks running? I have received "guestbook" entries on my personal sites from people I don't know, where it looks similarly like some robot went and filled out the form. It's not an email, but usually a positive phrase (which you can find that they posted all over the internet on guestbooks). Here's one I just got:
September 04, 2005 - 08:06 AM
Sanekus from USA
ivandf@mail.com - Visit my homepage
I love your site !!!
I believe it's SPAM--they want you to look at the website link they leave, which in this case is:
//honda-br1.sanay.ru/
which redirects you to:
//honda.buyonlineorder.com/search.php?qq=honda
I am not sure, though, why anyone would think this is a good way to advertise. Have you seen these as well?
|
|
|
|
09/06/2005 09:26:09 AM · #4 |
Yeah, i wouldn't be too oevrly concerned if it's only text!
|
|
|
|
09/06/2005 09:43:13 AM · #5 |
Are you using a PHP based board? Look's like the "Email Injection" exploit that injects emails into forms (PHP/MIME).
Email Injection
Discussion of Spammers using forms
Andy
|
|
|
|
09/06/2005 09:58:02 AM · #6 |
Originally posted by nshapiro:
I would be wondering the same thing--looking for an overflow situation?
I have seen something else weird: do you have a lot of guestbooks running? I have received "guestbook" entries on my personal sites from people I don't know, where it looks similarly like some robot went and filled out the form. It's not an email, but usually a positive phrase (which you can find that they posted all over the internet on guestbooks). Here's one I just got:
September 04, 2005 - 08:06 AM
Sanekus from USA
ivandf@mail.com - Visit my homepage
I love your site !!!
I believe it's SPAM--they want you to look at the website link they leave, which in this case is:
//honda-br1.sanay.ru/
which redirects you to:
//honda.buyonlineorder.com/search.php?qq=honda
I am not sure, though, why anyone would think this is a good way to advertise. Have you seen these as well? |
I've gotten responses in my comments section of my photo blog. They leave nice remarks to the site, but leave a link to a business site.
|
|
|
|
09/06/2005 11:44:12 AM · #7 |
Originally posted by Fetor:
post us a link to the thread where you saw this, i would like to look at it |
Well, thankfully I'm a little smarter than these jerks... the places these things have been showing up are places that I strictly moderate, or places that the public wouldn't be able to see. The one I copied and pasted above is for a form where people can receive news updates from a radio station.
They've also appeared on forms I do for the amber-brkich.com web site. Basically, they just annoy me... I'm just wondering what the intent of these things is. This stuff appears to be mail headers. |
|
|
|
09/06/2005 11:46:51 AM · #8 |
Yes! I have been stung by this crap, too! I've gotten hundreds of them through the amber-brkich.com site. Thankfully, I screen every message that comes through the guestbook, and I manually approve appropriate ones, so these things never see the light of day. I eventually changed the coding a bit since it was obvious that these things weren't coming from a human -- they were appearing constantly at all hours, obviously by an automated process.
I simply switched the location of the guestbook, and haven't seen any new ones for a while. They were just like you described -- they compliment the site, then pitch a product. UGH.
Originally posted by nshapiro:
I have seen something else weird: do you have a lot of guestbooks running? I have received "guestbook" entries on my personal sites from people I don't know, where it looks similarly like some robot went and filled out the form. It's not an email, but usually a positive phrase (which you can find that they posted all over the internet on guestbooks). |
|
|
|
|
09/06/2005 11:49:24 AM · #9 |
what your looking at is an email header that is malformed... harmless
|
|
|
|
09/06/2005 12:11:37 PM · #10 |
here is a wikipedia entry on comment link spam.
LINK SPAM
Its a problem, and there are a lot of ways to fight it. There is even a "flag day" now where groups of people hunt for and flag spam sites.
|
|
|
|
09/06/2005 01:09:40 PM · #11 |
Originally posted by gusto:
what your looking at is an email header that is malformed... harmless |
I would not write if off as just a harmless malformed email header. Might be worth checking the PHP mailer code. Might just be an attempt to see if they can breach the emailer, and if so will try to use the site as SMTP spam relay. Don't matter what form they use, Guestbook, Contact etc are all game for the bad guys.
Google or dogpile this part of Alan's post below
MIME-Version: 1.0 Content-Transfer-Encoding:
And you will get an idea how many sites are being attacked by these guys, or that's a ship load of malformed email headers.
There is a SendMail vulnerability with some PHP code that is much like the Sql(MySql as well) Injection exploit of the past.
What you don't see is that they are trying to use "forms" to inject an an email message, anonymous sender and us the BCC/CC to forward mail out through a system.
The first one usually BCC's the bot/person that is trying to breach the site.
ED: another link on Form Post Hijacking
Message edited by author 2005-09-06 13:12:44. |
|
Home -
Challenges -
Community -
League -
Photos -
Cameras -
Lenses -
Learn -
Help -
Terms of Use -
Privacy -
Top ^
DPChallenge, and website content and design, Copyright © 2001-2026 Challenging Technologies, LLC.
All digital photo copyrights belong to the photographers and may not be used without permission.
Current Server Time: 05/10/2026 11:31:37 PM EDT.
