#1 - SitePoint Evangelist
    Tellafriend system hijacked by spammers?

    I read the following this morning:

    "

    In I-Design #290, Brant Burgiss recommended FormMail.

    Please use caution with Formmail (or any script that sends emails
    from your site.)

    The original version of Formmail can be used by spammers as an open
    relay; in effect they hijack your machine to send their emails.

    If you are going to use this, make sure you fix this hole.

    The recipient of the form should be hard-coded into the script, so this
    cannot occur.

    "

    Could this happen with tellafriend systems? I tried to figure it out but I thought you guys would be sure.

    - Grant
    But what care I for praise? - Bob Dylan

#2 - Crowe (SitePoint Wizard, Huntsville)
    In short, yes.

    Anything that takes email addresses and then sends email to them can be hijacked. All a person has to do is write a script that posts to your form and bam, spam.

    Make sure the scripts you use have a referer check, IP logging and hopefully a max attempts per X amount of time.

    Also, if you need FormMail, there is a fairly safe version; it's commonly called FormMail 1.9s. *Any* other version will be vulnerable.
    Chrispian H. Burks
    Nothing To Say

#3 - SitePoint Evangelist
    Ok, then I need to add a referer check to my script. I think I'll ask for some help with that in the Perl forum here. Thanks!
    But what care I for praise? - Bob Dylan

#4 - Crowe (SitePoint Wizard, Huntsville)
    Make sure you add more than just a Referer check. A referer check is a decent start but it's easy to get around. Having it as part of your protection scheme just makes it harder. It being the only part of your scheme isn't going to cut it.
    Chrispian H. Burks
    Nothing To Say

#5 - SitePoint Evangelist
    So you think the three things you mentioned are enough?
    But what care I for praise? - Bob Dylan

#6 - Crowe (SitePoint Wizard, Huntsville)
    Probably not. But it's a very good start. I'm not a security expert by any means.
    Chrispian H. Burks
    Nothing To Say

#7 - SitePoint Evangelist
    Crowe -
    How could just referrer tracking not be enough? That way they would have to post to the script from my site. I'm the only one that can do that.
    But what care I for praise? - Bob Dylan

#8 - redux (Salford / Manchester / UK)
    as far as i know - and i might be wrong here - the referer is sent by the browser in the request headers. a sneakily crafted script can spoof this information quite easily...hence it doesn't necessarily mean that a script that passes the referer check is actually hosted on the server.
    re·dux (adj.): brought back; returned. used postpositively
    [latin : re-, re- + dux, leader; see duke.]
    WaSP Accessibility Task Force Member
    splintered.co.uk | photographia.co.uk | redux.deviantart.com

#9 - Crowe (SitePoint Wizard, Huntsville)
    redux is exactly right. Referer check will only keep out honest folk. People who really want to abuse your script will try every trick in the book - though most just move on to easier targets. The real trick is to make it more trouble than it's worth.

    I'm studying this myself because I've written my own php TAF script and I want to add more advanced security to it as well. The things I plan to use are Referer Check, IP logging + limit number of times per 15 minutes. I'm also trying to find a way to use a "key" system so that the script knows it was loaded from an actual link from my site. I'm thinking of using an md5 encrypted token stored on the server - but I haven't thought that all the way through yet.

    TAF is more vulnerable than your standard sendmail scripts because you can specify the recipient in the form. Sendmail scripts have gotten smart enough so that they have to specify the recipient in a config file now. Doesn't really work in a TAF scenario.
    Chrispian H. Burks
    Nothing To Say
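As an added example that is not code from this thread or from any poster's script: a Referer check of the kind Crowe recommends (#2), and a forged request of the kind redux describes (#8) that passes it. It is written in Python rather than the thread's Perl/PHP, since the logic is identical; the site host, form URL and form field names are assumptions. It also shows the other side of the coin: an honest visitor whose browser or proxy strips the Referer header fails the check.

```python
# Added example (not from the thread): a Referer check, and a forged POST
# that passes it. SITE_HOST, the form URL and the field names are assumptions.
from urllib.parse import urlparse, urlencode
from urllib.request import Request

SITE_HOST = "www.example.com"  # assumed: the host that legitimately serves the TAF form


def referer_ok(referer, site_host=SITE_HOST):
    """Return True if the Referer header names our own host.

    referer is the raw header value, or None when the browser sent none.
    """
    if not referer:
        return False          # no header: privacy settings and some proxies strip it
    try:
        parsed = urlparse(referer)
    except ValueError:
        return False
    if parsed.scheme not in ("http", "https"):
        return False
    # compare the whole hostname, so www.example.com.evil.org does not pass
    return (parsed.hostname or "").lower() == site_host.lower()


def forge_post(form_url, fields, fake_referer):
    """Build a POST to the TAF form with a Referer of the sender's choosing.

    Nothing is sent; the Request object stands in for what a spam script
    would emit. Every HTTP client lets the caller set this header.
    """
    body = urlencode(fields).encode()
    return Request(form_url, data=body,
                   headers={"Referer": fake_referer,
                            "Content-Type": "application/x-www-form-urlencoded"})


def forged_request_passes(form_url="https://www.example.com/cgi-bin/taf.pl"):
    """A request built anywhere passes the check once the Referer is set to our site."""
    fields = {"to": "victim@example.net", "from": "spam@example.org",
              "message": "buy stuff"}  # constructed sample input
    req = forge_post(form_url, fields, "https://www.example.com/some-page.html")
    return referer_ok(req.get_header("Referer"))


if __name__ == "__main__":
    print("honest browser, same site :", referer_ok("http://www.example.com/page.html"))
    print("honest browser, no header :", referer_ok(None))
    print("other site                :", referer_ok("http://evil.example.org/"))
    print("forged request            :", forged_request_passes())
```

The check itself is reasonable to keep, as Crowe says, because it costs the attacker one extra line; it just cannot be the only control, since the header is entirely under the client's control.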

#10 - redux (Salford / Manchester / UK)
    crowe, regarding token and md5 hashing...you can do it easily enough if you make it a 2 step process (did something similar for my site's new user signup process) in very broad terms...

    a) your TAF form is filled in with various fields, including a date-time hidden field generated automatically. the user submits, and goes to a "preview your message" type page
    b) on this page, the hash is generated...just doing some string transformations using all the fields, plus the date-time. this is added as another hidden field in a final "yes, send this thing" type form. the user hits it, and goes to the final page
    c) this page first does the same hash generation, then compares it to the hash that was passed along. it might also be worth checking that the date-time is not older than, say, 30 seconds or so. if everything looks fine, send the email

    if you were using PHP, i'd also say it might be worth using sessions rather than passing the variables in the final stages as POST vars. this should add an extra layer of security (as spoofed, off-site scripts couldn't set your session variables).

    ...just thoughts...

#11 - Smarky (England)
    Originally posted by Crowe
    Anything that takes email addresses and then sends email to them can be hijacked. All a person has to do is write a script that posts to your form and bam, spam.
    Yes, but when they do this your Tell a friend script will be sending mails to people recommending your site, why will a spammer be interested in promoting your site for you? Surely it is theirs that they want to promote.

    The only thing they could do is change the personal message if you give that option to something, but then again the main message will be alerting them to your site.
    Garlic bread, I've tasted it, it's the future

#12 - SitePoint Evangelist
    You never know with crazy spammers.
    But what care I for praise? - Bob Dylan

#13 - redux (Salford / Manchester / UK)
    well, they could be using it to get YOU into trouble...sending out your message to 1000s of people...
    you never know what them kids get their kicks from these days

#14 - samsm (SitePoint Wizard, Atlanta, GA, USA)
    Arg! Kids today, with their crazy hairdos and promoting my website for me. Back when I was a boy we promoted our own web sites and that's the way we liked it.....

    Seriously, redux is right.

    I suppose you could build in some sort of trap that gets triggered when the same message is sent over and over again. That could add to your symphony of defences.

    I suppose the ultimate is that system where you type in a code based upon pictures of letters.
    Using your unpaid time to add free content to SitePoint Pty Ltd's portfolio?

#15 - Smarky (England)
    Originally posted by samsm
    Arg! Kids today, with their crazy hairdos and promoting my website for me. Back when I was a boy we promoted our own web sites and that's the way we liked it.....

    Personally I won't worry about it. I really think the chances of someone doing that are very small unless the person is extremely bored, and the easiest way to stop it would be to limit the number of sends from an IP: maybe only allow, say, 15 mails from one IP per hour, if you're really that worried about it.
    Garlic bread, I've tasted it, it's the future
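An added example, not code from the thread or from any poster's script, that combines the two throttles suggested above: Smarky's per-IP limit (#15, 15 mails from one IP per hour) and samsm's trap for the same message being sent over and over (#14). It is the "IP logging + limit per window" Crowe lists in #9, done as a sliding window. The limits and the in-memory store are assumptions; a real CGI script runs once per request, so it would keep these counters in a file or database. The usual caveat applies: a spammer with many IP addresses or open proxies walks around a per-IP limit, which is why the duplicate-message trap and the token check are worth having as well.

```python
# Added example (not from the thread): per-IP send limit plus a repeated-message
# trap. IP_LIMIT, IP_WINDOW, DUP_LIMIT, DUP_WINDOW and the in-memory store are
# assumptions; the replayed log in simulate() is constructed sample input.
import hashlib
from collections import defaultdict, deque

IP_LIMIT = 15           # assumed: sends allowed per IP per window
IP_WINDOW = 3600        # seconds (one hour)
DUP_LIMIT = 3           # assumed: copies of one message allowed per window
DUP_WINDOW = 3600


class SendGuard:
    """Decides whether a tell-a-friend send is allowed, and records it if so."""

    def __init__(self, ip_limit=IP_LIMIT, ip_window=IP_WINDOW,
                 dup_limit=DUP_LIMIT, dup_window=DUP_WINDOW):
        self.ip_limit, self.ip_window = ip_limit, ip_window
        self.dup_limit, self.dup_window = dup_limit, dup_window
        self._by_ip = defaultdict(deque)      # ip -> timestamps of recent sends
        self._by_msg = defaultdict(deque)     # message digest -> timestamps

    @staticmethod
    def _prune(times, now, window):
        """Drop timestamps that have fallen out of the sliding window."""
        while times and now - times[0] >= window:
            times.popleft()

    @staticmethod
    def message_key(message):
        """Digest of the message with case and whitespace normalised, so
        trivial edits still count as the same text."""
        normalised = " ".join(message.lower().split())
        return hashlib.sha256(normalised.encode()).hexdigest()

    def check(self, ip, message, now):
        """Return (allowed, reason). Records the send only when it is allowed."""
        ip_times = self._by_ip[ip]
        self._prune(ip_times, now, self.ip_window)
        if len(ip_times) >= self.ip_limit:
            return False, f"ip limit: {self.ip_limit} sends per {self.ip_window}s"

        key = self.message_key(message)
        msg_times = self._by_msg[key]
        self._prune(msg_times, now, self.dup_window)
        if len(msg_times) >= self.dup_limit:
            return False, "repeated message trap"

        ip_times.append(now)
        msg_times.append(now)
        return True, "ok"


def simulate():
    """Replay a constructed log of send attempts and return the decisions."""
    guard = SendGuard()
    attempts = [  # (seconds, ip, message): constructed sample input
        *[(i * 10, "198.51.100.7", f"check out this site, friend {i}") for i in range(16)],
        (200, "203.0.113.9", "CHECK OUT   this site, friend 1"),   # same text, other IP
        (210, "203.0.113.9", "check out this site, friend 1"),
        (220, "203.0.113.9", "check out this site, friend 1"),     # third copy: trapped
        (3800, "198.51.100.7", "an hour later, a real recommendation"),
    ]
    return [guard.check(ip, msg, t)[0] for t, ip, msg in attempts]


if __name__ == "__main__":
    for n, decision in enumerate(simulate()):
        print(n, "allowed" if decision else "blocked")
```

In the replayed log the first IP gets its 15 sends and is refused the 16th, the second IP is allowed two copies of an already-seen message and stopped on the third, and the first IP is allowed again once an hour has passed. Logging the refused attempts with their IP, as Crowe suggests, is what later lets you tell a bored script kiddie from a genuinely popular page.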
