Can any explain this spam attack from my website, I'm using php to deal with sending mail.
Return-path: <nobody@server2.host.ca>
Envelope-to: email_address@mydomain.com
Delivery-date: Thu, 28 Jul 2005 12:33:55 -0600
Received: from nobody by server2.host.ca with local (Exim 4.52)
id 1DyDCa-00079W-7H
for email_address@mydomain.com; Thu, 28 Jul 2005 12:33:52 -0600
To: email_address@mydomain.com
Subject: fftsxrf@mydomain.com
From: fftsxrf@mydomain.com
Reply-To: fftsxrf@mydomain.com
Message-Id: <E1DyDCa-00079W-7H@server2.host.ca>
Date: Thu, 28 Jul 2005 12:33:52 -0600
X-DIYWebHosting-MailScanner-Information: Please contact the ISP for more email_address
X-DIYWebHosting-MailScanner: Found to be clean
X-DIYWebHosting-MailScanner-SpamCheck: not spam, SpamAssassin (score=-5.892,
required 5, autolearn=not spam, ALL_TRUSTED -3.30, BAYES_00 -2.60,
NO_REAL_NAME 0.01)
X-DIYWebHosting-MailScanner-From: nobody@server2.host.ca
Status: O
X-Status:
X-Keywords:
X-UID: 3
Additional Requests: fftsxrf@mydomain.com
Name: fftsxrf@mydomain.com
Tel: fftsxrf@mydomain.com
From: fftsxrf@mydomain.com
Email address 2 (could be different): fftsxrf@mydomain.com
Content-Type: multipart/mixed; boundary=\"===============0892483367==\"
MIME-Version: 1.0
Subject: c6844b98
To: fftsxrf@mydomain.com
bcc: bergkoch8@aol.com
From: fftsxrf@mydomain.com
This is a multi-part message in MIME format.
--===============0892483367==
Content-Type: text/plain; charset=\"us-ascii\"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
ziqnjmxy
--===============0892483367==--

It simply says that someone has sent you an email; what exactly do you want explained?
Wizard ICT. Microsoft Certified Professional

Sorry I've not had access to a pc for the last few days.
My email form has the fields
to
from
subject
email address 2
headers info for fields from and to
Yet they have managed to include other fields like bcc and a new subject; the subject is taken from the form page, i.e. information.
Ian

Just because people are supposed to use your form does NOT mean that they have to! In other words, if they know the name and location of your script, whether it be a PHP, Perl, shell script, or whatever, and they know the variable names passed to it by your form, they can use whatever method they choose to post data to it! Unfortunately there's not a lot that can easily be done to guard against this. However, what can be done is some sanity checks within your script, which is far more effective anyway. Doing things like disallowing dangerous shell escapes and backticks, "sanitizing" all variables passed in, etc. are some of the more obvious things to incorporate within your script. These can easily be accomplished using simple regexps.
A couple of years ago I wrote a Perl script that essentially did what yours does: sent e-mail from a Web form on one of my websites to my admin e-mail account. I didn't write it with security in mind and unfortunately someone was able to exploit it by posting some custom form data to it that contained a command in backticks! Luckily I noticed it right away, took it offline, and fixed it. The extent of the damage was minimal as I had taken the time to enforce execution of all CGIs within a very controlled environment. Had I not, the damage could have been far worse!
When I began investigating the incident I had relatively little data to go on, but once I figured out what had happened, I was curious! The next revision of my mailer script contained some extra code to log, very verbosely, any and all "nonstandard" data passed to my script. After a few more malicious attempts against my script, it became crystal clear what data strings were being tried against it! You may or may not want to incorporate something similar on yours, but it does give a little insight as to what the bad guys are doing.
Anyhow, I hope at least some of this info was useful. If not, maybe you enjoyed my little story! Good luck with it either way!
k_Rob - kk7av
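An added example, not code from the thread, covering both Ian's pasted message and k_Rob's advice about sanity checks: a PHP contact-form handler in the shape described (fields posted straight to the script, concatenated into mail()), next to a hardened version, both fed a probe rebuilt from the lines in the pasted message. Two things the message itself shows: the injected Content-Type, Subject, bcc and From lines sit in the body, below the form's own "Name:" and "Tel:" labels, while the real header block at the top is untouched and the delivered Subject is still fftsxrf@mydomain.com, so on this script the "email address 2" field only reached the body and the bcc was not honored; and the random tokens (fftsxrf, c6844b98, ziqnjmxy) together with a bcc to an outside address are the signature of an automated probe checking which forms can be used to relay mail. The same value pasted into a header line (here a Reply-To built from the field) is what turns the probe into a working bcc. Field names, the fixed recipient and the site's own From address are assumptions. Current PHP releases replace control characters in mail()'s $to and $subject and refuse an $additional_headers string containing a blank line, but a single injected "Bcc:" line in $additional_headers still passes, so the script has to do the check itself.

```php
<?php
// Added example, not code from the thread. A PHP contact-form handler in the
// shape the thread describes, in a vulnerable and a hardened version, fed the
// probe that produced the pasted message. Field names, the fixed recipient and
// the site's own From address are assumptions.
declare(strict_types=1);

const SITE_RECIPIENT = 'email_address@mydomain.com'; // assumed fixed destination
const SITE_SENDER    = 'webform@mydomain.com';       // assumed server-side From

// Constructed probe: the "email address 2" value carries a header block, a blank
// line and a MIME body, taken from the lines that ended up in the pasted mail.
function probe_post(): array
{
    $m = 'fftsxrf@mydomain.com';
    $injected = "$m\r\n"
        . "Content-Type: multipart/mixed; boundary=\"===============0892483367==\"\r\n"
        . "MIME-Version: 1.0\r\n"
        . "Subject: c6844b98\r\n"
        . "To: $m\r\n"
        . "bcc: bergkoch8@aol.com\r\n"
        . "From: $m\r\n"
        . "\r\n"
        . "This is a multi-part message in MIME format.\r\n"
        . "--===============0892483367==\r\n"
        . "Content-Type: text/plain; charset=\"us-ascii\"\r\n"
        . "\r\n"
        . "ziqnjmxy\r\n"
        . "--===============0892483367==--\r\n";
    return ['name' => $m, 'from' => $m, 'email2' => $injected,
            'subject' => $m, 'message' => $m];
}

// Vulnerable shape: fields are pasted into mail()'s arguments unchanged. The
// arguments are returned rather than sent so they can be inspected.
function build_vulnerable(array $post): array
{
    $headers = "From: {$post['from']}\r\n"
             . "Reply-To: {$post['email2']}\r\n";   // injected header block lands here
    $body = "Name: {$post['name']}\n"
          . "Email address 2: {$post['email2']}\n"
          . "Message: {$post['message']}\n";
    return ['to' => SITE_RECIPIENT, 'subject' => $post['subject'],
            'body' => $body, 'headers' => $headers];
}

// A value destined for a header must be a single line with no control bytes.
function header_safe(string $value): bool
{
    return preg_match('/[\x00-\x1F\x7F]/', $value) === 0;
}

// Hardened shape: recipient and From are fixed server-side, the visitor's
// address goes into Reply-To only after validation, and any CR/LF or control
// byte in a field that could reach a header aborts the request. The message
// body is the only field allowed to span lines; nothing there can add a header.
function build_hardened(array $post): array
{
    foreach (['name', 'from', 'email2', 'subject'] as $field) {
        if (!header_safe($post[$field] ?? '')) {
            throw new InvalidArgumentException("control byte in field '$field'");
        }
    }
    foreach (['from', 'email2'] as $field) {
        if (filter_var($post[$field], FILTER_VALIDATE_EMAIL) === false) {
            throw new InvalidArgumentException("invalid address in field '$field'");
        }
    }
    $subject = 'Web form: ' . substr($post['subject'], 0, 60);
    $headers = 'From: ' . SITE_SENDER . "\r\n"
             . "Reply-To: {$post['from']}\r\n";
    $body = "Name: {$post['name']}\n"
          . "Email address 2: {$post['email2']}\n"
          . "Message: {$post['message']}\n";
    return ['to' => SITE_RECIPIENT, 'subject' => $subject,
            'body' => $body, 'headers' => $headers];
}

$post = probe_post();
echo "--- vulnerable: header argument handed to mail() ---\n";
echo build_vulnerable($post)['headers'];        // shows the bcc line among the headers
try {
    $args = build_hardened($post);
    // mail($args['to'], $args['subject'], $args['body'], $args['headers']);
} catch (InvalidArgumentException $e) {
    echo "--- hardened: rejected (" . $e->getMessage() . ") ---\n";
    // k_Rob's logging idea: record the whole rejected submission for later study.
    error_log('mail-form probe: ' . json_encode($post));
}
```

Run with `php example.php`: the vulnerable branch prints a header block that now contains "bcc: bergkoch8@aol.com", which is exactly what the probe wants to see delivered; the hardened branch stops at the first CR in the email2 field and logs the submission. The mail() call is left commented out so the script runs offline.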
