Re: SPAMMERS DELIGHT: as feeble as feeble can be

From: Jay D. Dyson (jdysonat_private)
Date: Mon Dec 10 2001 - 20:44:10 PST


    -----BEGIN PGP SIGNED MESSAGE-----
    
    On Mon, 10 Dec 2001, http-equivat_private wrote:
    
    > Forget about open relays. There is an extremely simple mailto form
    > application called mailto.exe available on the internet. Simply create
    > your html form, upload the mailto.exe into your cgi bin and fire away. 
    
    	This is really just a somewhat new face on an old problem.  A
    similar search for formmail.[pl|cgi] and similar web->mail gateway scripts
    will yield equal -- if not greater -- spam injection vectors.  There's
    loads of those beasties out there, and they can be trivially tricked into
    serving as a spam-spewing machine, usually with no equivalent of the
    common X-Originating-IP header included. 
    
    	Bottom line: just because your server doesn't support the likes of
    mailto.exe on it doesn't mean your boxen aren't vulnerable to this sort of
    net.abuse.  If one's httpd.conf has "AddHandler cgi-script" enabled, and
    allows ExecCGI on personal directories, one's web site can be readily
    exploited for such purposes.  Heck, even the absence of the sendmail
    binary doesn't qualify as a stumbling block since Perl's Net::SMTP can be
    used in its place. 
    
    	All told, if one is going to run a web->mail gateway, it's a good
    idea to have pre-defined destination addresses defined within the CGI and
    well outside the HTML form.  Relying on "hidden" fields and an expectation
    that everyone will play nice in the sandbox is just a recipe for spammer
    mischief these days.
    
    - -Jay
    
       (    (                                                        _______
       ))   ))   .-"There's always time for a good cup of coffee"-.   >====<--.
     C|~~|C|~~| (>----- Jay D. Dyson -- jdysonat_private -----<) |    = |-'
      `--' `--'  `---------- Si vis pacem, para bellum. ----------'  `------'
    
    -----BEGIN PGP SIGNATURE-----
    Version: 2.6.2
    Comment: See http://www.treachery.net/~jdyson/ for current keys.
    
    iQCVAwUBPBWBDrlDRyqRQ2a9AQH31QQAgjb2KKKT2XZ85i5Sgg9W4dbna0TKZG9V
    kqrXzYfg8me8aV6tx9sUq2s0nKUD94+uuDO/vOuwnMUpl5ggiTKc76AF63waCXmf
    OTf8HXzAKTJUfGln5RjcxdkFKjo57Bpgz3RRWdKVAbOTphAV8VaydqIrtRWgdyz6
    DfRM0Wslv2I=
    =Rn6S
    -----END PGP SIGNATURE-----
    
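An added example, not code from Jay's post or from any formmail script, contrasting the "hidden recipient field" pattern with the fixed-destination design he recommends. It is written in Python rather than the Perl those CGIs used; the destination table, the site sender address, the form fields and the three sample POSTs are all constructed for illustration, and nothing is actually sent, the functions only build the SMTP envelope and message a gateway would hand to sendmail or Net::SMTP.

```python
"""Form-to-mail gateway: the weak hidden-recipient pattern beside a hardened one.

Added example; addresses, field names and sample POSTs are constructed.
"""
import re
from typing import Dict, List, Tuple

# Constructed for this example: a server-side table of allowed destinations.
# The HTML form carries only the short key ("sales"), never an address.
ALLOWED_DESTINATIONS: Dict[str, str] = {
    "sales": "sales@example.com",
    "support": "support@example.com",
}

SITE_SENDER = "webform@example.com"     # fixed, site-owned From: address (assumed)
HEADER_CRLF = re.compile(r"[\r\n]")     # any CR/LF in a header value is an injection
SIMPLE_ADDR = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def weak_gateway(form: Dict[str, str]) -> Tuple[List[str], str]:
    """The formmail.pl-style pattern: the recipient is whatever the 'hidden'
    recipient field says, and every field is pasted straight into the header
    block.  Returns (envelope recipients, raw message)."""
    rcpt = form.get("recipient", "")
    headers = [
        f"To: {rcpt}",
        f"From: {form.get('email', 'nobody')}",
        f"Subject: {form.get('subject', '')}",
    ]
    return [rcpt], "\r\n".join(headers) + "\r\n\r\n" + form.get("message", "")


def hardened_gateway(form: Dict[str, str], remote_addr: str) -> Tuple[List[str], str]:
    """Destination comes from ALLOWED_DESTINATIONS, never from the form;
    user-supplied header values must be single-line; the submitter's address
    goes into Reply-To, not From; the client IP is recorded in a header."""
    dest = form.get("dest", "")
    if dest not in ALLOWED_DESTINATIONS:
        raise ValueError(f"unknown destination {dest!r}")
    subject = form.get("subject", "(no subject)")
    reply_to = form.get("email", "")
    for name, value in (("subject", subject), ("email", reply_to)):
        if HEADER_CRLF.search(value):
            raise ValueError(f"header injection attempt in {name!r}")
    if reply_to and not SIMPLE_ADDR.match(reply_to):
        raise ValueError("malformed reply address")
    rcpt = ALLOWED_DESTINATIONS[dest]
    headers = [
        f"To: {rcpt}",
        f"From: {SITE_SENDER}",
        f"Subject: [webform/{dest}] {subject}",
        f"X-Originating-IP: {remote_addr}",   # a real CGI would read REMOTE_ADDR
    ]
    if reply_to:
        headers.append(f"Reply-To: {reply_to}")
    return [rcpt], "\r\n".join(headers) + "\r\n\r\n" + form.get("message", "")


def handle_post(form: Dict[str, str], remote_addr: str) -> Tuple[str, str]:
    """Run the hardened gateway and return ('accepted:<rcpt>', message) or
    ('rejected', reason) instead of raising, so the caller can log it."""
    try:
        rcpts, raw = hardened_gateway(form, remote_addr)
    except ValueError as exc:
        return "rejected", str(exc)
    return "accepted:" + ",".join(rcpts), raw


# Constructed sample POSTs (not real traffic).
GOOD_POST = {"dest": "sales", "email": "alice@example.org",
             "subject": "Pricing question", "message": "How much is it?"}
# A spammer's POST: overrides the hidden recipient and smuggles a Bcc: line
# into the header block through the subject field.
SPAM_POST = {"recipient": "victim@example.net", "dest": "sales",
             "email": "spammer@example.org",
             "subject": "cheap stuff\r\nBcc: victim2@example.net, victim3@example.net",
             "message": "buy now"}
# The same spammer against the hardened form: tries to use the dest key as an address.
REDIRECT_POST = {"dest": "victim@example.net", "email": "spammer@example.org",
                 "subject": "hello", "message": "buy now"}

if __name__ == "__main__":
    rcpts, raw = weak_gateway(SPAM_POST)
    print("weak gateway would relay to", rcpts, "with headers:")
    print(raw.split("\r\n\r\n")[0])
    for post in (GOOD_POST, SPAM_POST, REDIRECT_POST):
        print("hardened gateway:", handle_post(post, "192.0.2.10")[0])
```

The returned recipient list is what would go into the SMTP envelope (the RCPT TO commands, whether via sendmail -t or Net::SMTP's to()), which is why the weak version relays anywhere the spammer names even before the injected Bcc: header is considered. Note that the hardened version rejects rather than "cleans" a bad field; silently stripping newlines invites another round of guessing what the filter misses.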



    This archive was generated by hypermail 2b30 : Tue Dec 11 2001 - 10:09:21 PST