l i n u x - u s e r s - g r o u p - o f - d a v i s
L U G O D
 
Next Meeting:
January 6: Social gathering
Next Installfest:
TBD
Latest News:
Nov. 18: Club officer elections
Page last updated:
2008 Dec 18 14:12

The following is an archive of a post made to our 'vox-tech mailing list' by one of its subscribers.

Report this post as spam:

(Enter your email address)
Re: [vox-tech] Strange web form submissions; regexp to filter?
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [vox-tech] Strange web form submissions; regexp to filter?



On Thu, Dec 18, 2008 at 01:05:30AM -0800, Bill Kendrick wrote:
> 
> I've been notcing some weird submissions to the survey form I have on
> the Tux Paint website.  For most of the type-in fields, the values are
> gibberish.  Combinations of uppercase/lowercase alphabetic characters.
> (No spaces, no numbers, nothing else.)  Like so:
<snip>

Searching Google a bit, I thought at first that perhaps the valid-looking
email addresses were 'ping-backs'.  Some web forms are used to send full
emails out to people (spam them), but apparently first the nefarious
software tests the water.

It injects a Bcc header into the message that the form emailing software
sends.  (In other words, the form software does, for example,
"Reply-To: $email", but if the email field contains a carriage return
sequence, then the Bcc, and the form software doesn't clean that up,
they can utilize the form software to send whatever they want, to whomever
they want.)

They test the water by sending one message to the form with some ping-back
email address in the inserted Bcc line.  If that address gets a message,
they know they can abuse the form software, and set to it.


However, after searching for some of the valid-looking addresses I'm seeing
as part of the weird junk being sent to the survey form on the Tux Paint
website, I found some sites that seem to have been hit.  Web forums and
such.

It looks like my Tux Paint survey's backend script is only sending me
fields I know about, and that make sense for that form.  So I'm not even
seeing the junk that the spammers' bots think is being posted on some
online forum.  It just vanishes, and I'm left with the nonsense.
(Verus the "<a href="...">online dating!</a>", or whatever.)

So, I guess I need to get my backend script to send me EVERY posted field
from the request, even stuff which isn't actually part of the form on the
website.  From there, I'll be able to filter things.  (Or, I suppose,
just look for any attempts to send me more stuff than I expect.)

Yay.  I love arms races.

-bill!
_______________________________________________
vox-tech mailing list
vox-tech@lists.lugod.org
http://lists.lugod.org/mailman/listinfo/vox-tech



LinkedIn
LUGOD Group on LinkedIn
Sign up for LUGOD event announcements
Your email address:
facebook
LUGOD Group on Facebook
'Like' LUGOD on Facebook:

Hosting provided by:
Sunset Systems
Sunset Systems offers preconfigured Linux systems, remote system administration and custom software development.

LUGOD: Linux Users' Group of Davis
PO Box 2082, Davis, CA 95617
Contact Us

LUGOD is a 501(c)7 non-profit organization
based in Davis, California
and serving the Sacramento area.
"Linux" is a trademark of Linus Torvalds.

Sponsored in part by:
O'Reilly and Associates
For numerous book donations.