Attempted Abuse of Comment Notification Mails
A while ago I received a bunch of comment notification mails. What happened? My blog is pretty quiet in respect to comments, only every now and then one comes in. Now I saw ten of them on the same Thursday morning. Did I finally become famous? I doubted it, and even at first glance I noticed the signs of someone mischievous working for the SPAM industry. It was an attempt to abuse the comment notification feature of COREBlog. Let's take a closer look at those notification mails...
The lowly SPAM troll tried to find a hole in a simply made mailto form. Assume our mailto form assembles a mail to the administrator, filling in some header values from the form input. The result could look like this:
    To: weblogadmin@myserver
    From: entered@fromtheform
    Subject: Entered from the form

    Text of mail as entered from the form...
Obviously there would be a few more headers and a bit more stuff around it. Now imagine we entered something like the following into the "from" field of our form:
    entered@fromtheform
    bcc: testmail@throwawayaccount
(Note the line break!) Then the mail would turn out something like this:
    To: weblogadmin@myserver
    From: entered@fromtheform
    bcc: testmail@throwawayaccount
    Subject: Entered from the form

    Text of mail as entered from the form...
Since the SPAM crook has managed to add an additional bcc: header, the mail gets sent to "testmail@throwawayaccount" too, which is exactly what the guy trying to send out SPAM wants (and who probably has self-esteem equivalent in size and quality to mouse droppings). As we will see from the live examples, the mail address used is probably some throwaway account for testing. Later, when actually mass-abusing any mailto forms found, there would be hundreds of addresses added.
This only works if the mailto script is very primitive, and after many years with mailto forms on the Web, one would assume no such primitive scripts remain. To avoid such exploits, a mailto script should at least:
- Not use any form-entered value in mail headers
- Check for proper input (e.g. valid mail addresses), especially if using user input in header fields somewhere can't be avoided
- Have a programmer who RTFM, which in this respect means looking up security on web applications and input checking.
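To make the three points concrete, here is an added example in Python (my own code, not from the post and not COREBlog's): the primitive mailto script from above, which pastes the form's "from" value straight into a header, beside a hardened version that keeps a fixed From header, validates the entered address strictly, and puts it in the body only. The addresses are the post's placeholder names; the injected input is constructed to match the line-break trick described above.

```python
import re
from email.message import EmailMessage

# Constructed placeholders, mirroring the addresses used in the post.
ADMIN_ADDRESS = "weblogadmin@myserver"
DEFAULT_FROM = "defaultfrom@myserver"

# Constructed sample of the form input described above: an address, a line
# break, and an extra bcc: header smuggled in behind it.
INJECTED_FROM = "entered@fromtheform\nbcc: testmail@throwawayaccount"


def build_mail_naive(from_value, subject, body):
    """The primitive mailto script: form values pasted straight into headers."""
    return (
        f"To: {ADMIN_ADDRESS}\n"
        f"From: {from_value}\n"
        f"Subject: {subject}\n"
        f"\n{body}\n"
    )


def header_names(raw_mail):
    """Header names found in the header section of a raw mail (before the first blank line)."""
    head = raw_mail.split("\n\n", 1)[0]
    return [line.split(":", 1)[0].strip().lower()
            for line in head.splitlines() if ":" in line]


# Deliberately strict: one address, no whitespace, no CR/LF anywhere.
ADDRESS_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*")


def is_plain_address(value):
    """True only for a single well-formed address with nothing attached to it."""
    return ADDRESS_RE.fullmatch(value) is not None


def form_input_ok(from_value, subject):
    """Reject anything that could carry an extra header line."""
    if not is_plain_address(from_value):
        return False
    if "\r" in subject or "\n" in subject:
        return False
    return True


def build_mail_safe(from_value, subject, body):
    """Hardened variant: fixed From header; the entered address only ever goes in the body."""
    if not form_input_ok(from_value, subject):
        raise ValueError("rejected form input")
    msg = EmailMessage()
    msg["To"] = ADMIN_ADDRESS
    msg["From"] = DEFAULT_FROM          # never a form-entered value
    msg["Subject"] = subject
    msg.set_content(f"Address entered in the form: {from_value}\n\n{body}")
    return msg.as_string()


if __name__ == "__main__":
    raw = build_mail_naive(INJECTED_FROM, "Entered from the form", "Text of mail")
    print("naive script produced headers:", header_names(raw))
    print("injected input accepted by hardened script:",
          form_input_ok(INJECTED_FROM, "Entered from the form"))
    print(build_mail_safe("entered@fromtheform", "Entered from the form", "Text of mail"))
```

Run it and the naive builder shows a bcc header that nobody on the server side wrote, while the hardened builder refuses the same input. The address check is intentionally narrower than what RFC 5322 allows; for a comment form that is the right trade, since the only thing the address is used for here is to show the admin who wrote in.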
COREBlog's comment notification works fine in this regard, as we will see shortly in the examples the little turd of a SPAMmer provided us with. I left out most of the headers, since they are not interesting to the job at hand. I obscured only my own mail addresses, not the ones that were obviously used by the SPAMmer. Wherever you see something like 123@betabugch, this was entered by the SPAMmer's abuse tool as a properly formed address; I removed the dot to spare my mail server the bots that could pick up that fake address.
There were 10 mails within 14 seconds. Not such a bad performance for my old server, and a sign that this is likely an automated tool, not just some kid playing around. In each example, the field the tool is trying to overflow is the one whose value runs on into extra lines. Let's see what we got:
    To: weblogadmin@myserver
    Subject: A comment added!
    From: defaultfrom@myserver
    Date: Wed, 02 Nov 2005 21:43:41 +0100

    Author : r4287@betabugch
    Title : r4287@betabugch
    URL : glance
    Content-Type: text/plain; charset="us-ascii"
    MIME-Version: 1.0
    Content-Transfer-Encoding: 7bit
    Subject: was only for
    bcc: battsl1005@aol.com

    04b101426afa6a8b952bc3b6f05b55f3
    .

    EntryID / Moderate : https://www.
    Body: r4287@betabugch
In our very first example the sucker is trying to find the most foolish of mailto scripts, those piping their input straight into sendmail. Not only does it set Content-Type and MIME headers, it also sets the subject (likely important for the lowly lifeforms known as SPAMmers). Then with a blank line it introduces the body of the mail, and it even finishes the input to the mail server with a dot on a line by itself.
    To: weblogadmin@myserver
    Subject: A comment added!
    From: defaultfrom@myserver

    Author : dhriven643@betabugch
    Title : dhriven643@betabugch
    URL : dhriven643@betabugch
    EntryID / Moderate : https://www.
    Body: dhriven643@betabugch
This one left me more curious. There is nothing obvious being done, and if the spammer hopes to abuse some scripts that send a copy to the author (the mail address entered into the form's "from" field), then he will not find out, as he is using a fake address. Maybe he tried to find out if the comment form per se can be abused. Another possibility would be that he got me here and I did not even notice. But I also did not see a successful abuse in my mail server logs. And successful abuse of the form would likely have led to a slew of SPAM being sent out, showing up as at least some more comment notification mails.
    To: weblogadmin@myserver
    Subject: A comment added!
    From: defaultfrom@myserver

    Author : where
    Content-Type: text/plain; charset="us-ascii"
    MIME-Version: 1.0
    Content-Transfer-Encoding: 7bit
    Subject: down
    bcc: battsl1005@aol.com

    f875e032d33080b905834e914991bfc1
    .

    Title : avenue8900@betabugch
    URL : avenue8900@betabugch
    EntryID / Moderate : https://www.
    Body: avenue8900@betabugch
Same as the first one: he cycles through the various fields, trying to find one that might end up in the mail headers. The "URL" field above was not a likely candidate, but the abuser who made this did not mind going a bit further, just in case. It's not his server resources he is wasting, after all.
    To: weblogadmin@myserver
    Subject: A comment added!
    From: defaultfrom@myserver

    Author : beautiful
    Content-Type: text/plain; charset="us-ascii"
    MIME-Version: 1.0
    Content-Transfer-Encoding: 7bit
    Subject: at a melancholy
    bcc: onemoreaddress@hotpop.com

    02ddfe636ffee50072a6dd9af55fda78
    .

    Title : city7843@betabugch
    URL : city7843@betabugch
    EntryID / Moderate : https://www.
    Body: city7843@betabugch
This one is not a new development (they are all the same, and I left out a repeat of number 2), but it is educational in respect of the address used: "onemoreaddress". And the last one (I left out some more, so as not to bore you):
    To: weblogadmin@myserver
    Subject: A comment added!
    From: defaultfrom@myserver
    Date: Wed, 02 Nov 2005 21:43:55 +0100

    Author : park6237@betabugch
    Title : park6237@betabugch
    URL : tates
    Content-Type: text/plain; charset="us-ascii"
    MIME-Version: 1.0
    Content-Transfer-Encoding: 7bit
    Subject: passage, they had only not yet discovered the right place
    bcc: onemoreaddress@hotpop.com

    7a94a23b892267b782670953138358cf
    .

    EntryID / Moderate : https://www.
    Body: park6237@betabugch
I skipped most of the others, all alike. The last one here is one more try to the same effect. Not sure what the repetition is for. The timestamps reveal that the mails came in within just 14 seconds from first to last.
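The field-by-field probing visible in these mails is easy to spot mechanically before anything is mailed out. As an added example (my own code, not COREBlog's, and not part of the original post), the following Python scans a comment submission and reports, per multi-line field, which header names it tries to inject, which recipients those headers name, and whether the payload ends with the sendmail-style lone dot. The three submissions are constructed to match the shape of the first, second and third mails quoted above; field names like "author" and "url" are assumptions.

```python
import re

# A header line as the abuser's tool writes them: "Name: value".
HEADER_LINE = re.compile(r"^(?P<name>[A-Za-z][A-Za-z0-9-]*)\s*:\s*(?P<value>.*)$")

# Constructed submissions modelled on the notification mails quoted above
# (same payload shape and the same throwaway addresses the post shows).
SUBMISSIONS = [
    {   # like the first mail: payload in the URL field
        "author": "r4287@betabugch",
        "title": "r4287@betabugch",
        "url": ("glance\n"
                'Content-Type: text/plain; charset="us-ascii"\n'
                "MIME-Version: 1.0\n"
                "Content-Transfer-Encoding: 7bit\n"
                "Subject: was only for\n"
                "bcc: battsl1005@aol.com\n"
                "\n"
                "04b101426afa6a8b952bc3b6f05b55f3\n"
                ".\n"),
        "body": "r4287@betabugch",
    },
    {   # like the second mail: nothing injected at all
        "author": "dhriven643@betabugch",
        "title": "dhriven643@betabugch",
        "url": "dhriven643@betabugch",
        "body": "dhriven643@betabugch",
    },
    {   # like the third mail: payload moved to the Author field
        "author": ("where\n"
                   'Content-Type: text/plain; charset="us-ascii"\n'
                   "Subject: down\n"
                   "bcc: battsl1005@aol.com\n"
                   "\n"
                   "f875e032d33080b905834e914991bfc1\n"
                   ".\n"),
        "title": "avenue8900@betabugch",
        "url": "avenue8900@betabugch",
        "body": "avenue8900@betabugch",
    },
]


def injected_headers(value):
    """Header-looking lines after the first line of a field value, up to the first blank line."""
    lines = value.replace("\r\n", "\n").split("\n")
    found = []
    for line in lines[1:]:
        if line == "":
            break                   # blank line: what follows would become the mail body
        match = HEADER_LINE.match(line)
        if match:
            found.append((match.group("name").lower(), match.group("value").strip()))
    return found


def scan_submission(fields):
    """Map each multi-line field to what it tries to inject; single-line fields are skipped."""
    findings = {}
    for field, value in fields.items():
        if "\r" not in value and "\n" not in value:
            continue                # a single line cannot add a header
        headers = injected_headers(value)
        findings[field] = {
            "headers": [name for name, _ in headers],
            "recipients": [addr for name, addr in headers if name in ("to", "cc", "bcc")],
            "lone_dot": value.replace("\r\n", "\n").rstrip("\n").endswith("\n."),
        }
    return findings


def scan_all(submissions):
    """Findings for a batch of submissions, in order; an empty dict means nothing suspicious."""
    return [scan_submission(s) for s in submissions]


if __name__ == "__main__":
    for number, report in enumerate(scan_all(SUBMISSIONS), 1):
        print(number, report or "clean")
```

Logging the findings rather than silently dropping the comment is what makes the cycling through fields visible: one clean submission between two loaded ones, ten seconds apart, from the same address, is the signature of a tool rather than a person. Note that a line break on its own is already flagged, because a bare newline in a single-line field has no legitimate use.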
The body that the spammer is attempting to send is likely some encoded value that refers back to which page/form allowed the abuse. I'll investigate a bit further when I have time. Ideas and hints appreciated! Here are all 8 of them (each on one line):
    04b101426afa6a8b952bc3b6f05b55f3
    f875e032d33080b905834e914991bfc1
    ba29c3efe2b428f058c0726478151788
    02ddfe636ffee50072a6dd9af55fda78
    73e79cb44fadcfae35aa899fd50cf0d6
    9adea6f556bcc320b3fcdc44cc1dfc58
    45ecbfbc812e282144e6ed291b8f1759
    7a94a23b892267b782670953138358cf