Web Hosting Talk







View Full Version : Apparently I am a spammer and this is the reason?


vaaaska
06-24-2004, 05:44 PM
My webhost, who I won't name, claims that a very simple script is allowing somebody to spam the web. From my stats I can't even see where anybody has accessed this page recently so I don't buy it, plus this script is way too easy. Perhaps one of y'all might have an opinion if it's possibly related.

Oh yeah, they told me that the problems would stop after I deleted all my cgi and pl files - of course, they didn't.

Here's the important part of the script...see, really easy and the mail goes only to me right now (since I don't have time to work on this)...the rest of the page is just html to support this...

if ($_POST['thanks']) {
$headers .= "From: <$email>\r\n";
$headers .= "Reply-To: <$email>\r\n";
$headers .= "Return-Path: <info@a.com>\r\n";
$msg = "Subscribe: $email";
mail ("info@a.com","SUBSCRIBE",$msg,$headers);
header("location:subscribe.php?a=thanks");
}
if ($_POST['nothanks']) {
$headers .= "From: <$email>\r\n";
$headers .= "Reply-To: <$email>\r\n";
$headers .= "Return-Path: <info@a.com>\r\n";
$msg = "Unsubscribe: $email";
mail ("info@a.com","UNSUBSCRIBE",$msg,$headers);
header("location:subscribe.php?a=nothanks");
}

vaaaska
06-24-2004, 05:49 PM
Oh crap, I put this in the wrong forum. I'd repost but I don't think that would be appreciated...

???

bear
06-24-2004, 05:57 PM
Can't tell from this bit, but are you checking the input and sanitizing it? If the $email variable is from user input, and you aren't keeping them from being naughty...well, they might just be.

vaaaska
06-24-2004, 06:02 PM
So, you are saying that it IS possible with this script?

But the email only goes to me and I'm not receiving spam via this script at all...none so far. They claim it's sending spam out there, not just to me - can that be?

I'll start using some email validation though...ack.

bear
06-24-2004, 06:09 PM
Possibly, yes. There are clever people out there.
This is interesting:
"they told me that the problems would stop after I deleted all my cgi and pl files"
The script you posted seems to be PHP? What does that have to do with CGI/PL scripts (typically PERL)?

vaaaska
06-24-2004, 06:13 PM
Previously they told me that. Last week they said it was being caused by a perl script on my site. So, I deleted them all (because I wasn't using them). But the problem persists. Today, it's my mail script after they told me that they had installed Mailscanner and that it was solved. Ai caramba!!

bear
06-24-2004, 06:21 PM
I wouldn't argue with them about it, but I would request to see the logs that show it. Maybe there's something in there to help you learn how to prevent it (by seeing how it was done).

SoftWareRevue
06-24-2004, 06:30 PM
Originally posted by vaaaska
Oh crap, I put this in the wrong forum. I'd repost but I don't think that would be appreciated...

???

Thread moved. :)

vaaaska
06-24-2004, 06:35 PM
Well, maybe I should turn this question around. I keep receiving spam that claims to be from me. But I have never, not once, received an email from an angry person or an undeliverable message in regards to these - does this mean that these emails are probably not being sent all over the web but rather that the server for whatever reason is only addressing the individual email to me that way?

I mean, if I don't get undelivered messages filling up my email box I'm probably ok right?

Or, should I be shopping for a new host?

bear
06-24-2004, 08:08 PM
I couldn't possibly say with any certainty, but maybe this script is sending these to you, and the CC or BCC field they *might* be injecting is where the spam is being sent to on the web? You see one copy, while piles of others go out to everyone else with the same message.

A new host may or may not fix your issue. I'd be inclined to believe them at this point, until proven incompetent. It could be they are exactly right, and moving will do nothing to remedy your issue.

sasha
06-24-2004, 08:20 PM
This script could easily be used to send spam unless you are doing something more with variables before using them (I doubt that based on the fact that you had to ask). You allow anyone to specify the address the email is sent to and the address the email is sent from.

You can try playing with something like this

wget http://yoururlhere -d "thanks=1" -d "email=spamer@...." -d "headers="Cc: victom@eomeplace...\r\n"

vaaaska
06-25-2004, 05:58 AM
Thanks, it's an easy fix but I've never done any research before on just how spammers use php scripts like these to spread their cheese - I'm learning some of the techniques now for the first time.

But, I DON'T see any spam coming from this script. It's coming from another email account which is in no way attached to any kind of script that's on a website. Does it make more sense that their claim doesn't make any sense? Plus, I only put this script up recently, all the problems started before this.

Anyways, I got to the head of the company yesterday (who is really a great person to work with) and she's going to find out what support has been up to.

bear
06-25-2004, 06:39 AM
Well, I'd be curious to see the outcome, so please let us know.

ottenhoffs
06-25-2004, 11:37 AM
I don't think this script is the source of the problem. You do not allow POST or GET variables to modify the recipients of the message.

I would look for scripts like formmail.pl on your server though.

bear
06-25-2004, 11:57 AM
Originally posted by ottenhoffs
I don't think this script is the source of the problem. You do not allow POST or GET variables to modify the recipients of the message.

Then where does this get its value?:
if ($_POST['thanks'])
$headers .= "From: <$email>\r\n";
$headers .= "Reply-To: <$email>\r\n";

Presumably, the form that submits to this script has a field the user enters info into.

ottenhoffs
06-25-2004, 12:02 PM
Originally posted by bear
Then where does this get its value?:
if ($_POST['thanks'])
$headers .= "From: <$email>\r\n";
$headers .= "Reply-To: <$email>\r\n";

Presumably, the form that submits to this script has a field the user enters info into.

Right, but that is the from address... he is just trying to email it to himself.... but I suppose you could do something like this.


?email=from@example.com>\r\nCC: <spam@spam.com>\r\nBCC: <spam2@spam.com

vaaaska
06-25-2004, 12:35 PM
Yes, correct. I'm quite certain that if a spammer did try to use it, I would have received the spam. However, I never received any via this script. Never. And the email address is not even the email address that is receiving the spam created from my own server.

Formmail was deleted a long time ago. ;)

vaaaska
06-25-2004, 12:37 PM
Additionally, as an update. I just now received some of the spam in question that says it came from me. I took the subscribe file off the server about 12 hours ago just to prove my point. It wasn't the script.

sasha
06-25-2004, 01:44 PM
Originally posted by vaaaska
Additionally, as an update. I just now received some of the spam in question that says it came from me. I took the subscribe file off the server about 12 hours ago just to prove my point. It wasn't the script.

IMHO having one script like that is reason enough to suspend your account and to pass on to you any spam-related expenses that your host might incur.

vaaaska
06-25-2004, 01:52 PM
Wow, love the hostility there. Can take and leave it...

sasha
06-25-2004, 03:05 PM
Originally posted by vaaaska
Wow, love the hostility there. Can take and leave it...

Sorry if that sounds too harsh. It is just my personal opinion and you are not my client so there is nothing to worry about :)

Samuel
06-25-2004, 03:19 PM
Originally posted by vaaaska
Wow, love the hostility there. Can take and leave it...

It's how you "Took" it, but I doubt sasha was being hostile. Sasha more than likely was admonishing you that you are playing with fire putting a script on your account that can cause a great amount of damage to the IP space of your provider. Most providers have a clause that IF you do this, you pay, and you're gone.

Research it, you'll realize Sasha wasn't being hostile at all, was trying to make you understand how serious this is.

dan_erat
06-25-2004, 03:25 PM
sasha: register_globals could be turned off, or $headers could be getting initialized to '' earlier in the script...

vaaaska: Depending on the MTA running on the server, the script might be vulnerable to a "blah@example.com>\nCc: victim@example.com" sort of attack (as has already been said). Like you said, you'd still get a copy of the spam (unless a filter is blocking it). Your host sounds pretty clueless.

2Grumpy
06-25-2004, 04:29 PM
Seems like if someone were using the \nBCC: blah trick you'd still get a copy of each message sent, though (speculation) wonder what happens if someone did blah@blah.com\nTo: sucker@somewhere.com would it fool the MTA into redoing the To: line to the new setting? What would it do if To: was declared twice in the header PHP sends to the MTA?

Also, are you sanitizing your email inputs? In the script I use on one of my sites it compares "$email" to (roughly) [a-z,A-Z,0-9,-,_,.]*\@[a-z,A-Z,0-9,-,_,.]* and if it doesn't "fit" this pattern it just complains and has them re-enter the email address. So if \ or any other symbol shows up in $email it complains.
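
The hardening the replies above point toward (read the address from $_POST explicitly, start $headers from a literal, refuse CR/LF, validate the address), as an added example that is not part of the thread. Function names are hypothetical, info@a.com and the field names are taken from the posted script, and PHP 7.1 or later is assumed.

```php
<?php
// Added example, not the thread's code. Function names are hypothetical;
// info@a.com and the field names come from the posted script.

// Returns the address if it is safe to place inside a header line, else null.
function clean_header_email($raw): ?string
{
    if (!is_string($raw)) {
        return null;                    // email[]=x arrives as an array
    }
    // CR, LF or NUL would let the value start a new header line (Cc:, Bcc:, To:).
    if (preg_match('/[\r\n\0]/', $raw)) {
        return null;
    }
    // Built-in syntax check; returns the string on success, false otherwise.
    $ok = filter_var(trim($raw, " \t"), FILTER_VALIDATE_EMAIL);
    return $ok === false ? null : $ok;
}

// Returns the argument list for mail(), or null if the request is refused.
function subscription_mail(array $post): ?array
{
    $email = clean_header_email($post['email'] ?? null);
    if ($email === null) {
        return null;
    }
    if (!empty($post['thanks'])) {
        $subject = 'SUBSCRIBE';   $msg = "Subscribe: $email";
    } elseif (!empty($post['nothanks'])) {
        $subject = 'UNSUBSCRIBE'; $msg = "Unsubscribe: $email";
    } else {
        return null;
    }
    // $headers starts from a literal here, so nothing from the request
    // (e.g. a "headers" parameter under register_globals) can pre-seed it.
    $headers  = "From: <$email>\r\n";
    $headers .= "Reply-To: <$email>\r\n";
    $headers .= "Return-Path: <info@a.com>\r\n";
    return ['info@a.com', $subject, $msg, $headers];
}

// Constructed inputs: an ordinary address and the string quoted in the thread.
$samples = [
    'reader@example.com',
    "from@example.com>\r\nCC: <spam@spam.com>\r\nBCC: <spam2@spam.com",
];
foreach ($samples as $s) {
    $args = subscription_mail(['thanks' => '1', 'email' => $s]);
    echo json_encode($s), ' => ', $args === null ? 'rejected' : 'accepted', "\n";
    // Real handler: if ($args !== null) { mail(...$args); }
}
```

In the page handler, call subscription_mail($_POST) and pass the result to mail() only when it is not null.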

vaaaska
06-28-2004, 11:38 AM
No worries. I've rewritten this to be secure but I haven't uploaded it yet. I took the script in question from the site days ago and I'm still being spammed per my explanation earlier in the thread. Yes, the webhost is totally clueless and their outsourced support people still can't offer any explanation about what is going on.