[Mimedefang] OT: Email web form exploits

Chris Gauch cgauch at digicon.net
Wed Sep 7 09:36:54 EDT 2005


Our largest issue with these web form mail exploits is not really
spam-related (in terms of scripts causing our web servers to become spam
relays); our clients are receiving these fake forms (obviously generated by
a kiddie script) constantly throughout the day, and the script writer isn't
accomplishing the intended task (which is to spam some random AOL account).
The AOL account shows up in the form as the BCC, but shows up *only* as
text, as if it were part of the form.

Here's another example of a fake form that one of our clients received:

<snip>
City:  jeeukfllf at somedomain.com
Fax:  jeeukfllf at somedomain.com
Company:  jeeukfllf at somedomain.com
Zip:  jeeukfllf at somedomain.com
Title:  jeeukfllf at somedomain.com
Address1:  jeeukfllf at somedomain.com
Address2:  jeeukfllf at somedomain.com
Submit:  jeeukfllf at somedomain.com
LName:  jeeukfllf at somedomain.com
Phone:  jeeukfllf at somedomain.com
FName:  jeeukfllf at somedomain.com
Content-Type: multipart/mixed; boundary="===============1128226633=="
MIME-Version: 1.0
Subject: 1e9c11ce
To: jeeukfllf at somedomain.com
bcc: mhkoch321 at aol.com
From: jeeukfllf at somedomain.com
This is a multi-part message in MIME format.
--===============1128226633==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
zecyjmgc
--===============1128226633==--

How_Heard:  jeeukfllf at somedomain.com
Email:  jeeukfllf at somedomain.com

End of form information
</snip>

Now, what is emailed out is exactly as shown above, but since the recipients
of the form are actually hard-coded in the formmail script, this message
does NOT go out to mhkoch321 at aol.com (shown in the bcc field); rather, this
is just a stupid text field that the script writer thought would go out to
that AOL address somehow.

The main problem is the annoyance to our clients -- they complain to us when
they receive this stuff, and we just host their website, we have nothing to
do with the implementation or scripts that are running (yes, we do enforce
guidelines to an extent, but tell a client they can't run their mail script
to send out contact forms, and you start losing business).  This has been
very difficult for us to trace as we are fairly confident that these scripts
are interacting with the HTML forms themselves, and NOT the scripts.  So,
the question is how can we really stop someone from using an HTML form (and
the NUMBER verification technique is not an acceptable solution for our
clients)?

- Chris

------------------------------------------
Chris Gauch
Systems Administrator
Digicon Communications, Inc.
http://www.digiconcommunications.com
cgauch at digicon.net
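The probe quoted above is a header-injection attempt: the sender stuffs MIME headers, a `bcc:` line and a part boundary into free-text fields, hoping the formmail script pastes them straight into the outgoing message. Because the bot talks to the HTML form endpoint directly, the only place to catch it is the script that handles the POST. The following is an added example of such a server-side check, not code from this thread, from MIMEDefang or from any formmail script; the field names, the `Comments` field and the sample addresses are constructed placeholders modelled on the quoted form.

```python
import re
from collections import Counter

# Header names a probe embeds in a text field, hoping the mailer copies the
# field verbatim into the message headers (all seen in the quoted sample).
HEADER_LINE = re.compile(
    r"^(?:bcc|cc|to|from|subject|content-type|mime-version|"
    r"content-transfer-encoding)\s*:",
    re.IGNORECASE | re.MULTILINE,
)
# MIME part boundary marker of the form "--===============1128226633==".
BOUNDARY_LINE = re.compile(r"^--=+\d+=+(?:--)?\s*$", re.MULTILINE)
# Deliberately loose address shape; only used for the "same address everywhere" heuristic.
EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def field_problems(name, value):
    """Return the injection indicators found in one posted field (empty tuple = clean)."""
    found = []
    if "\r" in value or "\n" in value:
        found.append("line break in field %r" % name)
    if HEADER_LINE.search(value):
        found.append("mail header in field %r" % name)
    if BOUNDARY_LINE.search(value):
        found.append("MIME boundary in field %r" % name)
    return tuple(found)


def classify_submission(fields):
    """Classify a dict of posted form fields.

    Returns ("reject", reasons) when any field carries header or MIME material,
    ("suspicious", reasons) when one e-mail address fills every field, as in
    the quoted probe, and ("accept", []) otherwise.
    """
    reasons = []
    for name, value in fields.items():
        reasons.extend(field_problems(name, value))
    if reasons:
        return "reject", reasons
    values = [v.strip() for v in fields.values() if v.strip()]
    if len(values) >= 3:
        most_common, count = Counter(values).most_common(1)[0]
        if count == len(values) and EMAIL.match(most_common):
            return "suspicious", ["same address in all %d fields" % count]
    return "accept", []


def strip_field(value):
    """Sanitise a single-line value before it reaches the mailer: keep the first line only,
    so an injected header block can never become part of the message."""
    return value.replace("\r", "\n").split("\n", 1)[0].strip()


# Constructed sample modelled on the quoted probe; addresses are placeholders.
PROBE = {
    "FName": "jeeukfllf@somedomain.example",
    "LName": "jeeukfllf@somedomain.example",
    "Email": "jeeukfllf@somedomain.example",
    "Comments": (
        "jeeukfllf@somedomain.example\n"
        'Content-Type: multipart/mixed; boundary="===============1128226633=="\n'
        "MIME-Version: 1.0\n"
        "Subject: 1e9c11ce\n"
        "bcc: someone@aol.example\n"
        "--===============1128226633==\n"
        "zecyjmgc\n"
        "--===============1128226633==--\n"
    ),
}

# Constructed ordinary submission for comparison.
LEGIT = {
    "FName": "Jane",
    "LName": "Doe",
    "Email": "jane@customer.example",
    "Comments": "Please call me about hosting plans.",
}

if __name__ == "__main__":
    for label, form in (("probe", PROBE), ("legit", LEGIT)):
        print(label, classify_submission(form))
```

A rejected submission should be logged and dropped rather than mailed, and every single-line field (name, phone, subject) should pass through `strip_field` before being handed to the mail library, so that even a probe the classifier misses cannot add recipients or headers. The "same address in every field" verdict is only a heuristic and is reported separately so a site can decide whether to quarantine or merely flag those forms.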