[Mimedefang] OT: Don't let this happen to you

Jim McCullars jim at info.uah.edu
Tue Feb 14 14:26:04 EST 2006

Maybe this is only semi-OT since we do sometimes discuss spam issues not
strictly within the confines of MD/SA, but I wanted to share with the list
what happened to me yesterday.

I'm the administrator for, among other things, our campus web server.  I
thought I had taken all the right precautions:  Keep the machine patched,
run the latest Apache server release, don't let users install their own
CGI scripts, etc.  In spite of all that, I discovered to my horror
yesterday that the web server had been used to send thousands of spam
emails.  It may have even been in the tens of thousands.

How did they do it?  Via PHP.  Or rather, a user-installed PHP script that
was insecure.  The user didn't actually write it, it was created by
something called PHP FormMail Generator.  The resulting script is subject
to SMTP header injection, where by sending form variables (which are not
sanity-checked) with newlines, they can create a message within a message,
and deliver their spam courtesy of me.  I believe the spammers found this
script by Google searching for some comments that the script generator
puts in the resulting script.

Unfortunately, turning off PHP was not an option.  Neither is my
personally checking all PHP scripts.  The solution had to be at the server
side.  That's when I found an Apache module called mod_security.  It is
conceptually similar to MD in that you can apply filters against the HTTP
requests and return an error status if a filter is triggered.  When I came
in this morning, I found that it had blocked hundreds of attempts to
exploit this script (which had been disabled anyway) and only three false
positives (and I have tweaked the filter so that won't happen again).

I won't go into more details here, but if anyone wants to discuss this
further, feel free to contact me off-list.  But I will *strongly* urge
anyone who hosts web sites for users and runs PHP to look into this.  I
believe this exploit may be fairly new, in that I could find very little
on the web about it.  Don't let this happen to you.

Jim McCullars
University of Alabama in Huntsville

More information about the MIMEDefang mailing list