[triangle-zpug] zp hacked by spambot

Geoff Davis geoff at geoffdavis.net
Fri Mar 30 15:47:25 CEST 2007


Frank,

This sounds like an approach spammers have taken in the past.  Here's  
the gist of it:

The data sent to your SMTP server looks something like this

To: recipient at address.com
From: sender at otheraddress.com
Subject: subject here

message body

One thing spammers have done in the past is to insert carriage  
returns into the To: or From: fields.  They can then change the  
headers that your SMTP server gets.  For example, if I use as my  
"From" address, "31337 at spammer.com\nBcc: recipient1 at mail.com,  
recipient2 at mail.com...", then the mail server will get

To: recipient at address.com
From: 31337 at spammer.com
Bcc: recipient1 at mail.com, recipient2 at mail.com,...
Subject: subject here

message body

There's code in Plone that filters such things out, but perhaps  
zm_sendMail doesn't call it.  I think the filtering code is something  
like secure_sendmail in PloneTool.

Geoff

On Mar 30, 2007, at 9:38 AM, Stephan Altmueller wrote:

> Hi Frank,
>
> I don't fully understand how the bcc field could be inserted, it's not
> used in any of the code below (unless the "zm_sendMail" script/function
> reads it from the request object).
>
> If this is a basic "Script (Python)" script then the fundamental problem
> is that it uses unvalidated request parameters. You could replace it with
> a form controller script (.cpy) and add a validation (.vpy) script via
> the metadata that validates all parameters.
>
>        - Stephan
>
> Dimauro, Frank wrote:
>> One of our python scripts that was sitting in our custom skins folder
>> (developed by Cignex to serve as the basis script that handles our email
>> forms) was exploited by a spammer and caused a whole mess of spam to be
>> generated from our Exchange email server. The script was not in use but
>> "someone somehow" knew it was there and exploited it. Here it is below.
>> We have since turned off smtp port 25 on the server and our email forms
>> are dormant. Can anyone suggest a fix that will prevent future hijack?
>> The spammer added a bcc: field to the form and bcc'd the spam to
>> thousands. The giveaway was the MIME header on one of the relayed emails
>> that listed the email l_mail_to ='mohammad_ismail at akebonosoft.com'...
>> ismail was a cignex contract employee who was one of the original
>> developers of our site...
>>
>> Frank DiMauro
>>
>> "Our Age of Anxiety is, in great part, the result of trying to do
>> today's jobs with yesterday's tools."
>> -M.McLuhan
>>
>> #######################################################################
>> ## Script (Python) "zp_contactus"
>> ##bind container=container
>> ##bind context=context
>> ##bind namespace=
>> ##bind script=script
>> ##bind subpath=traverse_subpath
>> ##parameters=
>> ##title=
>> ##
>> # ------------------------------------------------------------------------------------------------
>> #  Name:  zp_contactus
>> #
>> #  Purpose : Sends contact information
>> #
>> #  Mandatory REQUEST parameters: None
>> #
>> #  Optional REQUEST parameters: None
>> #
>> #  Development History:
>> #   Date          Author     Description
>> #   -----------   -------    --------------
>> #   04/24/2004    CIGNEX     Created
>> # ------------------------------------------------------------------------------------------------
>>
>> request = container.REQUEST
>> RESPONSE =  request.RESPONSE
>>
>> # Determine - whom to send the mail
>> l_mail_to ='mohammad_ismail at akebonosoft.com'
>> l_email=request.get('email')
>>
>>
>> # Form the mail subject
>> l_mail_subject = "UNCH - Contact Us form"
>>
>> # Form the mail body
>> l_body = '\n'
>> l_body = l_body + 'Name = ' + request.get('name') + '\n'
>> l_body = l_body + 'Address = ' + request.get('address') + '\n'
>> l_body = l_body + 'Phone Number = ' + request.get('phone') + '\n'
>> l_body = l_body + 'Email = ' + request.get('email') + '\n'
>> l_body = l_body + 'Comments = ' + request.get('comments') + '\n'
>>
>> # Result page Object
>> l_resultPage = container['zpt_confirmation']
>>
>> # send form in email
>> context.zm_sendMail(context,
>>            mail_from=l_email,
>>            mail_to=l_mail_to,
>>            mail_subject=l_mail_subject,
>>            mail_body=l_body)
>>
>> # show result page
>> url = 'http' + context.absolute_url()[4:]
>>
>> target= '%s/%s?p_message=%s&p_heading=%s' % (url, 'l_resultPage',
>>         'We will go through your feedback and get back to you soon.',
>>         'Thanks for contacting us')
>>
>> return context.REQUEST.RESPONSE.redirect(target)
>>
>>
>>
>> _______________________________________________
>> triangle-zpug mailing list
>> triangle-zpug at starship.python.net
>> http://starship.python.net/mailman/listinfo/triangle-zpug
>>
>
>
> -- 
> --------------------------------------------------------
> Stephan Altmueller
> Applications Analyst
> OASIS - Office of Arts and Sciences Information Services
> University of North Carolina at Chapel Hill
> Phone: 919-962-4205
> Email: stephan_altmueller at unc.edu
>
>
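Added example (not code from this thread, from Plone, or from the Cignex script above): a stand-alone Python 3 illustration of the two points made in the thread, header injection through the From: field and the validation step Stephan suggests. `naive_message` reproduces the plain string concatenation Geoff describes, `header_names` shows which headers a mail server would parse out of it, and `validate_contact_form` / `safe_message` apply the check a validation (.vpy) script would do: every field present, the one field that reaches a header (the submitter's email) must be a single bare address with no CR or LF, and the free-text fields only ever land in the body. The addresses, field names and the `HeaderInjection` exception are constructed for the example; the Bcc payload has the shape given in the thread but uses example domains. Modern Python's `EmailMessage` also refuses multi-line header values on its own, but the check is kept explicit here because the script in the thread ran on a Zope 2 / Python 2 stack that offered no such guard.

```python
import re
from email.message import EmailMessage
from email.utils import parseaddr

# Any CR or LF inside a header value starts a new header line on the wire,
# which is how an extra Bcc: line gets smuggled in through the From: field.
LINE_BREAK_RE = re.compile(r"[\r\n]")
# Deliberately narrow shape for one bare address (assumption for this example;
# a real deployment would use its framework's address validator).
ADDRESS_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
# Fields the contact form must carry, mirroring the request.get() calls in the thread.
REQUIRED_FIELDS = ("name", "address", "phone", "email", "comments")


class HeaderInjection(ValueError):
    """A submitted value would add or alter message headers (constructed for this example)."""


def naive_message(mail_from, mail_to, subject, body):
    """String concatenation as in the thread's example: no checks, so a line
    break inside mail_from becomes an additional header line."""
    return f"To: {mail_to}\nFrom: {mail_from}\nSubject: {subject}\n\n{body}\n"


def header_names(raw_message):
    """Header names as a mail server would parse them (everything before the first blank line)."""
    head = raw_message.split("\n\n", 1)[0]
    return [line.split(":", 1)[0] for line in head.split("\n")]


def check_header_value(name, value):
    """Reject a value that is missing or that would break out of its header line."""
    if value is None:
        raise HeaderInjection(f"{name}: missing")
    if LINE_BREAK_RE.search(value):
        raise HeaderInjection(f"{name}: contains a line break")
    return value


def check_address(name, value):
    """Accept exactly one bare address: no display name, no list, no extra text."""
    check_header_value(name, value)
    _, addr = parseaddr(value)
    if addr != value.strip() or not ADDRESS_RE.match(addr):
        raise HeaderInjection(f"{name}: not a single plain address")
    return addr


def validate_contact_form(form):
    """What a validation (.vpy) script would do before the mail is built:
    every field present, and the field that reaches a header is a single address."""
    cleaned = {}
    for field in REQUIRED_FIELDS:
        value = form.get(field)
        if value is None or not value.strip():
            raise HeaderInjection(f"{field}: missing")
        cleaned[field] = value
    cleaned["email"] = check_address("email", cleaned["email"])
    return cleaned


def safe_message(form, mail_to, subject):
    """Build the contact mail with validated headers; form text only ever
    lands in the body, where line breaks are harmless."""
    fields = validate_contact_form(form)
    msg = EmailMessage()
    msg["To"] = check_address("To", mail_to)
    msg["From"] = fields["email"]
    msg["Subject"] = check_header_value("Subject", subject)
    msg.set_content("\n".join(f"{k.capitalize()} = {fields[k]}" for k in REQUIRED_FIELDS))
    return msg.as_string()


def is_rejected(form, mail_to, subject):
    """True if safe_message refuses the submission."""
    try:
        safe_message(form, mail_to, subject)
    except HeaderInjection:
        return True
    return False


# Constructed sample data (example domains; the Bcc payload has the shape described in the thread).
INJECTED_FROM = "31337@spammer.example\nBcc: recipient1@mail.example, recipient2@mail.example"
CLEAN_FORM = {"name": "Jane Doe", "address": "1 Main St", "phone": "555-0100",
              "email": "jane@example.org", "comments": "Hello\nsecond line"}
INJECTED_FORM = dict(CLEAN_FORM, email=INJECTED_FROM)


if __name__ == "__main__":
    # The naive build hands the server a Bcc: header it was never meant to get.
    print(header_names(naive_message(INJECTED_FROM, "contact@example.org", "Contact Us", "body")))
    # The validated build refuses the same submission outright.
    print("rejected:", is_rejected(INJECTED_FORM, "contact@example.org", "Contact Us"))
    print(safe_message(CLEAN_FORM, "contact@example.org", "Contact Us"))
```

Running the block prints `['To', 'From', 'Bcc', 'Subject']` for the naive build, `rejected: True` for the validated one, and then the clean message, whose body carries the multi-line comment without affecting any header. The validation deliberately fails closed on a missing field as well, since the original script's `request.get(...)` returning `None` would otherwise surface only as a concatenation error.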




