PixelPost and spam relaying

I’m seeing an interesting new attack on my website where the attacker is hoping to exploit unchecked fields in a “web to email” form. The attack works by assuming that a field used in an email header (such as the “From:” address or the “Subject:”) is passed unchecked to the mail subsystem. Appending a newline character followed by a few more carefully crafted header lines, a BCC list and a spam message body might trick the underlying mail system into relaying spam for the attacker. An initial test that sends a BCC copy to killerhamster@punkass.com has been run against most forms on my site to probe for vulnerable scripts. I had an old perl script which didn’t check for newlines in the “email” field; that is what alerted me to the problem and allowed me to fix it quickly. If you run a site, you should check every field that is used directly in an email header and strip carriage return and newline characters from it.
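As an added example (not code from the original post or from PixelPost), here is how a Python web-to-email handler can reject the header injection described above and flag the attempt for logging. The form field names (`email`, `subject`, `message`) and all addresses are constructed for the example.

```python
import re
from email.message import EmailMessage
from email.policy import SMTP

# A CR, LF or NUL inside a header value is the only way to start a new header
# line, so its presence in a form field destined for a header is never legitimate.
_HEADER_BREAK = re.compile(r"[\r\n\x00]")
# Headers an attacker smuggles in after the line break to turn the form into a relay.
_SMUGGLED_HEADER = re.compile(r"(?im)^(bcc|cc|to|content-type)\s*:")


def header_injection_attempt(value: str) -> bool:
    """True if a form value breaks the header line and then names a mail header."""
    normalized = value.replace("\r", "\n")
    return bool(_HEADER_BREAK.search(value) and _SMUGGLED_HEADER.search(normalized))


def clean_header_value(field: str, value: str) -> str:
    """Reject any header-bound field containing a line break.

    Silently stripping CR/LF also closes the hole, but rejecting makes the
    probe visible in the application log instead of hiding it.
    """
    if _HEADER_BREAK.search(value):
        raise ValueError(f"line break in header field {field!r}")
    return value.strip()


def build_contact_message(form: dict, site_owner: str) -> bytes:
    """Build the notification mail for a web-to-email form.

    Only the body is accepted verbatim; From and Subject are checked first,
    and the recipient is fixed to the site owner rather than taken from the form.
    """
    msg = EmailMessage(policy=SMTP)
    msg["From"] = clean_header_value("email", form["email"])
    msg["To"] = site_owner
    msg["Subject"] = clean_header_value("subject", form["subject"])
    msg.set_content(form["message"])  # body text may contain newlines freely
    return msg.as_bytes()


if __name__ == "__main__":
    # Constructed probe of the kind the post describes: a BCC list appended
    # to the "email" field after a line break.
    probe = "visitor@example.com\r\nBcc: relay-test@example.invalid"
    print("injection attempt:", header_injection_attempt(probe))  # True
    try:
        build_contact_message({"email": probe, "subject": "hi", "message": "x"},
                              "owner@example.com")
    except ValueError as exc:
        print("rejected:", exc)
```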

Interesting Crack Attempt to Relay Spam

This morning my hosting provider pulled down my websites all of a sudden. When asked, the reason given was that someone was using my PixelPost installation at http://www.navakrish.com/photoblog to relay spam messages and that they had received numerous complaints from AOL within the last 24 hours.

Most of these messages were BCC’d to ‘battsl1005@aol.com’. A quick search on Google and I found the reference in this article – “Interesting Crack Attempt to Relay Spam”.

I thought it could help others, so I am sharing this here. I do not have much time to dig further into this problem, so I am temporarily disabling the comment feature in my photoblog.
