E-Scribe News : a programmer’s blog

About Me

I'm Paul Bissex, and e-scribe.com is my consulting business. I build web applications using open source software, especially Django. I teach photographers web design and professional skills. In the '90s I did graphic design for newspapers and magazines. Then I wrote technology commentary and reviews for Wired, Salon.com, Chicago Tribune, and lots of little places you've never heard of. Feel free to email me.

Book

I'm co-author of "Python Web Development with Django", an excellent guide to my favorite web framework. Its strong points include an introduction to Python, and better coverage of Django 1.0 than nearly anybody else. Published by Addison-Wesley, it is available from Amazon and your favorite technical bookstore as well.

Colophon

Built using Django, served by Apache and mod_wsgi. The database is SQLite. The operating system is FreeBSD, on a VPS hosted at Johncompanies.com. Comment-spam protection by Akismet. Vintage topo imagery from the Maptech archive. The markup engine is Markdown.

Stuff I Use

Akismet, del.icio.us, Django, dpaste.com, Emacs, FreeBSD, Freenode, jQuery, LaunchBar, MacPorts, Markdown, Mercurial, OS X, Postfix, Python, SQLite, Subversion, TextMate, Trac, Ubuntu Linux, wmii

Spam Report

At least 67589 pieces of comment spam killed since January 2008, mostly via Akismet.

Form hijacking

Does your website contain mail forms that aren't sanitizing input as aggressively as they should? There seems to have been a recent surge in automated (or semi-automated, it's hard to tell) probes and exploits of form mail scripts, all revolving around injecting extra headers into the mail the script sends.

Here's how it works: Let's say you have a form that allows the user to enter their email address. The black hat's exploit script submits a value for that field that includes a newline, followed by whatever email headers they want to insert: a Bcc line, for example, or even full-blown MIME-encoded message parts.

This is especially a problem in PHP because what's commonly thought of as the "From" parameter to the mail() function is actually an "additional headers" parameter. It accepts a single string containing an arbitrary number of headers separated by newlines -- which the spammers are happy to provide.

The defense is very basic input scrubbing (or bulletproof validation of From addresses) that you'd think would already be in place everywhere, but I was surprised to find several forms on my various sites that were vulnerable to this -- in some cases forms that had been online for several years with zero abuse.

Rather than cast about for the perfect email address validator, I changed the form processing scripts to strip newlines from user input. That's enough to prevent hijacking, but not enough to prevent incredible annoyance, since some forms were being probed dozens of times a day, filling up my spambox with garbled mail. So I added a second check that simply rejects any submission if the string "MIME-Version" is in any of the submitted fields. Crude but effective.
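Here is the two-step defense from this post written out as an added example (my code, not anything from the original sites or from PHP itself): every submitted field has its CR/LF characters stripped so a value can only ever occupy one header line, and the whole submission is rejected if any field mentions "MIME-Version" (checked case-insensitively here, which is slightly stricter than a plain substring match). The helper `additional_headers` mimics the way a PHP-style `mail()` call concatenates the "From" value into its additional-headers string, and `looks_like_single_address` is one simple form of the "bulletproof From validation" alternative mentioned above. The sample submissions are constructed for the example.

```python
import re

# Line terminators that would start a new header line when the value is
# pasted into a mail header block.
NEWLINE_RE = re.compile(r"[\r\n]+")

# Deliberately simple "one address, no whitespace or separators" check;
# an assumption for this example, not a full RFC 5322 validator.
SINGLE_ADDRESS_RE = re.compile(r"[^\s@<>,;:]+@[^\s@<>,;:]+\.[^\s@<>,;:]+")


def strip_newlines(value: str) -> str:
    """Step 1: remove every CR/LF so the value cannot spill into a second header."""
    return NEWLINE_RE.sub("", value)


def mentions_mime_version(fields: dict) -> bool:
    """Step 2: true if any submitted field contains the string MIME-Version."""
    return any("mime-version" in value.lower() for value in fields.values())


def looks_like_single_address(value: str) -> bool:
    """Alternative defense: accept only a value that is exactly one bare address."""
    return SINGLE_ADDRESS_RE.fullmatch(value) is not None


def process_submission(fields: dict) -> dict:
    """Apply both checks; returns whether the form was accepted and the cleaned fields."""
    if mentions_mime_version(fields):
        return {"accepted": False, "reason": "MIME-Version in input", "fields": {}}
    cleaned = {name: strip_newlines(value) for name, value in fields.items()}
    return {"accepted": True, "reason": "", "fields": cleaned}


def additional_headers(from_addr: str) -> str:
    """Build the additional-headers string a PHP-style mail() call receives.

    This is the weak spot: anything after a newline inside from_addr is
    treated by the mailer as a separate header line.
    """
    return "From: " + from_addr


def header_lines(headers: str) -> list:
    """Split a header block into its individual header lines."""
    return [line for line in re.split(r"\r?\n", headers) if line]


# Constructed sample submissions (hypothetical, not taken from real traffic).
HONEST = {"email": "reader@example.com", "message": "Nice post."}
NEWLINE_PROBE = {"email": "reader@example.com\nBcc: someone@example.net", "message": "hi"}
MIME_PROBE = {"email": "x@example.com", "message": "MIME-Version: 1.0\r\nContent-Type: text/html"}


if __name__ == "__main__":
    for name, submission in [("honest", HONEST), ("newline", NEWLINE_PROBE), ("mime", MIME_PROBE)]:
        result = process_submission(submission)
        print(name, "accepted" if result["accepted"] else "rejected: " + result["reason"])
        if result["accepted"]:
            # Count how many header lines the mailer would actually see.
            print("  header lines:", len(header_lines(additional_headers(result["fields"]["email"]))))
```

Running it shows the point of the first check: the unsanitized probe value turns into two header lines ("From:" and an injected "Bcc:"), while the stripped value yields exactly one; the MIME probe never reaches the mailer at all.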

Damon Kohler's "Secure PHP" site has a more detailed explanation of this type of exploit.

Tuesday, November 15th, 2005

Comment from web design blog, 2 years later

They like to inject forms and enter tons of characters in attempts to break the page. You can add filters, and even things like mod_security for enhanced protection. However, I am still looking for a way to be able to monitor this kind of thing on the server level.
