[vox-tech] Strange web form submissions; regexp to filter?

Bill Kendrick nbs at sonic.net
Thu Dec 18 01:38:41 PST 2008


On Thu, Dec 18, 2008 at 01:05:30AM -0800, Bill Kendrick wrote:
> 
> I've been noticing some weird submissions to the survey form I have on
> the Tux Paint website.  For most of the type-in fields, the values are
> gibberish.  Combinations of uppercase/lowercase alphabetic characters.
> (No spaces, no numbers, nothing else.)  Like so:
<snip>

Searching Google a bit, I thought at first that perhaps the valid-looking
email addresses were 'ping-backs'.  Some web forms are used to send full
emails out to people (spam them), but apparently first the nefarious
software tests the water.

It injects a Bcc header into the message that the form emailing software
sends.  (In other words, the form software does, for example,
"Reply-To: $email", but if the email field contains a carriage return
sequence, then the Bcc, and the form software doesn't clean that up,
they can utilize the form software to send whatever they want, to whomever
they want.)

They test the water by sending one message to the form with some ping-back
email address in the inserted Bcc line.  If that address gets a message,
they know they can abuse the form software, and set to it.


However, after searching for some of the valid-looking addresses I'm seeing
as part of the weird junk being sent to the survey form on the Tux Paint
website, I found some sites that seem to have been hit.  Web forums and
such.

It looks like my Tux Paint survey's backend script is only sending me
fields I know about, and that make sense for that form.  So I'm not even
seeing the junk that the spammers' bots think is being posted on some
online forum.  It just vanishes, and I'm left with the nonsense.
(Versus the "<a href="...">online dating!</a>", or whatever.)

So, I guess I need to get my backend script to send me EVERY posted field
from the request, even stuff which isn't actually part of the form on the
website.  From there, I'll be able to filter things.  (Or, I suppose,
just look for any attempts to send me more stuff than I expect.)

Yay.  I love arms races.

-bill!
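As an added illustration (not Bill's script and not part of the Tux Paint site), here is what the two checks described in the post look like in Python: dump every posted field, flag any field the form does not actually have, and treat a CR/LF in a value that is bound for a mail header (Reply-To, Subject) as a Bcc-injection probe. The field names, the letters-only "bot filler" heuristic and the sample submission are all constructed for the example.

```python
import re

# Fields the survey form really has (constructed set for this example).
EXPECTED_FIELDS = {"name", "email", "age", "country", "comments"}

# Fields whose values are copied into mail headers by the form mailer.
HEADER_FIELDS = {"name", "email"}

CRLF_RE = re.compile(r"[\r\n]")
# Heuristic from the post: runs of mixed-case letters, no spaces or digits.
LETTERS_ONLY_RE = re.compile(r"^[A-Za-z]{6,}$")


def header_injection_attempt(value):
    """True if a header-bound value carries CR or LF, i.e. it could end the
    Reply-To line and smuggle in an extra header such as Bcc:."""
    return bool(CRLF_RE.search(value))


def looks_like_bot_filler(value):
    """Letters-only, mixed-case gibberish of the kind the post describes."""
    return bool(LETTERS_ONLY_RE.match(value)) and value != value.lower() and value != value.upper()


def safe_header_value(value):
    """Belt-and-braces: fold CR/LF to spaces so the value can never
    terminate the header it is placed in."""
    return CRLF_RE.sub(" ", value).strip()


def analyse_submission(fields):
    """Report on one posted form (a mapping of field name -> value)."""
    unexpected = sorted(set(fields) - EXPECTED_FIELDS)
    header_injection = sorted(
        f for f in HEADER_FIELDS if f in fields and header_injection_attempt(fields[f])
    )
    gibberish = sorted(f for f, v in fields.items() if looks_like_bot_filler(v))
    return {
        "unexpected": unexpected,
        "header_injection": header_injection,
        "gibberish": gibberish,
        "suspicious": bool(unexpected or header_injection or gibberish),
    }


def dump_all_fields(fields):
    """Every posted field, with CR/LF made visible, for the notification
    mail the backend sends to the site owner."""
    return ["%s=%r" % (name, fields[name]) for name in sorted(fields)]


# Constructed sample submission resembling the junk described in the post.
SAMPLE = {
    "name": "Mbqpatsyu",
    "email": "pingback@example.com\r\nBcc: victim@example.org",
    "age": "30",
    "country": "Vqzkxt",
    "comments": "Lorem",
    "message_body": '<a href="http://example.com">online dating!</a>',
}

if __name__ == "__main__":
    report = analyse_submission(SAMPLE)
    for line in dump_all_fields(SAMPLE):
        print(line)
    print(report)
```

A submission that trips any of the three checks is best rejected outright rather than "cleaned"; `safe_header_value` is only there so that a value which does slip through can never add a header of its own.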

