Friday, January 19, 2007

Spamevenmore

So it turns out that my problems with an "overzealous spam filter" in Gmail were actually due to my hosting company being considered a spam source by Google, so all email forwarded from my domains was automatically suspect. As soon as I switched hosting companies, the problem went away. Not that I haven't had any spam problems since. Oh no. Although this time it was really my fault.

About two weeks ago I started noticing that mail forwarded from my domains was taking a long time to come through. Days, sometimes. So I complained to the new hosting company. They wrote back, suggesting I look at the outgoing mail queue on my virtual server.

The web interface showed, all neatly lined up and waiting patiently for my poor overloaded server to churn through them, no fewer than 1,278 outgoing mails, each of them bcc'd to hundreds of recipients, all of them pure, unadulterated, spam.

Where did they come from? Nope, not an open relay. Turns out a contact form I had whipped up in PHP was vulnerable to header injection. This happens when a spammer types into a web form field extra lines which PHP's mail() function passes through as additional headers of the message that is emailed when the form button is pressed. This extra info is the spam, plus the Bcc'd addresses. The result is that a form I intended to email only me, with contact info from the site, emailed thousands of people with information about worthless penny stocks. How did the spammer find my form? He used a robot which goes around trying to enter test messages into every form it finds; the test message tries to send to his email address, and contains info on the location of the form. If he receives an email, he knows the form is vulnerable, and also its location.

After taking the form down, and deleting the queue, I set about fixing the form. The trick relies on the newline characters: carriage return and line feed, the bytes 0x0D and 0x0A, which PHP source writes as "\r" and "\n" and which a browser or robot submits URL-encoded as %0D%0A. Email relies on newlines to separate the headers from each other and from the body, so if a form field that ends up in a header (the sender's name or address, or a subject line) contains a newline followed by "Bcc:" and one or more email addresses, the mail system reads that as a Bcc header and sends the message to those addresses too. Since no-one typing their name, address or subject into a contact form would ever need a newline there, you simply add a check to the PHP code that uses a regular expression to look for a carriage return or line feed in every field that goes into a header, and rejects the submission if it finds one. The message body itself legitimately contains newlines, but it is passed to mail() separately from the headers, so it needs no such check. Do the check yourself rather than assuming mail() will strip the characters for you.
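As an added illustration (my own code, not the form from this post), here is the header-building step of such a contact form in its vulnerable and hardened versions, run against a constructed probe of the kind described above. The function names, the example addresses and the $dry_run switch are assumptions made for the example; the technique itself is just the CR/LF check on every header-bound field and keeping the body in mail()'s separate message argument.

```php
<?php
// Added example (not the post's original form): a contact-form header
// builder in vulnerable and hardened forms. Function names, addresses and
// the probe input below are all constructed for illustration.

// Vulnerable: whatever the visitor typed is copied straight into the
// header block that mail() sends. A CR/LF inside $email starts a new header.
function build_headers_vulnerable(string $email): string
{
    return "From: $email\r\n"
         . "Reply-To: $email\r\n";
}

// A value is safe to place in a header only if it contains no carriage
// return (0x0D) or line feed (0x0A). The regex matches the raw control
// characters, which is what a robot submits (URL-encoded as %0D%0A), not
// the two-character sequences "\r" or "\n" as typed in PHP source.
function is_header_safe(string $value): bool
{
    return preg_match('/[\r\n]/', $value) === 0;
}

// Hardened: refuse the submission if any header-bound field contains a
// newline, and additionally require the address to parse as one address.
function build_headers_hardened(string $name, string $email): ?string
{
    if (!is_header_safe($name) || !is_header_safe($email)) {
        return null;
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    return "From: $email\r\n"
         . "Reply-To: $email\r\n";
}

// What the form handler does with the result. $dry_run keeps the example
// runnable on a machine with no mail transport; set it to false to call
// mail() for real. $name goes into the Subject header, so it is checked too.
function handle_contact(array $post, string $site_owner, bool $dry_run = true): string
{
    $name    = $post['name']    ?? '';
    $email   = $post['email']   ?? '';
    $message = $post['message'] ?? '';   // body may contain newlines; it is
                                         // passed to mail() separately from
                                         // the headers, so it is not checked
    $headers = build_headers_hardened($name, $email);
    if ($headers === null) {
        return "rejected: newline or malformed address in a header field\n";
    }
    $subject = "Contact form from $name";
    if (!$dry_run) {
        mail($site_owner, $subject, $message, $headers);
    }
    return "would send to $site_owner, subject \"$subject\", headers:\n$headers";
}

// Constructed probe of the kind the spammer's robot submits: a plausible
// address with a Bcc header smuggled in after a newline.
$probe = [
    'name'    => 'Bob',
    'email'   => "bob@example.com\r\nBcc: victim1@example.net, victim2@example.net",
    'message' => 'test',
];

echo "--- vulnerable header block ---\n";
echo build_headers_vulnerable($probe['email']);
// The printed block contains "Bcc: victim1@example.net, victim2@example.net"
// as a header line of its own; had it been handed to mail(), a copy would
// have gone to every address listed.

echo "--- hardened handler ---\n";
echo handle_contact($probe, 'me@example.com');
// Prints the "rejected" line: the probe never reaches mail().
```

Run it with `php contact.php` (any filename) to see both outputs. The check is deliberately a rejection rather than a silent strip: a form that quietly removes the newline and sends anyway still tells the robot's operator that the form exists and mails out, which is exactly the signal he is probing for.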

So far, touch wood, things seem OK. And I'm only checking the mail queue every half hour or so. I should be down to once a day in about a year...
