09.14.05

Mail Form Injection Attacks

Posted in General at 3 pm

To: Our Clients
Re: Recent Mail Form Abuse

We are approaching this abuse as a multi-step process. As you might imagine, this bot has been hitting web-2-mail forms all over the web. We’re dealing with this through a set of solutions for your forms as well as for other forms that we have created for clients going back over many years.

1) Our first step was to eliminate the ultimate goal of the ‘bot, which was to send a customized message to a hijacked AOL account. Our estimation of the purpose of this bot is to find web-2-mail forms that can be used to reflect spam to other victims. The initial e-mails that we are seeing coming through the forms are probes being used to test for the vulnerabilities. The first steps we took eliminated the option of sending these mails out to addresses that we did not designate in the form itself.

By plugging this hole, the form will no longer be a viable reflector for spammers. This should take the form off the testing list at some point in the future. These first steps were critical to making the form less attractive to spammers in the first place.

However, as you’ve seen, this step did not keep the probes themselves from being passed on to ‘approved’ mail addresses.

2) Our second step was to detect the probes in a very specific manner and to cull them out from the legitimate messages that are coming through the forms. We want to be *very* careful here in order to remove *only* the mails that are illegitimate probes/reflection spams. We identified a number of potential ‘fingerprints’ that could be used and decided upon one that should only be used by nefarious ‘bots, and not by actual customers.

While we have this in place, the messages that trigger the detector will be re-routed to us for analysis. If we happen to find a legitimate mail caught with this fingerprint, we will forward it back to you and adjust the detector as appropriate.
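The two steps above, fixed recipients and a probe detector that re-routes suspect submissions for review, written out as an added Python example. This is illustrative code, not the form handler described in the post: the addresses, field names and the probe fingerprint (a line break followed by something shaped like a mail header, in a field a visitor could not have typed that into) are assumptions chosen for the example, and the post does not disclose which fingerprint its authors actually selected.

```python
import re
from email.message import EmailMessage

# Server-side configuration. All three addresses are constructed placeholders.
APPROVED_RECIPIENT = "orders@example.com"     # step 1: the only delivery address
ANALYSIS_MAILBOX = "form-review@example.com"  # step 2: where flagged probes are re-routed
SITE_SENDER = "webform@example.com"

# The only submitted fields the handler ever reads. Any other POST parameter
# (a "to", "cc" or "recipient" field, say) is never consulted, so nothing a
# visitor submits can change where the mail is delivered.
SINGLE_LINE_FIELDS = ("name", "email", "subject")
MULTI_LINE_FIELDS = ("message",)

# Illustrative fingerprint (an assumption for this example, not the post's):
# inside the free-text message body, a line break immediately followed by a
# mail header name and a colon. People writing a message do not produce this;
# a probe trying to append headers to the outgoing mail does.
INJECTED_HEADER = re.compile(
    r"(?:\r\n|\r|\n)\s*(?:to|cc|bcc|from|reply-to|subject|content-type|mime-version)\s*:",
    re.IGNORECASE,
)

# Minimal shape check for the visitor's address before it is used in a header.
SIMPLE_ADDRESS = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def is_injection_probe(fields: dict) -> bool:
    """Return True when a submission carries the header-injection fingerprint."""
    for name in SINGLE_LINE_FIELDS:
        value = fields.get(name, "")
        # A single-line text input cannot legitimately contain a line break;
        # one that does is trying to end a header line and start another.
        if "\r" in value or "\n" in value:
            return True
    for name in MULTI_LINE_FIELDS:
        if INJECTED_HEADER.search(fields.get(name, "")):
            return True
    return False


def header_safe(value: str) -> str:
    """Collapse line breaks so a field value can never span more than one header line."""
    return " ".join(value.splitlines()).strip()


def build_message(fields: dict) -> EmailMessage:
    """Assemble the outbound mail. The delivery address comes only from configuration."""
    msg = EmailMessage()
    probe = is_injection_probe(fields)
    msg["From"] = SITE_SENDER
    # Flagged submissions go to the analysis mailbox instead of the client.
    msg["To"] = ANALYSIS_MAILBOX if probe else APPROVED_RECIPIENT
    subject = header_safe(fields.get("subject", "")) or "(no subject)"
    msg["Subject"] = ("[PROBE] " if probe else "[web form] ") + subject
    if probe:
        # Hand the reviewer the raw fields, escaped, so the probe can be studied
        # and the fingerprint adjusted if a legitimate mail was caught.
        msg.set_content("Submission flagged by the probe detector:\n" + repr(fields))
        return msg
    visitor = header_safe(fields.get("email", ""))
    if SIMPLE_ADDRESS.match(visitor):
        msg["Reply-To"] = visitor
    body = "Name: {}\nE-mail: {}\n\n{}".format(
        header_safe(fields.get("name", "")), visitor, fields.get("message", "")
    )
    msg.set_content(body)
    return msg
```

In a real handler the returned message would be passed to `smtplib.SMTP.send_message`; the point of the example is that the decision about *where* it goes is made entirely from `APPROVED_RECIPIENT`, `ANALYSIS_MAILBOX` and the detector, never from submitted data.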
