Email injection exploit through a PHP contact form

December 15th, 2005 Tony 10 comments

Earlier this week I became aware that one of my domains was blacklisted on SpamCop. Ouch. My first thought was that it was no big deal. I’ve often been blacklisted by Yahoo and others simply because I send out opt-in emails (very tame stuff like order confirmations). It’s a pain but you typically just have to prove that you aren’t a spammer and you’ve just tripped a sensitive filter.

Unfortunately after much digging through logs I realized this wasn’t the case. I was the victim of a rapidly spreading exploit known as email injection that took advantage of my super secure, locked down tight as a drum code. :)

Here’s how email injection works:
A would-be spammer (the email variety, not a search engine spammer) googles for an email contact form. If they find a ‘contact us’ page that is vulnerable they manipulate the form fields to add/change email headers. They accomplish this in much the same way a hacker would perform SQL injection or website search results injection. By entering URL-encoded hexadecimal characters in the form field they are able to add carriage returns and line feeds, and the mail function treats each line break as the start of a new header line. So the following string entered in a form field such as “Your Email”:

“sender@somesite.www%0ACc:victim@victimsdomain.xxx%0ABcc:victim2@victimsdomain.xxx,victim3@victimsdomain.xxx”

will result in a carbon copy of the email being sent to victim@victimsdomain.xxx and a blind carbon copy being sent to victim2@victimsdomain.xxx and victim3@victimsdomain.xxx.

As you can see it is easy to manipulate the headers, and as a result you can get really fancy and change the subject of the email, MIME type, sender, and the body of the message. The end result is an email open relay. I grabbed a couple of IPs that were used to POST the data and sure enough they were listed in my database of current open proxies. SecurePHP has a full rundown of the examples.

To secure your email contact form, check each form field against this function. If any one of them fails you can report an error or just silently bail on sending the email. I don’t believe that it’s necessary to run this check on the body field of the message as this doesn’t have any effect on the headers.

// Returns true if a header-bound form field contains anything that could smuggle
// extra header lines into the outgoing message. The original used eregi(), which
// was removed in PHP 7; stripos() gives the same case-insensitive substring test.
function containsInjectionAttempt($input) {
    // Raw line breaks are what actually terminate a header line.
    if (strpos($input, "\r") !== false || strpos($input, "\n") !== false) {
        return true;
    }
    // URL-encoded line breaks and header names, matched case-insensitively.
    $needles = array('%0a', '%0d', 'Content-Type:', 'bcc:', 'to:', 'cc:');
    foreach ($needles as $needle) {
        if (stripos($input, $needle) !== false) {
            return true;
        }
    }
    return false;
}
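As an added example (not the author’s code), here is a minimal contact-form handler showing the vulnerable pattern, where the submitted address goes straight into the From: header, beside a hardened version that validates the address and applies the same check to every header-bound field. The sample submission is constructed from the injection string quoted in the post; note that PHP has already URL-decoded the %0A sequences by the time the value reaches $_POST, so the bare line-feed test is the one that actually fires (the %0a/%0d tests only matter for double-encoded input), and owner@example.invalid is a placeholder mailbox.

```php
<?php
// Constructed sample of what $_POST holds after PHP decodes the injection string quoted above.
$_POST = array(
    'email'   => urldecode('sender@somesite.www%0ACc:victim@victimsdomain.xxx%0ABcc:victim2@victimsdomain.xxx'),
    'subject' => 'Hello',
    'body'    => 'Just saying hi.',
);

// Vulnerable pattern: the untrusted address is concatenated straight into the header
// block, so every decoded line feed starts a new header line that mail() passes on.
function buildHeadersVulnerable($email) {
    return "From: " . $email . "\r\nContent-Type: text/plain; charset=UTF-8\r\n";
}

// Same test as containsInjectionAttempt() above, expressed as a single regex.
function looksInjected($field) {
    return preg_match('/[\r\n]|%0[ad]|content-type:|bcc:|to:|cc:/i', $field) === 1;
}

// Hardened pattern: require one well-formed address and refuse any header-bound field
// that carries line breaks or header names. Returns null when the submission is rejected.
function buildHeadersSafe($email, $subject) {
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    foreach (array($email, $subject) as $field) {
        if (looksInjected($field)) {
            return null;
        }
    }
    return "From: " . $email . "\r\nContent-Type: text/plain; charset=UTF-8\r\n";
}

// With the sample above, the vulnerable block contains three header lines
// (From:, Cc:, Bcc:) even though only the From: line was ever written by the code.
echo buildHeadersVulnerable($_POST['email']);

$headers = buildHeadersSafe($_POST['email'], $_POST['subject']);
if ($headers === null) {
    echo "Rejected: the email field would inject extra headers\n";
} else {
    // owner@example.invalid is a placeholder for the site's real mailbox.
    mail('owner@example.invalid', $_POST['subject'], $_POST['body'], $headers);
}
```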

The problem even exists for the popular CMS Drupal. I can’t tell from this bug report if it’s been fixed yet but it appears to still be an open issue, so you may want to run a test on your own site if you are running Drupal.

Categories: Security Tags:

Infamous blackhat spammer N-I-K in the flesh!

December 6th, 2005 Tony 3 comments

About a dozen SEO’rs met up last night for an informal meetup at a London bar. We sent out the invites about a week ago and someone managed to get an email to the infamous black hat master NIK. Lo and behold he showed up! I don’t really know if anyone has actually seen him in the flesh. He got quite drunk but didn’t let any secrets slip. However with a little persuasion I did manage to snap a couple of photos with my cell phone. If you’re reading this NIK, please don’t bring down my sites for outing you. :)


Mike Nott and Andre Chaperon have actually backed me up on this so as they say in London I’m not just taking a piss.

Categories: Black Hat Tags:

Restart Windows Remotely through VPN

December 3rd, 2005 Tony 2 comments

I often remotely control Windows machines at my office via Remote Desktop and VPN when I’m traveling. Occasionally a Windows machine will stop responding to requests for Remote Desktop and the only solution I’ve found is to restart the machine, but that’s difficult to do when you are in London, it’s 3AM EST, and there isn’t anyone in the office to flick the reset switch for you.

The Solution
First install OpenSSH. This handy app creates a Windows NT service on your machine that allows you to SSH to the box and run DOS commands remotely. Once the installer completes you need to set up the local Windows users that you want to be able to SSH in as. (In my example I won’t specify a user, which defaults to all Windows users.)

Open up DOS and execute the following (change d:\apps\OpenSSH to your install folder):

cd d:\apps\OpenSSH\bin
rem -l exports local groups/users, -d exports domain groups/users
mkgroup -l >> ..\etc\group
mkgroup -d >> ..\etc\group
mkpasswd -l >> ..\etc\passwd
mkpasswd -d >> ..\etc\passwd

Now start the OpenSSH service for the first time:

net start opensshd

The OpenSSH service should be running now. To test it go to another machine and attempt to SSH in.

SSH control of Windows computer

Cool! We’re in.

Finally we want to reboot the machine. Executing the following in the SSH client will restart the machine and force any apps to close. You will lose any unsaved work on the machine.

shutdown -r -f -m \\computername

The shutdown alert is displayed on the remote machine and 30 seconds later it is restarted!

Shutting down!
I had to work fast to capture that screen shot! :)

Categories: Computers Tags:

Trouble setting up the guide in Window Media Center Edition?

December 1st, 2005 Tony 82 comments

If you are receiving the following message when trying to set up a new machine as a PVR with Windows Media Center Edition, the solution is simple albeit not obvious:

Guide listings could not be retrieved. Internet connection failure

Details: Unknown discovery service error. Code: 14

Would you like Media Center to try again?

The error message is so deceiving. The actual problem is that you haven’t set the clock on the machine. In my case it was set to January 1, 2004. I set the clock and continued downloading my local listings. I really thought Microsoft was getting wise and starting to produce meaningful error messages but apparently not.

Categories: PVR/HTPC/DVR Tags:

Threadwatch sold to Aaron Wall?

November 30th, 2005 Tony No comments

Is this a joke or did NickW really sell Threadwatch.org to SEO Book’s Aaron Wall? I feel like I’m taking some serious link bait here but then a quick check of the Threadwatch feed and I see that Nick has indeed posted a message about moving servers. Checking the domain registration I see that it’s still showing Nick Wilson as the contact.

So what was the price tag?

Update:
Ok, so thanks to the instant gratification of feeds I’ve just seen that Jim Boykin verified it.

Categories: Search Engine Optimization Tags: