John D. Hardin wrote:
> http://www.impsec.org/~jhardin/stupid_spammer_tricks_01.txt
> Clumsy (and stupid) people can manage to put the entire body of their message
> into the Subject: header (how they don't notice the mistake before hitting
> [SEND] I don't know), but *this* genius spammer managed to paste not only the
> spam body, but the C-T-E and C-T headers, the blind CC: list, and *two*
> different subjects into the Subject: header.

This looks like a failed header injection attack.
Some background: Lots of web form handlers, including the most basic
Perl and PHP tools, will build the headers and body of a message as one
long string, then pass it to Sendmail. If a form allows user-supplied
data for any header content -- most often a subject, a sender's name or
email address -- and the form does not properly sanitize the input, an
attacker can add a newline to the data and build up their own headers
and message body.
An attacker might fill in the name field with this:
"Fakename
bcc: target addresses
Subject: Buy our stuff!
Big long sales pitch
goes on forever."
That gets plugged in, and the spammer hijacks the form to do his
bidding. OK, so there's some "garbage" from the original form way at
the end, but what does he care?
The website can foil this in one of two ways:
1. Reject submissions that include newline characters in any field that
will go in the headers.
2. Remove newline characters from any field that will go in the headers.
Solution #2 results in the entire long header being inserted into the
subject -- just like the sample you posted.
Incidentally, "Eine eCard von" is German for "An eCard from". If I were
to guess, someone tried to hijack an eCard form, they used solution #2,
and you got the "lucky" address that was actually put in the original
"To" field.
--
Kelson Vibber
SpeedGate Communications <www.speed.net>
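
Added example, not part of the original post: a Python sketch of the form-handler pattern described above, with both fixes applied to the same input. The function names, the addresses and the sample name-field value are constructed for illustration; the "Eine eCard von" subject prefix is taken from the post.

```python
import re
from email.parser import Parser

NEWLINES = re.compile(r"[\r\n]+")

# Constructed sample input, modeled on the name-field example in the post.
INJECTED_NAME = ("Fakename\nbcc: victim1@example.com, victim2@example.com\n"
                 "Subject: Buy our stuff!\n\nBig long sales pitch\ngoes on forever.")

def build_naive(name, to_addr="recipient@example.com"):
    """Vulnerable pattern: headers and body built as one long string."""
    return (f"To: {to_addr}\n"
            f"Subject: Eine eCard von {name}\n"
            "\n"
            "Original form body.\n")

def reject_newlines(value):
    """Solution 1: refuse any header field that contains CR or LF."""
    if NEWLINES.search(value):
        raise ValueError("newline in header field")
    return value

def strip_newlines(value):
    """Solution 2: collapse each CR/LF run to a single space."""
    return NEWLINES.sub(" ", value)

def parse(raw):
    """Parse the raw text the way a mail system would see it."""
    return Parser().parsestr(raw)

if __name__ == "__main__":
    hijacked = parse(build_naive(INJECTED_NAME))
    print("unsanitized Bcc     :", hijacked["Bcc"])
    print("unsanitized Subjects:", hijacked.get_all("Subject"))

    stripped = parse(build_naive(strip_newlines(INJECTED_NAME)))
    print("stripped Bcc        :", stripped["Bcc"])
    print("stripped Subject    :", stripped["Subject"])

    try:
        reject_newlines(INJECTED_NAME)
    except ValueError as exc:
        print("rejected            :", exc)
```

With the stripped input, the whole pitch ends up in a single Subject: header, which is the shape of the sample message being discussed.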