Archive for the ‘Website Design’ Category

Google Analytics

Thursday, November 17th, 2005

Google has just released a free website statistics (analytics) tool. The program seems to have similar features to the free StatCounter but can be integrated with your AdWords account so you can easily track keyword performance and cut the ones that are under-performing. However, you do not need to have an AdWords account to use Analytics.

Check it out at Google Analytics.

Posted in Website Design. ⋅ Tags: SEO, stats, tools

Typetester

Sunday, October 23rd, 2005

Want to test out the look of a bunch of fonts on the screen at the same time? Check out the free online resource: Typetester. It’s an application for comparing fonts for the screen and makes website design easier/faster.

Very useful when you need to check or choose a typeface (including the colors of the text and the background) for your next project. The fonts are pulled from your system, so there is no worry that you will pick fonts you don’t have available.

Highly recommended.

Posted in Website Design. ⋅ Tags: fonts, tools

PHP Mail Form Email Injection Hijack

Tuesday, September 13th, 2005

Spam is one thing, but hijacking form mail scripts and spoofing other people’s domains and email is downright wrong. We need tough(er) penalties against these guys.

Lately my customers and I had been receiving hundreds of emails sent from the forms on our sites. All form fields were filled out with email addresses from the domain from which it was sent. After checking the headers it was found that most had a BCC address of jrubin3546@aol.com.

After a little research, and a heads up by a fellow website designer in my area, it looks like this automated hijack is going to become a very big and widespread problem.

Hijack Overview

The “attacker” sends an automated bot to exploit unchecked fields in contact forms. It works by assuming that a field used in an email header (e.g. “From:” or “Subject:”) is passed unchecked to the mail subsystem. Appending newline characters followed by more header lines with a BCC list and a spam message body may trick the underlying mail system into relaying spam messages. Currently it seems to be just probing for vulnerable scripts by having them send emails via Bcc.

Current List of Bcc Recipients (in alphabetical order):


The Fix?

It seems that checking the fields used directly in email headers for carriage return (\r) and newline (\n) characters resolves the problem. Note that every POST variable (var1, var2, ...) that reaches the mail headers must be protected:

$fields = $_POST['var1'] . $_POST['var2'] . $_POST['var3'] . $_POST['etc']; // every submitted field that ends up in a mail header
if (preg_match('/[\r\n]/', $fields) === 1) { die("SPAM Injection Error :("); } // a raw CR or LF starts a new header line
if (stripos($fields, "Content-Transfer-Encoding") !== false) { die("SPAM Injection Error :("); } // case-insensitive, like the removed eregi()

For even more protection add:
if (stripos($fields, "MIME-Version") !== false) { die("SPAM Injection Error :("); }
if (stripos($fields, "Content-Type") !== false) { die("SPAM Injection Error :("); }
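As an added example (not the blog's code), here is the same check written for current PHP, where eregi() no longer exists. Unlike the snippet above it applies the line-break test only to fields that end up in headers, because a multi-line message body is legitimate, and it builds the From header solely from a validated address. The field names and recipient address are assumptions.

```php
<?php
// Added example, not the blog's code: validate contact-form input before it
// reaches mail(). Field names ('email', 'subject', 'message') and the
// recipient address are assumptions for the demonstration.

// Header names an injected payload would have to smuggle in (matched case-insensitively).
const INJECTED_HEADERS = ['Content-Transfer-Encoding', 'MIME-Version', 'Content-Type'];

/** True if a value destined for a mail header carries CR/LF or an injected header name. */
function is_header_injection(string $value): bool
{
    if (preg_match('/[\r\n]/', $value) === 1) {   // a line break starts a new header line
        return true;
    }
    foreach (INJECTED_HEADERS as $name) {
        if (stripos($value, $name) !== false) {
            return true;
        }
    }
    return false;
}

/**
 * Build the mail() arguments from a POST array, or return null if the submission
 * must be rejected. Only header-bound fields are checked for line breaks.
 */
function build_contact_mail(array $post): ?array
{
    $from    = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
    $subject = trim((string) ($post['subject'] ?? ''));
    if ($from === false || is_header_injection($from) || is_header_injection($subject)) {
        return null;
    }
    return [
        'to'      => 'webmaster@example.com',              // assumed recipient
        'subject' => $subject,
        'body'    => (string) ($post['message'] ?? ''),   // body may contain newlines
        'headers' => "From: $from\r\nReply-To: $from",   // built only from validated values
    ];
}

// Constructed sample submissions: one normal, one carrying a smuggled Bcc line.
$samples = [
    'clean'    => ['email' => 'jane@example.org', 'subject' => 'Quote request', 'message' => "Hi,\nplease call."],
    'injected' => ['email' => "jane@example.org\r\nBcc: target@example.net", 'subject' => 'x', 'message' => 'y'],
];
foreach ($samples as $label => $post) {
    echo $label, ': ', build_contact_mail($post) === null ? "rejected\n" : "accepted\n";
}
```

The returned array maps directly onto the arguments of PHP's mail(); a null result means the request should be dropped (and is worth logging) rather than sent.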

More Information

Crack Attempt to Relay Spam

Posted in PHP. ⋅ Tags: email, PHP, spam


About this Blog…

Hello, welcome to the “company” blog. Owned and operated by Matthew Ginop, MCGWD is a small website design company located in northern lower Michigan. I provide affordable sites using web standards and semantic markup.
