This is a message I sent to the AOL postmaster on September 19, 2005:
I have recently figured out that an AOL member known as "homerragtime" has developed a method to exploit unvalidated form posts to send SPAM e-mail. For several months homerragtime was successful sending e-mail through my unvalidated forms, and I was perplexed at receiving so many rejected spams that appeared to have come from my own site.
About two months ago I finally began validating my forms, and began to find form postings like the following being captured by my validation process:
pictureID aorg@johnmarshphotography.com
comments aorg@johnmarshphotography.com
send aorg@johnmarshphotography.com Content-Type: multipart/mixed; boundary=\"===============1010877498==\" MIME-Version: 1.0 Subject: 90c4558b To: aorg@johnmarshphotography.com bcc: homerragtime@aol.com From: aorg@johnmarshphotography.com This is a multi-part message in MIME format. --===============1010877498== Content-Type: text/plain; charset=\"us-ascii\" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit wygqm --===============1010877498==--
The tip-off for me was seeing the BCC field. It appears homerragtime has a robot that crawls the web and posts these kinds of messages. If he gets one of the messages that he is BCCed on, he matches that with the number in his subject line, and then knows that the form can be exploited. I did a search for homerragtime, and see this same signature in many places.
Please research this further. I believe homerragtime is violating your company policy not to send spam, even though technically, he is sending the spam through other people's web sites.
A few more notes:
- I have found this problem has occurred on all three of the web sites I maintain. They are all fixed now.
- My sites are all in PHP, but it is quite possible that this exploit could be used in other languages.
- Bottom line: validate your forms. This person was very aggressive at sending out spam through my sites, judging by the large number of rejected e-mails I was getting returned to me.