It's unclear to me how someone could "hijack" your sendmail using that script BUT I'm not saying its not possible (I just dont know). For what it's worth, I have actually gotten spam mail to my gmail account from my gmail account (same accounts in both instances).

think of thist though, and it requres nothing be faked: I have someone I dont like, and I know an e-mail addy for them. whats to keep me from using a similar item to repeatedly send them your page and accompany it with some sort of harassing message. Sure they may be adverting your site, but theyre also getting their crappy message sent, without attaching said message to their real e-mail addy.

None of that adresses your concerns very well and for that I apologize.

All anyone needs to do to hijack a form2mail script is to substitute their own header for the one in the script. This will allow them to add cc and bcc fields to the message. That's what appears to be happening here. I've had other problems where they seemed to be spoofing the return address but this seems to be the real thing. They are also trying to compromise the register and lost password scripts in b2evo. These also use sendmail and if the hijacker can paste their own header into the input fields then they can hijack a form unless there are security measures built into the script to stop such attempts.

The form2mail script I use for my contact forms is pretty secure. I'm going to see if I can integrate that into the send link script. Or, create a new 'send to friend' script based on that form processing script.

The problem didn't go away when I disabled the friend.php script, so it must be done with a different script. My apologies to Scott. His script was not at fault.

The only pages that show unusual activity are the register and login pages. The register page has been hit almost 3000 times and the login page has had over 4400 hits. None of the other pages on my site show suspicious activity.

what sort of activity are you seeing on the pages you are concerned about? is it email related, or not? if so, are emails hitting your server as a result of the "attempts"?

I'm seeing 4433 hits on register.php over the last 3 days when I don't even have that feature active on my blog. I've also seen over 2700 hits on login.php when I'm the only one who has to login and that's for admin. In the same time period the css file for the skin I use has only been accessed maybe 150 times in the last 3 days.

I renamed friend.php to friend.bak and still got bounced emails. I received 7 of them so far today. I've renamed register.php and login.php to .bak and am waiting to see if that stops the activity.

All of the messages have a subject line in the header similar to this - "Subject: =?iso-8859-1?b?Rmxhd2xlc3MgZHJ1ZyBPZmZlcmluZ3M=?="

The messages themselves have an ascii character as the first letter of each line -
ÂGood Afternoon
ÂOur customers return for our weekly specials.

The two of these taken together seem to imply that this is an actual hijack and not a simple matter of spoofed return addresses.

interesting...

http://unspammable.xtdnet.nl/2004//31633.html
https://lists.su.se/archive/public/devel-at-it.su.se/msg00704.html

seems to be a name already associated with spam.

PS: per our private messages I went ahead and moved and renamed this thread. Feel free to change the name of the topic if you like, just edit your first post :)

John,

Thanks for emailing me. I'm glad that the freind.php script wasn't the one hijacked. As per our private discussions, am eager to learn about the root cause of the problem.

As you suggested, I've rerouted all mail from our server from :blackhole: to a valid email address (did that a couple of days ago) and so far, so good, as I haven't received a single bouced email off our hosting server.

Keep us posted.

Cheers,

-stk :D

It looks like the problems I've been having are not hijacked forms. I finally got my hosting company to take a look at the sendmail logs and they said the messages are not passing through their server. This means the spammers are spoofing the return address with my domain as the source. There isn't anything I can do about this, because the messages all seem to come from a different source. This is annoying as heck, because I could still end up on a blacklist if the people who maintain it don't check the headers closely enough to realize that the return addresses are false.

I've added a little security to Scott's friend script and intended to dig deeper into the security that is built into those parts of b2evo that use sendmail.

ahhh, well it's a good to know that b2evolution is not the source of the problem. good luck, all the same.