PerlMonks  

is IP# in $ENV{REMOTE_ADDR} spoofable?

by mandog (Curate)
on Oct 13, 2002 at 01:46 UTC [id://204843]

mandog has asked for the wisdom of the Perl Monks concerning the following question:

In an effort to thwart spammers, I've replaced /cgi-bin/formmail.pl with a script containing the code below. (Yes, I'm running the latest version of NMS FormMail.pl under a different name.)

In the past 18 hours I've gotten 273 spam attempts; the problem is that there are 211 unique REMOTE_ADDRs. Is the SPAM mob so widely distributed, or is the REMOTE_ADDR spoofable? Since there are only 8 subjects for the SPAM, I'm guessing the former.

    use strict;
    use warnings;
    use CGI;

    # Append every environment variable, then the parsed form parameters,
    # to $file so the request can be looked at afterwards.
    sub lDump_CGI_Info {
        my $file = shift;
        if ( !open( FH, '>>', $file ) ) {
            print "couldn't open $file\n";
            return;
        }
        my $cgi = new CGI;
        my $key;
        foreach $key ( sort keys %ENV ) {
            my $spaces = ' ' x ( 30 - length($key) );
            print FH "$key $spaces $ENV{$key}\n";
        }
        print FH "\n\n";
        # CGI::save() writes the parameters one per line as name=value,
        # terminated by a line holding only "=". Pass a glob reference so
        # the bareword handle is accepted under strict.
        $cgi->save( \*FH );
        close FH;
    }

    __DATA__
    CONTENT_LENGTH                  1343
    CONTENT_TYPE                    application/x-www-form-urlencoded
    DOCUMENT_ROOT                   /home/sites/lctc/doc_root
    GATEWAY_INTERFACE               CGI/1.1
    HTTP_ACCEPT                     */*
    HTTP_CONNECTION                 Close
    HTTP_HOST                       www.lctc.org
    HTTP_PROXY_CONNECTION           Close
    HTTP_USER_AGENT                 Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; AIRF; .NET CLR 1.0.3705)
    HTTP_VIA                        WebSTAR Proxy (3.0b)
    PATH                            /usr/local/bin:/usr/bin:/bin
    QUERY_STRING
    REMOTE_ADDR                     216.20.52.200
    REMOTE_PORT                     52072
    REQUEST_METHOD                  POST
    REQUEST_URI                     /cgi-bin/FormMail.pl
    SCRIPT_FILENAME                 /home/sites/lctc/cgi-bin/FormMail.pl
    SCRIPT_NAME                     /cgi-bin/FormMail.pl
    SERVER_ADDR                     10.0.0.5
    SERVER_ADMIN                    webmaster@lctc.org
    SERVER_NAME                     www.lctc.org
    SERVER_PORT                     80
    SERVER_PROTOCOL                 HTTP/1.0
    SERVER_SOFTWARE                 Apache/1.3.26 (Unix) Debian GNU/Linux mod_perl/1.26 PHP/4.1.2
    TZ                              US/Eastern
    UNIQUE_ID                       Paf5YQoAAAUAACurNxQ


    email=jettaqp%40hindin.com
    realname=jettaqp%40hindin.com
    recipient=%3Cbrucevani%40ameritech.net%3Ewww.lctc.org%2C%3Cbrucew%40hongkong.com%3Ewww.lctc.org%2C%3Cbrucewayne%40integraonline.com%3Ewww.lctc.org%2C%3Cbrucewerk%40hotmail.com%3Ewww.lctc.org%2C%3Cbrucewherlock61%40hotmail.com%3Ewww.lctc.org%2C%3Cbrucewhetton%40msn.com%3Ewww.lctc.org%2C%3Cbrucewhite%40msn.co%3Ewww.lctc.org%2C%3Cbrucewho%40aol.com%3Ewww.lctc.org%2C%3Cbrucewicks%40roadrunner.nf.net%3Ewww.lctc.org%2C%3Cbrucewray%40home.com%3Ewww.lctc.org%2C%3Cbrucewynn%40hotmail.com%3Ewww.lctc.org%2C%3Cbrucey.gib%40aol.com%3Ewww.lctc.org%2C
    subject=HAHAHAH%20LOL%20%20%3A%29
    p28=%0D%0A%0D%0AHey%20it%27s%20Amber%20from%20school.%0D%0AI%20am%20just%20E-Mailing%20everyone%20I%20know%20to%20inform%20you%20about%20this%20SLUT%20kristina%20from%20school.%20%20She%20has%20a%20Webcam%20set-up%20for%20my%20Boyfriend%20Matt%20and%20she%20sits%20there%20Naked%20in%20her%20room%20for%20him%20all%20day.%20%20FUCK%20That%20Whore%21%20%20Im%20Telling%20Everyone%20about%20her%20Webcam%21%20%20Here%20is%20the%20Address%3A%20http%3A%2F%2Fwww.terra.es%2Fpersonal9%2Flatinhoney%2F%20%20%20%20%3C%2Fa%3E%20a%20href%3D%22http%3A%2F%2Fwww.terra.es%2Fpersonal9%2Flatinhoney%2F%22%3E%20Click%20Here%21%20%3C%2Fa%3E%20%20%20%20%20%20Go%20See%20This%20SLut%20for%20Yourself%21%20%20%20Thanks%20for%20helping%20me%20embarass%20this%20HO%21%20%20%3A%29%0D%0A%0D%0A%3C3%20AmBeR%20%3C3%0A%0A%0A%0A%0A%0A%0A%0Abdd
    =

Re: is IP# in $ENV{REMOTE_ADDR} spoofable?
by zengargoyle (Deacon) on Oct 13, 2002 at 02:38 UTC
    • don't call it 'formmail' to avoid the CGI scanners.
    • use .htaccess or something to restrict the script to the IPs you want to have access.
    • check the referrer to ensure the visitor came from one of your pages. (can be faked as well)
    • yes there are that many evildoers. i have a handful of /24's that have *never* been allocated to a host. i forward them to an IDS and block several scores of evildoers every day.

    if you log and dissect the numbers you'll learn to tell whether they're spoofing, how far away they are, what type of zombie they've been compromised with, etc.

    i truly miss the internet of the late 80's. such a nicer place...
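The IP restriction and referrer check suggested above, written out as an added Perl example that is not part of the original thread or of NMS FormMail. The point it makes is the one the dump in the question already hints at with its HTTP_VIA line: REMOTE_ADDR is written by the web server from the peer address of the TCP connection it accepted, whereas every HTTP_* variable (Via, X-Forwarded-For, Referer) is a header the sender typed in and can set to anything. The allowlist networks, the $OWN_HOST value, the function names and the %sample environment (constructed from the dump in the post) are all assumptions made for the example.

```perl
#!/usr/bin/perl
# Added example, not from the original thread: gate a CGI form handler on
# the one address the web server set from the accepted TCP socket
# (REMOTE_ADDR) and treat every HTTP_* variable as client-supplied.
use strict;
use warnings;

# Hypothetical allowlist of networks the form may be used from.
my @ALLOWED_NETS = ('216.20.52.0/24', '10.0.0.0/8');

# Hypothetical own hostname; the Referer check is advisory only.
my $OWN_HOST = 'www.lctc.org';

# Dotted quad -> 32-bit integer; undef for anything that is not one.
sub ip_to_int {
    my ($ip) = @_;
    return unless defined $ip && $ip =~ /\A\d{1,3}(?:\.\d{1,3}){3}\z/;
    my @oct = split /\./, $ip;
    return if grep { $_ > 255 } @oct;
    return unpack 'N', pack 'C4', @oct;
}

# True if $ip lies inside the CIDR block "a.b.c.d/len".
sub in_cidr {
    my ($ip, $cidr) = @_;
    my ($net, $len) = split m{/}, $cidr;
    $len //= 32;
    my $ipn  = ip_to_int($ip)  // return 0;
    my $netn = ip_to_int($net) // return 0;
    my $mask = $len == 0 ? 0 : (0xFFFFFFFF << (32 - $len)) & 0xFFFFFFFF;
    return (($ipn & $mask) == ($netn & $mask)) ? 1 : 0;
}

# Examine a CGI environment hash; returns ('allow'|'deny', \@notes).
sub check_request {
    my ($env) = @_;
    my @notes;

    # REMOTE_ADDR is filled in by the server from the peer address of the
    # TCP connection it accepted; the client never sends it as a header.
    my $peer = $env->{REMOTE_ADDR};
    return ('deny', ['REMOTE_ADDR missing or malformed'])
        unless defined ip_to_int($peer);

    # Everything starting with HTTP_ is a request header the client chose
    # to send. Via / X-Forwarded-For only *claim* a proxy is in the path
    # and say nothing reliable about who is behind it.
    for my $h (qw(HTTP_VIA HTTP_X_FORWARDED_FOR HTTP_PROXY_CONNECTION)) {
        push @notes, "$h=$env->{$h} (client-supplied, not trusted)"
            if defined $env->{$h};
    }

    # Only the socket peer address is checked against the allowlist.
    unless (grep { in_cidr($peer, $_) } @ALLOWED_NETS) {
        push @notes, "peer $peer not in allowlist";
        return ('deny', \@notes);
    }

    # Referer can be set to anything by the sending tool, so a failed
    # match is recorded but does not by itself decide the outcome.
    my $ref = $env->{HTTP_REFERER} // '';
    push @notes, 'Referer missing or foreign (fakeable; advisory only)'
        unless $ref =~ m{\Ahttps?://\Q$OWN_HOST\E(?:/|\z)}i;

    return ('allow', \@notes);
}

# Constructed sample environment, modelled on the dump in the post.
my %sample = (
    REMOTE_ADDR           => '216.20.52.200',
    HTTP_VIA              => 'WebSTAR Proxy (3.0b)',
    HTTP_PROXY_CONNECTION => 'Close',
    HTTP_X_FORWARDED_FOR  => '10.0.0.5',   # the sender can write anything here
    REQUEST_METHOD        => 'POST',
);

my ($decision, $notes) = check_request(\%sample);
print "$decision\n";
print "  $_\n" for @$notes;
```

Run it as a plain script; in a real CGI you would pass \%ENV instead of \%sample. The sample is allowed because 216.20.52.200 is inside the assumed allowlist, and the notes show why X-Forwarded-For must never be the value compared against that list: it would let anyone put an allowed address in a header. If the server sits behind a reverse proxy you control, REMOTE_ADDR is the proxy and the real client address has to be recovered from a header that only that proxy is permitted to set, which is a configuration concern outside this snippet.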

Re: is IP# in $ENV{REMOTE_ADDR} spoofable?
by dws (Chancellor) on Oct 13, 2002 at 03:38 UTC
    Is the REMOTE_ADDR spoofable?

    Yes, but not by using the bulk email tools that most spammers are using at present. Most of them use simple applications that run on Win32. Forging From: headers is about as far as these tools go, though many spammers use multiple ISP accounts.

      Err. I'm not sure here, but I don't think it's possible to fake a remote address. Provided that the webserver is reporting the TCP connection address, and not a header that the client is sending, the REMOTE_ADDR should always be correct.

      The correct remote address is needed to build the TCP connection before the HTTP request is sent. This isn't true for things like ICMP where no 'connection' occurs.

      Of course, the computer connecting to you may have been cracked or trojaned, so it might be worth the time to drop the server admin a line and let him know that someone is meddling with his box. If he doesn't respond positively, report him to the MAPS RBL.

      ____________________
      Jeremy
      I didn't believe in evil until I dated it.

        Update: I just re-read what jepri said and realized that I was wrong in my initial response. He is correct that a spoofed IP address will prevent a TCP connection from being established, since the origin application will need to use the TCP sequence number from the destination server's SYN-ACK packet to completely establish the connection. The stuff I said only applies to connectionless IP protocols, not those with connections like TCP. Sorry. I have removed the original contents of this node to avoid misleading anyone.

        A TCP connection can only be spoofed if the TCP sequence number returned by the server can be predicted. If it can, then an attacker with the ability to spoof IP addresses can just send all the packets for the HTTP request without requiring the acknowledging packets from the server. This is referred to as "Blind TCP Spoofing". This article provides a decent overview.
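The blind-spoofing argument in the update above, as an added toy model in Perl that is not part of the original thread. It reduces the three-way handshake to two calls (SYN in, SYN-ACK out; ACK in) and runs the same attacker against two servers that differ only in how they pick the initial sequence number. The server and attacker functions, the fixed step of 64000, the address 203.0.113.7 (a documentation range) and the reuse of 216.20.52.200 from the dump are all assumptions made for the example; ports and retransmission are left out.

```perl
#!/usr/bin/perl
# Added example, not from the original thread: a toy model of the TCP
# three-way handshake showing why a forged source address only yields an
# established connection when the server's initial sequence number (ISN)
# can be predicted.
use strict;
use warnings;

# A server is just an ISN policy plus its half-open and accepted tables.
sub new_server {
    my ($isn_policy) = @_;
    return { isn_policy => $isn_policy, halfopen => {}, accepted => [] };
}

# SYN arrives from (claimed) source $src. The server picks an ISN and
# returns the SYN-ACK; in reality that packet goes to $src, so only a
# sender that really owns $src gets to read the ISN from it.
sub recv_syn {
    my ($srv, $src, $client_isn) = @_;
    my $isn = $srv->{isn_policy}->();
    $srv->{halfopen}{$src} = { expect_ack => ($isn + 1) & 0xFFFFFFFF };
    return { to => $src, seq => $isn, ack => ($client_isn + 1) & 0xFFFFFFFF };
}

# Final ACK (carrying the request). Accepted only when the ACK number is
# ISN+1, i.e. the sender saw the SYN-ACK or guessed its ISN.
sub recv_ack {
    my ($srv, $src, $ack, $data) = @_;
    my $ho = delete $srv->{halfopen}{$src} or return 0;
    return 0 unless $ack == $ho->{expect_ack};
    push @{ $srv->{accepted} }, { remote_addr => $src, data => $data };
    return 1;
}

# Blind spoof: connect once from the real address to sample the current
# ISN, predict the next one, then SYN from the forged $victim address and
# answer with an ACK computed from the prediction, never seeing the reply.
sub blind_spoof {
    my ($srv, $real, $victim, $predict) = @_;
    my $synack = recv_syn($srv, $real, 1000);                # attacker sees this
    recv_ack($srv, $real, ($synack->{seq} + 1) & 0xFFFFFFFF, 'probe');
    my $guess = $predict->($synack->{seq});
    recv_syn($srv, $victim, 5000);                           # reply goes to $victim
    return recv_ack($srv, $victim, ($guess + 1) & 0xFFFFFFFF,
                    "POST /cgi-bin/FormMail.pl from forged $victim");
}

# Weak policy: ISN advances by a fixed step per connection, in the spirit
# of the old BSD stacks the attack was first shown against (step is illustrative).
my $step    = 64_000;
my $counter = 0;
my $weak = new_server(sub { $counter = ($counter + $step) & 0xFFFFFFFF; $counter });

# Hardened policy: unpredictable ISN (rand() stands in for the keyed
# hash / CSPRNG a real stack uses).
my $hard = new_server(sub { int(rand(2**32)) });

# The attacker's prediction assumes the fixed-step behaviour.
my $predict_step = sub { my ($seen) = @_; ($seen + $step) & 0xFFFFFFFF };

for my $case (['fixed-step ISN', $weak], ['random ISN', $hard]) {
    my ($label, $srv) = @$case;
    my $ok = blind_spoof($srv, '203.0.113.7', '216.20.52.200', $predict_step);
    printf "%-16s spoofed connection %s; REMOTE_ADDR seen by CGI: %s\n",
        $label, $ok ? 'ACCEPTED' : 'rejected',
        $ok ? $srv->{accepted}[-1]{remote_addr} : '(none)';
}
```

Against the fixed-step server the forged connection completes and the CGI would log the victim's address in REMOTE_ADDR; against the random-ISN server the guessed ACK misses and nothing is accepted. Two things the model leaves out matter in practice: the real host at the forged address receives the unexpected SYN-ACK and would normally answer it with a RST, so a working attack also has to keep that host quiet; and current stacks randomize the ISN per connection (RFC 6528 describes the standard scheme), which is why the second case is what a present-day web server behaves like.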

Re: is IP# in $ENV{REMOTE_ADDR} spoofable?
by bigj (Monk) on Oct 13, 2002 at 02:01 UTC
    I don't know a lot about spoofability, so please excuse that I don't answer the real question. I only want to recommend writing
        printf FH "%-30s %s\n", $key, $ENV{$key};
    or
        print FH sprintf("%-30s", $key), " ", $ENV{$key}, "\n";
    instead of
        my $spaces = ' ' x ( 30 - length($key) );
        print FH "$key $spaces $ENV{$key}\n";
    as the printf solutions are shorter, more Perlish and less error-prone.

    Greetings,
    Janek

Re: is IP# in $ENV{REMOTE_ADDR} spoofable?
by c0rr (Initiate) on Jan 04, 2004 at 01:27 UTC
    From CGI? To put it simply, hell yes. A simple http proxy would mask that.

Node Type: perlquestion [id://204843]
Approved by mr2