Problem:

I'd like to change my domain details. Unfortunately I've forgotten my password. One of the things I need to change is the email address - and when I click on the send password link, I think it is sending it to the old, no longer valid, email address.


Solution:

Verify that is what is happening by checking out the whois data. There is a whois tool at http://www.webquarry.com/whois.html

Assuming that you no longer have access to the old email address, you have two choices:

1. Get access to that email address somehow for a short period of time.

or

2. Go to http://www.adminchange.com and follow the instructions there. Be prepared to fax the requested documentation and await a response.

Our servers are secure. Unfortunately, your form handler program is not.

When you write a form processing program you need to make certain that you sanitize any data that comes from the outside world. If your script allows the insertion of a linefeed character into any of the outgoing email header lines then it can be hijacked.

How They Do It

If any of the form's user-supplied information is used in the email header of the outgoing email, that form field might be a security hole.

First, let's see what an email header looks like:

---------------------------------------
From: "John Smith" <johnsmith@example.com>
To: you@yourdomain.com
Subject: I just want to say...

Blah, blah, blah
Blah, blah, blah
---------------------------------------

Note that the first blank line separates the email header from the email body. It's normally that way. Once a blank line is encountered, sendmail assumes everything else belongs to the email body.

Suppose a form asked for the user's name and email address and subject. Any one of those can be used to exploit a hole in your form processing program. As an example, let's try the user's name.

Notice that the user's name is in the From: header line of the email being sent out. This is a good thing because it allows you, the form's recipient, to simply click reply when answering the form user.

A hijacker would build a program to submit to your form processing program.  Note they bypass your form completely and call the form processing program directly. When you look in your logs, you will see traffic for your form processor and relatively no traffic for your form page.

Instead of a user's name in the username form field, the hijacker might put a line feed character (which is simply a character that software sees as a signal to start a new line), then "Bcc:" followed by hundreds of @aol.com (or other) email addresses. Now, the above email headers would look like:

---------------------------------------
From: "
To: (any address on your domain)
Bcc: (hundreds of @aol.com addresses here)
Subject: Spammer's subject here

The spammer's email body here.
---------------------------------------

Did you catch that? This email has been hijacked and they used your script to do it!

Determining if Your Program is Being Hijacked

Hijackers tend to put hundreds of email address into the Bcc: header line. There will probably be bounces from many of those addresses.

When an email bounces, the returned email usually has the full headers of the email being returned.

Search the Received: header lines to determine the source of the email.

Preventing Your Form Handler from Being Expoited

To secure your forms against this type of hijack you need to strip all carriage returns and linefeeds out of email fields before submitting them to the mail subsystem. The implementation will depend on what language you are using. Examples in PHP and PERL are listed below:

PHP:
(for each field used in an email.)

$field = preg_replace( "/[\n\r]+/", " ", $field );

PERL:
(for each field used in an email.)

$field =~ s/[\n\r]+/ /g;

See http://www.webquarry.com for all your web hosting needs!

You will need to use SSH to get to the unix shell.

Get yourself a copy of putty.exe for windows. Tell it to log into your username and password on your server.

For Mac, just use the built in terminal app and tell it to:

ssh -l youruserid yourhostname