What is Form Hijacking?

Form Hijacking is the exploitation of vulnerable web forms to send unauthorized email. It is used predominately to send spam emails and uses the server on which the form is hosted to deliver the spam emails. This effectively makes the domain and server that processes the form the spam source allowing the real spam originator to remain anonymous. This can have serious consequences for the hijacked domain including blacklisting of the domain.

• Originators of spam email do not want to be identified. By having spam sent from an unrelated server the spammers identity is hidden, the email is delivered by the hijacked server.
• Using someone else's server to send spam emails costs nothing because the owner of the hijacked server is paying for the transmission bandwidth used.
• The spammer domain remains anonymous and will not be blacklisted or blocked. The spam comes from the hijacked domain / server.
• If a hijacked domain / server becomes blocked the spammer can simply continue spam delivery by hijacking a different domain / server.

When you submit a form the form input is processed by a script which processes the form data. This processing often involves sending the form input data to an email address. The location of the script that processes the form is included as the action value of the form tag within the form. For example <form action="http://www.mydomain.com/process.php" method="post">. In this example the form processing script would be http://www.mydomain.com/process.php.

Automated robot scripts crawl the internet looking for web forms, following web page links from site to site. When they identify a web form they test the form processing script to see if it is vulnerable to hijacking. The hijacking robot script attempts to send the form processing script a character combination that will corrupt the headers of the form delivery email, this is known as email injection. These headers are basically the email delivery instructions. They can include To: From: Subject: BCC: and a range of other information applied in delivering the email. If the headers can be corrupted it is possible to set these values and the body of the email. This enables a hijacker to send an email with any subject, with any message, including any attachment, to any email address (usually as a BCC) and it is sent by the hijacked server.

This test probing often results in a form delivery email where most of the form field data is set as a random email address for the domain hosting the form ie xhkjh@mydomain.com. Generally multiple tests will be undertaken on a processing script with each test looking for a vulnerability in a different form field. The form field being tested will include not only the random email address but this will be followed by a line break and then the injected email headers. The injected email headers may include a monitoring email address usually as a BCC (Blind Carbon Copy). This an email address monitored by the form hijacker. If the form is vulnerable to hijacking an email will be sent to this address and the hijacker now knows that this form processing script can be compromised and can send spam emails via the hijacked form.

If you view the source of an email you will be able see the full headers. The headers of a hijack test email may include headers that have been injected via a form field similar to:

pcftt@mydomain.com
Content-Type: multipart/mixed; boundary="===============1992989315==\"
MIME-Version: 1.0
Subject: 4e6f1449
To: pcftt@mydomain.com
Bcc: test@hijacker.com
From: pcftt@mydomain.com

This is a multi-part message in MIME format.

--===============1992989315==
Content-Type: text/plain; charset=ISO-8859-1
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

Body message in hijacked form
--===============1992989315==--

There are a range of pretentative measures available. The most important is:

• The form processing script must check submitted characters and remove line breaks from data that is used in email headers.

Other methods to increase form security include:

• A manual review of the submitted data prior to email transmission. For example display the data and request confirmation by the form submitter. This requires a manual action and is difficult for an automated script to mimic.
• Use a single form file that includes the displayed form and the processing script in one. When the processing script is called by the hijacking script only the displayed form is generated. The processing script is not triggered increasing the protection against hijacking and email injection.
• Have the processing script perform data validation. Check for required fields and email address validation. JavaScript field validation offers no protection as it only runs in a browser.
• Have the processing script check that the domain / server on which the form is submitted is allowed to run the script. Usually this is done by only processing form submissions from forms that are hosted on allowed domains.

You can also use the Human Intelligence Identification Script (Hii) as an additional method in preventing Form Hijacking. Human Intelligence Identification prevents form submissions by automated robots:

• The Human Intelligence Identification Script (Hii) is designed to prevent web forms being submitted by automated robot scripts. Automated robot scripts are used maliciously to send Form Spam and Hijack Web Forms. The Human Intelligence Identification Script only allows form processing if a correct answer to a set question is provided when the form is submitted. The question can be in any format or structure. A script robot cannot interpret the meaning of a text question nor does it have the capacity to provide a correct answer. In fact it does not even know an answer is required. This applies for even the simplest of questions and effectively prevents a non-human from completing a form submission.

As spammers are continually searching for new methods to deliver spam no method should be considered an all time guaranteed solution, however knowledge is power and applying a combination of methods provides a strong level of protection.

Consider the form processing script used for your forms. Most commercially available scripts minimize form hijacking vulnerability, include a range of functional options that can be applied to further increase form security, and undergo continual development to enhance their functionality and security.

If you run a form processing script on your server make sure it minimizes form hijacking vulnerabilities. All Form1 based scripts including Form1 Builder Software, Form1 Builder GoldMine and Form1 Builder MYSQL include a range of form hijacking pretentative measures.

An alternative to running the script on your sever is using a hosted service such as ezyForm Hosting. Using a hosted service ensures that the processing script is always current and eliminates the possibility of your server being hijacked.

Form hijacking, spam, email address harvesting and associated activities occur predominantly because they generate revenue. So to stop form hijacking and spam...

• Never respond to spam emails.
• Never purchase or use email mailing lists that are not 100% verifiable as opt in.