how was this done with my email form? hacker?

I received a few emails that have me concerned as it went through an email
form on my site but they did something they were not supposed to or did
they? I am so confused.

Return-path: <nobody@server145.misinternet.org>
Envelope-to: admin@paidtoreads.com
Delivery-date: Sat, 10 Sep 2005 1822 -0400
Received: from nobody by server145.misinternet.org with local (Exim 4.52)
id 1EEDpd-0005dq-Cu; Sat, 10 Sep 2005 1821 -0400
To: admin@paidtoreads.com
Subject: Paid To Reads Website Inquiry
FROM: zquqjwuqk@paidtoreads.com
Content-Type: multipart/mixed; boundary=\"===============1126063459==\"
MIME-Version: 1.0
Subject: a19ad08a
To: zquqjwuqk@paidtoreads.com
From: zquqjwuqk@paidtoreads.com
Message-Id: <E1EEDpd-0005dq-Cu@server145.misinternet.org>
Date: Sat, 10 Sep 2005 1821 -0400

There above the TO: address is wrong and is something that should not have
been able to be changed.

and again here same thing:
Return-path: <nobody@server145.misinternet.org>
Envelope-to: admin@paidtoreads.com
Delivery-date: Sat, 10 Sep 2005 1819 -0400
Received: from nobody by server145.misinternet.org with local (Exim 4.52)
id 1EEDpb-0005dd-Hf; Sat, 10 Sep 2005 1819 -0400
To: admin@paidtoreads.com
Subject: Paid To Reads Website Inquiry
FROM: jkpoputuvf@paidtoreads.com <jkpoputuvf@paidtoreads.com
Content-Type: multipart/mixed; boundary=\"===============1577493130==\"
MIME-Version: 1.0
Subject: 38034938
To: jkpoputuvf@paidtoreads.com
From: jkpoputuvf@paidtoreads.com
Message-Id: <E1EEDpb-0005dd-Hf@server145.misinternet.org>
Date: Sat, 10 Sep 2005 1819 -0400

Now the first one I received is really interesting:

Return-path: <nobody@server145.misinternet.org>
Envelope-to: admin@paidtoreads.com
Delivery-date: Sat, 10 Sep 2005 1819 -0400
Received: from nobody by server145.misinternet.org with local (Exim 4.52)
id 1EEDpa-0005dY-Hr
for admin@paidtoreads.com; Sat, 10 Sep 2005 1818 -0400
To: admin@paidtoreads.com
Subject: Paid To Reads Website Inquiry
FROM: pkwlzioqy@paidtoreads.com <pkwlzioqy@paidtoreads.com>
Message-Id: <E1EEDpa-0005dY-Hr@server145.misinternet.org>
Date: Sat, 10 Sep 2005 1818 -0400

and here is the message:

Name: pkwlzioqy@paidtoreads.com
Email: pkwlzioqy@paidtoreads.com

pkwlzioqy@paidtoreads.com
Content-Type: multipart/mixed; boundary=\"===============2068453969==\"
MIME-Version: 1.0
Subject: c9f2b90e
To: pkwlzioqy@paidtoreads.com
bcc: mhkoch321@aol.com
From: pkwlzioqy@paidtoreads.com

This is a multi-part message in MIME format.

--===============2068453969==
Content-Type: text/plain; charset=\"us-ascii\"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

omtf
--===============2068453969==--

So does this mean that someone has been able to hack my email form? If so I
will remove it immediately.

Heidi

Heidi wrote:

> I received a few emails that have me concerned as it went through an
> email form on my site but they did something they were not supposed to
> or did they? I am so confused.
>
[snip]
>
> So does this mean that someone has been able to hack my email form?
> If so I will remove it immediately.

It's an attempt to add extra headers into the email to try to change the
recipient and message. I posted the following advice here a couple of
day ago to prevent it from happening:

The way I've been combating this is to check none of the single line
fields (eg first name, last name etc) contain newline characters, and
none of the multi line fields (eg message) contain 'Content-Type:',
'multipart/mixed' or 'boundary='. If any of them match the above then
they get a message back saying the form contained invalid data.

--
Chris Hope | www.electrictoolbox.com | www.linuxcdmall.com

"Heidi" <blackcat2@gmail.com> wrote in message
news:V5KUe.2252$h02.73@tornado.texas.rr.com...
> I received a few emails that have me concerned as it went through an email
> form on my site but they did something they were not supposed to or did
> they? I am so confused.
>
> Heidi

Does your form record the host and ip?

Allis

Allis wrote:
:: Heidi
:
: Does your form record the host and ip?
:
: Allis

no but I do see in the referrer logs where someone accessed the contact form
page like 5 times...
67.188.193.9

Allis wrote:
:: Heidi
:
: Does your form record the host and ip?
:
: Allis

Also my original post about this had this email addie as a bcc in the
message body:
bcc: mhkoch321@aol.com

"Heidi" <blackcat2@gmail.com> wrote in message
news:YBLUe.2294$h02.1158@tornado.texas.rr.com...
> Allis wrote:
> :: Heidi
> :
> : Does your form record the host and ip?
> :
> : Allis
>
> no but I do see in the referrer logs where someone accessed the contact
form
> page like 5 times...
> 67.188.193.9
>
>

That's me checking it for ya

ROFL

"Heidi" <blackcat2@gmail.com> wrote in message
news:KCLUe.2296$h02.274@tornado.texas.rr.com...
> Allis wrote:
> :: Heidi
> :
> : Does your form record the host and ip?
> :
> : Allis
>
> Also my original post about this had this email addie as a bcc in the
> message body:
> bcc: mhkoch321@aol.com
>
>
>

I would say that's probably who they wanted it to go to
Spammers don't bcc themselves or they'd get buggered

Search out some other IP's and consider adding the logging of IP and Host
info in the forms.


--
Allis
/advice_given_without_checking_with_my_admin