Email Injection Attacks
As Paul Silver mentioned, I’ve also started getting email injection attacks. Spammers have been targeting contact forms, attempting to insert extra data that lets them email large numbers of people with their amazing offers.
If you have an email form, particularly one built with PHP, you need to make sure it’s not open to abuse. In most cases, ensuring that anything inserted into mail()’s additional_headers argument (usually to set the From: header) contains no line feeds or carriage returns should prevent unwanted extra headers. Ideally, strict server-side validation should already be catching such things, but it’s easy to overlook whitespace characters.
If you’re using a ready-made script, check for updates and for information about whether it’s protected. Oh, and any code that builds email headers from submitted data could be vulnerable; it’s not purely a PHP problem, nor is it restricted to contact forms.
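The check described above, as an added example that is not code from the original post: the submitted sender address is rejected if it contains a carriage return or line feed before it is used to build the From: header for mail(). It assumes PHP 7.1 or later, and the function names and sample inputs are my own.

```php
<?php
// Added example, not code from the original post. Assumes PHP 7.1+.
// Validates the submitted sender address before it is placed in the
// additional_headers argument of mail() as a From: header.

// True if the value contains a carriage return or line feed: the characters
// that end a header line and therefore allow extra headers to be appended.
function containsLineBreak(string $value): bool
{
    return preg_match('/[\r\n]/', $value) === 1;
}

// Returns a clean address suitable for a From: header, or null to reject.
function safeFromAddress(string $raw): ?string
{
    $value = trim($raw);
    if ($value === '' || strlen($value) > 254 || containsLineBreak($value)) {
        return null;
    }
    // FILTER_VALIDATE_EMAIL also refuses whitespace and control characters;
    // the explicit check above keeps the CR/LF rule visible in the code.
    $email = filter_var($value, FILTER_VALIDATE_EMAIL);
    return $email === false ? null : $email;
}

// Builds the headers for mail(), returning null so the caller can refuse
// the request. Unsafe pattern this replaces:
//   $headers = "From: " . $_POST['email'];
function buildHeaders(string $submittedEmail): ?string
{
    $from = safeFromAddress($submittedEmail);
    return $from === null ? null : 'From: ' . $from;
}

// Constructed sample inputs (not real submissions) to show the decision.
$samples = [
    "alice@example.com",                     // accepted
    "alice@example.com\r\nX-Extra: header",  // rejected: CR/LF present
    "not an address",                        // rejected: fails validation
];
foreach ($samples as $sample) {
    $headers = buildHeaders($sample);
    echo json_encode($sample), ' => ', $headers === null ? 'REJECT' : $headers, PHP_EOL;
}

// In the form handler (hypothetical field names):
//   $h = buildHeaders($_POST['email'] ?? '');
//   if ($h === null) { http_response_code(400); exit('Invalid sender address.'); }
//   mail('contact@example.com', $subject, $message, $h);
```

The same rule applies to any other submitted value that ends up in a header line, such as the subject, since mail() sends that as a header too.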
Because of the way my form is built, I don’t think the spammers succeeded, but I’ve added extra filtering as a precaution and will be doing more testing.
Tue 13th Sep 2005, 11:41pm GMT
Filed under: Email, Hints and Tips, Security and Privacy, Server-side Coding, Web
Comments
Yes, I am going through angst with the email injection attacks too. What worked for a while was code not allowing emails to come from the same domain name as the web site. That piece of code no longer seems to be working. So, I'm up to my ears trying to figure out how they are getting in--and how to stop them.
—
Paul, 14th Sep, 3:09pm
Comments are now closed for this entry.