13 Sep 2005
Email Injection Attacks
Just as Paul Silver mentioned, I've also started getting email injection attacks. Spammers have been targeting contact forms, attempting to insert extra headers (Cc:, Bcc:, To:) so that the form relays their amazing offers to large numbers of people.
If you have an email form, particularly one built with PHP, you need to make sure it's not open to abuse. In most cases, ensuring that nothing inserted into mail()'s additional_headers (usually to set the From: header) contains a line feed or carriage return will prevent unwanted extra headers: a single CR or LF is all it takes to start a new header line, and a blank line ends the headers and starts a new message body. Ideally, strict server-side validation should already be catching such things, but it's easy to overlook white space characters.
If you're using a ready-made script, check for updates and for information about whether it's protected. And any code that builds email headers from user input could be vulnerable; this isn't purely a PHP problem, nor is it restricted to contact forms.
Because of the way my form is built, I don’t think the spammers succeeded, but I’ve added extra filtering as a precaution and will be doing more testing.