Skip to navigation

malevolent design weblog

This blog is now defunct, but you can find more stuff over at my personal site

Email Injection Attacks

Just as Paul Silver mentioned it, I also started getting email injection attacks. Spammers have been targeting contact forms, attempting to insert extra data to let them email large numbers of people with their amazing offers.

If you have an email form, particularly one built with PHP, you need to make sure it’s not open to abuse. In most cases, ensuring anything inserted into mail()’s additional_headers (usually to set the From: header) doesn’t contain line feeds or carriage returns should prevent unwanted extra headers (ideally, strict server-side validation should already be catching such things, but it’s easy to overlook white space characters).

If you’re using a ready-made script then check for updates and information about whether it’s protected. Oh, and any code that creates headers could be vulnerable, it’s not purely a PHP problem or restricted to contact forms.

Because of the way my form is built, I don’t think the spammers succeeded, but I’ve added extra filtering as a precaution and will be doing more testing.


I'm talking to 4-5 people about this at the moment and all of us are seeing plenty of attacks. Some are only to a form that has been proved vulnerable on the past, but I'm still getting the occasional attack to a form that isn't vulnerable in the way they're attacking (different language) and has never let spam through.

To me this looks like a few people doing research to see what's open, then passing on open forms to others for further attacks.

Paul, 14th Sep, 3:09pm

Yes, I am going through angst with the email injection attacks too. What worked for a while was code not allowing emails to come from the same domain name as the web site. That piece of code no longer seems to be working. So, I'm up to my ears trying to figure out how they are getting in--and how to stop them.

Jennifer Ryan, 17th Nov, 10:57pm

Comments are now closed for this entry.