onlyican Posted October 27, 2009 Hi. I know this is probably the wrong place, but I can't find a suitable place for this. I come into work today to find someone has kindly sent spam emails using one of our forms. I can not remember how this is done (I know they enter data into a form which produces the mass mail). I have tried googling but can only find methods of blocking this. I want the method of doing this so I can test my method of blocking has worked. Can anyone help on how to inject forms (or point me in the right direction) for prevention purposes. Thanks
Bricktop Posted October 27, 2009 Hi onlyican, have a look here for a useful article explaining the email injection process. Essentially you need to check every input field for newlines (except textareas of course) and for words such as To:, Cc: and Bcc: for basic protection. Hope this helps.
cags Posted October 27, 2009 What fields from your mail() call are dynamic based on what the user fills in? Generally speaking this type of e-mail injection is done where you are either inputting the $to address from a field the user inputted (generally on a feedback form that's not going to happen though, as you wish it to come to your e-mail). Another common method is if you are cc/bcc'ing an e-mail input by the user. All they would have to do is input something like... [email protected]\r\[email protected]\r\[email protected] ...into the e-mail input. Faud Edit: D'oh
onlyican Posted October 27, 2009 (Author) Thanks, I know the methods to look for. I am looking for the injection code they use (including header manipulation).
cags Posted October 27, 2009 Without knowing your code, that's impossible to say. As stated in my previous post it could be as simple as a string of e-mails delimited by newline characters.
onlyican Posted October 27, 2009 (Author) I have prevention methods in place now. I have checks for characters, such as ; , \n \r vbcrlf cr lf < > amongst other checks. I just want to run as many tests as possible to prevent this going forward.
cags Posted October 27, 2009 Providing you don't accept linebreaks, I'm fairly sure you're safe. Assuming the header injection is coming from you allowing the user to input their e-mail address, which you are inserting into the From (or some other header) field, the simplest method IMO is to simply verify it as a valid e-mail address with a RegEx or a validation class. This will discount any form of injection.
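The two defences the thread settles on (reject any CR/LF or header keyword in a field, then accept the From address only if it validates as a single e-mail address) as an added example, written by the editor rather than taken from any poster. It is in Python rather than PHP, builds the same kind of "From:/Reply-To:" headers string a feedback form would hand to mail(), and the input values and the address pattern are constructed assumptions, not from the thread.

```python
import re
from typing import Optional

# Constructed sample inputs: a normal address, and the newline-delimited
# payload style discussed in the thread, which would smuggle in extra
# recipient headers if the value were concatenated into the headers string.
CLEAN_INPUT = "alice@example.com"
INJECTED_INPUT = "alice@example.com\r\nBcc: bob@example.com\r\nBcc: carol@example.com"

# Assumed conservative pattern: exactly one local@domain token, no display name.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
# Header names that must never appear at the start of a (new) line in any field.
HEADER_KEYWORD_RE = re.compile(
    r"(^|[\r\n])\s*(to|cc|bcc|content-type|mime-version)\s*:", re.IGNORECASE
)


def is_clean_header_value(value: str) -> bool:
    """Reject anything that could start a new header line (the CR/LF check
    from the thread), plus NUL and the header keywords Bricktop listed."""
    if "\r" in value or "\n" in value or "\0" in value:
        return False
    return HEADER_KEYWORD_RE.search(value) is None


def validate_sender(value: str) -> Optional[str]:
    """Return the address if it is one well-formed address, otherwise None."""
    value = value.strip()
    if not is_clean_header_value(value):
        return None
    if EMAIL_RE.fullmatch(value) is None:
        return None
    return value


def build_headers(sender_input: str) -> Optional[str]:
    """Build the additional-headers block only from a validated address;
    None means the form should refuse to send rather than pass it to mail()."""
    sender = validate_sender(sender_input)
    if sender is None:
        return None
    return "From: " + sender + "\r\nReply-To: " + sender + "\r\n"


def count_header_lines(headers: str) -> int:
    """Number of non-empty header lines actually produced."""
    return len([line for line in headers.split("\r\n") if line])


if __name__ == "__main__":
    print(build_headers(CLEAN_INPUT))      # two headers, both for alice
    print(build_headers(INJECTED_INPUT))   # None: refused
```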