What is an injection-based Spam attack?


Many of the older techniques for sending Spam out via remote servers either involves searching for open relays, using brute-force attacks against a server (to guess a username and/or password) or exploiting by bugs in scripts (or on a service).


However, we have recently come across a new style of attack - injecting extra data into custom-written contact forms.


How is this done?


Many custom-written contact forms do not properly check the data being sent to them, normally just inserting it straight into the e-mail to be sent. For example;


<?php

$to = 'test@example.com';
$from = "From: ".$_POST['from'];
$subject = 'Test E-Mail';
$content = $_POST['message'];

mail($to, $subject, $content, $from);

?>

would just add all the information from the HTML form straight into the e-mail, regardless of what was sent.


In this case, if someone send the following as part of the From field:


test@example.net
Bcc: testing@example.org, tester@example.org, tested@example.org

the e-mail would look like:


From: test@example.net
Bcc: testing@example.org, tester@example.org, tested@example.org
To: test@example.com
Subject: Test E-Mail

The message received from the website goes in here...

Although the e-mail would still be sent to you, and it would just look like some Spam or junk. The extra Bcc field in the header however would tell our servers to send to mail to many other people as well (here testing@example.org, tester@example.org, tested@example.org), without you knowing!


How do I prevent this?


There are two options - the basic method or the full method. Which one you use depends on the field being checked and/or your level of programming experience.


The basic method just involves making sure that there are no \r or \n characters in the e-mail. This prevents extra lines from being added into a header field (and therefore should be added to those that add into headers). Although, for some fields, such as Subject, this may be all you can check for.


The more complex, full, method is be actually checking the format of the response to make sure it's valid for it's purpose. For things like a name, this could be a just alpha-numeric (A-Z and 0-9) characters, along with some publication (such as '-', '_', etc., but not '@'). For e-mails, you may want to run a full check to make sure the e-mail address is in the correct format, and therefore will be valid when you pass it to the server to be delivered.


There are many articles to check e-mail addresses in just about any language you may write your site/program in:



If you have any questions about this, would like your code checked, or are updating your code and have become stuck, please Submit a Ticket to our Support Team who will do their best to assist you.

  • 123 Utenti hanno trovato utile questa risposta
Hai trovato utile questa risposta?

Articoli Correlati

How do I set-up custom error pages in Plesk?

There are two different ways to display error messages using Plesk on Linux. The first is...

How do I set-up custom error pages using .htaccess?

There are two different ways to display error messages using Plesk on Linux. The first is through...

What is Hotlinking and how do I prevent it?

If you notice a surge in the traffic coming to your site, it may not be because you are receiving...

How do I create a cron job?

A cron job (run by the cron daemon, or cron service) is a request for the server to run a...

How do I create an SSH tunnel?

The SSH protocol is a useful tool available on all our servers which allows our customers to...