[thelist] Re: blasterattacko at aol.com?

John.Brooking at sappi.com John.Brooking at sappi.com
Wed Mar 24 12:35:20 CST 2004


>Date: Tue, 23 Mar 2004 14:17:40 -0500
>From: Kevin Martin <evolt at brasscannon.net>
>To: thelist at lists.evolt.org
>Subject: [thelist] Re: blasterattacko at aol.com?
> ...
>You also have to look for Unicode CR/LF equivalents, or anything that
>"unescapes" to become a CR/LF.  (That's the "arms race" to which I alluded.)

What I do is only *allow* certain characters, so that everything else is
disallowed (as I've read is the best security practice). The code is simply:

   my %params = $cgi->Vars;   # Copies all CGI params to a hash

   foreach( qw( from name subject )) {   # Only certain characters in headers
      $params{$_} =~ s/[^\w !@\$%&\(\)\?\/\+=\-_"',.:;]+//mg;
   }

The "from", "name", and "subject" headers are the only ones I use directly.
(The "to" parameter is used as a key into the address book, and there is a
hard-coded BCC and Type (text/plain) header, and those are all the headers I
use at all. The name parameter, if included, is added to the from parameter,
in the form "name <from>", so that the real name will show up.) This regexp
is meant to allow only alphanumerics, underscore, the space character, and the
following punctuation, which AFAIK is not a problem:

   ! @ $ % & ( ) ? / - , . : ;

>If you telnet to your SMTP port and negotiate the dialog to send a message, it
>tells you to end your message by typing a period on a line by itself, followed
>by a CR/LF.
>
>If inserting this sequence into a message and following it up with faked
>headers does NOT result in a second message being sent, you're in pretty good
>shape.  Hmm, I'd better give that a shot with cgiemail to make sure it does
>the right thing!

   I'm using MIME::Lite to send the mail, the code is:

      $msg = MIME::Lite->new( From     => $params{from}  # may include name
                            , To       => $params{to}    # from address book
                            , Bcc      => $params{bcc}   # hard-coded
                            , Subject  => $params{subject}  # filtered param
                            , Type     => "text/plain"
                            , Data     => $params{text}  # message body
                            );
      $msg->send;

   I tested it, and it looks like it's not a problem. The "." on a line by
itself came through as part of the single message body. However, to be
completely sure, since I don't know all the ins and outs of MIME::Lite, I've
modified my script to replace any single periods on a line by themselves
with spaces instead. Version 1.5 is now available at [1].

>Interesting.  I spend hours fighting spam and spammers every day, and really
>hated having to replace my mailto: links because of them. Sounds like you have
>an interesting alternative.  Thanks for sharing it!

   I just want to make sure it's secure, so I don't get a reputation like
poor Matt Wright! ;-)
   
[1] http://www.pobox.com/~JohnBrook/codelib/
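Added example, not part of the post or of the author's script: the same header whitelist in Python (re.ASCII keeps \w to ASCII so no Unicode line separator survives), the dot-line test Kevin describes, and RFC 5321 dot-stuffing as the standard alternative to replacing lone periods with spaces. The simulated server split and all sample strings below are constructed for the example.

```python
import re

# Same allow-list as the Perl substitution in the post: word characters, the
# space, and this punctuation. Everything else, including CR, LF, tab and
# Unicode line separators such as U+0085 and U+2028, is stripped.
ALLOWED_PUNCT = " !@$%&()?/+=-_\"',.:;"
HEADER_DISALLOWED = re.compile(r"[^\w" + re.escape(ALLOWED_PUNCT) + "]+", re.ASCII)


def sanitize_header(value: str) -> str:
    """Return the header value with every non-allow-listed character removed.
    Call this after URL-decoding, so %0d%0a has already become CR LF."""
    return HEADER_DISALLOWED.sub("", value)


def dot_stuff(body: str) -> str:
    """RFC 5321 section 4.5.2 transparency: prepend a second '.' to any body
    line that starts with '.', so the server never sees the lone '.' that ends
    the DATA phase in the middle of the message. Output uses CRLF line ends."""
    lines = body.replace("\r\n", "\n").split("\n")
    return "\r\n".join("." + ln if ln.startswith(".") else ln for ln in lines)


def smtp_data_segments(wire: str) -> list:
    """Constructed test helper: split a DATA payload the way a server would, on
    CRLF '.' CRLF, un-stuff leading '..' and return the resulting messages.
    One element means the '.'-line test from the thread passed."""
    parts = wire.split("\r\n.\r\n")
    if parts and parts[-1] == "":   # drop the empty tail after the terminator
        parts.pop()
    return [re.sub(r"(?m)^\.\.", ".", p) for p in parts]
```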