[thelist] Email header injection
Noah St. Amand
noah at tookish.net
Fri Nov 11 11:40:25 CST 2005
I've been seeing a bunch of these lately (as with Marc, I was getting a
pile of them a few weeks ago, then they disappeared; they've come back
in the last 24 hours or so).
One note -- I am checking the referrer, but allowing the mail to be sent
when there's no referrer (because products like Norton Internet Security
apparently strip the referrer).
Here are two solutions I'm considering:
1. setting a hidden variable in the form, and requiring that it be set
in order to send the mail; this is obviously not a complete solution,
but my thought is that setting the bar a little higher might cause the
person/bot responsible to move on
2. setting a session cookie on the form page, and checking for its
existence before mail is sent; setting a cookie that's completely
superfluous for the user is obviously not ideal, but I think this would
be effective
Anyway, I'm just interested in what other people with the same problem
think about these solutions.
Cheers,
Noah
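Both proposals above raise the bar for a bot, but neither stops a human (or a bot that first fetches the form page) from putting a line break into a field that ends up in a mail header. The check below is an added example, not code from this thread, and assumes a generic contact form whose hidden field is named `form_ok` and whose session flag is `form_seen`; it applies the two proposed checks and then the core header-injection test of rejecting CR/LF in header-bound fields.

```python
import re
from typing import Tuple

# A CR or LF in a value placed on a header line lets the submitter end that
# line and start new header lines of their own (extra recipients and so on).
_HEADER_BREAK = re.compile(r"[\r\n]")


def header_safe(value: str) -> bool:
    """True if value can sit on a single mail header line."""
    return not _HEADER_BREAK.search(value)


def check_submission(form: dict, session: dict) -> Tuple[bool, str]:
    """Validate a contact-form POST before it reaches the mailer.

    form    -- submitted fields (already URL-decoded by the web server)
    session -- server-side session data for this visitor
    Field and flag names are assumptions for this example.
    """
    # Proposal 1: the hidden field the form page sets must be present.
    if form.get("form_ok") != "1":
        return False, "missing hidden field"
    # Proposal 2: the session flag set when the form page was served.
    if not session.get("form_seen"):
        return False, "no form session"
    # The actual fix for header injection: no line breaks in any field
    # that is copied into a header (From, Reply-To, Subject ...).
    for field in ("name", "email", "subject"):
        if not header_safe(form.get(field, "")):
            return False, f"line break in {field}"
    return True, "ok"


# Constructed sample submissions for a stand-alone run.
GOOD = {"form_ok": "1", "name": "A. User", "email": "a@example.org",
        "subject": "Question about your site", "body": "Hello"}
INJECTED = dict(GOOD, email="a@example.org\r\nBcc: victim@example.net")
SESSION = {"form_seen": True}

if __name__ == "__main__":
    print(check_submission(GOOD, SESSION))
    print(check_submission(INJECTED, SESSION))
    print(check_submission(GOOD, {}))
```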