[thelist] Email header injection
Phil Turmel
philip at turmel.org
Fri Nov 11 18:57:26 CST 2005
Kasimir K wrote:
> Steve Lewis scribeva in 2005-11-11 23:00:
>
>>so I code my bot to make a curl request, read your hidden form field
>>value, and send it back for each request. cake.
>
>
> Obviously it is possible/easy to make bot that mimics human behavior so
> well, that none of these gimmicks will stop it from attempting header
> injections.
>
> But while the majority of the bots are dafter than that, the hidden form
> field with unique id can save from a lot of annoyance.
>
> And once they all can pass a Turing test, well, I guess we'll be seeing
> helluva lot less of contact forms out there ;-)
>
> .k
Careful...
You have to realize there are two separate objectives here, one more
important than the other:
1) Prevent bots from filling in contact forms, so they don't bother the
webmaster, and
2) Prevent bots from injecting headers, so they don't use your server to
bother the rest of the web.
Failing in #1 will just fill the contact inbox.
Failing in #2 will get your server blacklisted so fast it'll make your
clients' heads spin.
Client side games only address #1, and if a real human spammer
investigates why his favorite script fails on your site, your defenses
will crumble. (They're exposed in your html source, after all.)
Sanitizing form input, where that input will be used in mailer code,
addresses #2 in a way the spammer can't crack, as it's NOT exposed on
the client side.
I don't run any contact forms on my sites, so I can't offer further
advice. I did have an open SMTP relay once, though (for a very short
time). Blacklisting is no fun, and hard to clear up. Good luck.
Phil
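Added illustration of the server-side point in Phil's reply, not code from the thread or from any poster: the vulnerable pattern pastes form fields straight into the header block, so a CRLF (or, for lenient MTAs, a bare LF) in the subject field smuggles a Bcc: line and turns the contact form into a relay; the hardened builder rejects any header-bound field containing CR, LF or NUL before it ever reaches mailer code, which is the check a client-side hidden field cannot provide. Python is used here for illustration; the form field names, the webform@/webmaster@ addresses and the sample submissions are constructed assumptions.

```python
import re
from email.message import EmailMessage
from email import policy


class HeaderInjection(ValueError):
    """Raised when a form field is unfit for use in a mail header."""


# Constructed sample submissions (assumed field names; not from the thread).
# The second one carries a CRLF + "Bcc:" line inside the subject field.
CLEAN_FORM = {"name": "Bob", "email": "bob@example.org",
              "subject": "Question", "body": "Hello, is the site down?"}
INJECTED_FORM = dict(
    CLEAN_FORM,
    subject="Question\r\nBcc: victim1@example.net, victim2@example.net")


def build_message_unsafe(form):
    """Vulnerable pattern: form values pasted straight into the header block.
    Whatever line breaks the submitter sends become new headers."""
    return (
        "From: webform@example.com\r\n"
        "To: webmaster@example.com\r\n"
        f"Reply-To: {form['name']} <{form['email']}>\r\n"
        f"Subject: {form['subject']}\r\n"
        "\r\n"
        f"{form['body']}\r\n"
    )


_CTRL = re.compile(r"[\r\n\x00]")
_ADDR = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")


def header_value(field, value, max_len=200):
    """Server-side check: a header-bound field must be a single line and
    of sane length. Reject rather than strip, so the attempt is visible."""
    if _CTRL.search(value):
        raise HeaderInjection(f"{field}: line break or NUL in header value")
    value = value.strip()
    if len(value) > max_len:
        raise HeaderInjection(f"{field}: value too long for a header")
    return value


def build_message_safe(form):
    """Hardened pattern: validate every field that lands in a header, keep
    free text in the body only, and let the email library do the encoding."""
    name = header_value("name", form["name"])
    addr = header_value("email", form["email"])
    subject = header_value("subject", form["subject"])
    if not _ADDR.fullmatch(addr):
        raise HeaderInjection("email: not a plain mailbox address")
    msg = EmailMessage(policy=policy.SMTP)   # CRLF line endings on the wire
    msg["From"] = "webform@example.com"
    msg["To"] = "webmaster@example.com"
    msg["Reply-To"] = f"{name} <{addr}>"
    msg["Subject"] = subject
    msg.set_content(form["body"])            # body text cannot add headers
    return msg.as_string()


def parse_headers(raw):
    """Split a raw message into (name, value) header pairs the way a lenient
    MTA would, accepting bare LF as well as CRLF as a line terminator."""
    head = raw.replace("\r\n", "\n").partition("\n\n")[0]
    pairs = []
    for line in head.split("\n"):
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def recipients(raw):
    """Every address an MTA would deliver this message to."""
    out = []
    for name, value in parse_headers(raw):
        if name in ("to", "cc", "bcc"):
            out.extend(a.strip() for a in value.split(","))
    return out


if __name__ == "__main__":
    print("unsafe, injected form ->", recipients(build_message_unsafe(INJECTED_FORM)))
    try:
        build_message_safe(INJECTED_FORM)
    except HeaderInjection as e:
        print("safe, injected form   -> rejected:", e)
```

The rejection lives entirely on the server, so a spammer who reads the page source learns nothing that helps him; the check also catches a bare LF, which many mail transports accept as a header terminator even though RFC 5322 requires CRLF.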