[thelist] Email header injection
Tim Burgan
email at timburgan.com
Fri Nov 11 20:53:34 CST 2005
I've been watching this thread and gaining a greater understanding of
basic problems designers face.
Thanks Phil for providing that summary.
Going on from what you said (attached below), so to:
a. Prevent issue #1:
Use techniques discussed in this thread.
b. Prevent issue #2:
Sanitise all input (for example in PHP,
use the htmlspecialchars() function)
Is this correct?
Tim
Phil Turmel wrote:
>1) Prevent bots from filling in contact forms, so they don't bother the
>webmaster, and
>
>2) Prevent bots from injecting headers, so they don't use your server to
>bother the rest of the web.
>
>Failing in #1 will just fill the contact inbox.
>
>Failing in #2 will get your server blacklisted so fast it'll make your
>clients' heads spin.
>
>Client side games only address #1, and if a real human spammer
>investigates why his favorite script fails on your site, your defenses
>will crumble. (They're exposed in your html source, after all.)
>
>Sanitizing form input, where that input will be used in mailer code,
>addresses #2 in a way the spammer can't crack, as it's NOT exposed on
>the client side.
>
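As an added example (not code from Tim's or Phil's post), here is what "sanitising input used in mailer code" looks like in PHP: any value that will land in a mail header is rejected outright if it contains a line break, so no extra To:/Bcc: lines can be smuggled in, while the message body, which may legitimately contain newlines, never touches the headers. The function names, the fixed sender address `webform@example.invalid` and the form field names are assumptions.

```php
<?php
// Added example, not from the thread. Hardened contact-form mailer: the
// server-side check Phil describes, which a bot cannot bypass because it
// is not visible in the page source.

/**
 * Return the value if it can safely sit on one mail header line, else null.
 * Reject rather than strip, so an injection attempt shows up in the logs
 * instead of being silently "repaired".
 */
function safe_header_value(string $value, int $max = 200): ?string
{
    // CR, LF or NUL terminates the header line and would start a new one.
    if (preg_match('/[\r\n\0]/', $value)) {
        return null;
    }
    // URL-encoded line breaks that a later layer might decode (assumption:
    // belt-and-braces, harmless if nothing decodes them).
    if (preg_match('/%0[AD]/i', $value)) {
        return null;
    }
    $value = trim($value);
    return (strlen($value) <= $max) ? $value : null;
}

function send_contact_mail(array $post, string $to): bool
{
    $name    = safe_header_value($post['name'] ?? '');
    $email   = safe_header_value($post['email'] ?? '');
    $subject = safe_header_value($post['subject'] ?? '');

    if ($name === null || $email === null || $subject === null
        || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $ip = $_SERVER['REMOTE_ADDR'] ?? 'unknown';
        error_log("contact form: rejected header value from $ip");
        return false;
    }

    // Body text may contain newlines; it is passed separately and never
    // concatenated into the header block.
    $body = (string)($post['message'] ?? '');

    // Use a fixed local sender; the visitor's address only goes in Reply-To,
    // so the server never relays mail "from" an arbitrary address.
    $headers = "From: webform@example.invalid\r\n"
             . "Reply-To: $name <$email>\r\n"
             . 'X-Mailer: PHP/' . phpversion();

    return mail($to, $subject, $body, $headers);
}
```

With this in place a submission whose `email` field is `a@b.c\nBcc: victims@example.invalid` is refused and logged, while an ordinary submission goes through unchanged.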