[thelist] Email header injection

Noah St. Amand noah at tookish.net
Fri Nov 11 11:40:25 CST 2005

I've been seeing a bunch of these lately (as with Marc, I was getting a 
pile of them a few weeks ago, then they disappeared; they've come back 
in the last 24 hours or so).

One note -- I am checking the referrer, but allowing the mail to be sent 
when there's no referrer (because products like Norton Internet Security 
apparently strip the referrer).

Here are two solutions I'm considering:

1. setting a hidden variable in the form, and requiring that it be set 
in order to send the mail; this is obviously not a complete solution, 
but my thought is that setting the bar a little higher might cause the 
person/bot responsible to move on

2. setting a session cookie on the form page, and checking for its 
existence before mail is sent; setting a cookie that's completely 
superfluous for the user is obviously not ideal, but I think this would 
be effective

Anyway, I'm just interested in what other people with the same problem 
think about these solutions.
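As an added example that is not part of the original post, the following Python form-mailer handler shows the two defences discussed above combined into one check (a random token placed in a hidden form field and stored in the visitor's session, so the hidden variable and the session cookie cover each other) together with the input validation that actually closes the header-injection hole: any submitted value that goes into a mail header is rejected if it contains a line break, since a CR or LF is what lets a submitter append extra headers such as Bcc. The `session` dict, the `build_message` function and the `example.com` addresses are assumptions for the illustration, not anything from the list post; the sample submissions are constructed inline.

```python
import re
import secrets
from email.message import EmailMessage
from typing import Dict, List, Optional

# A CR, LF or NUL inside a header value ends the current header line, which is
# the whole mechanism of email header injection.  Reject, never "clean up".
_HEADER_BREAK = re.compile(r"[\r\n\x00]")
_EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")   # one address, no whitespace


class HeaderInjectionError(ValueError):
    """Raised when a form value is not safe to place in a mail header."""


def header_value(field: str, value: str, max_len: int = 200) -> str:
    """Return value if it may be used as a header value, else raise."""
    if _HEADER_BREAK.search(value):
        raise HeaderInjectionError(f"{field}: line break in header value")
    value = value.strip()
    if len(value) > max_len:
        raise HeaderInjectionError(f"{field}: header value too long")
    return value


def sender_address(value: str) -> str:
    """Accept exactly one plain address for Reply-To."""
    value = header_value("email", value)
    if not _EMAIL_RE.match(value):
        raise HeaderInjectionError("email: not a single address")
    return value


def suspicious_fields(form: Dict[str, str]) -> List[str]:
    """Names of header-bound fields that carry line breaks (for logging/alerting)."""
    return [name for name in ("name", "email", "subject")
            if _HEADER_BREAK.search(form.get(name, ""))]


def issue_form_token() -> str:
    """Random token to render into the hidden field and store in the session."""
    return secrets.token_urlsafe(16)


def check_form_token(session: Dict[str, str], submitted: Optional[str]) -> bool:
    """True only if the hidden-field value matches the token saved in the session."""
    expected = session.get("form_token")
    if not expected or not submitted:
        return False
    return secrets.compare_digest(expected, submitted)


def build_message(form: Dict[str, str], session: Dict[str, str],
                  recipient: str = "webmaster@example.com") -> EmailMessage:
    """Build the outgoing mail, or raise if the submission fails any check."""
    if not check_form_token(session, form.get("form_token")):
        raise PermissionError("form token missing or mismatched")
    msg = EmailMessage()
    msg["To"] = recipient
    # From is fixed to our own address; the visitor's address only goes in
    # Reply-To, so a forged From never leaves the server.
    msg["From"] = recipient
    msg["Reply-To"] = sender_address(form.get("email", ""))
    msg["Subject"] = "Web form: " + header_value("subject", form.get("subject", ""))
    # The body is free text; line breaks there are harmless.
    msg.set_content(form.get("message", ""))
    return msg


if __name__ == "__main__":
    # Constructed sample: the form page stored a token, the visitor echoed it back.
    session = {"form_token": issue_form_token()}
    form = {"form_token": session["form_token"], "email": "visitor@example.org",
            "subject": "hello", "message": "first line\nsecond line"}
    print(build_message(form, session)["Reply-To"])
```

Because the recipient and `From` are fixed server-side and every visitor-supplied header value is rejected on the first CR or LF, a submission that tries to smuggle extra headers fails validation rather than being repaired, and `suspicious_fields` gives you the field names to log when that happens, which is the signal that the bot has returned.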
