[thelist] Email header injection

Phil Turmel philip at turmel.org
Fri Nov 11 18:57:26 CST 2005

Kasimir K wrote:
> Steve Lewis scribeva in 2005-11-11 23:00:
>>so I code my bot to make a curl request, read your hidden form field 
>>value, and send it back for each request.  cake.
> Obviously it is possible/easy to make bot that mimics human behavior so 
> well, that none of these gimmicks will stop it form attempting header 
> injections.
> But while the majority of the bots are dafter than that, the hidden form 
> field with unique id can save from a lot of annoyance.
> And once they all can pass a Turing test, well, I guess we'll be seeing 
> helluva lot less of contact forms out there ;-)
> .k

You have to realize there are two separate objectives here, one more 
important than the other:

1) Prevent bots from filling in contact forms, so they don't bother the 
webmaster, and

2) Prevent bots from injecting headers, so they don't use your server to 
bother the rest of the web.

Failing in #1 will just fill the contact inbox.

Failing in #2 will get your server blacklisted so fast it'll make your 
clients' heads spin.

Client side games only address #1, and if a real human spammer 
investigates why his favorite script fails on your site, your defenses 
will crumble.  (They're exposed in your html source, after all.)

Sanitizing form input, where that input will be used in mailer code, 
addresses #2 in a way the spammer can't crack, as it's NOT exposed on 
the client side.

I don't run any contact forms on my sites, so I can't offer further 
advice.  I'd did have an open SMTP relay once, though (for a very short 
time).  Blacklisting is no fun, and hard to clear up.  Good luck.


More information about the thelist mailing list