[thelist] Email header injection

Tim Burgan email at timburgan.com
Fri Nov 11 20:53:34 CST 2005

I've been watching this thread and gaining a greater understanding of 
basic problems designers face.

Thanks Phil for providing that summary.

Going on from what you said (attached below), so to:
  a. Prevent issue #1:
       Use techniques discussed in this thread.
  b. Prevent issue #2:
       Sanitise all input ( for example in PHP,
       use the htmlspecialschars() function )

Is this correct?

Phil Turmel wrote:

>1) Prevent bots from filling in contact forms, so they don't bother the 
>webmaster, and
>2) Prevent bots from injecting headers, so they don't use your server to 
>bother the rest of the web.
>Failing in #1 will just fill the contact inbox.
>Failing in #2 will get your server blacklisted so fast it'll make your 
>clients' heads spin.
>Client side games only address #1, and if a real human spammer 
>investigates why his favorite script fails on your site, your defenses 
>will crumble.  (They're exposed in your html source, after all.)
>Sanitizing form input, where that input will be used in mailer code, 
>addresses #2 in a way the spammer can't crack, as it's NOT exposed on 
>the client side.

More information about the thelist mailing list