Posted by Gordon Burditt on 02/06/06 20:42
>> Do not permit any variable used in constructing the arguments
>> to the mail() function to contain line ending characters (\r or \n)
>> except for the message body, and that only after you have provided
>> a blank line to separate the headers from the body. You check
>> this with PHP, *not* javascript (which can be removed from the
>> spammer's copy of the form).
>>
>> Do not allow the form to specify any part of the to: or cc: address.
>
>Hi Gordon,
>
>Thanks for your input. I only have three user fields in the form. If I
>expand the colon removal to all three fields that'll do the trick
>won't it?

I am not convinced of that. If the fields only end up in the message
*BODY*, you're ok.
If they are trying to pull tricks to get spam through your script,
you shouldn't be just removing colons, you should be detecting
them, perhaps logging the attempt, and *NOT SENDING ANY MAIL AT ALL*.
There are other tricks spammers can pull, like making the email
bounce and putting the victim's email address in the *from* address
so it bounces to him. That might be doable without any colons
if your form allows specifying the from address.

>They need the colon to inject spurious cc: or bcc:
>addresses.

Maybe, maybe not. How many different characters are there in Unicode
that a Windows mail server might interpret as a colon (but which
PHP will not see as a colon, even if it looks a lot like one on the
display)? Even if you aren't using a Windows mail server, it might
pass through one. (There's potentially the same problem with newline
characters also, but I think less of one).

Gordon L. Burditt
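One way to implement the check Gordon describes, added here as an example that is not part of the original thread: header-bound fields are validated against an allow-list of printable ASCII without colon or CR/LF (which also rules out the Unicode colon look-alikes he mentions), an offending submission is logged and no mail is sent, and the recipient is fixed server-side. The form field names, log destination and recipient address are assumptions.

```php
<?php
// Added example, not code from the original post. Assumed form fields:
// 'email' and 'subject' go into headers, 'message' goes only into the body.
const HEADER_FIELDS   = ['email', 'subject'];
const FIXED_RECIPIENT = 'webmaster@example.com'; // never taken from the form

/** Safe for a mail header: printable ASCII only, no CR/LF, no colon (0x3A).
 *  An allow-list avoids guessing which non-ASCII characters a downstream
 *  mail server might treat as a colon or line break. */
function header_field_is_safe(string $value): bool
{
    return (bool) preg_match('/\A[\x20-\x39\x3B-\x7E]*\z/', $value);
}

/** The From/Reply-To value must additionally parse as a single address. */
function address_is_safe(string $value): bool
{
    return header_field_is_safe($value)
        && filter_var($value, FILTER_VALIDATE_EMAIL) !== false;
}

/** Returns the name of the first unsafe header-bound field, or null if clean. */
function find_injection_attempt(array $post): ?string
{
    foreach (HEADER_FIELDS as $field) {
        $value = (string) ($post[$field] ?? '');
        $ok = ($field === 'email') ? address_is_safe($value)
                                   : header_field_is_safe($value);
        if (!$ok) {
            return $field;
        }
    }
    return null;
}

$bad = find_injection_attempt($_POST);
if ($bad !== null) {
    // Detect and log the attempt; do not strip characters and do not send.
    error_log(sprintf('mail injection attempt from %s in field "%s"',
        $_SERVER['REMOTE_ADDR'] ?? 'unknown', $bad));
    http_response_code(400);
    exit('Invalid input.');
}

// Headers are built only from validated fields; the body is the one place
// raw user text (including newlines) may appear, after the header block.
$headers = "From: {$_POST['email']}\r\nReply-To: {$_POST['email']}\r\n";
$body    = wordwrap((string) ($_POST['message'] ?? ''), 70, "\r\n");
mail(FIXED_RECIPIENT, $_POST['subject'], $body, $headers);
```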