 Posted by Ric on 12/17/06 11:06 
Vince Morgan wrote: 
> "Vince Morgan" <vinhar@REMOVEoptusnet.com.au> wrote in message 
> news:4584aba3$0$16557$afc38c87@news.optusnet.com.au... 
>  
>> How are they using 'contact us' for relay?  I would think that the first 
>> argument "to" should be a fixed value.  Without being able to change that 
>> they could only spam that one address. 
>> However, the 'email this page' is another story. 
>> You could check that the body, or subject, depending on how you set it up, 
>> is a URL first.  Then that the URL matches only those from your site. 
>> Of course they could circumvent that but without knowing why the emails 
>> aren't sending in the first place, it would be very difficult for them. 
>> Hopefully difficult enough to make it altogether very unattractive. 
>> Of course you wouldn't send back a page describing the reason for the error :) 
>> You could look at using a "captcha" image as well. 
>> I'll be interested in reading others' solutions too. 
>> 
>> HTH 
>> Vince Morgan 
>> 
>> 
> A very naive reply.  I should have examined header injection long ago. 
 
If one allows header injection, he should not develop any kind of software. 

Basic principle: when a user has to fill in info, you tell him whether the 
input is within the expected range. For email this means checking that he 
entered name@domain. 
You don't even have to know about header injection; you just have to 
follow basic principles. The above would make sure there is no header injection. 
 
> What I didn't know was far far more than I actually did know :) 
> Sorry for the idiotic reply. 
> Vince Morgan 
>  
>
 
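The checks both posters describe, written out as an added Python example (my own code, not from either poster): the "contact us" form keeps a fixed recipient, the only user-supplied values that reach a header are validated as plain name@domain or rejected for containing CR/LF, and the "email this page" form accepts a URL only if it points at the site's own host. All addresses and the host name are constructed placeholders; the name@domain pattern is my own, deliberately narrower than RFC 5322.

```python
import re
from email.message import EmailMessage
from urllib.parse import urlsplit

# Fixed values that never come from the request (constructed placeholders).
SITE_CONTACT = "contact@example.com"
FORM_SENDER = "webform@example.com"
SITE_HOST = "www.example.com"

# Strict name@domain shape: a short local part, one "@", a dotted domain.
# Anything else (spaces, commas, newlines, a second "@") fails to match,
# so no extra header line can ride along in the value.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")


def contains_newline(value: str) -> bool:
    """A CR or LF inside a header value is what starts an injected header."""
    return "\r" in value or "\n" in value


def is_valid_email(addr: str) -> bool:
    """True only for a single plain name@domain address."""
    return not contains_newline(addr) and EMAIL_RE.fullmatch(addr) is not None


def build_contact_message(user_email: str, subject: str, body: str) -> EmailMessage:
    """Build the mail the contact form sends.

    The recipient is fixed; the user's address only ever lands in Reply-To,
    and only after it passed the name@domain check.  Bad input raises a
    ValueError that the caller turns into a bare "not sent", never into a
    page explaining what was wrong.
    """
    if not is_valid_email(user_email):
        raise ValueError("invalid sender address")
    if contains_newline(subject) or len(subject) > 200:
        raise ValueError("invalid subject")
    msg = EmailMessage()
    msg["To"] = SITE_CONTACT
    msg["From"] = FORM_SENDER
    msg["Reply-To"] = user_email
    msg["Subject"] = subject
    msg.set_content(body)  # body is MIME content, not a header; no injection surface
    return msg


def form_accepts(user_email: str, subject: str) -> bool:
    """What the form handler decides: send, or silently refuse."""
    try:
        build_contact_message(user_email, subject, "test body")
        return True
    except ValueError:
        return False


def is_site_url(url: str) -> bool:
    """Accept only http(s) URLs whose host is exactly our own site.

    urlsplit() resolves userinfo tricks such as "https://www.example.com@evil.example/",
    whose hostname is evil.example, not ours.
    """
    if contains_newline(url):
        return False
    parts = urlsplit(url.strip())
    return parts.scheme in ("http", "https") and parts.hostname == SITE_HOST


if __name__ == "__main__":
    # Constructed inputs: one honest submission, one carrying an extra header line.
    print(form_accepts("alice@example.com", "Question about your site"))
    print(form_accepts("alice@example.com\r\nBcc: someone@example.org", "Question"))
    print(is_site_url("https://www.example.com/products?id=7"))
    print(is_site_url("https://www.example.com@evil.example/"))
```

The order matters: the newline test runs before anything is parsed, the regex accepts only the narrow shape the post asks for, and the recipient is a constant, so a validator bug in the address field can at most reach the site's own inbox.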