Posted by Edward Vermillion on 08/17/05 21:17
Greg Schnippel wrote:
>>I'll reply soon off list, as I don't think it appropriate to give
>>potential spammers an archive full of new tricks.
>
>
> I don't know -- I think it's always better to discuss this in the open
> if there is a real security risk that people should be aware of.
>
I tend to agree on things like this. If it's a generic problem then I
think it does everyone some good to discuss it in the open. Although I
can see the point of not discussing specific problems with specific
applications, at least not until a fix is in and notices have been sent
out. Then I think it falls back to the "it does everyone some good to
have it in the open" scenario. I learn a lot from my mistakes, but I also
learn from others' mistakes too, if I'm given the chance.
> 2) I believe that since the mail function already sent out the
> headers, any subsequent "headers" would just be ignored. Or they would
> be treated as text since they occurred in the message portion and not
> parsed literally.
>
I was wondering the same thing. That it would just send the message and
the MTAs would ignore any other addresses listed in the actual message
text.
> Not sure that there is any risk here, but I'm shrouding my contact
> script (changing the form variables and script name to something less
> obvious) just in case.
>
> - Greg
>
I think I'm just going to generate some random number to submit to the
processor and if it's not there then ignore it.
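The two mitigations this thread circles, a random per-form token that the processor must see again, and making sure no form value can add a line to the mail headers, written up as a small PHP contact-form handler. This is an added example, not code from the original thread or from either poster. The function names, the `contact_token` session key, the recipient `webmaster@example.com` and the injected `$mailer` callback are assumptions made for the example so it runs from the command line without a real MTA. The header check matters because the values that reach `mail()` as header arguments (From, Reply-To, Subject) are the ones where an embedded line break would be read as a new header line; the message body is not parsed for headers.

```php
<?php
// Added example (not code from the original post): a contact-form processor
// that (1) requires a one-shot random token and (2) refuses any header value
// containing a line break. Names such as contact_token, handle_contact and
// the recipient address are assumptions made for this example.

declare(strict_types=1);

/** Generate a fresh token and store it where the form handler can find it. */
function issue_form_token(array &$session): string
{
    $token = bin2hex(random_bytes(16));        // 128 bits, not guessable
    $session['contact_token'] = $token;
    return $token;
}

/** Constant-time comparison against the stored token; the token is one-shot. */
function consume_form_token(array &$session, ?string $submitted): bool
{
    $expected = $session['contact_token'] ?? null;
    unset($session['contact_token']);           // one submission per token
    if ($expected === null || $submitted === null) {
        return false;
    }
    return hash_equals($expected, $submitted);
}

/** A value may go into a header only if it contains no CR, LF or NUL. */
function is_header_safe(string $value): bool
{
    return preg_match('/[\r\n\0]/', $value) !== 1;
}

/**
 * Validate a submission and hand it to $mailer (same signature as mail()).
 * Returns ['ok' => bool, 'error' => ?string] so the caller can log rejections.
 */
function handle_contact(array $post, array &$session, callable $mailer): array
{
    if (!consume_form_token($session, $post['token'] ?? null)) {
        return ['ok' => false, 'error' => 'missing or stale form token'];
    }

    $from    = trim($post['from'] ?? '');
    $subject = trim($post['subject'] ?? '');
    $body    = $post['body'] ?? '';

    // Everything that ends up on a header line must stay a single line.
    foreach (['from' => $from, 'subject' => $subject] as $field => $value) {
        if (!is_header_safe($value)) {
            return ['ok' => false, 'error' => "line break in $field"];
        }
    }
    if (filter_var($from, FILTER_VALIDATE_EMAIL) === false) {
        return ['ok' => false, 'error' => 'invalid from address'];
    }

    $headers = "From: $from\r\n"
             . "Reply-To: $from\r\n";
    $sent = $mailer('webmaster@example.com', $subject, $body, $headers);
    return ['ok' => (bool) $sent, 'error' => $sent ? null : 'mail() failed'];
}

// Command-line demonstration with constructed sample input.
if (PHP_SAPI === 'cli') {
    $session = [];
    $fakeMailer = function (string $to, string $subject, string $body, string $headers): bool {
        echo "would call mail() to $to with headers:\n$headers";
        return true;                            // stand-in for mail()
    };

    // 1. A normal submission with a valid token is accepted.
    $token = issue_form_token($session);
    var_dump(handle_contact(
        ['token' => $token, 'from' => 'alice@example.org', 'subject' => 'Hi', 'body' => 'Hello'],
        $session, $fakeMailer));

    // 2. Re-using the same token is rejected (it was consumed above).
    var_dump(handle_contact(
        ['token' => $token, 'from' => 'alice@example.org', 'subject' => 'Hi', 'body' => 'Hello'],
        $session, $fakeMailer));

    // 3. A subject containing a line break is rejected before mail() is reached.
    $token = issue_form_token($session);
    var_dump(handle_contact(
        ['token' => $token, 'from' => 'alice@example.org', 'subject' => "Hi\nthere", 'body' => 'Hello'],
        $session, $fakeMailer));
}
```

In a real deployment the `$session` array would be `$_SESSION` after `session_start()`, the token would be emitted as a hidden field when the form is rendered, and `$mailer` would be `'mail'`. Rejecting rather than stripping the line break is deliberate: a submission that carries one is not a legitimate contact message, and logging the rejection gives a simple signal that the form is being probed.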