Posted by Erwin Moller on 10/06/54 11:34
xmp333@yahoo.com wrote:
> Hello,
>
>
> A spammer is apparently using email injection on my form, however I
> thought email injection requires manipulation of the headers parameter
> in mail() and I'm not using that parameter. My mail call looks like:
>
> mail($to,$subj,$body)
>
> So how is the spammer getting me? Is mail() translating to a raw
> stream so that headers can be inserted in the body, or is there some
> kind of buffer overflow that can be exploited? Since I'm using dynamic
> variables, I can't see how this would occur, but then I'm no PHP
> expert.
>
> Any help would be greatly appreciated. I know beefing up input
> validation should take care of this, but I want to understand what the
> spammer is doing so I can reproduce and validate this fix.
>
Hi,
Log $to, $subj, $body somewhere (flatfile or database).
Check after spamming what the spammer did.
You can probably find many resources on the net addressing this issue, but
first you need to know WHAT you exactly are calling with the mail().
Regards,
Erwin Moller
> Thanks in advance.
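
One way to do the logging suggested in the reply above, as an added example that is not part of the original thread. The function names, the log location and the sample values are assumptions made for illustration; the record keeps control characters visible so any line breaks submitted through the form show up in the log.

```php
<?php
// Added example, not code from the thread. Function names and the log
// location are assumptions for illustration.

// Make control characters visible: CR/LF are written as \r and \n, other
// control and non-ASCII bytes as octal escapes, so one call is one log line.
function visible(string $s): string
{
    return addcslashes($s, "\0..\37\177..\377\\");
}

// Build one log record for the exact values about to be handed to mail().
function audit_mail_args(string $to, string $subj, string $body): array
{
    $flags = [];
    // $to and $subj end up in the header section of the message, so a line
    // break in either one is the first thing to look for.
    foreach (['to' => $to, 'subj' => $subj] as $name => $value) {
        if (preg_match('/[\r\n]/', $value)) {
            $flags[] = "$name: contains CR/LF";
        }
        if (preg_match('/\b(to|cc|bcc|from|content-type)\s*:/i', $value)) {
            $flags[] = "$name: contains header-like text";
        }
    }
    if (substr_count($to, ',') > 0) {
        $flags[] = 'to: more than one recipient';
    }
    return [
        'time'  => date('c'),
        'ip'    => $_SERVER['REMOTE_ADDR'] ?? 'cli',
        'to'    => visible($to),
        'subj'  => visible($subj),
        'body'  => visible($body),
        'flags' => $flags,
    ];
}

// Append the record as one JSON line and return it to the caller.
function log_mail_args(string $file, string $to, string $subj, string $body): array
{
    $record = audit_mail_args($to, $subj, $body);
    file_put_contents($file, json_encode($record) . "\n", FILE_APPEND | LOCK_EX);
    return $record;
}

// Constructed sample input: a subject value carrying an extra line.
$file = sys_get_temp_dir() . '/mail_audit.log';
$rec = log_mail_args($file, 'owner@example.com', "Hi\r\nBcc: x@example.invalid", 'test');
print_r($rec['flags']);
```

Call `log_mail_args()` immediately before `mail($to,$subj,$body)` with the same three variables, then read the flagged records after the next spam run.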