Topic awaiting preservation: SecurePHP : Email Injection

The SecurePHP wiki has an interresting page about Email Injection.
If it can be of any help

Was a thread about this recently at the Gurusnetwork for those interrested.

_________________________
"There are 10 kinds of people; those who know binary, those who don't and those who start counting at zero"
- the Golden Ratio - Vim Tutorial -

Yeah some simple checking of the email address should do it. Check out kuckus' contact page tutorial which also appears to be secure against this:

http://www.gurusnetwork.com/tutorial/contact_page/

___________________
Emps

The Emperor dot org | Revenant: The Zombie Magazine | Wonders | Justice for Pat Richard | FAQs: Emperor | Site Reviews | Reception Room

if I went 'round saying I was an Emperor just because some moistened bint had lobbed a scimitar at me, they'd put me away!

I've placed a hidden field in my form and if it is filled out then I know an automated submission was used. That's been working for me pretty well.

: . . DHTML Slice Puzzle : . . .

Bugimus: nice idea. I didn't thought the robots were that dumb

Bugimus said

quote:

---

I've placed a hidden field in my form and if it is filled out then I know an automated submission was used.

---

How does that work, Bugimus?

From what you said, it seems that when the users presses "Submit" the hidden field is not included in the data sent to the server. It's been a while since I worked with forms, but I thought hidden fields were one of the ways to pass data you don't want displayed on a page, to the server along with the rest of the data in the form.

.



-- not necessarily stoned... just beautiful.

hyperbole: Spam bots analyzes the HTML code and try to fill all the fields and submit the form ( by doing the HTTP request ). Therefore if a hidden field is not empty, there's all the chances that it's a spam bot.



(Edited by poi on 09-16-2005 17:56)

Precisely, poi. I was surprised they were that dumb too. It probably won't take long for them to learn this trick... especially with threads like this

: . . DHTML Slice Puzzle : . . .

I already know the name of my next hidden field : i_am_a_robot_from_hell

: . . DHTML Slice Puzzle : . . .

Just on a side note, the past serveral days I've gotten such emails from the webmail form I'm using on smarttab.org ...
Guess the fact that I'm receiving them means it's secure ;-)

quote:

---

Message: ywnhk@smarttab.org
Name: ywnhk@smarttab.org
Content-Type: multipart/mixed; boundary=\"===============0502806608==\"
MIME-Version: 1.0
Subject: 89ba86a3
To: ywnhk@smarttab.org
bcc: PeiCanteenMc@aol.com
From: ywnhk@smarttab.org

This is a multi-part message in MIME format.

--===============0502806608==
Content-Type: text/plain; charset=\"us-ascii\"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

jcsasww
--===============0502806608==--

Email: ywnhk@smarttab.org

---

(the header itself is correct and uninteresting - they apperantly didn't manage an injection. No wonder, sine both subject and receipient are fixed.)

now, don't ask me what anyone would gain from spamming jcasww...

so long,

->Tyberius Prime

this is getting worse and worse - we've a customer that regularly get's batches of about 30 of these emails.

With smarttab, the bot apperantly always tries 3 times (I've received about a dozen of these mails in batches of three, all with the same time).

Suggestions?

ok... how about a hidden field with an md5 or such of the current date. (so that it changes regularly)
If the field doesn't match on submit, we don't send an email, but report to some log...

Shouldn't exclude anyone and keep the stupid bots at bay.
Now, bots that transmit hidden fields intact... we'll have to think about this.

ok... hidden field changed || if newline in one of the single line field - reject.

Anyone seeing problems with that?

TP, that is exactly the same kind of email i got. see: weird website spam

it even uses the same aol email: PeiCanteenMc@aol.com