email form injection - Page 2



Re: email form injection

Michael Austin wrote:


That's what I do with my contact forms.


What risk?  My contact forms ask the visitor to fill in their email
address (in a field labeled "Your email address:") if they want a reply.
It is then verified as being a validly-constructed address. Then my code
sends me (or my clients) an email using that address as the FROM: data.
I can then simply Reply.

A quick glance at the address will normally tell you if it is a fake.

If the visitor fills in an invalidly-constructed address, they are sent
back to the form with a note to edit/check it. If they leave it blank,
they can send me any comment they wish. (Only once did I have a problem
with a nutcase abusing a form, and it didn't last long as I blacklisted
his IP address.)

I do not use CAPTCHAs as .. you are right .. they are a pain.

   -Friends don't let friends drive Windows

Re: email form injection

salmobytes wrote:

   Nothing is no matter what.  I've had problems with the intended
recipient getting spam. That is no small problem.

   What others have suggested about the linefeeds is sufficient to keep
from relaying it elsewhere. But if a bot fills out your form and
repeatedly submits it all that junk is going to your email (or your
client). That is *not* a happy occurrence. You'll need another bag of
tricks for that.

   I saw a form recently that had the action of the form set to mailto.
After the shock of seeing that I thought for half a moment "genius", no
server to hijack. It is, of course, completely stupid as customers with
webmail are out of luck.
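As an added example (not code from either poster), here is how the two checks discussed in this thread, the "validly-constructed address" test and the line-feed filter on header-bound fields, can be combined in Python; the regex, the header layout and the sample submissions are assumptions of this example.

```python
import re
from typing import Dict, Optional

# Constructed regex for a "validly-constructed address" check; an
# assumption of this example, not a full RFC 5322 grammar.
_ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")

# Header-bound fields must never contain a line break: a CR/LF lets the
# submitter append extra headers and turn the form into a relay.
_LINE_BREAK = re.compile(r"[\r\n]|%0[aAdD]")


def has_header_injection(value: str) -> bool:
    """True if a header-bound value carries a raw or URL-encoded CR/LF."""
    return _LINE_BREAK.search(value) is not None


def validate_sender(raw: str) -> Optional[str]:
    """Address to use for Reply-To, '' for a blank field, None if rejected."""
    value = raw.strip()
    if value == "":
        return ""  # blank is allowed: a comment without a reply address
    if has_header_injection(value):
        return None
    # fullmatch rather than a ^...$ pattern: in Python's re, '$' also
    # matches just before a trailing newline.
    if _ADDR_RE.fullmatch(value) is None:
        return None
    return value


def build_headers(site_addr: str, visitor_addr: str, subject: str) -> Optional[Dict[str, str]]:
    """Assemble outgoing mail headers, or None if any field is unsafe."""
    if has_header_injection(subject):
        return None
    headers = {"From": site_addr, "To": site_addr, "Subject": subject.strip()}
    if visitor_addr:
        # Visitor goes in Reply-To so a plain "Reply" still reaches them,
        # while From stays an address the sending server may send for.
        headers["Reply-To"] = visitor_addr
    return headers


# Constructed sample submissions, one per outcome.
SAMPLES = {
    "good": "alice@example.com",
    "blank": "   ",
    "injected": "alice@example.com\r\nBcc: everyone@example.net",
    "encoded": "alice@example.com%0ABcc:%20everyone@example.net",
    "malformed": "alice@@example",
}


def screen_samples() -> Dict[str, Optional[str]]:
    return {name: validate_sender(raw) for name, raw in SAMPLES.items()}
```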
