Protect your web forms from email header injection attacks

January 14th, 2008

Hi. I am back from my native place after the weekend, and here is some useful stuff.

Email Header Injection: What is it?

You have a web form with some text fields and a submit button. The values are posted to a server-side page, which mails you the details submitted. Take a simple contact-us form. If you are new to this, you will not think beyond capturing the POST values and sending a mail. But do you know that people can send unsolicited emails through the same server-side script, without you ever knowing it?

How do they do mail header injection?

It is easy to send mail commands as POST values to your script. Your script will process these instructions and send spam mails to the recipients named in them. You will have no idea about the abuse of your script until you see heavy bandwidth usage or your hosting provider blocks your account for sending spam.

How to Prevent Email Header Injection?

The following are some common steps to prevent mail header injection.

1. Allow posting only from your domain. You can check the referring domain from which the form is posted and reject form posts from unknown domains. Keep in mind that the referring domain comes from a header sent by the client, so treat this as a first filter rather than as proof of where the post came from.

2. Checking user agents: most spam posting engines send an empty User-Agent string, so you can add this condition to your server-side code to block them. Like the referrer, the User-Agent is client-supplied, so this check only raises the bar.

3. Check for mail commands in POST values. For example,

// Header keywords commonly found in a spammer's POST values
$badStrings = array("Content-Type:",
                    "MIME-Version:",
                    "Content-Transfer-Encoding:",
                    "bcc:",
                    "cc:");

The above array contains some of the words you find in a spammer's POST values, so you can block the POST if any of these words is present. Compare case-insensitively, since mail header names are case-insensitive and "BCC:" must be caught as well as "bcc:".
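Putting step 3 into a complete check, as an added example that is not code from the original post: the function below rejects a submission when any field contains one of the header keywords above and, going one step beyond the text, when a field that will be placed in a mail header (name, email, subject) contains a carriage return or line feed, since a line break is what lets an extra header be appended regardless of its name. The field names, length limits and the two sample submissions are assumptions made for this example.

```php
<?php
// Added example: validate contact-form POST values before they reach mail().
// Field names, limits and sample data are assumed, not taken from the post.

// Header keywords from the post, matched case-insensitively.
const BAD_STRINGS = ['Content-Type:', 'MIME-Version:',
                     'Content-Transfer-Encoding:', 'bcc:', 'cc:'];

function hasBadString(string $value): bool {
    foreach (BAD_STRINGS as $bad) {
        if (stripos($value, $bad) !== false) {
            return true;
        }
    }
    return false;
}

// A value that ends up in a mail header must stay on one line: a CR or LF
// starts a new header line, whatever keyword follows it.
function isSingleLine(string $value): bool {
    return preg_match('/[\r\n]/', $value) === 0;
}

// Returns a list of validation errors; an empty list means the values are
// safe to place in the headers and body passed to mail().
function validateContactPost(array $post): array {
    $errors = [];
    $limits = ['name' => 100, 'email' => 254, 'subject' => 200, 'message' => 5000];
    foreach ($limits as $field => $maxLen) {
        $value = $post[$field] ?? '';
        if ($value === '') { $errors[] = "$field is required"; continue; }
        if (strlen($value) > $maxLen) { $errors[] = "$field is too long"; }
        if (hasBadString($value)) { $errors[] = "$field contains a mail header keyword"; }
        if ($field !== 'message' && !isSingleLine($value)) {
            $errors[] = "$field must be a single line";
        }
    }
    if (!empty($post['email']) && filter_var($post['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email is not a valid address';
    }
    return $errors;
}

// Constructed sample submissions: one normal, one with a line break and a
// header keyword smuggled into the email field.
$clean = ['name' => 'Jane', 'email' => 'jane@example.com',
          'subject' => 'Hello', 'message' => "Just saying hi.\nThanks."];
$injected = ['name' => 'Jane', 'email' => "jane@example.com\r\nbcc: someone@example.net",
             'subject' => 'Hello', 'message' => 'x'];

var_dump(validateContactPost($clean) === []);  // true: nothing to reject
print_r(validateContactPost($injected));       // lists the errors on the email field
```

The message body may legitimately contain line breaks, so only the keyword check is applied to it; everything that goes into a header gets both checks.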

If you know more techniques, please feel free to share. Thank you.
