Mail form crack attempt
I recently received two weird email messages. The first one, I could see, came from the contact form here on dotvoid.com. The second looked more like ordinary spam with faked from and to fields. The spam email was however curiously empty of any real content. I soon figured out what was happening. Someone was, successfully, trying to crack my email form so he could use it to relay spam…
In my contact form I only let the visitor enter two fields, a message and his email address. The user supplied email address is then used to set the From header in the email that is going to be generated. The To header in the email is set to a hard coded “secret” value by the script.
Obviously I was sloppy when I created the contact form. I’m very much ashamed to admit I was not sanitizing the user entered email address properly. Not sanitizing user input is, as we all know, a disaster waiting to happen.
If you can get a newline or carriage return into any value that is written into the email headers, everything after that line break is parsed as a new header line, so you can add any header you want. In this case the attacker appended Bcc headers to the user supplied email address, and every message the form generated also went out to his list of recipients. Suddenly my email contact form was effectively functioning as a spam relay.
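The following is an added example, not code from the original post (the post does not say which language the form was written in; Python is used here, and the addresses, the `RECIPIENT` constant and the attacker payload are constructed for illustration). It shows a naive header assembly that lets a visitor-supplied address grow extra header lines, a small parser that reveals the injected Bcc, and a hardened version that rejects the input instead of trimming it:

```python
import re

# Hard-coded "secret" destination, as in the post (constructed value).
RECIPIENT = "secret@example.com"

# A single plain mailbox: local-part@domain.tld, nothing else. Assumption:
# the form only ever needs one bare address, so display names, comments and
# address lists are deliberately not accepted.
_ADDR_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}$")


class HeaderInjection(ValueError):
    """Raised when a visitor-supplied value could not be used safely as a header."""


def build_message_vulnerable(sender, body):
    """Naive header assembly: the visitor's input lands verbatim in the From line."""
    return (
        f"From: {sender}\r\n"
        f"To: {RECIPIENT}\r\n"
        f"Subject: Contact form\r\n"
        f"\r\n"
        f"{body}"
    )


def parse_headers(raw):
    """Split a raw message into (headers, body) the way an MTA would see it.

    Uses splitlines() so that a bare LF counts as a line ending too: many mail
    transfer agents accept bare LF, so an attacker does not need to send CRLF.
    Header names are lower-cased for easy lookup.
    """
    head, _, body = raw.partition("\r\n\r\n")
    headers = []
    for line in head.splitlines():
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers, body


def validate_sender(sender):
    """Reject, rather than strip, anything that could start a new header line.

    Stripping CR/LF and continuing would silently accept an attacker's input
    minus the separators; refusing the request is the safer failure mode.
    """
    if any(ch in sender for ch in "\r\n\x00"):
        raise HeaderInjection("line break or NUL in email address")
    if not _ADDR_RE.fullmatch(sender):
        raise HeaderInjection("not a single well-formed email address")
    return sender


def build_message_hardened(sender, body):
    """Same message layout, but only after the address has passed validation."""
    return build_message_vulnerable(validate_sender(sender), body)


if __name__ == "__main__":
    # Constructed attacker payload: a valid-looking address followed by a
    # bare LF and a Bcc header carrying the spam recipients.
    payload = "attacker@example.com\nBcc: victim1@example.com, victim2@example.com"
    headers, _ = parse_headers(build_message_vulnerable(payload, "hello"))
    print("vulnerable headers:", headers)
    try:
        build_message_hardened(payload, "hello")
    except HeaderInjection as exc:
        print("hardened form rejected the payload:", exc)
```

The same validation belongs on any other visitor-controlled value that ends up in a header (a subject line, a name), not just the address; the body of the message is below the blank line and is safe from this particular trick even when it contains newlines.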
I again learned the lesson I thought I knew. Always sanitize user input! For values that end up in email headers that means rejecting, not just trimming, anything containing a carriage return or line feed, and checking that the address is a single well-formed address before it goes anywhere near the From line.
More on this particular issue: