Spammers are constantly searching for ways to send out their spam/virus messages. One such way they attempt to send out these messages is by trying to exploit form processing scripts that people have on their websites. If you use the form processing script formmail.cgi, offered by LexiConn, then you are not vulnerable, as this script has already been patched to avoid this type of abuse.
If you are using your own custom script, then you will want to be sure that it is not vulnerable to these types of abuse. The way to achieve this is through validation: check every field that ends up in a mail header for hard returns (carriage returns and line feeds) and for extra header data that spammers use to add recipients or change the message body. Example code and resources that can help you do this can be found below.
A typical attack consists of injecting malicious data into a form field that will be used in an email header (e.g. the from: email address, the subject, etc.). If the script processing this form does not check for the existence of malicious data, then spammers can use this script to send out unlimited spam emails. A good discussion of this type of attack can be found at:
http://securephp.damonkohler.com/index.php/Email_Injection
If you are using a php script, some example validation code that can be used to filter out malicious data is:
function checkit($tname) {
    // Remove literal CR/LF, their URL-encoded forms (%0A/%0D in either case),
    // and header names a spammer would inject to add recipients or change the body.
    return str_replace(array("\r", "\n", "%0A", "%0a", "%0D", "%0d",
                             "Content-Type:", "BCC:", "bcc:"), "", $tname);
}
To clean a variable such as $email or $to, pass it through the function before it is used in a header:
$email = stripslashes(checkit($email));
$to = stripslashes(checkit($to));
The above code strips out slashes, carriage returns and line feeds, the URL-encoded equivalents (%0A and %0D) that attackers use to insert their own line breaks, and the BCC: and Content-Type: header names.
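As an added example (not code from LexiConn or from the snippet above), the same check can be written to reject the submission outright instead of cleaning it, since a line break inside an email address is never a typo; the function names and the sample inputs here are constructed for illustration.

```php
<?php
// Returns true when $value can safely be placed in a mail header.
function header_field_is_clean(string $value): bool {
    // Decode once so "%0A" / "%0D" are caught as the line breaks they become.
    $decoded = rawurldecode($value);
    if (preg_match('/[\r\n]/', $decoded)) {
        return false;            // literal CR/LF or encoded %0D/%0A
    }
    // Header names a spammer would inject to add recipients or change the body.
    if (preg_match('/\b(?:bcc|cc|content-type|mime-version)\s*:/i', $decoded)) {
        return false;
    }
    return true;
}

// Returns true when $email is a single, plausible address with no header junk.
function email_is_valid(string $email): bool {
    return header_field_is_clean($email)
        && filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}

// Constructed sample submissions, as a form handler would see them in $_POST.
$samples = [
    'alice@example.com'                              => true,
    "alice@example.com\nBcc: victim@example.net"     => false,
    'alice@example.com%0ABcc:victim@example.net'     => false,
    'alice@example.com%0d%0aContent-Type: text/html' => false,
    'not an address'                                 => false,
];

foreach ($samples as $input => $expected) {
    $ok = email_is_valid($input);
    printf("%-55s %s\n", json_encode($input), $ok ? 'accepted' : 'rejected');
    if ($ok !== $expected) {
        throw new RuntimeException("unexpected result for " . json_encode($input));
    }
}
```

A rejected submission is worth logging with the offending field, since repeated hits on a form are an early sign that it is being probed as a spam relay.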
If you are using perl, a quick function to check that an email address is valid could be:
# Shape check only (user@host.tld); the dot before the TLD must be escaped, and this does not replace the line-break filtering above.
if ($email !~ /^[^@]+@[^@]+\.[A-Za-z]{2,4}$/) { exit; }
A good article on validating an email address in php can be found at:
http://www.devshed.com/c/a/PHP/Email-Address-Verification-with-PHP/