Email attacks on websites

I’ve been lucky: in 10 years of web development I’ve only had two sites using PHPMailer attacked by a spammer using an email injection attack.

On the first site the attacker used the “To” address in the email form and substituted their own text.

The second was more devious and attacked through the subject line of the email. I had email verification on the form, so they couldn’t use a malformed email address, but I did substitute a hidden form variable into the subject line and that is what they attacked.

Here is how they did it (I have changed some of the email addresses to protect the site owners):

Return-path: 23423423
Envelope-to: 234234
Delivery-date: Sat, 27 Aug 20xx 05:19:55 +0100
Received: from 3423423424234
by store5.mail.uk.easynet.net with esmtp (Exim 4.32)
id 1E8sAd-000C9n-9v
for 234234234; Sat, 27 Aug 20xx 05:19:55 +0100
Received: from 234234234
by 2323423423324)
id 1E8sAT-000OE6-0P
for 234234324; Sat, 27 Aug 20xx 05:19:45 +0100
Received: (qmail 37339 invoked by uid 2527); 27 Aug 20xx 03:21:20 -0000
To: 234234
Subject: A new user has signed up for the
Content-Type: multipart/mixed; boundary="===============0960820620=="
MIME-Version: 1.0 Subject: e6e85f17 To: bcc:
From:   This is a multi-part
message in MIME format.  --===============0960820620== Content-Type:
text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding:
7bit  pkamjstswf --===============0960820620==--  area
Date: Sat, 27 Aug 20xx 04:21:20 +0100
From: 2342342332
Message-ID:
X-Priority: 3
X-Mailer: PHPMailer [version 1.72]
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="b1_9e78c3092caa17626a2149749a37da36"
Delivered-To: 42342342234234

Note the extended Subject: line, which carries a second set of headers and a MIME body of its own.

For anybody using mail() in PHP, I would suggest that you don’t use form variables which alter the email’s subject line, as this can be a method of attack.

I would suggest that the next version of PHPMailer does not allow anyone to set a new line in either the email “To” field or the email subject line. I would suggest that references to $this->Subject are replaced by a method call, $this->getSubject(), which then allows the class to strip out new lines and restrict the length of the subject.
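As an added example (not code from the original post, and not PHPMailer’s own code) covering both suggestions above, the advice about form variables reaching mail() and the proposed getSubject()-style accessor, here is a small sanitiser for header-bearing values. The function names, the 78-character cap and the example addresses are this example’s own assumptions; the tainted subject is a constructed string with the same shape as the captured header, not the real payload.

```php
<?php
// Added example, not code from the original post or from PHPMailer.
// A header value (Subject, To, From) must be a single line: a CR or LF
// lets the sender terminate the header and start new ones, which is
// what the captured message shows. Names and the cap are assumptions.

/**
 * True when the value contains no CR, LF or NUL, i.e. it can be placed
 * in a header as-is. Use it to refuse and log rather than silently repair.
 */
function isSafeHeaderValue(string $value): bool
{
    return preg_match('/[\r\n\0]/', $value) === 0;
}

/**
 * The behaviour the post proposes for a getSubject() accessor: remove
 * every line break, collapse runs of whitespace and cap the length.
 */
function sanitiseHeaderValue(string $value, int $maxLength = 78): string
{
    $oneLine = str_replace(["\r", "\n", "\0"], ' ', $value);
    $oneLine = trim(preg_replace('/\s+/', ' ', $oneLine));
    return function_exists('mb_substr')
        ? mb_substr($oneLine, 0, $maxLength, 'UTF-8')
        : substr($oneLine, 0, $maxLength);
}

// Constructed sample with the shape of the injected subject in the capture:
// a normal subject, then CRLF followed by extra header lines and a body.
$tainted = "A new user has signed up for the\r\nbcc: someone@example.invalid\r\n"
         . "Content-Type: text/plain\r\n\r\nunwanted body text";

if (!isSafeHeaderValue($tainted)) {
    // Log the attempt: a legitimate subject never contains a line break.
    error_log('Rejected subject containing line breaks');
}

$subject = sanitiseHeaderValue($tainted);
echo "Sanitised subject: {$subject}\n";
echo 'Still contains a line break: ' . (isSafeHeaderValue($subject) ? 'no' : 'yes') . "\n";

// With mail(): every argument that ends up in a header goes through the
// sanitiser. The call itself is commented out so the script runs without an MTA.
$to      = sanitiseHeaderValue('owner@example.invalid');
$headers = 'From: ' . sanitiseHeaderValue('noreply@example.invalid') . "\r\n";
// mail($to, $subject, 'A new user has signed up.', $headers);
```

The check and the sanitiser are kept separate on purpose: the check tells you an injection was attempted, which is worth logging and rate-limiting on the form, while the sanitiser guarantees that whatever does get sent is a single, bounded header line.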