Non-medical injections are rarely a good idea, even when they're fun. This general life-rule holds in the domain of email headers too. Nefarious webform spammers are now abusing forms not so much to annoy the webmaster concerned as to use them to transmit email elsewhere. The Poorhouse imagines this will only increase as more and more people realise the need to stop their mail servers acting as open relays, so spammers need to turn elsewhere to continue their evil.
The technique discussed here is known as email header injection because it consists of the spam-menace adding extra headers to the email that your webform sends, to make it behave in ways that it really shouldn't; the obvious candidate being to send the form's "feedback" to a million innocent recipients rather than the single person the webform designer had in mind.
So, how does it work? Well, firstly, it goes without saying that the To header of any email that a webform sends should be impenetrable and not subject to a web visitor altering it. Usually this can be done by hardcoding the address - you generally know in advance who you want to receive the email generated by the form, right? As a side note, try to avoid having the email address sitting in plain text in the page's source code. Even if it's not actually displayed to the average web user, a spam bot can still harvest it and send you lots of adverts for Viagra.
More significantly, anywhere that user input gets put into a mail header - for instance the "From" field on an "Email this page to a friend" form or a normal contact form - is vulnerable.
Imagine you have a feedback form with a place for the responder to put their email address (which you want in the From: header of the resulting email) and then a section for their comments (which you want in the body section).
If they type "me@me.com" as their email address and "I like it" as their comments, the final mail looks like this:

To: whoever@whoever.com
From: me@me.com

I like it

All good. Imagine though if they managed to put a newline character into the email address field, followed by, say, "Bcc: president@whitehouse.gov". This could be done by, for instance, building their own front-end form that posts to your script (you could perhaps check the page referrer to avoid this - but it can be faked), or by URL-encoding a linefeed as "%0A". For example, they type "me@me.com%0ABcc:president@whitehouse.gov" as their email address. The output:
To: whoever@whoever.com
From: me@me.com
Bcc: president@whitehouse.gov

I like it

See the problem? George Bush gets a message of support! Imagine the message was less a positive glorification of the website and more an advert for horse-porn, and the Bcc trick was repeated 100,000 times, and the problem becomes a little more apparent.
One solution is to not allow any user input into the headers at all. In PHP, this means ensuring the additional_headers argument of the mail function does not depend on the user's input at all, for example:

mail("whoever@whoever.com", "Feedback", $message, "From: me@me.com");

whereby the only variable (indicated by a $ sign in front of it) is the message itself, which goes in the body rather than the headers.
More satisfactory is allowing user-modified headers where they are convenient, but being sure to check what they contain before actually sending the email. If you want a "From" address to be supplied as in the examples above, then check that what you have been given is an email address, or at least not dangerous. The valid email address format is defined in RFC 822, so you could check the input against a regular expression to ensure it is of the right format. If that's a little taxing to work out, it is a safe assumption that if the user's "From" address contains newline characters it is dodgy; the same check applies to any other field you put into a header, such as a user-supplied subject or name. Using a scripting language like PHP, it is very easy to check this and abort the mail sending procedure if newlines turn up.
For example:
<?php
$from = $_REQUEST['visitors_email'];
$message = $_REQUEST['comments'];   // goes in the body, not in a header
// $_REQUEST values are already URL-decoded, so the "\n" and "\r"
// alternatives are what actually catch a smuggled line break; the
// %0A/%0D alternatives only catch double-encoded input but do no harm.
if (preg_match("/(%0A|%0D|\n+|\r+)/i", $from))
{
    // newlines detected in $from, don't send mail
    print "Stop being naughty";
}
else
{
    // newlines not detected, carry on; the address must be prefixed
    // with "From: " because the fourth argument is a header block
    print "You seem friendly";
    mail("whoever@whoever.com", "Feedback", $message, "From: " . $from);
}

Don't help the spammers - protect your forms!
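Taking the check a step further, here is an added example (not code from the original post) of a handler that validates every user-controlled header field, not just the address, and also insists that the From value is a single syntactically valid mailbox using PHP's built-in filter_var. The recipient, subject and sample inputs are constructed for the demonstration.

```php
<?php
// Added example: refuse any user-supplied header value containing CR or LF,
// and additionally require the From address to be a single valid mailbox.

// $_REQUEST values are already URL-decoded, so test for the real characters;
// "\r" and "\n" in a double-quoted PHP string are the actual CR and LF bytes.
function header_value_is_safe(string $value): bool {
    return preg_match("/[\r\n]/", $value) !== 1;
}

// Build the header block for the feedback mail, or return null if any
// user-controlled field is unsafe. Recipient and Subject stay hardcoded.
function build_feedback_headers(string $from, string $name): ?string {
    if (!header_value_is_safe($from) || !header_value_is_safe($name)) {
        return null;                       // line break found: abort
    }
    if (filter_var($from, FILTER_VALIDATE_EMAIL) === false) {
        return null;                       // not one plain address
    }
    // The display name is quoted; strip the quote character so the
    // value cannot break out of the display-name syntax.
    $name = str_replace('"', '', $name);
    return "From: \"$name\" <$from>\r\nReply-To: $from";
}

// Constructed sample submissions (hypothetical, not real form data):
$samples = [
    ['me@me.com', 'Me'],                                    // benign
    ["me@me.com\nBcc:president@whitehouse.gov", 'Me'],      // the page's attack
    ['me@me.com', "Me\r\nBcc:president@whitehouse.gov"],    // same via the name
    ['me@me.com, other@example.com', 'Me'],                 // two addresses
];

foreach ($samples as [$from, $name]) {
    $headers = build_feedback_headers($from, $name);
    if ($headers === null) {
        // Show the rejected value with CR/LF escaped so the log stays one line
        echo "rejected: " . addcslashes($from . ' / ' . $name, "\r\n") . "\n";
    } else {
        // Only in this branch would the real script call
        // mail("whoever@whoever.com", "Feedback", $message, $headers);
        echo "accepted:\n$headers\n";
    }
}
```

Only the first sample is accepted; the other three are rejected before mail() is ever reached.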
More information is available on the SecurePHP site or JellyAndCustard.com (the latter of which is where the Poorhouse stole the final regular expression from, thank you very much!).