E-mail Injection

E-mail injection. Even the name sounds vile, doesn’t it? In an e-mail injection attack, spammers use forms on YOUR website to send out their spam.

The basic idea is that a spammer, let’s call him Lousy Larry, finds a form on your website. It could be anything from a contact form to an order form. Instead of typing regular things into the form, Larry types in HTML code. (HTML code is the foundation of web pages.) Lousy Larry may not be a nice guy, but he is very, very smart. He knows his HTML. The code he inserts (or injects) into the form field makes the form behave in unintended ways. Instead of sending a message to you, Lousy Larry uses your form to send his latest stock deal to 300 of his closest friends. Yikes!

How do web developers like myself stop Larry? We validate those e-mail forms. Larry needs to use certain characters in order to do his dirty tricks. These are characters and phrases NOT used by most folks filling out e-mail forms. So we prohibit those characters from being used on the form.
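As an added example (not code from the original post), here is the kind of server-side check that paragraph describes, in Python. The field names, the blocked characters and the list of header keywords are assumptions for the example; the idea is that a value which would need "cleaning" is simply rejected.

```python
import re

# Assumed form layout for this example: three single-line fields and one
# multi-line message body. Only the single-line fields end up in mail headers.
SINGLE_LINE_FIELDS = ("name", "email", "subject")

# A carriage return, line feed or NUL inside a header field lets the submitter
# start a new mail header, which is how extra recipients get added.
_LINE_BREAKS = re.compile(r"[\r\n\x00]")

# Header keywords have no business in a name or subject line; rejecting them
# is defence in depth in case a mail library unfolds or re-encodes the value.
_HEADER_KEYWORDS = re.compile(
    r"(?i)(?:^|[\s;,])(?:cc|bcc|content-type|mime-version)\s*:")

# Exactly one plain address: no display name, no comma, no second address.
_SINGLE_ADDRESS = re.compile(
    r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}$")


def validate_form(fields):
    """Return a list of error strings; an empty list means the form is clean.

    `fields` maps form field name -> submitted string. Nothing is stripped
    or repaired here: a submission that fails a check is rejected outright,
    which is easier to reason about than sanitising a hostile value.
    """
    errors = []
    for name in SINGLE_LINE_FIELDS:
        value = fields.get(name, "")
        if _LINE_BREAKS.search(value):
            errors.append(f"{name}: line breaks are not allowed")
        if _HEADER_KEYWORDS.search(value):
            errors.append(f"{name}: mail header keywords are not allowed")
    if not _SINGLE_ADDRESS.match(fields.get("email", "")):
        errors.append("email: must be exactly one plain address")
    if "\x00" in fields.get("message", ""):
        errors.append("message: NUL bytes are not allowed")
    return errors


if __name__ == "__main__":
    # Constructed submissions: one ordinary, one carrying an injected header.
    normal = {"name": "Jane Doe", "email": "jane@example.com",
              "subject": "Question about my order", "message": "Hello!"}
    hostile = {"name": "Larry", "email": "larry@example.com\r\nBcc: a@example.com",
               "subject": "Deal", "message": "Buy now"}
    print(validate_form(normal))   # []
    print(validate_form(hostile))  # three 'email:' errors
```

Use this alongside a mail library that sets the recipient list itself, so the submitted address is never concatenated into raw header text.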

Web developers also need to keep learning. Lousy Larry and his cohorts are always coming up with new tricks. That means web developers need to be on the lookout for new vulnerabilities and new techniques to block those spammers.

