Saturday, September 19, 2009

Webmasters! Web Developers! Heed this call!

Stop making your stupid contact forms use whatever random email address the user puts in as the FROM address of the email!

It's been a common spammer tactic for months now to send mail FROM an account TO an account. Most servers have been rejecting these emails for years anyway but it seems that Contact Form developers haven't heard the word yet.

When they try to use a filtering mail service that knocks out these blatant forgeries, as dictated by their carefully thought out SPF records, or because what the spammer entered into their web form was 100% spam, they of course BOUNCE! This bounce then become collateral spam to the innocent 3rd party who had their email address entered into the form, and now all a spammer has to do is use an automated script from his thousands of compromised machines to bounce storm his spam out to the world and ruin your web servers' reputation.

If you have a contact form on your website, please follow these simple guidelines and help make the world a saner place.

  • DO NOT TRUST USER INPUT - EVER. Take whatever they entered and sanitise it by only allowing known characters. A person's name should not need to have <script> tags in it. Don't forget about "Bobby'); DROP TABLE students;". For PHP, check out filter_var() which will even validate an email address in one call.

  • Use a WORKING email address to send the email FROM and do not allow the user to influence this. Bounces to this address should go to a human so problems can be spotted quickly, or at least some processing script that alerts a human if something is fishy.

  • If you can, do not allow the user to influence the TO address ..

  • Or if that's the whole point of the form, do not allow users to enter both content AND an email address that the form will send to. This is just asking for abuse.

  • DO NOT TRUST USER INPUT - EVER! I'm hoping that has sunk in by now. When using the PHP mail() function, look out for users including the characters "\r\n.\r\n" followed by their own email headers and content. It is a common mailform exploit which should have been weeded out 10 years ago. Keep in mid that the \r\n is not literally, but a single Carriage Return character followed by a single New Line character.

Now, if only there was some sort of qualification or test you needed to pass before you were allowed to program on the internet.