ColdFusion Muse

Email Injection Attack Part II - More Information

Mark Kruger September 19, 2005 5:29 PM Security Comments (7)

This blog is a follow up to a previous post, on the Email Injection Attack exploit and its occurrence on CF servers. Several questions and comments that were added indicates to me that I wasn't clear enough in describing what I believe is actually occurring. Let me see if I can shed some additional light on the subject.

Let's say you have a contact us form that is sent to "". The email message is set up to be "from" the person making the contact so that joe can easily click reply and respond. The user also has control over a part of the subject and the message. The code would look like this:

<Cfmail from="#form.from#" to="" subject="Email From contact form: #form.subj#">
Simple enough right?

Suddenly Joe (your client) calls you and says, "I'm getting spammed by fishy messages!" When you look at the messages in question you see the following.

  • The from address is - the same as the clients domain.
  • The Message seems to consist of the same address.
  • There are 3 or 4 right in a row with similar characteristics.
  • There may be a bounced message and it may show an attempted header in the body that says "bcc: someemail@somedomain".
Well now, that certainly does seem suspicious. Is it spam? Well, if by spam you mean sending gobs of unsolicited mass email, then no, it's not spam. Technically it's a probing attack - most likely by a bot.

The bot finds a contact page and hit's it 3 or 4 times with several known methods of inserting headers into email messages. For example, it submits as the from address

If your scripting language assembles a mail message using a format - in other words if it concatenates headers and messages into a string representing a mail message - then this would result in a header entry like: Being inserted into the message. The key is, the secret email address would then receive a message from your contact page. If the bad guy does receive such a message he has found out something very important and valuable. He knows that he can send email to any email address from your domain. You have in effect created an open relay for him to use on your domain. His next step is to work with your form to do the same thing with content by concatenating boundary and mail part commands. Should he succeed, he has a way to send arbitrary messages from your domain to whomever he likes - he can spam through you. The red flag that you have a problem is not receiving 3 or 4 messages at a time with bogus email addresses. The red-flag is if you suddenly see hundreds of bounces - or your traffic on your contact form goes through the roof.

The important thing to know is that those extra 3 or 4 messages are not spam - but merely probing looking for this vulnerabilty. CF is not vulnerable (as far as I know) to this problem because the CFMAIL tag controls the creation of headers and mail parts using the java mail classes.

So if you see those email messages from your domain explain what is going on to your site owners. Meanwhile there are a few things you can do to "fix" this problem. First, message formats dictate line breaks as the delimiter for headers in a mail message. If you use form parameters in "from" or "subject" you can check for the existence of line breaks and not allow the message if any are found. This is not a perfect solution because there may be browsers that have issues with line breaks - and you may end up shutting out those folks. Let me add, I don't know of any such problems, I'm just trying to cover my but (ha). Here's how you might do it:

<!--- check for format and line breaks

   <cfif isEmail(form.from) AND NOT find(chr(10),form.from) AND NOT find(chr(13),form.from)>
      <Cfmail from="#form.from#" to="" subject="Email From contact form: #form.subj#">
Of course you should already be checking for proper email format - so your regex might already be doing the trick.

  • Share:


Leave this field empty

Write a comment

If you subscribe, any new posts to this thread will be sent to your email address.

  • Pete Freitag's Gravatar
    Posted By
    Pete Freitag | 9/19/05 4:04 PM
    Good post, thanks.
  • Mark W. Breneman's Gravatar
    Posted By
    Mark W. Breneman | 9/20/05 10:27 AM
    I have been looking for a good way of dealing with these attacks so my clients stop calling and asking me what these emails are about.

    Maybe you can elaborate a bit on this...

    It is my understanding that if you have 8 form fields the bot will try inserting the header info in each of the fields in turn. So, thus you will be receiving 8 emails.

    In you example you suggest looking for line break in one of the fields. Am I correct in assuming that as a result you will only get 7 emails from that form when the bot attacks it? And, that to fully stop all emails one would need to check each field for a line break?

    Or am I missing something here?
  • Mark's Gravatar
    Posted By
    Mark | 9/20/05 10:41 AM
    Mark - I believe you are exactly right. The only field where linebreaks should be present is any "text area" field where the user is sending his "message". If you excluded linebreaks from all fields but that one, then looked for email addresses in the "message" that end in your domain - you would kill 99.99 percent of them (I never say 100 :)
  • James B (Clarkee21)'s Gravatar
    Posted By
    James B (Clarkee21) | 6/22/06 8:58 AM
    I just came across this post through a Google search and as I'm having exactly the same problems as you describe I thought I'd give it a shot. I've got all my code in place now but the issue is how do you test it?? :)

    I apologise if this sounds like a studpid question but how do you insert Chr(10) and/or Chr(13) characters into a single field?
    (I guess this is like becoming a spammer to beat the spammers!!!)

    Also, I don't know if this helps but I posted a similar question about this issue on the last year. They came back with a quite simple technique that might be of interest to you as well:
  • mkruger's Gravatar
    Posted By
    mkruger | 6/22/06 9:03 AM

    You will probably need to create a custom form - or a test script that does not use form variables. For example you could create a custom form that had a "textarea" instead of a "text" style box - and then post from that box. In some browsers you could create your content (including the chr(10) - chr(13)) in notepad or an editor and then "cut and paste" them into the text field.

    In short, there are a lot of ways to do this :)
  • Bob's Gravatar
    Posted By
    Bob | 10/2/06 5:28 PM
    Here's a good method I use for ColdFusion. Do a RegEx find on the form e-mail address to make sure it's valid.

    <cfif REFindNoCase("^[\w\.-]+@[\w\.-]+\.[a-zA-Z]{2,3}$",form.FORM-EMAIL) gt 0>
    ... Do your stuff
    <!--- It's not a valid e-mail address --->

    This will validate that the passed e-mail address as well as make sure it doesn't contain any illegal characters.

  • John Crow's Gravatar
    Posted By
    John Crow | 10/11/06 2:38 PM
    I believe I'm seeing the same attacks through a CGI script and don't know how to stop it. (Please see below)

    If anyone has any suggestions or knows where I can get a cgi send mail script that doesn't have this HOLE in it I would be most grateful.

    John Crow (Please e-mail me direct regarding this posting)

    FunnyStory =
    Post_Address =
    Contact = lues
    Content-Type: multipart/alternative;
    X-Mailer: Pegasus Mail for Windows (v4.01)
    Subject: into the

    Content-Transfer-Encoding: 7bit
    Content-Type: text/plain

    months of arch pril ay. t some point during this time many of the producers
    will also rub a paste of

    Content-Transfer-Encoding: base64
    Content-Type: text/plain