I'm getting numerous spam messages through the Feedback form on my Drupal site www.mightyzero.com. E.g.

Subject: Feedback: nuuwkwoal@mightyzero.com
Content-Type: multipart/mixed; boundary="===============1387240381=="
MIME-Version: 1.0
Subject: 48004429
To: nuuwkwoal@mightyzero.com
bcc: jrubin3546@aol.com
From: nuuwkwoal@mightyzero.com

The word back from my ISP provider is:

Looks like your feedback form is being abused; note the header 'bcc: jrubin3546@aol.com', which is a telltale sign that a mail injection hack of some sort is being used.

Please see the url below for guidance on coding your form processing scripts more securely:

http://securephp.damonkohler.com/index.php/Email_Injection

Regards,
Colin.

So how do I proceed to improve the Drupal feedback form?

Comments

gerd riesselmann:

I just filed a bug for this: http://drupal.org/node/34181

I suggest patching the user_mail() function, since this is where all emailing comes down to in the end. The function is in file user.module.

------------------
Gerd Riesselmann
www.gerd-riesselmann.net
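The check the ISP's note is asking for, as an added example in PHP (this is not the patch from the issue linked above, nor Drupal's user_mail() code): a form field can only become a second header such as "bcc:" if it carries a carriage return or line feed, so every value that ends up in a header is rejected when it contains one. The function names, the wrapper around mail(), and the example.com addresses are all assumptions constructed for this illustration.

```php
<?php
// Added example, not Drupal's own code: reject header-bound values that
// contain line breaks, which is what lets one form field smuggle in extra
// headers like "bcc:".

/**
 * Returns TRUE if $value is safe to use as a single mail header value.
 * CR, LF and NUL are the characters that turn one header into several.
 */
function header_value_is_clean($value) {
  return preg_match('/[\r\n\x00]/', $value) === 0;
}

/**
 * Validate an address field: no header-breaking characters and a single
 * well-formed address. The regex is a deliberately conservative stand-in;
 * Drupal's own valid_email_address() could be used in its place.
 */
function address_is_clean($address) {
  if (!header_value_is_clean($address)) {
    return FALSE;
  }
  return preg_match('/^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$/', $address) === 1;
}

/**
 * Hypothetical safe wrapper around mail(): validates every value that is
 * placed in a header and refuses to send when any of them is tainted.
 * The body is not checked, because it sits after the blank line that ends
 * the header block and cannot add headers of its own.
 */
function safe_feedback_mail($to, $from, $subject, $body) {
  foreach (array($to, $from) as $address) {
    if (!address_is_clean($address)) {
      return FALSE;
    }
  }
  if (!header_value_is_clean($subject)) {
    return FALSE;
  }
  $headers = 'From: ' . $from . "\r\n" .
             'Content-Type: text/plain; charset=UTF-8' . "\r\n";
  return mail($to, $subject, $body, $headers);
}

// Constructed sample inputs modelled on the abused request in the thread:
// the first one carries an injected "bcc:" line, the second is a plain address.
$tainted_from = "nuuwkwoal@example.com\r\nbcc: spamtarget@example.com";
$clean_from   = 'visitor@example.com';

var_dump(address_is_clean($tainted_from));
var_dump(address_is_clean($clean_from));
```

In a real deployment the rejection branch should also be logged (Drupal's watchdog() is the natural place) so that abuse attempts show up in the site log instead of only failing silently; the ISP's bounce was the only signal in this thread, and a log entry would have shown the problem earlier.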

he_who_shall_not_be_named:

Thanks for the fix.

henk@sharewareblogs.com:

I've also been hit by this. This fix is very important and should make it to all installations ASAP. Fixes like this should be included in minor security updates, with recommendations that everyone installs them.

gerd riesselmann:

As kbahey has pointed out, the patch may cause unwanted side effects. If you applied it, you should at least carefully watch the discussion here.

------------------
Gerd Riesselmann
www.gerd-riesselmann.net