Hmm
Since you have a fixed "to:" address, I'm not sure what they can inject. As
far as I'm aware, CDO.Message doesn't just create a text file and drop it
into the "pickup" folder of the SMTP server (if it did, then it may be
possible to inject some text to create another To: or From: address).
Instead it uses SMTP commands to speak to an SMTP server. In that case, what
you set in the properties of your object instance would be what's sent. If
you do want to filter, then looking for more than one "@" symbol (and
encoded versions of such) would be all that's necessary.
In any case, your SMTP server should be configured to prevent unauthorized
third party relay. In that case, even if an attacker does manage to somehow
subvert your script, the SMTP server would reject the mail.
Cheers
Ken
--
IIS Blog:
www.adopenstatic.com/cs/blogs/ken/
Web:
www.adopenstatic.com
"TomR" <TomR.TakeThisOut@discussions.microsoft.com> wrote in message
news:331D3D41-4FC6-4D84-9ACC-E46C63F7AC5E@microsoft.com...
: I'm using a pretty basic VBScript to send "request for information" type
: e-mails to our sales force from a form on our web site (running IIS6.0 on
: 2003SP1) . The script builds the CDO.message object from the form in the
: usual way:
:
: iMsg.From = Request.Form.Item("Email")
: iMsg.To = "fixedaddress@me.org"
: iMsg.Subject = Request.Form.Item("Subject")
: iMsg.TextBody = Request.Form.Item("Comment")
: iMsg.Send
:
: Lately, we've been seeing attempts to relay spam through our site by
: providing malformed from, subject, or comment fields. I don't think they've
: been working, but it's gotten me worrying: should I be doing any validation
: on the user-supplied form values before building/sending the CDO.message?
:
: Thanks for any advice on this!
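Ken's suggestion (reject a From value with more than one "@", including encoded forms) written out as a check for the form handler. This is an added example, not code from either post; it assumes classic ASP/VBScript like TomR's script, and it additionally rejects CR/LF, since a line break inside a header value is what would start a second To: or From: header.

```vbscript
' Added example (not from the original thread). Validates the form fields
' before they are copied into CDO.Message properties.

' True only if the value looks like a single plain mailbox.
Function IsSafeFromAddress(value)
    Dim s, decoded
    IsSafeFromAddress = False
    s = Trim(value)
    If Len(s) = 0 Or Len(s) > 254 Then Exit Function

    ' A CR or LF inside a header value would begin a new header line.
    If InStr(s, vbCr) > 0 Or InStr(s, vbLf) > 0 Then Exit Function

    ' Fold common encodings of "@" and line breaks, then re-check.
    decoded = LCase(s)
    decoded = Replace(decoded, "%40", "@")
    decoded = Replace(decoded, "&#64;", "@")
    decoded = Replace(decoded, "&#x40;", "@")
    If InStr(decoded, "%0d") > 0 Or InStr(decoded, "%0a") > 0 Then Exit Function

    ' Exactly one "@" (Ken's check), with text on both sides of it.
    If Len(decoded) - Len(Replace(decoded, "@", "")) <> 1 Then Exit Function
    If Left(decoded, 1) = "@" Or Right(decoded, 1) = "@" Then Exit Function

    ' No address-list separators and no display-name brackets.
    If InStr(decoded, ",") > 0 Or InStr(decoded, ";") > 0 Then Exit Function
    If InStr(decoded, "<") > 0 Or InStr(decoded, ">") > 0 Then Exit Function

    IsSafeFromAddress = True
End Function

' Subject must stay a single header line of sensible length.
Function IsSafeSubject(value)
    IsSafeSubject = (InStr(value, vbCr) = 0) And (InStr(value, vbLf) = 0) _
                    And (Len(value) <= 200)
End Function

' Usage in the form handler, before iMsg is built:
Dim fromAddr, subj
fromAddr = Request.Form.Item("Email")
subj = Request.Form.Item("Subject")
If Not IsSafeFromAddress(fromAddr) Or Not IsSafeSubject(subj) Then
    Response.Status = "400 Bad Request"
    Response.Write "Invalid form data."
    Response.End
End If
' ... only now set iMsg.From / iMsg.Subject and call iMsg.Send
```

The comment body (TextBody) is not a header, so it only needs a length limit; the relay restriction on the SMTP server that Ken mentions remains the backstop if any of this is bypassed.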