
My website's email address has been hijacked


Elemental

Hey Folks,

I thought of posting this in the Flash forums but wasn't sure since I don't think it's a Flash issue...

About four or five years ago I created my first website using Flash MX. About two years ago its email address got hijacked and I started receiving SPAM emails from myself on a regular basis.

I was informed by my friend, who was hosting the site at no cost to me, that with the right software anyone could do that; needless to say I removed the site's contact page soon after that but I didn't follow up on it.

I still use Flash MX from time to time, never did update to the next version, wish I had, but I don't or haven't used it to create websites; however, I have a couple of questions about this and I'm hoping someone here can help me with an answer.

How can this be done? What vulnerability on a website allows for this to happen to someone's email address, indeed to someone's website? And how can I prevent this from happening in the future?

I would think that this could also happen to the traditional HTML/CSS website as well and suspect that it's not just websites that are vulnerable...

Peace,
Elemental

Link to comment
Share on other sites

The most common way of doing this is composing multipart emails inside the content field of your form - that way, along with the email meant to be sent using the form, they can send arbitrary emails anywhere they want. The solution is, as it often is, to sanitize everything - that way, the multipart delimiters should not be able to get through.

P.S. nothing is happening to your email server - the spammers are just exploiting a vulnerability in your contact form's processing script. This is on the backend, and is separate from whatever front-end technology is used.

http://mkruger.cfwebtools.com/index.cfm/20...ail%20injection
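One way to apply the "sanitize everything" advice on the backend, as an added example that is not part of the original posts. It assumes a form with name, email and message fields; the function names and the `SITE_MAILBOX` address are placeholders chosen for this sketch.

```python
import re
from email.message import EmailMessage
from email.utils import formataddr

SITE_MAILBOX = "owner@example.org"  # assumed: recipient is fixed server-side, never read from the form
_CTL = re.compile(r"[\r\n\x00]")    # characters that can end a header line
_ADDR = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

# Constructed sample submissions (not taken from the thread).
INJECTED_EMAIL = "a@example.com\r\nBcc: list@example.net"
MULTIPART_BODY = "hi\r\n--x\r\nContent-Type: text/html\r\n\r\n<b>ad</b>\r\n--x--"

class RejectedSubmission(ValueError):
    """Raised when a form field cannot safely be placed in a mail header."""

def clean_header_value(field, value, max_len=100):
    # A line break in a header-bound field would start a new header line,
    # so reject it outright instead of trying to repair it.
    if _CTL.search(value):
        raise RejectedSubmission(f"{field}: line break in header-bound field")
    value = value.strip()
    if not value or len(value) > max_len:
        raise RejectedSubmission(f"{field}: empty or too long")
    return value

def build_contact_message(name, email, message):
    name = clean_header_value("name", name)
    email = clean_header_value("email", email)
    if not _ADDR.match(email):
        raise RejectedSubmission("email: not a single plain address")
    msg = EmailMessage()
    msg["From"] = SITE_MAILBOX
    msg["To"] = SITE_MAILBOX
    msg["Reply-To"] = formataddr((name, email))  # visitor data only lands here
    msg["Subject"] = "Contact form message"
    msg.set_content(message)  # whole message field becomes one text/plain body
    return msg

def is_accepted(name, email, message):
    try:
        build_contact_message(name, email, message)
        return True
    except RejectedSubmission:
        return False
```
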


Synook,

Thanks for the info, much appreciated.

The only content fields I'm now using are: sender's name (usually just the first name), sender's email address, confirm email address field and a message field; and maybe a phone number field as well.

Having zero knowledge in scripting, I'm at a one now I think, when the user clicked on the contact me link whatever email program / method they used would be launched. I later changed that to a form but the issue still persisted thus I removed the form and page completely and just used an image with my email address; I'll get around to updating the whole site at some point, I need a reel.

The only issue I've seen so far with the site I did for my friends (shadowlandfoundation.org) is the multiple emails being sent by the crawlers and I believe CAPTCHA, as mentioned in the article, may be a good solution for that but I'm not up to date on that yet.

Since I'm not using a TO:, CC: or BCC: fields in my current form could that still be an issue?

P.S. thanks for the link.

Peace,
Elemental
