Is .NET vulnerable to this spam attack?

vMike

http://www.anders.com/cms/75/Crack.Attempt/Spam.Relay

Here is a snip from the above link.

.... attacker is hoping to exploit unchecked fields in a "web to email" form.
The attack works by assuming a field used in an email header (such as the
"From:" address or the "Subject:") is passed unchecked to the mail
subsystem. Appending a newline character and a few more carefully crafted
header lines with a BCC list and a spam message body might trick the
underlying mail system into relaying spam for the attacker. An initial test
sending a BCC copy to (e-mail address removed) has been used on most forms
on my site to phish for vulnerable scripts. If you run a site, you should
check and strip fields for carriage return and newline characters used
directly in email headers.

...
I tested my forms and they seem to be fine, but I was wondering if anyone
knows where asp.net is vulnerable to this attack.
I use SmtpMail.Send and I htmlencode all fields on the form.

Mike
 
Kevin Spencer

ASP.Net is NOT vulnerable to this attack. ASP.Net generates HTML, and
processes ASP.Net forms. It can spit out any HTML you want it to, and handle
the forms any way you want it to. IOW, ASP.Net is not at fault if a
developer doesn't implement the correct type of validation for his/her
forms.

--
HTH,

Kevin Spencer
Microsoft MVP
.Net Developer
Neither a follower nor a lender be.
 
darrel

ASP.Net is NOT vulnerable to this attack. ASP.Net generates HTML, and
processes ASP.Net forms. It can spit out any HTML you want it to, and handle
the forms any way you want it to. IOW, ASP.Net is not at fault if a
developer doesn't implement the correct type of validation for his/her
forms.

Guns don't kill people, people do? ;o)

My (limited) understanding is that this type of attack (an email injection)
isn't existent on the .net platform due to the way .net handles the sending
of email. In PHP, I think the fields are sent directly as headers, where in
.net they aren't. But that's all just my limited understanding of the
situation.

Kevin is right, it makes sense to get in the habit of doing thorough
validation. Strip out all line breaks and extraneous @ symbols in the
TO/FROM fields for starters.

-Darrel
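The check the quoted advisory and Darrel both describe (reject CR/LF in header-bound fields, allow exactly one @ in the sender, and do it server-side) as an added example in Python; this is not code from the thread or from ASP.NET. The field names, the fixed recipient and the sample inputs are constructed for the example.

```python
import re
from email.message import EmailMessage

# Constructed placeholder: the recipient is fixed server-side and never
# taken from the request, so the form cannot be turned into a relay.
SITE_OWNER = "webmaster@example.org"

# CR, LF and NUL are the characters that let a field value spill over
# into additional header lines (the "newline + Bcc:" trick above).
_HEADER_BREAK = re.compile(r"[\r\n\x00]")
# Deliberately strict shape: one local part, exactly one '@', dotted domain.
_ADDRESS = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def validate_form(fields):
    """Return a list of problems; an empty list means the header-bound
    fields are safe. This runs server-side whatever the client checked."""
    problems = []
    for name in ("From", "Subject"):
        if _HEADER_BREAK.search(fields.get(name, "")):
            problems.append(f"{name}: line break or NUL in header value")
    sender = fields.get("From", "").strip()
    if sender.count("@") != 1 or not _ADDRESS.match(sender):
        problems.append("From: not a single mailbox@domain address")
    if not fields.get("Body", "").strip():
        problems.append("Body: empty")
    return problems


def build_message(fields):
    """Validate, then build the message. Refuse rather than silently strip,
    so a probe shows up in the error log instead of disappearing."""
    problems = validate_form(fields)
    if problems:
        raise ValueError("; ".join(problems))
    msg = EmailMessage()
    msg["From"] = fields["From"].strip()
    msg["To"] = SITE_OWNER
    msg["Subject"] = fields["Subject"]
    msg.set_content(fields["Body"])  # newlines belong in the body only
    return msg


def rejected(fields):
    """True when build_message refuses the fields."""
    try:
        build_message(fields)
    except ValueError:
        return True
    return False
```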
 
Bruce Barker

that is to say .net is only vulnerable to this attack (or others like sql
injection) if the site is not coded properly. .net does not prevent these
coding errors.

-- bruce (sqlwork.com)
 
JIMCO Software

Kevin said:
ASP.Net is NOT vulnerable to this attack. ASP.Net generates HTML, and
processes ASP.Net forms. It can spit out any HTML you want it to, and
handle the forms any way you want it to. IOW, ASP.Net is not at fault
if a developer doesn't implement the correct type of validation for
his/her forms.

That's very true, but it's also important to realize that there is code in
ASP.NET itself to validate requests via the ValidateRequest property.
However, Microsoft recommends that you also validate form data.

Here's more information:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/paght000003.asp

--
Jim Cheshire
JIMCO Software
http://www.jimcosoftware.com

FrontPage add-ins for FrontPage 2000 - 2003
 
vMike

JIMCO Software said:
That's very true, but it's also important to realize that there is code in
ASP.NET itself to validate requests via the ValidateRequest property.
However, Microsoft recommends that you also validate form data.

Here's more information:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/paght000003.asp

--
Jim Cheshire
JIMCO Software
http://www.jimcosoftware.com

FrontPage add-ins for FrontPage 2000 - 2003

Thanks for the feedback. I do regex validate the from email address but only
client side and validate the domain name serverside based on the first @ to
the end, so if there is more than one @ then the page won't process the
email server side. The To address is not shown and the subject and body are
htmlencoded. The only thing I need to tighten up is to redo the regex email
validation server side in case someone bypassed the client side validation.
Thanks again.
Mike
 
Kevin Spencer

Guns don't kill people, people do? ;o)

Well, my Uncle Chutney sez "Guns don't kill people, and people don't kill
people either. Ideas kill people."

Whatever that means!

;-)

Kevin Spencer
Microsoft MVP
.Net Developer
Neither a follower nor a lender be.
 
Hans Kesting

vMike said:
Thanks for the feedback. I do regex validate the from email address
but only client side and validate the domain name serverside based on
the first @ to the end, so if there is more than one @ then the page
won't process the email server side. The To address is not shown and
the subject and body are htmlencoded. The only think I need to
tighten up is to redo the regex email validation server side in case
someone bypassed the client side validaton. Thanks agiain.
Mike

If I understand correctly, when you use a .Net validator, the code is not
only run client-side, but *also* server-side, to prevent bypassing.
If you built your own validating script, then you will have to check server-side yourself.

Hans Kesting
 
