One task I've been assigned at my new job is to find a reliable way of stopping spammers from exploiting an issue with Email-Simple. Basically, the email looks like this:

    To: GetADiplomaOnline
    Content-Type: multipart/alternative; boundary=be638aa04b654852d0173c0e3f9b6d20
    From: some@email.address.co.uk
    to: @huge_list_of_email_addresses

Because we have both a To: and a to: header (note case), Email::Simple reports the To: header ("GetADiplomaOnline") when doing this:

    use Email::Simple;

    my $email   = Email::Simple->new($email_text);
    my @headers = $email->header('to');   # returns only "GetADiplomaOnline"

If the case of the headers were the same, then I'd get both headers. Because I don't get both headers, our validation checks ignore the second header. Peeking inside the email object reveals this:

    'header_names' => {
        'content-type' => 'Content-Type',
        'to'           => 'To',
        'from'         => 'From',
        'subject'      => 'Subject'
    },
    'order' => [ 'To', 'Content-Type', 'From', 'to', 'Subject' ]

Further research reveals that this module parses both headers, though it doesn't report both in this case. RFC 2822 says we can't have more than one header for to: (assuming I read it correctly), so I'm guessing that one way to stop this spam attack is to disallow email which has more than one to:, cc: or bcc: header.

Is this a reasonable approach? If so, how should I go about this? I don't want to reach into Email::Simple's internals to test this, but I have so little experience in this area that I'm not sure what best practices are.

Note: Email::Simple::Headers does not report the extra to: header, so that is not an option.

Cheers,
Ovid

New address of my CGI Course.
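One way to implement the check the post asks about, as an added example that is not Ovid's code and does not touch Email::Simple at all: walk the raw header block yourself, unfold RFC 2822 continuation lines, and count To/Cc/Bcc field names case-insensitively, rejecting the message if any of them appears more than once. Everything below is pure core Perl; the two sample messages are constructed for illustration (the first is modelled on the headers quoted in the post, with a folded address list added to show that continuation lines are not miscounted as a second header).

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Count To/Cc/Bcc headers case-insensitively, without relying on any
# mail-parsing module, so duplicates that differ only in case are caught.
# Returns the (lower-cased) names of recipient headers seen more than once.
sub duplicate_recipient_headers {
    my ($raw) = @_;
    my %wanted = map { $_ => 1 } qw(to cc bcc);
    my %count;

    # Only the header block matters: it ends at the first empty line.
    my ($header_block) = split /\r?\n\r?\n/, $raw, 2;

    # Unfold continuation lines (a line starting with SP or HTAB belongs to
    # the previous field) so a folded address list is not seen as a new header.
    $header_block =~ s/\r?\n[ \t]+/ /g;

    for my $line (split /\r?\n/, $header_block) {
        # field-name is printable ASCII except ':' (RFC 2822 section 2.2)
        next unless $line =~ /^([!-9;-~]+):/;
        my $name = lc $1;
        $count{$name}++ if $wanted{$name};
    }

    return sort grep { $count{$_} > 1 } keys %count;
}

# Constructed sample modelled on the post's message (not a real spam).
my $spam = join "\r\n",
    'To: GetADiplomaOnline',
    'Content-Type: multipart/alternative; boundary=be638aa04b654852d0173c0e3f9b6d20',
    'From: some@email.address.co.uk',
    'to: victim1@example.com, victim2@example.com,',
    '    victim3@example.com',       # folded continuation of the to: line
    'Subject: Get a diploma online',
    '',
    'body text';

# Constructed well-formed message: exactly one To: header.
my $clean = join "\r\n",
    'To: someone@example.com',
    'From: some@email.address.co.uk',
    'Subject: Hello',
    '',
    'body text';

for my $msg ($spam, $clean) {
    my @dups = duplicate_recipient_headers($msg);
    print @dups ? "REJECT: duplicate header(s): @dups\n" : "ACCEPT\n";
}
```

Run against the two samples this prints "REJECT: duplicate header(s): to" for the first message and "ACCEPT" for the second. The check deliberately reads the raw text rather than the parsed object, so it does not depend on which of the two same-named headers a parsing module happens to expose; a validator that only looks at what `header('to')` returns is exactly the blind spot being exploited here.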

