For the Web Developers in the Audience…
Posted by Jim on May 10th, 2006
Sometime last year, I replaced the email addresses on a client’s site with an online form. The idea was that the online form would slow the ongoing barrage of spam. I don’t know whether it was successful at this, but I’m sure that at least a few fewer spambots collected their email addresses.
Amusingly, this form has been my window into how higher-visibility sites can attract form misuse, abuse and associated hassle. I wrote last year about discovering the existence of email injection.
Having covered misuse and abuse in that post, I write now about “associated hassle.” Since email injection became better known, the larger hosting providers like Network Solutions have attacked the problem in structural ways. For example, Network Solutions along with other organizations no longer allows email addresses outside of the web site’s domain to be listed in the “from” field.
What this means on a practical level is that if someone hijacks your form and starts sending spam through it, listing an email address that might actually reach them (i.e. not one of yours), that spam will never get through. Unfortunately it also means that if you wanted to put a legitimate form user’s email address in the “from” field, allowing your client to contact them by pressing “reply” to the email they just received, well… that won’t work either.
Naturally, larger web hosting organizations cannot be bothered to notify their clients of this sort of change. Thus, late last week we started getting “mail returned” from the form. This was good in that we at least got the mail, but bad in that it wasn’t going to the person who needed it. It was going to me.
Specifically, the returned emails included the information that our server’s IP address had been put on the CBL. The CBL’s pages include a number of reasons why you might be on their list. Many of them had to do with server configuration. Others had to do with software that we aren’t running. In short, they were little help at all.
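Here is an added example (my own code, not the form mailer from the post) of how a form-to-email script can live with a provider rule like the one described above and still resist the email injection mentioned earlier. It keeps “From” fixed to an address in the site’s own domain, puts the visitor’s address in a Reply-To header so the client’s “reply” button still works (Reply-To is my suggested workaround; the post does not name it), and refuses any field containing carriage returns or line feeds, which is how extra headers get smuggled into a message. The addresses `webform@example.com` and `client@example.com` are placeholders, and the sample submissions at the bottom are constructed.

```python
import re
from email.message import EmailMessage
from email.utils import formataddr

# Placeholder site addresses (assumed). The provider policy described in the
# post requires "From" to stay inside the site's own domain, so it is fixed.
SITE_SENDER = "webform@example.com"
SITE_RECIPIENT = "client@example.com"

# One plain mailbox only: no display names, no address lists, no comments.
_ADDR_RE = re.compile(
    r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}$")


class HeaderInjection(ValueError):
    """A form field contained characters that would add or break headers."""


def clean_header_field(value: str, max_len: int = 200) -> str:
    """Reject CR, LF and NUL (the raw material of email injection), then trim."""
    if any(ch in value for ch in "\r\n\x00"):
        raise HeaderInjection("control characters in header field")
    # Collapse stray whitespace and cap the length so headers stay one line.
    return " ".join(value.split())[:max_len]


def validate_address(addr: str) -> str:
    """Accept a single well-formed mailbox address or raise ValueError."""
    addr = clean_header_field(addr, max_len=254)
    if not _ADDR_RE.match(addr):
        raise ValueError(f"malformed address: {addr!r}")
    return addr


def build_form_message(name: str, email: str, subject: str, body: str) -> EmailMessage:
    """Build the message a form mailer would hand to the MTA.

    From is our own address, so the provider's domain check passes; the
    visitor's address goes in Reply-To, which keeps "reply" working.
    """
    visitor_name = clean_header_field(name)
    visitor_addr = validate_address(email)
    msg = EmailMessage()
    msg["From"] = formataddr(("Website form", SITE_SENDER))
    msg["To"] = SITE_RECIPIENT
    msg["Reply-To"] = formataddr((visitor_name, visitor_addr))
    msg["Subject"] = clean_header_field(subject)
    # The body is free text; newlines here are harmless because they never
    # reach a header. Repeat the visitor's address in case the client's mail
    # reader hides Reply-To.
    msg.set_content(f"From form: {visitor_name} <{visitor_addr}>\n\n{body}")
    return msg


def handle_submission(fields: dict) -> tuple:
    """Return (True, message) on success or (False, reason) on rejection."""
    try:
        msg = build_form_message(
            fields.get("name", ""), fields.get("email", ""),
            fields.get("subject", ""), fields.get("message", ""))
    except (HeaderInjection, ValueError) as exc:
        return False, str(exc)
    return True, msg


if __name__ == "__main__":
    # Constructed sample submissions, not real form traffic.
    ok, msg = handle_submission({"name": "Ada Lovelace", "email": "ada@example.net",
                                 "subject": "Question", "message": "Hello"})
    print(ok, msg["From"], msg["Reply-To"], sep="\n")
    # A classic injection attempt: an extra header hidden inside the address.
    ok, why = handle_submission({"name": "x", "email": "a@b.example\r\nBcc: list@example.org",
                                 "subject": "s", "message": "m"})
    print(ok, why)
```

The check on control characters is deliberately done before any parsing: the email library will also refuse a header value with an embedded newline, but rejecting the submission explicitly gives you a log line you can alert on rather than a stack trace.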
Knowing that I couldn’t do anything about the server’s configuration, I called someone who could. Network Solutions generally has good technical support, but somehow I ended up talking to someone who didn’t know what was going on the first time I called. The second time, I was forwarded to someone who explained the situation.
I pass it on to you in the hope that you don’t need to know it, but the suspicion that you might someday.