TL;DR
This guide shows you how to stop attackers adding malicious headers to emails processed by your antivirus (AV) software. We’ll focus on validating user input and escaping special characters before they are used in email header construction.
Understanding the Problem
If your AV software allows users to specify parts of an email header (e.g., subject, recipient), attackers can inject extra headers that could cause problems like:
- Spam bypass: Adding headers to trick spam filters.
- Phishing: Changing the ‘From’ address to look legitimate.
- Data theft: Redirecting replies to an attacker’s email.
Solution Steps
- Identify Input Sources: First, find all places where user-supplied data is used to build email headers. This includes web forms, APIs, and configuration files.
- Input Validation: Check the input against a strict whitelist of allowed characters and formats. Don’t rely on blacklists (blocking specific bad things) as they are easily bypassed.
- Subject Line: Limit length and allow only alphanumeric characters, spaces, and common punctuation.
- Recipient/Sender Email Address: Use a regular expression to validate the email format. Example:
^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+.[a-zA-Z]{2,}$ - Other Headers: Define exactly what is permitted for each header.
- Escaping Special Characters: Even after validation, escape any characters that could be interpreted as part of an email header command.
- Common special characters to escape include
,",',<,>, and newline characters. - The specific escaping method depends on the language you are using. Here’s an example in PHP:
$subject = str_replace([""
- Common special characters to escape include