Email Injection

What is email injection?

Many websites send out emails in response to user actions. They email feedback to the site owner, they email confirmation of actions to users, they allow users to email links to interesting content to their friends. Email injection is a technique used to modify the emails being sent out. This can include changing the text of the email, and modifying the recipient list. The primary reason attackers use email injection is to send out spam messages from a website they do not own. This helps cover their tracks and avoid blacklisting efforts (since they can just move on to the next website when the current one is blacklisted). It is the website owner who will have to deal with the consequences.

What makes a site vulnerable?

Email injection can occur when an attacker is able to insert input into an email. A site will be vulnerable if it uses user-supplied input in the emails it sends out without ensuring that this input is safe. In particular, the attacker is likely to insert new lines into the email so that they can add new email headers with, for example, additional recipients.

Impact of the attack

Malicious use of the site as a spam relay could affect the site's ability to send out legitimate emails or it may affect the performance of the site itself (constituting a denial of service). The attack also exposes the website to the risk of being blacklisted as a spam source. This would impact on the site’s ability to successfully send out emails in the future. If the site depends on its email functionality as part of its operation, then it may be permanently crippled.

Preventing email injection

To prevent email injection it is necessary to validate user input before using it in an email. This includes information used in the address fields (To, From, CC, BCC), subject lines, message bodies, and any other information. At a minimum, new line and carriage return characters should be removed from the input. This will prevent the attacker from adding further headers. However, it is not necessarily sufficient to prevent the attacks. An attacker could still modify current headers (to add additional recipients, for instance, by separating them with commas). To prevent this, the website should verify that the information supplied is of the expected type. For instance, if a single email address is requested, it should be checked that a single email address has been supplied (rather than multiple comma-separated email addresses).
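The two layers of validation described above (stripping line breaks so no new header can start, then checking that an address field really holds a single address), written out as an added Python example; this is not code from the original page, and the sample inputs at the bottom are constructed for illustration.

```python
import re
from email.utils import parseaddr
from typing import List

# A line break ends a header in an RFC 5322 message, so any CR or LF inside a
# user-supplied header value would let that value start a new header (Bcc:, Cc:, ...).
_LINE_BREAK = re.compile(r"[\r\n]")

# Deliberately strict grammar for ONE bare address: no display name, no angle
# brackets, no whitespace, and no separators such as ',' or ';'.
_ONE_ADDRESS = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}")


def strip_line_breaks(value: str) -> str:
    """Minimum defence from the text: drop CR/LF so no additional header can be added."""
    return _LINE_BREAK.sub("", value)


def is_single_address(value: str) -> bool:
    """Stronger check: the field holds exactly one plain email address, not a list."""
    value = value.strip()
    if _LINE_BREAK.search(value):
        return False                      # header injection attempt
    if not _ONE_ADDRESS.fullmatch(value):
        return False                      # comma-separated lists, display names, junk
    # parseaddr must agree that the whole string is that one address
    return parseaddr(value)[1] == value


def validate_mail_fields(to_addr: str, subject: str) -> List[str]:
    """Return the list of problems found; an empty list means the fields are safe to use."""
    problems = []
    if not is_single_address(to_addr):
        problems.append("To: must be exactly one email address")
    if _LINE_BREAK.search(subject):
        problems.append("Subject: contains a line break")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs: one clean request, one multi-recipient list,
    # and two values carrying a line break followed by an extra header.
    samples = [
        ("alice@example.com", "Hello"),
        ("alice@example.com, bob@example.com", "Hello"),
        ("alice@example.com\r\nBcc: relay@example.net", "Hello"),
        ("alice@example.com", "Hello\nBcc: relay@example.net"),
    ]
    for to_addr, subject in samples:
        print(repr(to_addr), repr(subject), "->", validate_mail_fields(to_addr, subject) or "ok")
```

Rejecting the request outright (rather than silently cleaning it) is preferable for the address field, since a stripped value such as "alice@example.comBcc: relay@example.net" is not an address the site should mail to anyway.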