Comments on: Is Your Site Sending Spam? Thousands of Volusion Sites Might Be. http://www.dotcult.com/is-your-site-sending-spam-thousands-of-volusions-sites-might-be Ryan Jones Blogs About Internet Culture, Marketing, SEO, & Social Media Tue, 07 Feb 2012 00:30:47 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: Ryan http://www.dotcult.com/is-your-site-sending-spam-thousands-of-volusions-sites-might-be#comment-3485 Ryan Mon, 12 Nov 2007 20:53:23 +0000 http://www.dotcult.com/is-your-site-sending-spam-thousands-of-volusions-sites-might-be#comment-3485 Thanks for your post Michelle. While it's not the preferred method I'd take, it does provide a little bit of help. The proper solution is to store the recipient email on the server side, as well as provide validation. From what I can gather without looking at the code (I'm not a volusion client), it's simply taking whatever is in that field and sending the mail - thus still wide open for HTML header injection. Of course, I haven't tried it.. so you might be doing some validation. I'm not sure. I'm at least glad to see you're taking some steps in the right direction. I'm sorry I singled your sites out, as there are tons of other vulnerable sites out there, it's just that yours were the easiest to demonstrate on because of the consistent naming. --Ryan Thanks for your post Michelle. While it’s not the preferred method I’d take, it does provide a little bit of help.

The proper solution is to store the recipient email on the server side, as well as provide validation. From what I can gather without looking at the code (I’m not a volusion client), it’s simply taking whatever is in that field and sending the mail – thus still wide open for HTML header injection.

Of course, I haven’t tried it.. so you might be doing some validation. I’m not sure.

I’m at least glad to see you’re taking some steps in the right direction. I’m sorry I singled your sites out, as there are tons of other vulnerable sites out there, it’s just that yours were the easiest to demonstrate on because of the consistent naming.

–Ryan

]]> By: Michelle Greer http://www.dotcult.com/is-your-site-sending-spam-thousands-of-volusions-sites-might-be#comment-3484 Michelle Greer Mon, 12 Nov 2007 19:14:30 +0000 http://www.dotcult.com/is-your-site-sending-spam-thousands-of-volusions-sites-might-be#comment-3484 In version 5 of Volusion eCommerce software there is a required new field for sending emails through a form post. The new required field is an image verification code. This method of verification is also known as CAPTCHA and is widely accepted throughout the world wide web as an acceptable spam preventing mechanism. Such sites that have adopted this method are google and hotmail (maybe some more here). There is also a speaker icon for those who have trouble reading the scrambled images. As well as this layer of security there is a limit of five emails per day per IP address. Since the form is still open to a single person changing the input fields to what they wish, this will prevent them from sending very many "malicious" emails. For the sake of functionality, usablity, and customizability, the method we use is required. There is also a third layer, behind the scenes, in our email server that limits the number of emails that are sent. We also monitor this limit and if people are unexpectedly reaching their limits we take appropriate action. In version 5 of Volusion eCommerce software there is a required new field for sending emails through a form post. The new required field is an image verification code. This method of verification is also known as CAPTCHA and is widely accepted throughout the world wide web as an acceptable spam preventing mechanism. Such sites that have adopted this method are google and hotmail (maybe some more here). There is also a speaker icon for those who have trouble reading the scrambled images.

As well as this layer of security there is a limit of five emails per day per IP address. Since the form is still open to a single person changing the input fields to what they wish, this will prevent them from sending very many “malicious” emails. For the sake of functionality, usablity, and customizability, the method we use is required.

There is also a third layer, behind the scenes, in our email server that limits the number of emails that are sent. We also monitor this limit and if people are unexpectedly reaching their limits we take appropriate action.

]]>