I recently noticed a gaping security hole in one of my own websites. Thankfully, I’ve fixed the error and I never lost any sensitive information, but the experience has left me a bit embarrassed.
While I’ve never claimed to be a security expert, nor have I ever claimed to be an email expert, there’s an important lesson to be learned — and I’d like to share it with you.
The website in question had been using the CDONTS libraries to send alert/confirm emails when a form had been submitted. For the longest time (we’re talking years) there was no problem… everything worked fine. The emails were sent (and would arrive) without issue.
However, a few weeks ago I began to notice that the emails had suddenly stopped. Why? I have no idea what changed, but after some digging I did find the reason.
Using CDONTS, your application can specify any email address for the “To” and “From” addresses, and then uses your Microsoft server to generate the email. However, the “From” address needs to have a domain that matches the originating website’s domain (e.g. “someemail@yourdomain.com” has to be sent from the website “www.yourdomain.com”).
The error bounced back from the server is “Diagnostic-Code: smtp;553 sorry, your mail was administratively denied. (#5.7.1)”.
In my case, I had been sending myself an email using the visitor’s email address in the “From” address… which meant my emails were bouncing back to the website visitor, showing them anything I had written in the message body. Very bad!
In actuality, it wasn’t anything bad — just a message saying “joe@somedomain.com” had filled out my form. But it could have been very bad had I been transmitting sensitive information in the email’s body (a bad idea in general, as email is notoriously insecure).
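To make the fix concrete, here is an added example (not the code from my site) of the mistaken CDONTS pattern next to the corrected one. It assumes classic ASP with the CDONTS.NewMail object, a form field named “email”, and a constructed site domain of “yourdomain.com”; the visitor’s address moves from “From” to a “Reply-To” header so replies still reach them while bounces come back to the site.

```vbscript
' Added example, not the original site's code. Assumes classic ASP with the
' CDONTS.NewMail object and a form field named "email" (both assumptions).
' Constructed values: the site's own domain is "yourdomain.com".
Dim visitorEmail, siteSender, objMail
visitorEmail = Trim(Request.Form("email"))
siteSender   = "forms@yourdomain.com"   ' an address on the sending site's domain

' Basic sanity check before placing user input in a mail header: require an
' "@" and refuse line breaks, which would let extra headers be injected.
If InStr(visitorEmail, "@") = 0 Or InStr(visitorEmail, vbCr) > 0 _
   Or InStr(visitorEmail, vbLf) > 0 Then
    Response.Write "Invalid email address."
    Response.End
End If

' Mistaken pattern described in the post: the visitor's address is used as
' "From", its domain does not match the website, and the 553 "administratively
' denied" bounce (carrying the whole body) is delivered to the visitor.
' Set objMail = Server.CreateObject("CDONTS.NewMail")
' objMail.From    = visitorEmail          ' wrong: domain is not the site's
' objMail.To      = "owner@yourdomain.com"
' objMail.Subject = "New form submission"
' objMail.Body    = "Form filled out by " & visitorEmail
' objMail.Send

' Corrected pattern: "From" stays on the site's own domain, so any bounce
' returns to the site, and the visitor's address goes into "Reply-To".
' CDONTS.NewMail exposes extra headers through its write-only Value property.
Set objMail = Server.CreateObject("CDONTS.NewMail")
objMail.From    = siteSender
objMail.To      = "owner@yourdomain.com"
objMail.Value("Reply-To") = visitorEmail
objMail.Subject = "New form submission"
objMail.Body    = "Form filled out by " & visitorEmail
objMail.Send
Set objMail = Nothing
```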
Lesson learned!
Thankfully, I haven’t been using CDONTS in a long time, so the rest of my websites have not been affected.