CDOSYS Email Header Injection
Recently our contact forms on the website have been receiving messages with html links in the text entry fields. I'm assuming that a bot or something is using my mail script and bypassing the contact form.
I have seen posts about most other mail scripts in PHP that say the bots are injecting their own header information and effectively writing the message to their own BCC list.
Does someone have a thread out there about this and what can I do to keep people from sending html links through my forms to their own list. How do I check to see if they're successful or if I'm just getting a bunch of tests hitting the form and that the messages are only coming to me, the specified recipient.
To sanitise the input from a form before it gets sent as an email, is it simply a matter of
Replace(Request.Form("formName"), "'", "''")
or is there more to it than that?
I believe someone is using my contact form and sending out spam. I'm getting thousands of undeliverable emails.
I don't know anything about ASP. Someone who used to work here wrote the form processing script and it seems that all the forms on different domains are being processed by this script. It seems like they didn't do any sort of validation or checks and on one website there are hundreds of pages with the contact form, I could do it in PHP but that is way too much work.....
I have feedback forms on several of my sites and recently, they have been plagued with email injection attacks.
The forms are pretty straight-forward. Half a dozen fields get submitted to a formhandler.asp page where the contents are sent to some hard-coded email addresses using ASPmail.
From what I understand about how this works, spambots are used to add carriage returns after some of the form fields and then adding BCCs in to use the form to send out spam to other addresses. Here's an example of the emails I'm getting: .....
Does anyone know why the code below won't work?
It doesn't throw any errors, but no email is being sent!
'--------------------------------------------------------------
'-------- now use CDOSYS to send email because im using IIS5.1
'--------------------------------------------------------------
Dim objConfiguration
Dim objFields
Dim objMessage
Set objConfiguration = CreateObject("CDO.Configuration")
Set objFields = objConfiguration.Fields
With objFields
.Item(cdoSendUsingMethod) = cdoSendUsingPort
.Item(cdoSMTPServer) ="localhost"
.Item(cdoSMTPServerPort) = 25
.Item(cdoSMTPAuthenticate) = cdoBasic
.Update
End With
Set objMessage = CreateObject("CDO.Message")
With objMessage
Set .Configuration = objConfiguration
.From = "mark@mark.com"
.To = "mark-wheeler@tiscali.co.uk"
.Subject = "Here comes a Subject"
.TextBody = "Here is a text body"
.Send
End With
Set objMessage = Nothing
Set objConfiguration = Nothing
I am trying CDOSYS code to send out email. The problem is that when I try to send email to Gmail and Hotmail accounts, it never works. That is, no email appears at the Gmail and Hotmail accounts. But when I send it to Yahoo Mail, it works.
I run the code at localhost. I use Win XP Pro. I just wonder why this happens.
Can someone explain to me?
Below is the code that I'm trying out: ....
How can you create a hyperlink in the HTML body of CDOsys email? Line 7 is a link for yahoo.com, but the asp page does not work.
Set objMessage = CreateObject("CDO.Message")
objMessage.Subject ="Test Page - File upload"
objMessage.Sender = "" & Request.Form("email1") & ""
objMessage.To ="jason@yahoo.com"
objMessage.HTMLBody = "Email: " & Request.Form("email1") & vbCrLf & _
"Confirmation #: " & Request.Form("ConfirmID") & vbCrLf & _
"<a href="http://yahoo.com.com/">yahoo</a>" & vbCrLf & _
"FileName: " & Request.Form("file1") & vbCrLf & _
"Name: " & Request.Form("Name") & vbCrLf
I used the below code to try and send an e-mail. On my local machine (XP machine) using IIS, the e-mail got generated and was placed in this folder.
C:\Inetpub\mailroot\Queue
So I am assuming the mail got generated correctly and the reason the e-mail did not get sent is that I do not have SMTP setup in my IIS. Do you agree with this statement? The reason I asked that is because I am not sure if I have SMTP setup or not in IIS and I am not sure how I check that.
To continue, I migrated my code up to the production web server and I tried executing it there. I have some display.write statements and they all were displayed so again, I am assuming the mail got generated correctly.
The problem is that the e-mail was not sent (or at least I am assuming it did not because I do not see the e-mail in my inbox).
I have never generated an e-mail before so this process is new to me. My code will be attached below but I was trying to understand some basic concepts.
-If I get my code to work on my local machine thru IIS, should it then also work in the production environment?
-It seems like I am calling some pretty specific components for the configuration settings. Is this the correct way to handle this?
-If you are familiar with this type of code, have I implemented this correctly? I would assume I have not since an e-mail is not getting sent.....
I have a form that needs to handle international characters within the UTF-8
character set. I have tried all the recommended strategies for getting utf-8
characters from form input to email message and I cannot get it to work. I
need to stay with classic asp for this.
Here are some things I tried:
'CDONTS
Call msg.SetLocaleIDs(65001)
'CDOSYS
msg.HTMLBodyPart.Charset = "utf-8"
I included the following meta tag in the email HTML:
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
I also tried modifying the CharSet and CodePage of all involved Request and
Responses.
I was able to Response.Write the form content on post back to the screen and
it was properly rendered. However, none of my efforts can get the email to
render with the correct codebase. I have tried opening the email in Outlook
and Thunderbird. Neither one picks up on the UTF-8 charset meta tag.
I want to send auto email using CDOSYS but in backdate. Is it possible to set the date for an email? Code:
Can anyone post or direct me to a code snippet for sending a plaintext/html multipart email using CDOSYS? I can do basic code, but this is way beyond me. If a user enters html into a form, is there a way for code to strip that out and leave only plaintext behind?
The idea is that a user would fill in one html field, the form would email it in multipart, with one part using the html the user entered and the plaintext part using the same info but with the html code stripped out.
I'm running a mailing list which has grown to around 5000 recipients. I'm currently using ASP to cycle through a database of recipients to send each a custom email with their name, unsubscribe link etc.
Currently I'm using CDOSYS to send the mail, and have set up a page to trigger the emails in batches of 50 so that they don't create blockages on the mail server.
Is it possible to queue emails with CDOSYS, since this would mean I could fire all the emails at once, safe in the knowledge that they will all be dealt with without a problem.
I've used the ASPEmail component before which does this, and it was very effective, but sadly it's not an option to use it on this domain.
Can someone please tell me if it's possible to create an instance of CDOSYS (to send emails) on one host and have the email sent from another host.. or are there obvious gaps in my understanding of what takes place when one tries to send an email using CDOSYS or CDONTS?
I contacted my hosting people and they said they're running Windows 2003, which uses CDOSYS and not CDONT. So, I followed the advice on the sitepoint site for converting to CDOSYS and have concocted the following script: ....
cdosys body text is not being sent by email. Please see if you can spot the problem. Everything below emailHeader & emailFooter is not being sent by email.
see code below:
<!--- BEGIN CDOSYS CODE --->
<%
dim strBody
Set MailObj=CreateObject("CDO.Message")
MailObj.Subject="Your Online order from store-website"
MailObj.From= "store@store.com"
MailObj.To= Request.Form.Item("cEmail")
MailObj.Bcc="store@store.com"
MailObj.TextBody = strBody
emailHeader = "DELIVERY INFORMATION"
strBody = strBody & "DELIVERY INFORMATION (If Delivery was selected):" & VbCrLf
strBody = strBody & "Delivery Choice: " & Request.Form("dChoice") & " on " & Request.Form("choiceDate") & VbCrLf
strBody = strBody & "Delivery Name: " & Request.Form("dName") & VbCrLf
strBody = strBody & "Delivery Address: " & Request.Form("dAddress") & VbCrLf
strBody = strBody & "Delivery City: " & Request.Form("dCity") & VbCrLf
strBody = strBody & "Delivery Zipcode: " & Request.Form("dZip") & VbCrLf
strBody = strBody & "Delivery Phone: " & Request.Form("dPhone") & VbCrLf
strBody = strBody & "Delivery Instructions: " & Request.Form("dInstructions") & VbCrLf
strBody = strBody & "-----------------------------------------" & VbCrLf & VbCrLf
emailFooter = "CONTACT/BILLING INFORMATION"
strBody = strBody & "CONTACT/BILLING INFORMATION: " & VbCrLf
strBody = strBody & "Billing Name: " & Request.Form("cName") & VbCrLf
strBody = strBody & "Billing Address: " & Request.Form("cAddress") & VbCrLf
strBody = strBody & "Billing City: " & Request.Form("cCity") & VbCrLf
strBody = strBody & "Billing Zipcode: " & Request.Form("cZip") & VbCrLf
strBody = strBody & "Billing Phone: " & Request.Form("cPhone") & VbCrLf
strBody = strBody & "Billing Email: " & Request.Form("cEmail") & VbCrLf
strBody = strBody & "Amount to be paid with Gift Certificate: " & Request.Form("GiftCamount") & VbCrLf
strBody = strBody & "Gift Certificate Number: " & Request.Form("GiftCnumber") & VbCrLf
strBody = strBody & "Amount to be paid with Credit Card: " & Request.Form("cCardAmount") & VbCrLf
strBody = strBody & "Credit Card Type: " & Request.Form("cCard") & VbCrLf
strBody = strBody & "Credit Card Number: " & Request.Form("cCardNumber") & VbCrLf
strBody = strBody & "Credit Card Expiration: " & Request.Form("cCardExpiration") & VbCrLf
strBody = strBody & "-----------------------------------------" & VbCrLf
wantedCartColArray = Array(0,0,0,1,1,1,1)
wantedCartColNamesArray = Array("LineItemTax","LineItemTaxValue","ProductID","Quantity","Name","Price","Total")
wantedCartColFormatArray = Array(false,false,false,false,false,true,true)
currencyTypeArray = Array("$",0,-1,-2,-2,-2)
%>
<%
' UltraCart II Email Order Version 2.01
MailObj.TextBody = UCII.BuildEmailBody(false,emailHeader,emailFooter, _
wantedCartColArray,_
wantedCartColNamesArray,_
wantedCartColFormatArray,_
"Order ID",true,_
"Order Date",true,_
"Sub Total",true,_
"Tax",true,_
"Discount",false,_
"Shipping",false,_
"Shipping Method",false,_
"Grand Total",true,currencyTypeArray)
MailObj.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/sendusing") = 2
MailObj.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/smtpserver") = "localhost"
MailObj.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/smtpserverport") = 25
MailObj.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/smtpconnectiontimeout") = 60
MailObj.Configuration.Fields.Update
MailObj.Send
Set MailObj = nothing
%>
<!--- END CDOSYS CODE --->
I've set up a website contact page which uses CDOSYS to send form details to an email address.
However, the domain is set up such as the client is using their own mail server, and using my server only to host the website.
Ordinarily I would set up hosting with email and change the nameservers of the domain to point to my server, but in this case the client is keeping the nameserver details the same, but just updating the A record to point to my server to display the website.
Trouble is, the CDOSYS email doesn't seem to work with this set-up. Do I need to hard code their mail server IP somewhere to get it to work?
I've been using CDOSYS Mail and this bit of code fine for a year. Well, we wanted to change the method of sending email from the Webserver sending it, to designating a specific SMTP server.
So, I found this code on MSFT's web site (MSFT CDOSYS SMTP ) that will allow me to do this, and it works, except that the redirect command that I have at the end of the file no longer works. I have no idea why.
This is the error I get:
error '8004020f'
/asp/send_email_foundation_conf.asp, line 78
Code: ...........
I am trying to send myself an email using CDOSYS. The error I get is:
CDO.Message.1 (0x80040222)
The pickup directory path is required and was not specified.
My code looks like this: Code:
Has anyone been able to use a variable for the To: line with CDOSYS? When I
put in a specific address like: myMail.To = "webster@thisplace.org" it works
fine. When I put in a variable like: myMail.To = areaDirector it doesn't
work. I did a Response.Write on the areaDirector and it comes out like it's
supposed to: Join Bytes!
Any ideas? Does it have something to do with the quote marks?
Is it possible to run a client side vbscript to send messages using cdo.message and cdo.configuration? What are the requirements to do this? My wks are xp and 2000 and all have cdosys.dll registered. Do I have to have outlook express loaded?
i have workstations that don't have outlook but rather lotus notes and want to send email to an smtp server. these emails have local attachment thus the need to run client script versus server scripts. is this possible or am i on the wrong track.
I'm just looking into modifying a script for an asp page and I've come across this code.
sch = "http://schemas.microsoft.com/cdo/configuration/"
Set cdoConfig = Server.CreateObject("CDO.Configuration")
With cdoConfig.Fields
.Item(sch & "sendusing") = 1
.Item(sch & "smtpserverpickupdirectory") = "c:\Inetpub\mailroot\Pickup"
.update
End With
Set cdoMessage = Server.CreateObject("CDO.Message")
Could someone please explain to me what the sch reference is for and if I need it.
I'm going to create an E-mail message and use CDOSYS to send it. I think it's necessary to understand what's going on before I continue....
I am running Win XP and have installed the IIS SMTP service, however I'm not sure what I need to do to configure both the SMTP service and CDOSYS properly to allow me to send out email from an ASP script.
THE PROBLEM:
What is happening is the email is not sent and goes to the 'c:\Inetpub\mailroot\Queue' folder. I have checked the event viewer and the error I receive is:
Message delivery to the remote domain 'yahoo.com' failed for the following reason: The remote server did not respond to a connection attempt.
I believe the SMTP service isn't setup correctly or I haven't configured CDOSYS properly in my ASP script.
The CDOSYS part of my ASP script is setup as follows (I am using Javascript with ASP btw):
Code: .....
I am new to ASP. I am facing a problem in sending the contact form through email using CDOSYS. The following is the code; the server space works on Microsoft Windows 2003 w/IIS 6.0.
When I press the send button I get an error: The page cannot be displayed and HTTP 500 - Internal server error .....
I recently finished a tutorial on CDONTS and finished putting together the page and form etc. Now I've been reading and it seems CDONTS is being discontinued and CDOSYS is taking over. Does this mean that my CDONTS will not work and I have to transfer it to CDOSYS?
how can i transfer it to cdosys ? or do i have to make a completely new mail script?
Code: ....
I have a CDOSYS mail and it's working OK, but it sends a plain text message. But I want to send with images and links. But when I put a link with image in the .HTMLBody field like <a href="http://www.mysite.com/"><img src="file:///C:/My Documents/image.gif" border="0"></a> I get an error message.
Microsoft VBScript compilation error '800a0401'
Expected end of statement
/cdo/cdosys.asp, line 41 .....
I am trying to get an ASP mailer set up that will send a specified attachment.
I have tried both CDONTS and CDOSYS methods ... both are giving me headaches.
And the best part is how incredibly helpful the error is: (Sarcasm Intended)
Error Type:
(0x80004005)
Unspecified error <-- They should change that error to ... "Good Luck!"
/knowledgetree/emailer-drivers.asp, line 90
I highlighted the above line in the code as well.
Here is the code I am working with: Code:
A client wants a splash page with the option of going to his website with the flash header or the one with the .JPG header.
Now it's only the header that will be different and all the content will be the same. I don't want to make two separate websites, because I'll have to update it twice then. Is there a way to just have the header change, without using frames. Maybe SSI,
I recently built a login page and a friend of mine was working on something similar and said that I need to protect the login from SQL injection. I am not really sure what exactly that is. I think I have a rough idea but can someone explain it to me?
In addition, I will need to obviously protect what I built and am not sure how to go about doing that either.
if anybody has a list of dodgy characters that can be used for sql injection attacks so that i can figure out a way to strip them from user inputs?
Also if somebody was filling in a form, that inserts into a "memo" field in access could this be used to launch such an attack or would whatever they type simply be inserted into the field? i hope that bit is clear.
i have a form field "message" which is a multi line text box, if someone typed into that box
DELETE * FROM Messages WHERE MessageID =1205
or some other command would that simply be inserted in to the database or would the server try and execute the command??
I have heard a lot about SQL Injection. I was wondering how does an injector come to know about the table/column name when they cannot see the asp codes in a website?
How do I test for SQL injection?
Do I do a SELECT statement in my username login?
I just wanted to share it with you guys and ask your opinions. Code:
Is it possible to "intercept" all calls to conn.execute and have them go to
a checking routine that will either let the command go through or terminate
it if it contains some illegal instructions? My client's company has had its
hacker free status revoked due to the possibility of sql injection. I could
put a function before every single conn.execute but we have hundreds of
them. Just wondering if there is some way of telling it to do something else
first. Maybe I can redefine conn.execute somehow?