I admit it: I am a regular reader of the event log. In doing so, I came across an error message last week that I rarely get to see - invalid Viewstate:
Now, that wouldn't be a problem, usually at least. However, in this special case I went WTF? when I looked at the description more closely, especially at the PersistedState information:
PersistedState: aContent-Transfer-Encoding: 8bitContent-Type: text/plainX-Mailer: EMUmail 4.5Subject: jam nbcc: <list of addresse removed by me />
comes from the loin in the middle of the back of the pig. t is a lean meaty cut of bacon, with relatively less fat compared to other cuts. iddle bacon is much like back bacon
daa6c5071189f202ceb370d0e9d38c33.
Come again - spam in Viewstate? What would be the point of this? After some research together with Alex I came across this article: Interesting Crack Attempt to Relay Spam (a more detailed article is available too: Form Post Hijacking). How did I manage to not take notice of this attack vector any earlier I don't know, but I have to admit that the idea is pretty clever.
Counter-measures in general? Well, either don't allow users input in the headers at all, or vet the form fields for carriage return / line feeds. Note that I did not verify if any of the available mail components for .NET would be actually susceptible to this kind of attack.
