I admit it: I am a regular reader of the event log. In doing so, I came across an error message last week that I rarely get to see - invalid Viewstate:
Now, that wouldn't be a problem, usually at least. However, in this special case I went WTF? when I looked at the description more closely, especially at the PersistedState information:
PersistedState: a
Content-Transfer-Encoding: 8bit
Content-Type: text/plain
X-Mailer: EMUmail 4.5
Subject: jam n
bcc: <list of addresse removed by me />
comes from the loin in the middle of the back of the pig. t is a lean meaty
cut of bacon, with relatively less fat compared to other cuts. iddle bacon
is much like back bacon
daa6c5071189f202ceb370d0e9d38c33
.
Come again - spam in Viewstate? What would be the point of this? After some research together with Alex I came across this article: Interesting Crack Attempt to Relay Spam (a more detailed article is available too: Form Post Hijacking). How did I manage to not take notice of this attack vector any earlier I don't know, but I have to admit that the idea is pretty clever.
Counter-measures in general? Well, either don't allow users input in the headers at all, or vet the form fields for carriage return / line feeds. Note that I did not verify if any of the available mail components for .NET would be actually susceptible to this kind of attack.