Email injection

I'm looking up information about the recent increase in email injection attempts we're seeing. I was about to implement the removal of \n and \r from header fields as suggested all over the net, but then I saw the post on the PHP mail() page - http://php.net/mail/ - stating that injected headers don't even need to use \n or \r.

Does anybody have a definitive answer to this, or know the safe way to check the vulnerable fields?
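
An added example, not part of the original post: one way to check the header fields of a contact form by allow-list validation, rejecting a request outright instead of stripping characters from it. The function names, the form keys (`email`, `subject`, `message`) and the example.org/example.com/example.net addresses are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Reject (do not strip) values containing any ASCII control character:
// this covers CR, LF, NUL and the rest of \x00-\x1F plus DEL.
function is_safe_header_text(string $value, int $maxLen = 200): bool
{
    if ($value === '' || strlen($value) > $maxLen) {
        return false;
    }
    return preg_match('/[\x00-\x1F\x7F]/', $value) === 0;
}

// An address field must be exactly one syntactically valid address.
function is_safe_address(string $value): bool
{
    return is_safe_header_text($value, 254)
        && filter_var($value, FILTER_VALIDATE_EMAIL) !== false;
}

// Returns the argument list for mail(), or null if a field fails validation.
// $recipient is fixed by the site and never taken from the form.
function build_contact_mail(array $form, string $recipient): ?array
{
    $replyTo = (string)($form['email'] ?? '');
    $subject = (string)($form['subject'] ?? '');
    $body    = (string)($form['message'] ?? '');

    if (!is_safe_address($replyTo) || !is_safe_header_text($subject)) {
        return null; // drop and log the request instead of "cleaning" it
    }
    // Site-owned From address; the visitor's address appears only in Reply-To.
    $headers = "From: webform@example.org\r\nReply-To: {$replyTo}";
    return [$recipient, $subject, $body, $headers];
}

// Constructed sample inputs (not taken from real traffic).
$samples = [
    'plain'      => ['email' => 'alice@example.com', 'subject' => 'Hello', 'message' => 'Hi'],
    'crlf-email' => ['email' => "alice@example.com\r\nBcc: x@example.net", 'subject' => 'Hi', 'message' => 'Hi'],
    'lf-subject' => ['email' => 'bob@example.com', 'subject' => "Hi\nCc: x@example.net", 'message' => 'Hi'],
];
foreach ($samples as $name => $form) {
    $args = build_contact_mail($form, 'owner@example.org');
    echo $name, ': ', $args === null ? 'rejected' : 'accepted', PHP_EOL;
}
```

The checks run on the values as PHP receives them, so they must be applied to every user-controlled value that ends up in the `$to`, `$subject` or additional-headers arguments of `mail()`.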
