> On Dec 4, 2016, at 12:58 AM, @lbutlr <krem...@kreme.com> wrote:
>
>> MAIL FROM<"<script
>> type='text/javascript'>alert('xss');</script>"@example.com>
>
> That results in "501 5.5.4 Syntax: MAIL FROM:<address>"

There's a missing ":" after FROM. In any case, even if a particular exploit mechanism fails, or even all attacks happen to fail, what you're doing is still unwise.

--
Viktor.