Posted by J.O. Aho on 12/09/06 09:59
Shooter wrote:
> I'm getting hit by a LOT of people using my mail forms (I think) to route a
> lot of spam through my server. I see some of them come back to me, but am
> not sure how much is going out to the real world. What's the best way to
> block people injecting BCC: or CC: into my mail forms to spam people? My
> attempts at replacing the BCC or CC aren't working, and my attempts to kill
> the PHP script when a BCC or CC is detected are failing. How are others
> protecting their php mail() forms from this?
It's the usual unfiltered FROM that is used directly in mail(). Each row in
a header has to end with a \n\r, so you should be able to explode() the
$from and then look in the array for a cell with a valid format for an
e-mail address.
Here is a function that does it for you:
<?php
/**
 * Clears header field to avoid injection
 * http://www.anders.com/projects/sysadmin/formPostHijacking/
 * http://www.davidseah.com/archives/2005/09/01/wp-contact-form-spam-attack/
 */
function preprocessHeaderField($value)
{
    // Remove line feeds (CR and LF), so no second header line can be started
    $ret = str_replace("\r", "", $value);
    $ret = str_replace("\n", "", $ret);
    // Remove injected headers
    $find = array("/bcc\:/i",
                  "/Content\-Type\:/i",
                  "/Mime\-Type\:/i",
                  "/cc\:/i",
                  "/to\:/i");
    $ret = preg_replace($find, "", $ret);
    return $ret;
}
?>
You include the file in the script where you use mail(), and process the
$from variable before you use it in mail(), for example:
mail('myemail@example.com', 'The subject is this', $message,
preprocessHeaderField($from));
This should keep the spammer spamming just you. If you want, you could make
the function return false if the header isn't okay:
/* this works only if you have modified the function to return the header or
   false */
if ($new_from = preprocessHeaderField($from)) {
    mail('myemail@example.com', 'The subject is this', $message, $new_from);
}
//Aho
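As an added example (not code from the original post), here is a stricter take on the same idea: the From value is refused outright instead of being cleaned, so a rejected submission never reaches mail() at all. The function name, the 254-character limit and the sample inputs are my own assumptions.

```php
<?php
/**
 * Returns a ready-to-use "From:" header line, or false if the submitted
 * value is not a single plain e-mail address. Rejecting is safer than
 * stripping: there is nothing left to guess about what survived.
 */
function safeFromHeader(string $value)
{
    // Any CR or LF is refused on sight; a second header line (Bcc:, Cc:,
    // Content-Type: ...) can only be injected through one of these.
    if (preg_match('/[\r\n]/', $value)) {
        return false;
    }
    // Only a bare address is accepted. Display names, angle brackets and
    // anything else a contact form does not need are rejected, not repaired.
    $addr = filter_var(trim($value), FILTER_VALIDATE_EMAIL);
    if ($addr === false || strlen($addr) > 254) {   // 254: assumed sane cap
        return false;
    }
    return 'From: ' . $addr . "\r\n";
}

// Constructed sample inputs, as a web form might submit them.
$samples = [
    'alice@example.com',
    "alice@example.com\r\nBcc: someone@example.org",
    "alice@example.com\nContent-Type: text/html",
    'Alice <alice@example.com>',
    '',
];
foreach ($samples as $s) {
    $h = safeFromHeader($s);
    printf("%-55s => %s\n", json_encode($s), $h === false ? 'REJECTED' : trim($h));
}

// Wiring it into the form handler: only a validated header reaches mail().
// $header = safeFromHeader($_POST['from'] ?? '');
// if ($header !== false) {
//     mail('myemail@example.com', 'The subject is this', $message, $header);
// } else {
//     // log the rejected value and show the user an error instead
// }
```

Only the first sample passes; the two with line breaks, the display-name form and the empty string are all rejected, and the rejected ones are worth logging, since a burst of them is the clearest sign that the form is being probed.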