Re: mail forms being abused

Posted by Shooter on 12/11/06 14:51

I think this is working - I got 2 new attempts this morning. I can see where
they still input the "Content-Transfer-Encoding: quoted-printable
Content-Type: text/html Subject: [spam]...", but they include the BCC in the
field that I have for interested parties to submit their URL for me to
review. I can't tell from what I'm seeing online -- will the mail injection
work on ANY field in the form? Or can the CC or BCC be included only in the
FROM field? Do I need to apply the preprocessHeaderField function on ALL
fields in the form? I want to ensure that the BCC I'm seeing in the website
field didn't actually generate a spam to someone else.

Thanx,
Wm



"J.O. Aho" <user@example.net> wrote in message
news:4tvfnvF15lh0rU1@mid.individual.net...
> Shooter wrote:
>> I'm getting hit by a LOT of people using my mail forms (I think) to route
>> a lot of spam through my server. I see some of them come back to me, but
>> am not sure how much is going out to the real world. What's the best way
>> to block people injecting BCC: or CC: into my mail forms to spam people?
>> My attempts at replacing the BCC or CC aren't working, and my attempts to
>> kill the PHP script when a BCC or CC is detected is failing. How are
>> others protecting their php mail() forms from this?
>
> It's the usual non-filtered FROM that is used directly in mail();
> each row in a header has to end with a \n\r, so you should be able to
> explode() the $from and then look in the array for a cell with a valid
> format for an e-mail address.
>
> Here is a function that does it for you
>
> <?php
> /**
> * Clears header field to avoid injection
> * http://www.anders.com/projects/sysadmin/formPostHijacking/
> *
> http://www.davidseah.com/archives/2005/09/01/wp-contact-form-spam-attack/
> */
> function preprocessHeaderField($value)
> {
> // Remove line feeds: without CR/LF no extra header line can be started
> $ret = str_replace("\r", "", $value);
> $ret = str_replace("\n", "", $ret);
>
> // Remove injected headers (note that /cc\:/i also matches "bcc:")
> $find = array("/bcc\:/i",
> "/Content\-Type\:/i",
> "/Mime\-Type\:/i",
> "/cc\:/i",
> "/to\:/i");
> $ret = preg_replace($find,
> "",
> $ret);
>
> return $ret;
> }
> ?>
>
> You include the file to the script where you use the mail(), you process
> the $from variable before you use it in the mail(), example
>
> mail('myemail@example.com', 'The subject is this', $message,
> preprocessHeaderField($from));
>
> This should keep the spammer spamming only you; if you want, you could make the
> function return false if the header isn't okay
>
> /* this works only if you have modified the function to return the header
> or false */
> if($new_from=preprocessHeaderField($from)) {
> mail('myemail@example.com', 'The subject is this', $message,
> $new_from);
> }
>
>
> //Aho
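The question above (does injection work in any field, and must every field be preprocessed?) comes down to which values end up in the message headers. Below is an added example, written for this page and not code from either poster: it treats the fields that reach mail()'s headers (the From address and the Subject) differently from body fields such as the website field, rejects rather than strips a header-bound value that contains a line break, and runs three constructed submissions through the check. The field names, the hard-coded recipient and the sample submissions are assumptions.

```php
<?php
// Added example (not from the thread). Header injection only matters for
// values placed into the e-mail headers: the 4th argument of mail()
// (From/Reply-To/Cc lines), the Subject, and the To address. A "Bcc:" typed
// into a body field such as the website field travels inside the message
// body as ordinary text and does not create a Bcc header; the mail still
// goes only to the recipient hard-coded by the site.

/**
 * A value is safe for a header only if it contains no CR, LF or NUL byte.
 * We reject instead of stripping, so the submission can be dropped and
 * logged; a stripped header may still carry the injected text.
 */
function isSafeHeaderValue(string $value): bool
{
    return preg_match('/[\r\n\0]/', $value) !== 1;
}

/**
 * Validates a From address. FILTER_VALIDATE_EMAIL refuses anything with
 * whitespace or newlines, so a multi-line From that smuggles Bcc/Cc lines
 * fails here as well.
 */
function isValidAddress(string $address): bool
{
    return isSafeHeaderValue($address)
        && filter_var($address, FILTER_VALIDATE_EMAIL) !== false;
}

/**
 * Builds the mail() arguments from the form fields, or returns null and
 * fills $reason when a header-bound field fails validation.
 * $to is fixed by the site and never taken from the form.
 */
function buildMail(array $fields, string $to, ?string &$reason = null): ?array
{
    $from    = trim($fields['from'] ?? '');
    $subject = trim($fields['subject'] ?? '');
    $website = $fields['website'] ?? '';   // body field (assumed name)
    $message = $fields['message'] ?? '';   // body field (assumed name)

    if (!isValidAddress($from)) {
        $reason = 'invalid or multi-line From address';
        return null;
    }
    if (!isSafeHeaderValue($subject)) {
        $reason = 'line break in Subject';
        return null;
    }

    // Body fields never reach the headers, so "Bcc:" text here is inert.
    $body    = "Website: $website\n\n$message";
    $headers = "From: $from\r\nReply-To: $from\r\n";

    return ['to' => $to, 'subject' => $subject, 'body' => $body, 'headers' => $headers];
}

// Constructed sample submissions, modelled on what the poster describes.
$samples = [
    'legit' => [
        'from'    => 'visitor@example.org',
        'subject' => 'Please review my site',
        'website' => 'http://www.example.org/',
        'message' => 'Hello, could you take a look?',
    ],
    // Bcc in the website (body) field: stays in the body, delivered only to $to
    'bcc-in-body-field' => [
        'from'    => 'visitor@example.org',
        'subject' => 'Please review my site',
        'website' => "http://www.example.org/\nBcc: someone@example.net",
        'message' => 'Hello',
    ],
    // Bcc smuggled into From via CRLF: the real injection, must be refused
    'bcc-in-from' => [
        'from'    => "visitor@example.org\r\nBcc: someone@example.net\r\nContent-Type: text/html",
        'subject' => 'Please review my site',
        'website' => 'http://www.example.org/',
        'message' => 'Hello',
    ],
];

foreach ($samples as $name => $fields) {
    $reason = null;
    $mail = buildMail($fields, 'myemail@example.com', $reason);
    if ($mail === null) {
        echo "$name: REJECTED ($reason)\n";
        continue;
    }
    // mail($mail['to'], $mail['subject'], $mail['body'], $mail['headers']);
    echo "$name: OK, headers=" . json_encode($mail['headers']) . "\n";
}
```

Run from the command line with php; the first two submissions are accepted (the second carries "Bcc:" only inside the body text) and the third is rejected because its From value spans several lines. The same check belongs on any other field you decide to place in a header, and on nothing else.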


Copyright © 2005-2006 Powered by Custom PHP Programming
