Posted by Shooter on 12/11/06 14:51
I think this is working - I got 2 new attempts this morning. I can see where
they still input the "Content-Transfer-Encoding: quoted-printable
Content-Type: text/html Subject: [spam]...", but they include the BCC in the
field that I have for interested parties to submit their URL for me to
review. I can't tell from what I'm seeing online -- will the mail injection
work on ANY field in the form? Or can the CC or BCC be included only in the
FROM field? Do I need to apply the preprocessHeaderField function on ALL
fields in the form? I want to ensure that the BCC I'm seeing in the website
field didn't actually generate a spam to someone else.
Thanx,
Wm
"J.O. Aho" <user@example.net> wrote in message
news:4tvfnvF15lh0rU1@mid.individual.net...
> Shooter wrote:
>> I'm getting hit by a LOT of people using my mail forms (I think) to route
>> a lot of spam through my server. I see some of them come back to me, but
>> am not sure how much is going out to the real world. What's the best way
>> to block people injecting BCC: or CC: into my mail forms to spam people?
>> My attempts at replacing the BCC or CC aren't working, and my attempts to
>> kill the PHP script when a BCC or CC is detected is failing. How are
>> others protecting their php mail() forms from this?
>
> It's the usual non-filtered FROM that is used directly in mail();
> each row in a header has to end with a \n\r, so you should be able to
> explode() the $from and then look in the array for a cell with a valid
> format for an e-mail address.
>
> Here is a function that does it for you
>
> <?php
> /**
> * Clears header field to avoid injection
> * http://www.anders.com/projects/sysadmin/formPostHijacking/
> *
> http://www.davidseah.com/archives/2005/09/01/wp-contact-form-spam-attack/
> */
> function preprocessHeaderField($value)
> {
> //Remove line feeds
> $ret = str_replace("\r", "", $value);
> $ret = str_replace("\n", "", $ret);
>
> // Remove injected headers
> $find = array("/bcc\:/i",
> "/Content\-Type\:/i",
> "/Mime\-Type\:/i",
> "/cc\:/i",
> "/to\:/i");
> $ret = preg_replace($find,
> "",
> $ret);
>
> return $ret;
> }
> ?>
>
> You include the file in the script where you use mail(), and you process
> the $from variable before you use it in mail(), for example:
>
> mail('myemail@example.com', 'The subject is this', $message,
> preprocessHeaderField($from));
>
> This should keep the spammer to just spamming you; if you want, you could make the
> function return false if the header isn't okay.
>
> /* this works only if you have modified the function to return the header
> or false */
> if ($new_from = preprocessHeaderField($from)) {
> mail('myemail@example.com', 'The subject is this', $message,
> $new_from);
> }
>
>
> //Aho
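As an added example (not code from either poster in this thread), here is a stricter variant of the same idea: rather than stripping the injected header labels, the form handler refuses to call mail() at all when a header-bound value contains a line break or a header label, and validates the address with filter_var(). Function names and the sample inputs are my own assumptions; the samples mimic the injected text quoted above.

```php
<?php
// Added example, not from the thread. Any form value that ends up in a
// header (From, Reply-To, and the Subject argument, which is a header too)
// must be checked; a value that only goes into the message body cannot
// create new headers on its own.

/** True if $value can sit on one header line without starting another. */
function headerValueIsClean(string $value): bool
{
    // A CR or LF inside the value terminates the current header line and
    // lets the rest of the value become Bcc:, Content-Type: and so on.
    if (preg_match('/[\r\n]/', $value)) {
        return false;
    }
    // A header label embedded in an address or subject is never legitimate.
    return !preg_match('/\b(bcc|cc|to|content-type|mime-version)\s*:/i', $value);
}

/** Returns the validated sender address, or null if it must be rejected. */
function validSenderAddress(string $from): ?string
{
    $from = trim($from);
    if (!headerValueIsClean($from)) {
        return null;
    }
    $email = filter_var($from, FILTER_VALIDATE_EMAIL);
    return $email === false ? null : $email;
}

/** Builds the additional_headers argument for mail(), or null to refuse. */
function buildMailHeaders(string $from): ?string
{
    $sender = validSenderAddress($from);
    return $sender === null ? null : "From: $sender\r\nReply-To: $sender\r\n";
}

// Constructed sample inputs resembling the injection described in the thread.
$samples = [
    'reader@example.org',
    "reader@example.org\r\nBcc: victim1@example.net, victim2@example.net",
    "x@example.org\nContent-Type: text/html\nSubject: [spam]",
    'friend@example.org Bcc: victim@example.net',
];
foreach ($samples as $s) {
    $headers = buildMailHeaders($s);
    printf("%-58s => %s\n", addcslashes($s, "\r\n"),
        $headers === null ? 'REJECTED, mail() not called' : 'ok');
}
```

Only the first sample yields headers; for the others the handler should skip mail() and log the attempt, so a spam run produces no outbound message at all instead of a stripped one.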