Reply to Re: mail forms being abused

Posted by J.O. Aho on 12/09/06 09:59

Shooter wrote:
> I'm getting hit by a LOT of people using my mail forms (I think) to route a
> lot of spam through my server. I see some of them come back to me, but am
> not sure how much is going out to the real world. What's the best way to
> block people injecting BCC: or CC: into my mail forms to spam people? My
> attempts at replacing the BCC or CC aren't working, and my attempts to kill
> the PHP script when a BCC or CC is detected is failing. How are others
> protecting their php mail() forms from this?

It's the usual non-filtered FROM that is used directly in mail(); each row
in a header has to end with a \n\r, so you should be able to explode() the
$from and then look through the array for a cell with a valid format for an
e-mail address.

Here is a function that does it for you:

<?php
/**
 * Clears a header field to avoid header injection
 * http://www.anders.com/projects/sysadmin/formPostHijacking/
 * http://www.davidseah.com/archives/2005/09/01/wp-contact-form-spam-attack/
 */
function preprocessHeaderField($value)
{
    // Remove carriage returns and line feeds: without a line break the
    // attacker cannot start a new header line (Bcc:, Cc:, ...)
    $ret = str_replace("\r", "", $value);
    $ret = str_replace("\n", "", $ret);

    // Remove header names that may still be left on the same line
    $find = array("/bcc\:/i",
                  "/Content\-Type\:/i",
                  "/Mime\-Type\:/i",
                  "/cc\:/i",
                  "/to\:/i");
    $ret = preg_replace($find, "", $ret);

    return $ret;
}
?>

You include the file in the script where you use mail(), and you process the
$from variable before you use it in mail(). Example:

// $from is the address submitted through the form; the header name itself
// is fixed, only the value comes from the user
mail('myemail@example.com', 'The subject is this', $message,
     'From: ' . preprocessHeaderField($from));

This should keep the spammer spamming only you. If you want, you could make the
function return false if the header isn't okay:

/* this works only if you have modified the function to return the header or
   false */
if ($new_from = preprocessHeaderField($from)) {
    mail('myemail@example.com', 'The subject is this', $message,
         'From: ' . $new_from);
}


//Aho
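Added example, not part of Aho's post or the linked projects: the stripping approach above silently repairs a hostile value, whereas the usual practitioner's choice is to reject the submission outright if the field contains a line break or is not a single valid address, and to keep the header names fixed in code. The function names (safeHeaderAddress, buildHeaders, sendContactForm), the injectable $mailer callback and the payload strings are all constructed for this example.

```php
<?php
/*
 * Added example (not from the original post): reject, rather than strip,
 * form values that would end up in mail() headers. The function names and
 * the sample payloads below are constructed for illustration.
 */

/**
 * Returns the address if it is safe to place in a header, otherwise false.
 * Any CR or LF is the injection vector, so its presence is grounds to reject
 * the whole submission instead of trying to clean it.
 */
function safeHeaderAddress($value)
{
    if (preg_match('/[\r\n]/', $value)) {
        return false;
    }
    // FILTER_VALIDATE_EMAIL accepts exactly one syntactically valid address,
    // so a "Bcc:" smuggled onto the same line is rejected as well.
    $clean = filter_var(trim($value), FILTER_VALIDATE_EMAIL);
    return $clean === false ? false : $clean;
}

/**
 * Builds the additional-headers string for mail() from an already-validated
 * address. Header names are fixed here; user input only ever becomes a value.
 */
function buildHeaders($from)
{
    return "From: " . $from . "\r\n"
         . "Reply-To: " . $from . "\r\n";
}

/**
 * Sends the contact form, or returns false without ever calling mail().
 * $mailer is a callable so the flow can be exercised without an MTA.
 */
function sendContactForm($from, $message, $mailer = 'mail')
{
    $address = safeHeaderAddress($from);
    if ($address === false) {
        return false;
    }
    return $mailer('myemail@example.com', 'Contact form', $message,
                   buildHeaders($address));
}

// ---- Constructed demonstration payloads ----------------------------------
$payloads = array(
    "alice@example.com",                                                   // legitimate
    "alice@example.com\r\nBcc: victim1@example.net, victim2@example.net",  // classic injection
    "alice@example.com\nCc: victim@example.net",                           // bare LF, also accepted by many MTAs
    "alice@example.com Bcc: victim@example.net",                           // no line break, but not one address
);

foreach ($payloads as $p) {
    $ok = safeHeaderAddress($p);
    printf("%-72s => %s\n", addcslashes($p, "\r\n"),
           $ok === false ? 'REJECTED' : 'OK: ' . $ok);
}

// Dry-run mailer that records what would have been handed to mail().
$sent = array();
$fake = function ($to, $subject, $body, $headers) use (&$sent) {
    $sent[] = compact('to', 'subject', 'body', 'headers');
    return true;
};

var_dump(sendContactForm($payloads[1], "hello", $fake)); // bool(false), nothing recorded
var_dump(sendContactForm($payloads[0], "hello", $fake)); // bool(true)
print_r($sent);                                           // one message, headers built by buildHeaders()
```

The difference from the strip-and-continue function above is that a rejected value never reaches mail() at all, so a spammer who is probing the form gets no delivery to anyone, including you. Pass the real PHP mail function (the default) in production and the closure only when testing.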

Copyright © 2005-2006 Powered by Custom PHP Programming
