  1. #1
    Silverado4x4 (HI silver trophy), joined Jan 2001, USA, 953 posts

    Someone using Contact form to send spam...

    Someone sent a mass email using the "Contact Us" form which is supposed to send an email only to the administrator. Here is what the headers look like:

    PHP Code:
    $headers  = "MIME-Version: 1.0\n";
    $headers .= "Content-type: text/plain; charset=iso-8859-1\n";
    $headers .= "X-Priority: 3\n";
    $headers .= "X-MSMail-Priority: Normal\n";
    $headers .= "X-Mailer: php\n";
    // the two POST fields go straight into the From header, unchecked
    $headers .= "From: \"".$_POST['name']."\" <".$_POST['email'].">\n";
    Here is the text that was submitted:
    Code:
    Content-Type: text/plain; charset="us-ascii"
    MIME-Version: 1.0
    Content-Transfer-Encoding: 7bit
    Subject: Rated 10 of 10
    bcc:
    email@email.com,
    email@email.com,
    email@email.com,
    email@email.com,
    email@email.com,
    email@email.com,

    ~spam message~
    Is it possible that they somehow altered the headers by inputting something into the form? How can I prevent this from happening in the future? Right now it is disabled.

  2. #2
    SitePoint Evangelist, joined May 2003, 590 posts
    Somehow, because you are modifying the 'headers' for the email, they were able to pass "bcc: etc,etc", so just check _before_ the mail() function that there is no "bcc" in the $headers var, and if you find one, take appropriate action (probably don't send the email at all).

    HTH

  3. #3
    Lats (SitePoint Wizard), joined Jun 2003, Melbourne, AU, 1,142 posts
    Do a check in your processing script...
    PHP Code:
    // case-insensitive check for a pasted header block in the message body;
    // the original used eregi(), which was removed in PHP 7, so stripos() does the same literal match
    if (stripos($message, "MIME-Version") !== false)
    {
        $message = "Spammer Caught\n\n";
    }
    Some people throw up a notice showing the spammer that they have failed, whereas I prefer to let them think they got away with it. I then add their IP to my hosts_deny file.
    Lats...

  4. #4
    allstar (SitePoint Zealot), joined Sep 2005, in my box., 126 posts
    Quote: $_POST['name']
    You are giving them free access to inject headers. You didn't even check to see if what they were doing is anything wrong.

    Something that will help you out: filter the content of the $_POST variables.
    PHP Code:
    function sanitize($content)
    {
        $parsed = $content;
        $parsed = htmlentities($parsed);
        $parsed = strip_tags($parsed);
        $parsed = stripslashes($parsed);
        // note: single-quoted '\r' is the two characters backslash and r, not a carriage return
        $parsed = str_replace('\r', '', $parsed);
        $parsed = trim($parsed);
        return $parsed;
    }

  5. #5
    Silverado4x4 (HI silver trophy), joined Jan 2001, USA, 953 posts
    Thanks everyone for your help -- it is very much appreciated.

  6. #6
    SitePoint Addict, joined Aug 2004, Chicago, 296 posts
    Quote Originally Posted by allstar
    You are giving them free access to inject headers. You didn't even check to see if what they were doing is anything wrong.

    Something that will help you out: filter the content of the $_POST variables.
    PHP Code:
    function sanitize($content)
    {
        $parsed = $content;
        $parsed = htmlentities($parsed);
        $parsed = strip_tags($parsed);
        $parsed = stripslashes($parsed);
        // note: single-quoted '\r' is the two characters backslash and r, not a carriage return
        $parsed = str_replace('\r', '', $parsed);
        $parsed = trim($parsed);
        return $parsed;
    }
    \r needs to be in double quotes. You should also check for \n, but...
    PHP Code:
    function sanitize($content)
    {
        $parsed = $content;
        $parsed = htmlentities($parsed);
        $parsed = strip_tags($parsed);
        $parsed = stripslashes($parsed);
        // removes both types of line endings (double quotes so "\r" and "\n" are real control characters)
        $parsed = str_replace(array("\r", "\n"), '', $parsed);
        $parsed = trim($parsed);
        return $parsed;
    }
    Why's (Poignant) Guide to Ruby
    learn ruby with foxes, wizards, and chunky bacon
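Putting the advice in posts #2 to #6 together, here is an added example, not code from the thread: a contact-form mail step that refuses CR/LF in the header fields before mail() runs, validates the address with filter_var(), and keeps the From header fixed instead of built from $_POST. PHP 7+, the field names 'name', 'email' and 'message', and the admin and noreply addresses are assumptions.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7+ and form fields
// 'name', 'email' and 'message'; the admin and From addresses are placeholders.
// A CR or LF inside a header value ends that header line, so a submitted name
// or address containing one can append its own Bcc:/Subject: lines.
function has_header_injection(string $value): bool
{
    return preg_match('/[\r\n\x00]/', $value) === 1;
}
// Returns the names of the fields that fail validation; an empty array means OK.
function validate_contact_input(array $post): array
{
    $name    = trim($post['name'] ?? '');
    $email   = trim($post['email'] ?? '');
    $message = $post['message'] ?? '';
    $errors  = [];
    if ($name === '' || strlen($name) > 100 || has_header_injection($name)) {
        $errors[] = 'name';
    }
    // FILTER_VALIDATE_EMAIL rejects addresses containing spaces, CR/LF or a
    // second address, so a valid result can never open a new header line.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email';
    }
    // The body is passed to mail() separately and cannot add headers, but a pasted
    // header block like the sample in post #1 is a reliable sign of an injection probe.
    if (preg_match('/^(bcc|cc|to|subject|mime-version|content-type)\s*:/im', $message) === 1) {
        $errors[] = 'message';
    }
    return $errors;
}
function send_contact_mail(array $post, string $admin): bool
{
    $errors = validate_contact_input($post);
    if ($errors !== []) {
        // Log for the operator and send nothing; never echo the raw input back.
        error_log('contact form rejected fields [' . implode(',', $errors) . '] from '
            . ($_SERVER['REMOTE_ADDR'] ?? 'unknown'));
        return false;
    }
    // Header values are fixed strings; only the validated address is reused,
    // and only in Reply-To, so the site cannot be used as a relay.
    $headers = [
        'MIME-Version: 1.0',
        'Content-Type: text/plain; charset=UTF-8',
        'From: Contact Form <noreply@example.com>',
        'Reply-To: ' . trim($post['email']),
    ];
    return mail($admin, 'Contact form submission', $post['message'], implode("\r\n", $headers));
}
```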

  7. #7
    M.Zeb Khan (Smart programmer, silver trophy), joined Jan 2004, Luton, Beds, 1,792 posts
    Quote Originally Posted by Lats
    // the original used eregi(), which was removed in PHP 7; stripos() does the same literal match
    if (stripos($message, "MIME-Version") !== false)
    {
        $message = "Spammer Caught\n\n";
    }
    HEY! What does that really do? Is MIME-Version only contained in emails which use BCC and CC, or?

  8. #8
    REMIYA (SitePoint Wizard), joined May 2005, 1,351 posts
    Quote Originally Posted by bjcffnet
    \r needs to be in double quotes.
    There is no difference in what kind of quotes are used.

    About the mail script: the whole code is not given, so no assumptions are to be made before it is seen.

