
PHP mailer

Hi

I am at my wits' end! I have a PHP script running that captures variables
posted from a form on the previous page. The script then emails the
results using the mail() function.

The script is currently being spammed in two ways:

1) The page is being loaded directly, therefore emailing blank results
2) The variables are made up of an accepted email address (all variables
are filled with it). This email address is random, created using any
combinations of characters before the accepted domain.

Does anyone have any ideas of how I can stop this? The mails are
exceeding 60 per day now! Obviously it is some form of program doing it
but I don't know of a way that I can stop it, either to restrict the
variables or the script page or what?

Any help would be much appreciated!

Paul :s

marshallrp AT gmail DOT com

Sep 14 '05 #1


"Paul Marshall" <ma********@gmail.com> wrote in message
news:43***********************@ptn-nntp-reader03.plus.net...
| Hi
|
| I am at my wits' end! I have a PHP script running that captures variables
| posted from a form on the previous page. The script then emails the
| results using the mail() function.
|
| The script is currently being spammed in two ways:
|
| 1) The page is being loaded directly, therefore emailing blank results
| 2) The variables are made up of an accepted email address (all variables
| are filled with it). This email address is random, created using any
| combinations of characters before the accepted domain.

Try this...

// array_pop() needs a real variable, so split the address into a variable first
$parts = explode("@", $_POST["email_address"]);
if (!checkdnsrr(array_pop($parts), "MX"))
{
$message='That email address does not seem to be valid';
}

D.
Sep 14 '05 #2

Paul Marshall wrote:
Hi

I am at my wits' end! I have a PHP script running that captures variables
posted from a form on the previous page. The script then emails the
results using the mail() function.

The script is currently being spammed in two ways:

1) The page is being loaded directly, therefore emailing blank results
2) The variables are made up of an accepted email address (all variables
are filled with it). This email address is random, created using any
combinations of characters before the accepted domain.

Does anyone have any ideas of how I can stop this? The mails are
exceeding 60 per day now! Obviously it is some form of program doing
it but I don't know of a way that I can stop it, either to restrict
the variables or the script page or what?

Any help would be much appreciated!


If all the fields are always being filled out with the same info then
check for that ie if they're all the same and they all contain your
email address then don't send the email.

I've noticed this happening on some of the sites I manage. Generally
what's actually happening is they're inserting a newline break in one
of the fields and attempting to add additional headers to the email
(including mime type headers to make it into a multipart document and
hide the rest of the submitted data).

The way I've been combating this is to check none of the single line
fields (eg first name, last name etc) contain newline characters, and
none of the multi line fields (eg message) contain 'Content-Type:',
'multipart/mixed' or 'boundary='. If any of them match the above then
they get a message back saying the form contained invalid data.

--
Chris Hope | www.electrictoolbox.com | www.linuxcdmall.com
Sep 14 '05 #3
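The checks Chris describes above (no line breaks in single-line fields, no MIME header tokens in the message body), written out as an added example; this is not code from the thread, and the field names, the token list and the two sample submissions are constructed for it.

```php
<?php
// Added example (not code from the thread): check contact-form fields for
// mail header injection before anything is passed to mail().
//   * single-line fields (name, email, subject) may not contain CR or LF;
//   * the multi-line message may contain line breaks, but not the MIME tokens
//     that would turn the body into a multipart message;
//   * the address must pass FILTER_VALIDATE_EMAIL, a syntax check that needs
//     no DNS lookup.
// Field names and the two sample submissions are constructed for this example.

function validateContactForm(array $post): array
{
    $errors = [];
    $singleLine = ['name', 'email', 'subject'];
    // Tokens that belong in a MIME header, never in a free-text message.
    $headerTokens = ['content-type:', 'multipart/mixed', 'boundary=', 'bcc:', 'cc:', 'mime-version:'];

    foreach ($singleLine as $field) {
        $value = isset($post[$field]) ? (string) $post[$field] : '';
        if (preg_match('/[\r\n]/', $value) === 1) {
            $errors[$field] = 'line break in single-line field';
        }
    }

    $message = strtolower(isset($post['message']) ? (string) $post['message'] : '');
    foreach ($headerTokens as $token) {
        if (strpos($message, $token) !== false) {
            $errors['message'] = 'header token "' . $token . '" in message body';
            break;
        }
    }

    $email = isset($post['email']) ? (string) $post['email'] : '';
    if (!isset($errors['email']) && filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'not a valid address';
    }
    return $errors;
}

// Build the mail() arguments only from validated data. From is a fixed address
// on the site's own domain and the visitor's address goes into Reply-To, so
// nothing typed by the visitor is concatenated into the header block unchecked.
// The header string carries no trailing CRLF; mail() separates headers and body.
function buildMailArguments(array $post, string $recipient, string $fromAddress): array
{
    $headers = "From: Website Contact <{$fromAddress}>\r\n"
             . "Reply-To: {$post['email']}\r\n"
             . "Content-Type: text/plain; charset=UTF-8";
    $body = "Name: {$post['name']}\r\n\r\n{$post['message']}";
    return [$recipient, 'Contact form: ' . $post['subject'], $body, $headers];
}

// Constructed sample submissions, not captured traffic.
$good = ['name' => 'Alice Example', 'email' => 'alice@example.com',
         'subject' => 'Quote request', 'message' => "Hello,\nplease call me back."];
$bad  = ['name' => 'Alice Example', 'email' => "alice@example.com\r\nbcc: x@example.net",
         'subject' => 'Quote request', 'message' => "Content-Type: multipart/mixed; boundary=abc"];

var_dump(validateContactForm($good)); // empty array: accepted
var_dump(validateContactForm($bad));  // errors on 'email' and 'message': rejected

if (validateContactForm($good) === []) {
    [$to, $subject, $body, $headers] = buildMailArguments($good, 'you@example.com', 'noreply@example.com');
    // mail($to, $subject, $body, $headers); // commented out so the example runs offline
}
```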

| Try this...
|
| $parts = explode("@", $_POST["email_address"]);
| if (!checkdnsrr(array_pop($parts), "MX"))
| {
| $message='That email address does not seem to be valid';
| }
|

Then, again, that won't stop all the injection attacks. To do that, scan
all fields for \r and \n and mime instructions. Do a quick Google for email
injection...

D.
Sep 14 '05 #4

In article <eS***********@newsfe2-win.ntli.net>,
"Virginner" <th*******@virginLOSEIT.net> wrote:
"Paul Marshall" <ma********@gmail.com> wrote in message
news:43***********************@ptn-nntp-reader03.plus.net...
| Hi
|
| I am at my wits' end! I have a PHP script running that captures variables
| posted from a form on the previous page. The script then emails the
| results using the mail() function.
|
| The script is currently being spammed in two ways:
|
| 1) The page is being loaded directly, therefore emailing blank results
| 2) The variables are made up of an accepted email address (all variables
| are filled with it). This email address is random, created using any
| combinations of characters before the accepted domain.

Try this...

$parts = explode("@", $_POST["email_address"]);
if (!checkdnsrr(array_pop($parts), "MX"))
{
$message='That email address does not seem to be valid';
}

D.


That's a good way to block lots of valid email addresses.

--
Sandman[.net]
Sep 15 '05 #5

Paul Marshall schreef:
Hi

I am at my wits' end! I have a PHP script running that captures variables
posted from a form on the previous page. The script then emails the
results using the mail() function.

The script is currently being spammed in two ways:

1) The page is being loaded directly, therefore emailing blank results
2) The variables are made up of an accepted email address (all variables
are filled with it). This email address is random, created using any
combinations of characters before the accepted domain.

Does anyone have any ideas of how I can stop this? The mails are
exceeding 60 per day now! Obviously it is some form of program doing it
but I don't know of a way that I can stop it, either to restrict the
variables or the script page or what?

Any help would be much appreciated!

Paul :s

marshallrp AT gmail DOT com

Validating an email address does not solve the problem.

See http://www.anders.com/cms/75/Crack.Attempt/Spam.Relay

Excerpts:

Make sure you end your headers with \r\n\r\n.

change

$headers .= "From: " . $from . "\r\n";

to

$headers .= "From: " . $from . "\r\n\r\n";

It is always best to filter mail form inputs

// Strip \r and \n from the email address (preg_replace needs pattern delimiters)

$_POST['email'] = preg_replace("/\r/", "", $_POST['email']);
$_POST['email'] = preg_replace("/\n/", "", $_POST['email']);

// Remove injected headers

$find = array("/bcc\:/i","/Content\-Type\:/i","/cc\:/i","/to\:/i");

$_POST['email'] = preg_replace($find, "", $_POST['email']);
$comments = preg_replace($find, "", $comments);

---------------------------------------------------------------------------------------------------------------

http://www.sinisterfrog.com
My latest news post suggests my solution. Basically for all variables use $name=stripslashes($_POST['name']);
---------------------------------------------------------------------------------------------------------------
try this in PHP:
clean_variables($_POST);
function clean_variables( &$value )
{
if(is_array($value)){
// array_walk passes each element by reference because the callback declares &$value
array_walk($value,'clean_variables');
return;
} else {
$value = str_replace(array("\r","\n","Content-Type:"),"",$value);
}
}

---------------------------------------------------------------------------------------------------------------
Seems like they're very active, again. Found this site via googling "be*******@aol.com". Luckily I was sitting at my computer yesterday around 21:50 when the first attempts dropped in at my EMail account. Took the formmail script off immediately and then searched every POST variable in PHP with the following code:

if (preg_match("/\r/",$MailFrom) || preg_match("/\n/",$MailFrom) || stripos($MailFrom,"Content-Type:") !== false){
die("SPAM Injection Error :(");
}

---------------------------------------------------------------------------------------------------------------
I'm a PHP minimalist and the following seems to prevent from getting any more of these mails:

if(
preg_match("/\r/",$_POST["email"])
|| preg_match("/\n/",$_POST["email"])
|| stripos($_POST["email"],"@mydomain.net") !== false
|| stripos($_POST["message"],"@mydomain.net") !== false
|| stripos($_POST["message"],"boundary=") !== false
)
{
die($sorry_string);
}

---------------------------------------------------------------------------------------------------------------
They always use bcc to send the mail so now we just block any mail with bcc

<% if (CGI.getValue("bcc").length()>0) { %>
<%//
// This is SPAM
//
// So don't send any emails!
//%>

<% } else { %>
---------------------------------------------------------------------------------------------------------------

Looking at my logs, I noticed that the requests from the bots don't contain the HTTP_USER_AGENT field, and the HTTP_REFERER field is set to my home page, not to the address of my contact form.

So I added the following to my php script:
$valid_user_agent = isset($_SERVER["HTTP_USER_AGENT"]) && $_SERVER["HTTP_USER_AGENT"] != "";
$valid_referrer = isset($_SERVER["HTTP_REFERER"]) && $_SERVER["HTTP_REFERER"] == "http://{$_SERVER["HTTP_HOST"]}/contact.php";

if ( $valid_user_agent && $valid_referrer ) {
// send email
} else {
// spambot
}
---------------------------------------------------------------------------------------------------------------
If the $from variable in post #208 is from an input field of the form, this code is insecure. You have to apply a substitution as Anders has described in his article http://www.anders.com/projects/sysad...PostHijacking/ to disable email injections.

If you want to ignore such attempts, apply a check similar to post #81 from Uwe. But this does not ignore all attempts, although they are harmless and only fill your mailbox.
---------------------------------------------------------------------------------------------------------------
he can only go so far before his emails will be malformed and worthless

if(preg_match("/Content-Transfer-Encoding/i",$_POST['var1'].$_POST['var2'].$_POST['var3'].$_POST['etc'])){exit;}

if(preg_match("/MIME-Version/i",$_POST['var1'].$_POST['var2'].$_POST['var3'].$_POST['etc'])){exit;}

if(preg_match("/Content-Type/i",$_POST['var1'].$_POST['var2'].$_POST['var3'].$_POST['etc'])){exit;}
---------------------------------------------------------------------------------------------------------------
here is my latest, i think it's working now.
note: as stated above ... miss 1 variable and he will get through.

he can only go so far before his emails will be malformed and worthless

if(preg_match("/Content-Transfer-Encoding/i",$_POST['var1'].$_POST['var2'].$_POST['var3'].$_POST['etc'])){exit;}

if(preg_match("/MIME-Version/i",$_POST['var1'].$_POST['var2'].$_POST['var3'].$_POST['etc'])){exit;}

if(preg_match("/Content-Type/i",$_POST['var1'].$_POST['var2'].$_POST['var3'].$_POST['etc'])){exit;}

MG from Brisbane QLD Australia
#227 posted on Mon, Sep 12, 2005 05:47 PM
253 emails from jr********@aol.com

Matthias from Germany
#228 posted on Mon, Sep 12, 2005 05:49 PM
FoTo50 from Austria finally explains why I am always getting 3 hits: I got 3 fields in my form, 2 text fields and one submit button. The latter does not transmit any string, therefore it is not causing any spam injection.

Phil from Davie / Florida / USA
#229 posted on Mon, Sep 12, 2005 06:02 PM
I've been getting hit by probes under the variation jr********@aol.com in connection with spam relaying. I think I've plugged all the possible leaks and the relaying has stopped. I'll try to report more details once I have documented the details. Phil

Barbara from uk
#230 posted on Mon, Sep 12, 2005 06:41 PM
This is for all those who want to get the attention of AOL. Ever read the 'review this site' posts on Alexa.com? Usually reserved for very good sites and for scams.
Now, if everyone who is getting no response from AOL about blocking the email addresses was to put a review about AOL and how they allow spammers to carry on.....
After reading how AOL was the first site to be attractive to phishing - getting unsuspecting AOL members to part with user profiles so that they could use valid email addresses for their spoofs - I think that AOL needs some encouragement to sort this out. Even if it means asking a genuine AOL client to change their email address so that the hacker/phisher can no longer use it.

Mike from UK
#231 posted on Mon, Sep 12, 2005 07:22 PM
Hi
If you want a simple contact form, this code should be fine. It is simple enough to expand the fields. I didn't write it, this site did: http://www.totallyphp.co.uk. Basically, make note of its use of "stripslashes" to clean up the output.
Just copy/paste this code to a page and call it something like contact.php (no other processor scripts required).

If anyone can see a flaw in this, I'd be happy to know about it :)

<?php
$your_email = "no****@yourdomain.com";
$subject = "Contact Form Submission (yourdomain.com)";
$empty_fields_message = "<p>Please go back and complete all the fields in the form.</p>";
$thankyou_message = "<p>Thank you. Your message has been sent.</p>";

// Read the fields only if they were posted, so a direct load of the page
// does not raise undefined-index notices
$name = isset($_POST['txtName']) ? stripslashes($_POST['txtName']) : '';
$email = isset($_POST['txtEmail']) ? stripslashes($_POST['txtEmail']) : '';
$message = isset($_POST['txtMessage']) ? stripslashes($_POST['txtMessage']) : '';

if (!isset($_POST['txtName'])) {
?>

<form method="post" action="<?php echo htmlspecialchars($_SERVER['REQUEST_URI']); ?>">

<p><label for="txtName">Name:</label><br />
<input type="text" title="Enter your name" name="txtName" /></p>

<p><label for="txtEmail">Email:</label><br />
<input type="text" title="Enter your email address" name="txtEmail" /></p>

<p><label for="txtMessage">Your message:</label><br />
<textarea title="Enter your message" name="txtMessage"></textarea></p>

<p><label title="Send your message">
<input type="submit" value="Send" /></label></p>

</form>

<?php

}

elseif (empty($name) || empty($email) || empty($message)) {
echo $empty_fields_message;
}

else {
$referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
$this_url = "http://".$_SERVER['HTTP_HOST'].$_SERVER["REQUEST_URI"];
if ($referer != $this_url) {
echo "Haven't you got anything better to do?";
exit;
}

// Line breaks in the values used for the From header would let extra headers in
if (preg_match("/[\r\n]/", $name.$email)) {
echo "Haven't you got anything better to do?";
exit;
}

// The URLs matched so send the email
mail($your_email, $subject, $message, "From: $name <$email>");

// Display the thankyou message
echo $thankyou_message;
}
?>

-----------------------------------------------------------------------------------------------------------------------
// Sputnik Internet's spam stopping script.
// If you have any text fields that should allow \r or \n,
// add them in the 2nd line separated by ||, as so:
// if ($postvar_name == "comments" || $postvar_name == "questions") {}
// www.sputnikinternet.com

foreach ($_POST as $postvar_name => $postvar_value) {
if ($postvar_name == "comments" || $postvar_name == "questions") {}
else {
if (preg_match("/[\r\n]/",$postvar_value)){
die();
}
}
}
-----------------------------------------------------------------------------------------------------------------------
This is what I am using now after 400+ email from jr********@aol.com.

if (isset($_POST['Submit']))
{
$find = array("/bcc\:/i",
"/Content\-Type\:/i",
"/cc\:/i",
"/to\:/i"
);
// "/\r/" and "/\n/" match the real line-break characters; "/\\\\r/" would only match a literal backslash-r
$_POST['name'] = preg_replace("/\r/", "", $_POST['name']);
$_POST['name'] = preg_replace("/\n/", "", $_POST['name']);
$_POST['name'] = preg_replace($find, "", $_POST['name']);
$name = $_POST['name'];

// other fields
// check all data is inputted
// send mail
}

It creates an array containing BCC, CC etc. and checks the posted data; if anything is found, the information is removed. Then it checks whether any \r or \n occur in the field and, if so, removes them as well. Also escape the from email address as above and add \r\n\r\n to the end to stop any extra headers being added, e.g.

$from = "From:$email\r\n\r\n";

The way I use this code is:

<?php

if (isset($_POST['submit'])) //user presses send
{

$find = array("/bcc\:/i",
"/Content\-Type\:/i",
"/cc\:/i",
"/to\:/i"
); //set up array to find information that should not be there. You can add other things here but cc and bcc are the most important to stop the spammer sending out email from your address

$message_e = ''; //collects the messages shown when a field is missing

if (empty($_POST['name'])) {$name = false; $message_e .= 'please enter your name<br>';}
else
{
$_POST['name'] = preg_replace("/\r/", "", $_POST['name']);
$_POST['name'] = preg_replace("/\n/", "", $_POST['name']);
$_POST['name'] = preg_replace($find, "", $_POST['name']);
$name = $_POST['name'];
}
//you need to change the $_POST['name'] to $_POST['your_variable']
//You will need to do this for all the variables that are posted to the script that sends out the email

if (empty($_POST['email'])) {$their_email = false; $message_e .= 'please enter your email address<br>';}
else
{
$_POST['email'] = preg_replace("/\r/", "", $_POST['email']);
$_POST['email'] = preg_replace("/\n/", "", $_POST['email']);
$_POST['email'] = preg_replace($find, "", $_POST['email']);
$their_email = $_POST['email'];
}

if ($name && $their_email) //if the name and email fields are filled in send email else return to form and display $message_e
{
$from = "From:$their_email\r\n\r\n";
$body = "Enquiry From: $name \r\n message: $enquiry \r\n how did you hear about us: $about";
mail('m*@somewhere.co.uk', $subject, $body, $from);
}
//if mail has been sent redirect to thank you page

}
else
{
?>
<Html Display the form html >
<?php
}
?>

Additionally before submitting the email address is run through a regular expression to ensure that it is formatted correctly. For those interested in the expression:
"^(([A-Za-z0-9]+_+)|([A-Za-z0-9]+\-+)|([A-Za-z0-9]+\.+)|([A-Za-z0-9]+\++))*[A-Za-z0-9]+@((\w+\-+)|(\w+\.))*\w{1,63}\.[a-zA-Z]{2,6}$"

I've been getting loads of these through recently (same addresses as everyone else). My PHP mail function now looks like this:

function safeEscapeString($string) {
if (stristr($string,"Bcc")) {
die("F*ck off spamming c*nt...");
} else {
// preg_replace patterns need delimiters
$temp = preg_replace("/\r/", "", $string);
$temp = preg_replace("/\n/", "", $temp);
return mysql_escape_string($temp);
}
}

<?php

function diescript($errmsg, $user, $domain) {
// set up message to display if user doesn't fill out the form right or if injection exploit detected
$errormsg = "Sorry. You have entered invalid contact information, please check your input and try again. ";
$errormsg .= "<a href='javascript:history.back(1);'>Click here to go back</a>.<br /><br />";
$errormsg .= "If you continue having problems, use your email program and email me at: ".$user."@".$domain." Thank you.<br /><br />\n";
echo $errormsg . $errmsg . "</body></html>";
die;
}

if (isset($_POST['submit'])) { // user pressed submit button

// who are we sending the email to
$user = "you"; // change this to your username
$domain = "yourdomain.com"; //change this to your domain name

// set up array to find information that should not be there - using 3 different arrays for different form fields
$findfrom = array("/bcc\:/i","/Content\-Type\:/i","/cc\:/i","/to\:/i","/@mydomain.com/i","/boundary=/i","/\r/","/\n/","/%/","/;/","/,/");
$findhead = array("/bcc\:/i","/Content\-Type\:/i","/cc\:/i","/to\:/i","/@mydomain.com/i","/boundary=/i","/\r/","/\n/","/%/");
$findbody = array("/bcc\:/i","/Content\-Type\:/i","/cc\:/i","/to\:/i","/@mydomain.com/i","/boundary=/i");

$email = $_POST["email"];
$name = $_POST["name"];
$address = $_POST["address"];
$city = $_POST["city"];
$state = $_POST["state"];
$zip = $_POST["zip"];
$phone = $_POST["phone"];
$comments = $_POST["comments"];
$subject = "Website Contact"; // change this to whatever you want to show in the subject line

// check from email against $findfrom array
foreach ($findfrom as $n) {
// checking email field
if(preg_match($n, $email)) {
$error = "Detected Potential Spam Attempt in Email: ".$n."<br />\n";
diescript($error, $user, $domain);
}
}

// check head email items against $findhead array
foreach ($findhead as $n) {
// checking name field
if(preg_match($n, $name) || preg_match($n, $address) || preg_match($n, $city) || preg_match($n, $state) || preg_match($n, $zip) || preg_match($n, $phone)) {
$error = "Detected Potential Spam Attempt: ".$n."<br />\n";
diescript($error, $user, $domain);
}
}

// check body email items against $findbody array
foreach ($findbody as $n) {
// checking comments field
$comments = str_replace("%"," percent",$comments); // convert % sign to percent text
if(preg_match($n, $comments)) {
$error = "Detected Potential Spam Attempt in Comments: ".$n."<br />\n";
diescript($error, $user, $domain);
}
}

$emailmsg = "Name: " . $name . "\r\n\r\n" . "Subject: " . $subject . "\r\n\r\n" . "Email: " . $email . "\r\n\r\n" . "Address: " . $address . "\r\n\r\n" . "City: " . $city . "\r\n\r\n" . "State: " . $state . "\r\n\r\n" . "Zip: " . $zip . "\r\n\r\n" . "Phone: " . $phone . "\r\n\r\n" . "Comments: " . "\r\n\r\n" . $comments;
$headers = "From: ".$email;
mail($user."@".$domain, $subject, $emailmsg, $headers);
$successmsg = "Thank you for submitting your contact information.<br /><br /><a href='javascript:history.back(1);'>Click here to go back.</a>"; // change link to whatever you want
echo $successmsg;
?>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" >
<head>
<meta http-equiv="content-type" content="text/html; charset=iso-8859-1" />
<meta name="keywords" content="" />
<meta name="description" content="" />
<meta name="robots" content="all" />
<title>Your Site</title>
</head>
<body>

<?php
} else {
?>

<form id="contact" method="post" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>">
<table width="100%" border="0" cellspacing="0" cellpadding="0">
<tr><td>Name:</td><td colspan="2">Address:</td></tr>
<tr><td><input type="text" name="name" size="30"></td><td colspan="2"><input type="text" name="address" size="35"></td></tr>
<tr><td>City:</td><td>State:</td><td>Zip Code:</td></tr>
<tr><td><input type="text" name="city" size="30"></td><td><input type="text" name="state" size="5"></td><td><input type="text" name="zip" size="10"></td></tr>
<tr><td>E-mail (required):</td><td colspan="2">Phone:</td></tr>
<tr><td><input type="text" name="email" size="30"></td><td colspan="2"><input type="text" name="phone" size="25"></td></tr>
<tr><td colspan="3">Questions / Comments:</td></tr>
<tr><td colspan="3"><textarea name="comments" cols="55" rows="3"></textarea></td></tr>
<tr><td colspan="3" style="padding-left: 2px;"><br /><input type="submit" name="submit" value="Submit Form"></td></tr>
</table>
</form>

<?php
} ?> </body> </html>
-----------------------
Sep 15 '05 #6



Paul Marshall wrote:
Hi

I am at my wits' end! I have a PHP script running that captures variables
posted from a form on the previous page. The script then emails the
results using the mail() function.

The script is currently being spammed in two ways:

1) The page is being loaded directly, therefore emailing blank results
2) The variables are made up of an accepted email address (all variables
are filled with it). This email address is random, created using any
combinations of characters before the accepted domain.

Does anyone have any ideas of how I can stop this? The mails are
exceeding 60 per day now! Obviously it is some form of program doing it
but I don't know of a way that I can stop it, either to restrict the
variables or the script page or what?

Any help would be much appreciated!

Paul :s

marshallrp AT gmail DOT com
Thanks for your suggestions everyone, I found a post by someone else
having the same problems who suggested setting a session that permits any
emailing unless it has been set on the page containing the form. This
seems to have done the trick for now! If not I will try the slashes
suggestions.

Thanks again guys!

Paul :)


Sep 15 '05 #7

Paul Marshall wrote:
Thanks for your suggestions everyone, I found a post by someone else
having the same problems who suggested setting a session that permits any
emailing unless it has been set on the page containing the form. This
seems to have done the trick for now! If not I will try the slashes
suggestions.


One more suggestion. When these spambots starting hitting my sites (one
in particular), I started doing what other folks suggested to clean the
entries. But that is just more work. Here's what I am doing now:

foreach ($_POST as $k=>$v) { // check all posted fields for 'Content-Type'
if (strpos($v,'Content-Type:') !== false) {
//
// Removed tracking email I send back to myself when this occurs
//
header("HTTP/1.0 404 Not Found"); // Put up a 404
exit(); // get out
}
}
//
// If it gets past the above, check if the submit value has been changed
// from what you expect. In this instance I expect the value to be
// 'Send Request'. The spambots are not using your form, but have
// screen scraped your form and have gotten the names you pass back
//
if (isset($_POST['submit']) && ($_POST['submit'] != 'Send Request')) {
//
// Removed tracking email I send back to myself when this occurs
//
header("HTTP/1.0 404 Not Found");
exit();
}

Putting out the 404 message hasn't stopped the spambots from trying,
but no mail has been sent by any of them since I implemented this
check.

Ken

Sep 17 '05 #8
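Paul's session idea (#7) and Ken's fixed submit-value check (#8), combined in one added example; this is neither poster's code, and the field names, the `token` parameter and the 30-minute lifetime are assumptions.

```php
<?php
// Added example (not Paul's or Ken's code): gate the handler behind a token
// that only the page rendering the form can issue, and reject a submit value
// that differs from the one the form sends. A bot that loads the handler
// directly or replays scraped field names has no valid token and mails nothing.
// Field names, the 'token' parameter and the 30-minute lifetime are assumptions.

session_start();

function issueFormToken(array &$session): string
{
    // A fresh random token per form view, stored server-side so it cannot be minted
    $token = bin2hex(random_bytes(16));
    $session['contact_token'] = $token;
    $session['contact_token_issued'] = time();
    return $token;
}

function submissionIsGenuine(array $post, array &$session, int $maxAge = 1800): bool
{
    if (empty($session['contact_token']) || empty($post['token'])) {
        return false;
    }
    $issued = isset($session['contact_token_issued']) ? (int) $session['contact_token_issued'] : 0;
    $fresh  = (time() - $issued) <= $maxAge;
    // Constant-time comparison so the token does not leak through timing
    $match  = hash_equals($session['contact_token'], (string) $post['token']);
    // Single use: drop the token whether or not the check passed
    unset($session['contact_token'], $session['contact_token_issued']);
    // Ken's check: the button value is fixed, so anything else did not come from our form
    $button = isset($post['submit']) && $post['submit'] === 'Send Request';
    return $fresh && $match && $button;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!submissionIsGenuine($_POST, $_SESSION)) {
        // Direct loads and scraped replays end here; nothing is mailed
        header('HTTP/1.0 404 Not Found');
        exit;
    }
    // ... validate the fields for header injection and call mail() here ...
    echo '<p>Thank you, your message has been sent.</p>';
} else {
    $token = htmlspecialchars(issueFormToken($_SESSION), ENT_QUOTES, 'UTF-8');
    echo '<form method="post" action="">'
       . '<input type="hidden" name="token" value="' . $token . '">'
       . '<p><input type="text" name="name"></p>'
       . '<p><input type="text" name="email"></p>'
       . '<p><textarea name="message"></textarea></p>'
       . '<p><input type="submit" name="submit" value="Send Request"></p>'
       . '</form>';
}
```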
