How to Hack form 2 mail scripts

Angelos wrote:

Hi,

Because I am fed up with attacks on my form mail scripts I want to find a
way to hack them my self and test it while I am developing it....

Does anyone knows a good resource to learn how to hack my own forms ? or
anything relative to security precautions

Cheers

Hi Angelos,

That sucks. :-(
But it is hard to answer what to do if you don't give more details.

Where does the script send to?
I mean, do you set the 'to' field in your script and is the spammer somehow
adding new emailadresses to that?

What probably the best way to start defending yourself is:
- log all action on that script, and analyse them afterwards.
This can be done very easyly by storing the complete POST-part of the
requests in a file or database. (if you use post, otherwise take $_GET of
course)
Just serialize the whole $_POST, and write a script to display the content
of them, using unserialize and maybe just print_r().

Just study them afterwards, and I expect you will see what trick they use.
Then you know where to start.

Also: Store the IP adres of each request.

Knowledge is power.

just my 2 cents.

Good luck

Regards,
Erwin Moller

"Angelos" wrote:

Hi,

Because I am fed up with attacks on my form mail scripts I want to find a
way to hack them my self and test it while I am developing it....

Does anyone knows a good resource to learn how to hack my own forms ? or
anything relative to security precautions

Here's a good article on the subject:
http://securephp.damonkohler.com/ind...mail_Injection

--
phil [dot] ronan @ virgin [dot] net
http://vzone.virgin.net/phil.ronan/

Thanks for that,

at the moment I am trying this solution

<?php
$from=$_POST["sender"];
if (eregi("\r",$from) || eregi("\n",$from)){
die("Why ?? :(");
}
?>

And if that spam continues ...I'll have to find something else ....

What do "they" have to earn by sending all this SPAM ???
Is there any Money involved ... i don't think so ...

Anyway thanks for your replies !!!

On 17.11.2005 12:40, Angelos wrote:

Thanks for that,

at the moment I am trying this solution

<?php
$from=$_POST["sender"];
if (eregi("\r",$from) || eregi("\n",$from)){
die("Why ?? :(");
}
?>

And if that spam continues ...I'll have to find something else ....

What do "they" have to earn by sending all this SPAM ???
Is there any Money involved ... i don't think so ...

Anyway thanks for your replies !!!

Best way how to stop automated abuse is using php generated images,
similiar which yahoo uses to prevent automated sign-ups. Users then must
write down the control number/string for each submit and you compare if
the submited control numer corresponds to the one you have generated
before processing user input. PHP has functions to work with images like
imagettftext etc. Good luck.

Y.