472,791 Members | 1,830 Online
Bytes | Software Development & Data Engineering Community
Post Job

Home Posts Topics Members FAQ

home > topics > php > questions > php email script being probed?

Join Bytes to post your question to a community of 472,791 software developers and data experts.

PHP Email script being probed?

I have a PHP email script running on two separate websites. Today, I
received a form mail generated by the script from each site, with time
stamps 10 minutes apart. The entered email address in each form is the
same, but the REMOTE_ADDR reported is different.

Doing a search of the IP Addresses generates many hits, the user
apparently posts to many news groups.

The postal address entered is in MA while the IP Address from the first
entry has many log files posted of an address in MI.

Is some one trying to probe the script for vulnerabilities? If so, what
actions should I be considering?

Thank you.

--
Wayne
http://www.glenmeadows.us
With or without religion, you would have good people doing good things
and evil people doing evil things. But for good people to do evil
things, that takes religion.
—Steven Weinberg
Jul 6 '06 #1
4 1365
Rik
wayne wrote:
I have a PHP email script running on two separate websites. Today, I
received a form mail generated by the script from each site, with time
stamps 10 minutes apart. The entered email address in each form is
the same, but the REMOTE_ADDR reported is different.

Doing a search of the IP Addresses generates many hits, the user
apparently posts to many news groups.

The postal address entered is in MA while the IP Address from the
first entry has many log files posted of an address in MI.

Is some one trying to probe the script for vulnerabilities? If so,
what actions should I be considering?
Could be, as long as you you protected the from from header injections, it
should be no problem. Never, ever, construct a form that will send a
confirmation to multiple (user-given) email-adresses. Be waware there should
be no possiblty to adress multiple emailadresses, either by to:, cc: or
bcc:.

For extra protection, one could impose a time limit on contacts required by
the form,for instance 3 per minute, 6 per 5 minutes, 10 per half hour per
IP-adress (which isn't a really safe bet, but in nornal use good enough,
without resorting to far more dificult methods). That way you more or less
allow for follow-up questions, but limit the amount of possible spam.

Grtz,
--
Rik Wasmus
Jul 6 '06 #2
Rik wrote:
>
Could be, as long as you you protected the from from header injections, it
should be no problem. Never, ever, construct a form that will send a
confirmation to multiple (user-given) email-adresses. Be waware there should
be no possiblty to adress multiple emailadresses, either by to:, cc: or
bcc:.

For extra protection, one could impose a time limit on contacts required by
the form,for instance 3 per minute, 6 per 5 minutes, 10 per half hour per
IP-adress (which isn't a really safe bet, but in nornal use good enough,
without resorting to far more dificult methods). That way you more or less
allow for follow-up questions, but limit the amount of possible spam.

Grtz,
Rik,

Thank you for the quick response. I don't believe extra address can be
added, but is it possible to construct a form on a persons computer and
call the PHP script on the server from it?

I'm still learning how the scripts are used!

--
Wayne
http://www.glenmeadows.us
With or without religion, you would have good people doing good things
and evil people doing evil things. But for good people to do evil
things, that takes religion.
—Steven Weinberg
Jul 6 '06 #3
make sure you dont be lazy and use code like extract($_POST);
if your checking for things like sql injection or mail header
injections kill the script as soon as the error is found.. exit();
you cant do anything to stop it from happenign and i wouldnt worry,
just learn what holes people use and fix them in your scripts.
also to ensure that someone doesnt try and mass email make sure you
remove any commas from email addresses with str replace, or better yet
if the email address contains a comma.. exit();

flamer.
wayne wrote:
I have a PHP email script running on two separate websites. Today, I
received a form mail generated by the script from each site, with time
stamps 10 minutes apart. The entered email address in each form is the
same, but the REMOTE_ADDR reported is different.

Doing a search of the IP Addresses generates many hits, the user
apparently posts to many news groups.

The postal address entered is in MA while the IP Address from the first
entry has many log files posted of an address in MI.

Is some one trying to probe the script for vulnerabilities? If so, what
actions should I be considering?

Thank you.

--
Wayne
http://www.glenmeadows.us
With or without religion, you would have good people doing good things
and evil people doing evil things. But for good people to do evil
things, that takes religion.
-Steven Weinberg
Jul 6 '06 #4
wayne wrote:
Thank you for the quick response. I don't believe extra address can be
added, but is it possible to construct a form on a persons computer and
call the PHP script on the server from it?
Yes it is. If you are putting values in hidden <inputyou can not
assume what you put in comes back again. The firefox web developer
toolbar will allow a user to change these values. Also you could save
the page with the form to disk and go and modify it. Or even write your
own form. and just set the form's action to any page you like.

--
Fletch

Jul 7 '06 #5
New Post

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

12
Using Php to receive - read email
by: Chuck Anderson | last post by:
Can anyone point me in the right direction? I want to use Php to automate confirmation of someone joining an email list by them replying to an email (so they don't have to have a browser?). I...
PHP
9
Personalized Email Script
by: mcp6453 | last post by:
I'm posting in desperation and hopes that someone has a script that will achieve these objectives: 1. Web interface using forms collects Name, Address, Email Address. 2. Web interface sends this...
PHP
4
email activating a web page impossible?
by: Bill | last post by:
Is it possible to somehow activate a page containing a php script by sending an email to a mailbox on the server? I have a script that sends out notification emails to an individual. He wants to...
PHP
0
Email server timing out in email script
by: John Silver | last post by:
I have a perl script running on machine A, a web server. A visitor completes certain pieces of data and these are compiled into two emails, one addressed to the visitor and copied to the site...
Perl
6
Email Validate with exclude
by: xxnonexnonexx | last post by:
I am looking to do some email validation and many of the scripts I've located online are great basic email validators. They check to see that the email address is something along the lines of...
Javascript
4
Email hiding JavaScript not working :(
by: web_design | last post by:
I put this together from some other scripts I am using on a site. I'm trying to make a better email hiding script. It isn't working. Also, it causes Internet Explorer 6 SP2 to block the script...
Javascript
2
PHP + email
by: E.T. Grey | last post by:
Is it possible to have a PHP script receive an email (CSV text). The problem is this, I want a server to send me an email, and then I want to be able to have a PHP script 'listening' for email and...
PHP
4
Feedback Email setup
by: ianbarton | last post by:
Hello all I am trying to setup a feedback form on my webpage using some script provided by my ISP. I really don't know a lot about PHP and it's syntax etc. The feedback form only has 4...
PHP
9
Database/Email Script
by: Jerim79 | last post by:
I am no PHP programmer. At my current job I made it known that I was no PHP programmer during the interview. Still they have given me a script to write with the understanding that it will take me a...
PHP
0
How to Become a Cyber Security Engineer
by: Rina0 | last post by:
Cybersecurity engineering is a specialized field that focuses on the design, development, and implementation of systems, processes, and technologies that protect against cyber threats and...
Security
3
isladogs
Access Europe meeting on Wed 2 August - An Access Developer Guide to creating applications in Blazor
by: isladogs | last post by:
The next Access Europe meeting will be on Wednesday 2 August 2023 starting at 18:00 UK time (6PM UTC+1) and finishing at about 19:15 (7.15PM) The start time is equivalent to 19:00 (7PM) in Central...
Microsoft Access / VBA
0
linyimin
Speedup your spring application
by: linyimin | last post by:
Spring Startup Analyzer generates an interactive Spring application startup report that lets you understand what contributes to the application startup time and helps to optimize it. Support for...
General
0
Development of Funny H5 Game - Toy Claw
by: kcodez | last post by:
As a H5 game development enthusiast, I recently wrote a very interesting little game - Toy Claw ((http://claw.kjeek.com/))。Here I will summarize and share the development experience here, and hope it...
HTML / CSS
14
DJRhino1175
Cancel Print Action if Sub form has No Records
by: DJRhino1175 | last post by:
When I run this code I get an error, its Run-time error# 424 Object required...This is my first attempt at doing something like this. I test the entire code and it worked until I added this - If...
Microsoft Access / VBA
5
To verify entry of a dropdown
by: DJRhino | last post by:
Private Sub CboDrawingID_BeforeUpdate(Cancel As Integer) If = 310029923 Or 310030138 Or 310030152 Or 310030346 Or 310030348 Or _ 310030356 Or 310030359 Or 310030362 Or...
Microsoft Access / VBA
0
React to native button blinking effect
by: lllomh | last post by:
Define the method first this.state = { buttonBackgroundColor: 'green', isBlinking: false, // A new status is added to identify whether the button is blinking or not } autoStart=()=>{
Software Development
0
How does React native implement an English player?
by: lllomh | last post by:
How does React native implement an English player?
Mobile Development
0
How to calculate date of retirement from date of birth
by: Mushico | last post by:
How to calculate date of retirement from date of birth
Data Management

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.

BYTES.COM © 2023
About Bytes
Terms Of Use
Privacy Policy
Sitemap
Advertise on Bytes:
Post a Job
Sponsored Posts
Platinum & Gold Sponsors
Hire Now!