468,505 Members | 1,790 Online
Bytes | Developer Community
New Post

Home Posts Topics Members FAQ

Post your question to a community of 468,505 developers. It's quick & easy.

PHP Email script being probed?

I have a PHP email script running on two separate websites. Today, I
received a form mail generated by the script from each site, with time
stamps 10 minutes apart. The entered email address in each form is the
same, but the REMOTE_ADDR reported is different.

Doing a search of the IP Addresses generates many hits, the user
apparently posts to many news groups.

The postal address entered is in MA while the IP Address from the first
entry has many log files posted of an address in MI.

Is some one trying to probe the script for vulnerabilities? If so, what
actions should I be considering?

Thank you.

--
Wayne
http://www.glenmeadows.us
With or without religion, you would have good people doing good things
and evil people doing evil things. But for good people to do evil
things, that takes religion.
—Steven Weinberg
Jul 6 '06 #1
4 1225
Rik
wayne wrote:
I have a PHP email script running on two separate websites. Today, I
received a form mail generated by the script from each site, with time
stamps 10 minutes apart. The entered email address in each form is
the same, but the REMOTE_ADDR reported is different.

Doing a search of the IP Addresses generates many hits, the user
apparently posts to many news groups.

The postal address entered is in MA while the IP Address from the
first entry has many log files posted of an address in MI.

Is some one trying to probe the script for vulnerabilities? If so,
what actions should I be considering?
Could be, as long as you you protected the from from header injections, it
should be no problem. Never, ever, construct a form that will send a
confirmation to multiple (user-given) email-adresses. Be waware there should
be no possiblty to adress multiple emailadresses, either by to:, cc: or
bcc:.

For extra protection, one could impose a time limit on contacts required by
the form,for instance 3 per minute, 6 per 5 minutes, 10 per half hour per
IP-adress (which isn't a really safe bet, but in nornal use good enough,
without resorting to far more dificult methods). That way you more or less
allow for follow-up questions, but limit the amount of possible spam.

Grtz,
--
Rik Wasmus
Jul 6 '06 #2
Rik wrote:
>
Could be, as long as you you protected the from from header injections, it
should be no problem. Never, ever, construct a form that will send a
confirmation to multiple (user-given) email-adresses. Be waware there should
be no possiblty to adress multiple emailadresses, either by to:, cc: or
bcc:.

For extra protection, one could impose a time limit on contacts required by
the form,for instance 3 per minute, 6 per 5 minutes, 10 per half hour per
IP-adress (which isn't a really safe bet, but in nornal use good enough,
without resorting to far more dificult methods). That way you more or less
allow for follow-up questions, but limit the amount of possible spam.

Grtz,
Rik,

Thank you for the quick response. I don't believe extra address can be
added, but is it possible to construct a form on a persons computer and
call the PHP script on the server from it?

I'm still learning how the scripts are used!

--
Wayne
http://www.glenmeadows.us
With or without religion, you would have good people doing good things
and evil people doing evil things. But for good people to do evil
things, that takes religion.
—Steven Weinberg
Jul 6 '06 #3
make sure you dont be lazy and use code like extract($_POST);
if your checking for things like sql injection or mail header
injections kill the script as soon as the error is found.. exit();
you cant do anything to stop it from happenign and i wouldnt worry,
just learn what holes people use and fix them in your scripts.
also to ensure that someone doesnt try and mass email make sure you
remove any commas from email addresses with str replace, or better yet
if the email address contains a comma.. exit();

flamer.
wayne wrote:
I have a PHP email script running on two separate websites. Today, I
received a form mail generated by the script from each site, with time
stamps 10 minutes apart. The entered email address in each form is the
same, but the REMOTE_ADDR reported is different.

Doing a search of the IP Addresses generates many hits, the user
apparently posts to many news groups.

The postal address entered is in MA while the IP Address from the first
entry has many log files posted of an address in MI.

Is some one trying to probe the script for vulnerabilities? If so, what
actions should I be considering?

Thank you.

--
Wayne
http://www.glenmeadows.us
With or without religion, you would have good people doing good things
and evil people doing evil things. But for good people to do evil
things, that takes religion.
-Steven Weinberg
Jul 6 '06 #4
wayne wrote:
Thank you for the quick response. I don't believe extra address can be
added, but is it possible to construct a form on a persons computer and
call the PHP script on the server from it?
Yes it is. If you are putting values in hidden <inputyou can not
assume what you put in comes back again. The firefox web developer
toolbar will allow a user to change these values. Also you could save
the page with the form to disk and go and modify it. Or even write your
own form. and just set the form's action to any page you like.

--
Fletch

Jul 7 '06 #5

This discussion thread is closed

Replies have been disabled for this discussion.

Similar topics

12 posts views Thread by Chuck Anderson | last post: by
9 posts views Thread by mcp6453 | last post: by
4 posts views Thread by Bill | last post: by
reply views Thread by John Silver | last post: by
6 posts views Thread by xxnonexnonexx | last post: by
4 posts views Thread by web_design | last post: by
2 posts views Thread by E.T. Grey | last post: by
4 posts views Thread by ianbarton | last post: by
9 posts views Thread by Jerim79 | last post: by
reply views Thread by NPC403 | last post: by
3 posts views Thread by gieforce | last post: by
By using this site, you agree to our Privacy Policy and Terms of Use.