I have a PHP email script running on two separate websites. Today, I
received a form mail generated by the script from each site, with time
stamps 10 minutes apart. The entered email address in each form is the
same, but the REMOTE_ADDR reported is different.
Doing a search of the IP Addresses generates many hits, the user
apparently posts to many news groups.
The postal address entered is in MA while the IP Address from the first
entry has many log files posted of an address in MI.
Is some one trying to probe the script for vulnerabilities? If so, what
actions should I be considering?
Thank you.
--
Wayne http://www.glenmeadows.us
With or without religion, you would have good people doing good things
and evil people doing evil things. But for good people to do evil
things, that takes religion.
—Steven Weinberg 4  1391 
wayne wrote:
I have a PHP email script running on two separate websites. Today, I
received a form mail generated by the script from each site, with time
stamps 10 minutes apart. The entered email address in each form is
the same, but the REMOTE_ADDR reported is different.
Doing a search of the IP Addresses generates many hits, the user
apparently posts to many news groups.
The postal address entered is in MA while the IP Address from the
first entry has many log files posted of an address in MI.
Is some one trying to probe the script for vulnerabilities? If so,
what actions should I be considering?
Could be, as long as you you protected the from from header injections, it
should be no problem. Never, ever, construct a form that will send a
confirmation to multiple (user-given) email-adresses. Be waware there should
be no possiblty to adress multiple emailadresses, either by to:, cc: or
bcc:.
For extra protection, one could impose a time limit on contacts required by
the form,for instance 3 per minute, 6 per 5 minutes, 10 per half hour per
IP-adress (which isn't a really safe bet, but in nornal use good enough,
without resorting to far more dificult methods). That way you more or less
allow for follow-up questions, but limit the amount of possible spam.
Grtz,
--
Rik Wasmus
Rik wrote:
>
Could be, as long as you you protected the from from header injections, it
should be no problem. Never, ever, construct a form that will send a
confirmation to multiple (user-given) email-adresses. Be waware there should
be no possiblty to adress multiple emailadresses, either by to:, cc: or
bcc:.
For extra protection, one could impose a time limit on contacts required by
the form,for instance 3 per minute, 6 per 5 minutes, 10 per half hour per
IP-adress (which isn't a really safe bet, but in nornal use good enough,
without resorting to far more dificult methods). That way you more or less
allow for follow-up questions, but limit the amount of possible spam.
Grtz,
Rik,
Thank you for the quick response. I don't believe extra address can be
added, but is it possible to construct a form on a persons computer and
call the PHP script on the server from it?
I'm still learning how the scripts are used!
--
Wayne http://www.glenmeadows.us
With or without religion, you would have good people doing good things
and evil people doing evil things. But for good people to do evil
things, that takes religion.
—Steven Weinberg
make sure you dont be lazy and use code like extract($_POST);
if your checking for things like sql injection or mail header
injections kill the script as soon as the error is found.. exit();
you cant do anything to stop it from happenign and i wouldnt worry,
just learn what holes people use and fix them in your scripts.
also to ensure that someone doesnt try and mass email make sure you
remove any commas from email addresses with str replace, or better yet
if the email address contains a comma.. exit();
flamer.
wayne wrote:
I have a PHP email script running on two separate websites. Today, I
received a form mail generated by the script from each site, with time
stamps 10 minutes apart. The entered email address in each form is the
same, but the REMOTE_ADDR reported is different.
Doing a search of the IP Addresses generates many hits, the user
apparently posts to many news groups.
The postal address entered is in MA while the IP Address from the first
entry has many log files posted of an address in MI.
Is some one trying to probe the script for vulnerabilities? If so, what
actions should I be considering?
Thank you.
--
Wayne
http://www.glenmeadows.us
With or without religion, you would have good people doing good things
and evil people doing evil things. But for good people to do evil
things, that takes religion.
-Steven Weinberg
wayne wrote:
Thank you for the quick response. I don't believe extra address can be
added, but is it possible to construct a form on a persons computer and
call the PHP script on the server from it?
Yes it is. If you are putting values in hidden <inputyou can not
assume what you put in comes back again. The firefox web developer
toolbar will allow a user to change these values. Also you could save
the page with the form to disk and go and modify it. Or even write your
own form. and just set the form's action to any page you like.
--
Fletch This thread has been closed and replies have been disabled. Please start a new discussion. Similar topics
by: Chuck Anderson |
last post by:
Can anyone point me in the right direction? I want to use Php to
automate confirmation of someone joining an email list by them replying
to an email (so they don't have to have a browser?).
I...
|
by: mcp6453 |
last post by:
I'm posting in desperation and hopes that someone has a script that will
achieve these objectives:
1. Web interface using forms collects Name, Address, Email Address.
2. Web interface sends this...
|
by: Bill |
last post by:
Is it possible to somehow activate a page containing a php script by sending
an email to a mailbox on the server?
I have a script that sends out notification emails to an individual. He
wants to...
|
by: John Silver |
last post by:
I have a perl script running on machine A, a web server. A visitor
completes certain pieces of data and these are compiled into two emails, one
addressed to the visitor and copied to the site...
|
by: xxnonexnonexx |
last post by:
I am looking to do some email validation and many of the scripts I've located
online are great basic email validators.
They check to see that the email address is something along the lines of...
|
by: web_design |
last post by:
I put this together from some other scripts I am using on a site. I'm
trying to make a better email hiding script. It isn't working. Also, it
causes Internet Explorer 6 SP2 to block the script...
|
by: E.T. Grey |
last post by:
Is it possible to have a PHP script receive an email (CSV text). The
problem is this, I want a server to send me an email, and then I want to
be able to have a PHP script 'listening' for email and...
|
by: ianbarton |
last post by:
Hello all
I am trying to setup a feedback form on my webpage using some script
provided by my ISP. I really don't know a lot about PHP and it's syntax
etc.
The feedback form only has 4...
|
by: Jerim79 |
last post by:
I am no PHP programmer. At my current job I made it known that I was no
PHP programmer during the interview. Still they have given me a script
to write with the understanding that it will take me a...
|
by: Charles Arthur |
last post by:
How do i turn on java script on a villaon, callus and itel keypad mobile phone
|
by: aa123db |
last post by:
Variable and constants
Use var or let for variables and const fror constants.
Var foo ='bar';
Let foo ='bar';const baz ='bar';
Functions
function $name$ ($parameters$) {
}
...
|
by: ryjfgjl |
last post by:
If we have dozens or hundreds of excel to import into the database, if we use the excel import function provided by database editors such as navicat, it will be extremely tedious and time-consuming...
|
by: ryjfgjl |
last post by:
In our work, we often receive Excel tables with data in the same format. If we want to analyze these data, it can be difficult to analyze them because the data is spread across multiple Excel files...
|
by: nemocccc |
last post by:
hello, everyone, I want to develop a software for my android phone for daily needs, any suggestions?
|
by: Sonnysonu |
last post by:
This is the data of csv file
1 2 3
1 2 3
1 2 3
1 2 3
2 3
2 3
3
the lengths should be different i have to store the data by column-wise with in the specific length.
suppose the i have to...
|
by: marktang |
last post by:
ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However,...
|
by: Hystou |
last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can...
|
by: Oralloy |
last post by:
Hello folks,
I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>".
The problem is that using the GNU compilers,...
| |
