php e-mail

  • bokke

    php e-mail

    I have a simple form asking for name, e-mail and comment on page one.
    Page two sends the form via e-mail to me and thanks the person for
    filling in the form.
    But I've started getting this in my inbox. I think I'm being used here
    - any ideas? "Their e-mail address is:" is hard coded.

    Their e-mail address is: an
    Content-Type: text/plain; charset=\"us-ascii\"
    MIME-Version: 1.0
    Content-Transfer-Encoding: 7bit
    Subject: take half
    bcc: onemoreaddress@hotpop.com

    usually I would get,
    Their e-mail address is: soandso@soanso.com

    here is the e-mail code:

    <?
    $fname=$_POST['fname'];
    $lname=$_POST['lname'];
    $phone=$_POST['phone'];
    $email=$_POST['email'];
    $comment=$_POST['comment'];
    $to="me@ssoandso.com";

    $message="First Name:$fname\n\n Last Name:$lname
    \n\nPhone:$phone\n\nTheir e-mail address is: $email\n\n
    comment::\n\n$comment";
    if(mail($to,"E-mail from MySite",$message,"From:$email\n")){
    echo "Thank you $fname. Your Information has been inserted into my
    contact database and forwarded to my E-Mail address. I'll get back to
    you shortly.";
    }else{
    echo "There was a problem sending the message.";
    }
    ?>

  • Steve

    #2
    Re: php e-mail

    > But I've started getting this in my inbox? I think I'm being used here
    > - any ideas."Their e-mail address is:" is hard coded

    > here is the e-mail code:
    ....
    > $email=$_POST['email'];
    ....
    > if(mail($to,"E-mail from MySite",$message,"From:$email\n")){

    Take it down, it is being abused - or is about to be abused - by
    spammers.

    The last argument to mail() is a list of extra headers and because of
    the way your script is structured a custom form or script can submit
    extra Bcc: email addresses tagged on to the 'email' form field.

    At the very least get rid of any newlines inserted in the 'email'
    field:

    $email = preg_replace( '/[\r\n]/', '', $email );

    ---
    Steve

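As an added example for this thread (my code, not bokke's or Steve's), here is the handler from post #1 rewritten so that the visitor's address never reaches the header argument of mail() unless it is a single well-formed address, From: is a fixed address the site owns, and rejected submissions are logged so the attempts stay visible. The SITE_FROM and SITE_TO addresses are placeholders; the two sample submissions at the bottom are constructed, the second in the shape of the payload bokke received.

```php
<?php
// Added example for this thread (not bokke's or Steve's code): a hardened
// version of the handler from post #1. The visitor's address never reaches
// the header argument of mail() unvalidated, From: is a fixed address the
// site owns, and a rejected submission is logged so the attempts are visible.
declare(strict_types=1);

const SITE_FROM = 'forms@example.com';   // placeholder: an address you control
const SITE_TO   = 'me@example.com';      // placeholder: where the form is delivered

// A mail header value must fit on one line; a CR, LF or NUL in it is exactly
// what lets extra "bcc:" / "Content-Type:" lines be smuggled into the headers.
function contains_line_break(string $value): bool
{
    return preg_match('/[\r\n\0]/', $value) === 1;
}

// Returns the address if it is one well-formed address, otherwise null.
function clean_email(string $raw): ?string
{
    $raw = trim($raw);
    if (contains_line_break($raw)) {
        return null;
    }
    $valid = filter_var($raw, FILTER_VALIDATE_EMAIL);
    return $valid === false ? null : $valid;
}

// Assembles the four mail() arguments from the posted fields, or returns null
// (and logs why) when the e-mail field cannot be placed in a header.
function build_mail(array $post): ?array
{
    $email = clean_email((string)($post['email'] ?? ''));
    if ($email === null) {
        error_log('contact form: rejected e-mail field from ' . ($_SERVER['REMOTE_ADDR'] ?? 'cli'));
        return null;
    }
    $fname   = trim((string)($post['fname'] ?? ''));
    $lname   = trim((string)($post['lname'] ?? ''));
    $phone   = trim((string)($post['phone'] ?? ''));
    $comment = trim((string)($post['comment'] ?? ''));

    // Body text may contain newlines; they cannot become headers because the
    // header block is already closed before the body starts.
    $message = "First Name: $fname\n\nLast Name: $lname\n\nPhone: $phone\n\n"
             . "Their e-mail address is: $email\n\ncomment:\n\n$comment";

    // Array form of the headers argument (PHP 7.2+). Reply-To carries the
    // validated visitor address; From: is never taken from the request.
    $headers = ['From' => SITE_FROM, 'Reply-To' => $email];

    return ['to' => SITE_TO, 'subject' => 'E-mail from MySite',
            'message' => $message, 'headers' => $headers];
}

function handle_submission(array $post): string
{
    $args = build_mail($post);
    if ($args === null) {
        return 'Please enter a valid e-mail address.';
    }
    if (mail($args['to'], $args['subject'], $args['message'], $args['headers'])) {
        return 'Thank you ' . htmlspecialchars((string)($post['fname'] ?? '')) . '. Your message has been sent.';
    }
    return 'There was a problem sending the message.';
}

// Constructed samples for a dry run (no mail is sent here); the second one has
// the shape of the payload bokke received in post #1. Run with: php thisfile.php
if (PHP_SAPI === 'cli') {
    $samples = [
        'clean'    => ['fname' => 'Jo', 'email' => 'soandso@soanso.com', 'comment' => 'Hello'],
        'injected' => ['fname' => 'an',
                       'email' => "an\nContent-Type: text/plain; charset=\"us-ascii\"\n"
                                . "MIME-Version: 1.0\nSubject: take half\nbcc: onemoreaddress@hotpop.com",
                       'comment' => ''],
    ];
    foreach ($samples as $name => $post) {
        $args = build_mail($post);
        echo $name, ': ', $args === null ? 'rejected' : 'accepted, headers=' . json_encode($args['headers']), "\n";
    }
}
```

Run from the command line, the dry run prints `clean: accepted` with From and Reply-To headers and `injected: rejected`. Steve's one-liner removes the line breaks; this version goes one step further and refuses the submission, because an address containing a line break is never a genuine one and refusing it gives you a log entry per attempt.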

    • feed_sheep

      #3
      Re: php e-mail

      >> $email=$_POST['email'];
      > ...
      >> if(mail($to,"E-mail from MySite",$message,"From:$email\n")){
      >
      > Take it down, it is being abused - or is about to be abused - by
      > spammers.
      >
      > The last argument to mail() is a list of extra headers and because of
      > the way your script is structured a custom form or script can submit
      > extra Bcc: email addresses tagged on to the 'email' form field.
      >

      Can you expand on how this works and how to prevent spammers from using
      this? I'm not sure I understand. Thanks!

      David



      • juglesh

        #4
        Re: php e-mail


        feed_sheep wrote:
        > >> $email=$_POST['email'];
        > > ...
        > >> if(mail($to,"E-mail from MySite",$message,"From:$email\n")){
        > >
        > > Take it down, it is being abused - or is about to be abused - by
        > > spammers.
        > >
        > > The last argument to mail() is a list of extra headers and because of
        > > the way your script is structured a custom form or script can submit
        > > extra Bcc: email addresses tagged on to the 'email' form field.
        > >
        >
        > Can you expand on how this works and how to prevent spammers from using
        > this? I'm not sure I understand. Thanks!

        do this first on the page:

        $find = array("/bcc\:/i","/Content\-Type\:/i","/cc\:/i","/to\:/i","/MIME\-Version\:/i");
        $_POST = preg_replace($find, 'BAD INPUT, NAUGHTY HACKER', $_POST);

        --
        juglesh


        • bokke

          #5
          Re: php e-mail

          So I tried this ..

          <?
          $fname=$_POST['fname'];
          $lname=$_POST['lname'];
          $phone=$_POST['phone'];
          $email=$_POST['email'];
          $email = preg_replace( '/[\r\n]/', '', $email );
          $comment=$_POST['comment'];
          $to="michael@xxx.com";

          $message="First Name:$fname\n\n Last Name:$lname
          \n\nPhone:$phone\n\nTheir e-mail address is: $email\n\n
          comment::\n\n$comment";
          if(mail($to,"E-mail from MySite",$message,"From:$email\n")){
          echo "Thank you $fname. Your Information has been inserted into my
          contact database and forwarded to my E-Mail address. I'll get back to
          you shortly.";
          }else{
          echo "There was a problem sending the message.";
          }
          ?>

          and today got this:

          First Name:nachrally8358@xxx.com

          Last Name:nachrally8358@xxx.com

          Phone:nachrally8358@xxx.com

          Their e-mail address is: nachrally8358@xxx.com

          comment::

          for
          Content-Type: text/plain; charset=\"us-ascii\"
          MIME-Version: 1.0
          Content-Transfer-Encoding: 7bit
          Subject: could not so easily have torn himself away. need hardly
          bcc: onemoreaddress@hotpop.com

          fad1169020f931de3b2f524b3f0d3c9a
          ..

          So I took it down again .. please help.


          • Steve

            #6
            Re: php e-mail

            > So I tried this ..
            ....
            > $email=$_POST['email'];
            ....
            > $email = preg_replace( '/[\r\n]/', '', $email );
            > $comment=$_POST['comment'];
            ....
            > and today got this:

            > First Name:nachrally8358@xxx.com
            > Last Name:nachrally8358@xxx.com
            > Phone:nachrally8358@xxx.com
            > Their e-mail address is: nachrally8358@xxx.com
            > comment::
            > for
            > Content-Type: text/plain; charset=\"us-ascii\"
            > MIME-Version: 1.0
            > Content-Transfer-Encoding: 7bit
            > Subject: could not so easily have torn himself away. need hardly
            > bcc: onemoreaddress@hotpop.com

            > So I took it down again .. please help.

            The spammer doesn't know that your form is no longer abusable and
            his/her script is still running somewhere - but it is now doing no harm
            apart from being annoying.

            The body of your email shows the headers the spammer is attempting to
            add to the email, but is failing to do so.

            ---
            Steve


            • Feuergold

              #7
              Re: php e-mail

              First I took the script that juglesh posted (sorry about my bad
              English, please), but in the last few weeks I have been deleting a lot
              of posts in my guestbook every day. Therefore I looked for an
              alternative to the replace, and I found this:

              if (preg_match('/bcc\:|Content\-Type\:|cc\:|to\:|MIME\-Version\:/i', $email)) {
                  die("BAD INPUT, NAUGHTY HACKER");
              } else {
                  .....
              }

              Now the time spent deleting the posts every day is gone, and in my
              mail form I do the same, and I hope it is enough to stop the mails
              the hacker has sent through my form.

              Perhaps my little function is good enough to help other people with the
              same problems.

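The keyword lists in posts #4 and #7 block the header names they mention, which is a different thing from blocking the mechanism. The added example below (my code, not juglesh's or Feuergold's) runs Feuergold's pattern beside a structural check on a few constructed inputs: it shows the list flagging harmless comments that happen to contain "to:" or "cc:", and passing an e-mail field that carries a line break followed by a header name the list does not include.

```php
<?php
// Added example (not code from juglesh or Feuergold): Feuergold's keyword
// pattern from post #7 compared with a structural check on constructed input.
declare(strict_types=1);

// Pattern as posted in #7 (with the stray space in "to\ :" removed).
const HEADER_KEYWORDS = '/bcc\:|Content\-Type\:|cc\:|to\:|MIME\-Version\:/i';

function keyword_filter_rejects(string $value): bool
{
    return preg_match(HEADER_KEYWORDS, $value) === 1;
}

// What the injection actually needs is a line break inside a header value, so
// checking for CR/LF/NUL (plus a real address check for the e-mail field)
// rejects every smuggled header without having to list header names.
function structural_check_rejects(string $value, bool $is_email): bool
{
    if (preg_match('/[\r\n\0]/', $value) === 1) {
        return true;
    }
    return $is_email && filter_var(trim($value), FILTER_VALIDATE_EMAIL) === false;
}

// Runs both checks over labelled samples; returns [label => [keyword, structural]].
function compare_checks(array $samples): array
{
    $result = [];
    foreach ($samples as $label => [$value, $is_email]) {
        $result[$label] = [
            'keyword'    => keyword_filter_rejects($value),
            'structural' => structural_check_rejects($value, $is_email),
        ];
    }
    return $result;
}

// Constructed samples: the first has the shape of the payload in post #1,
// the last two are ordinary comments, the final one adds a header name the
// keyword list does not cover.
$samples = [
    'injected e-mail field'         => ["an\nContent-Type: text/plain\nbcc: onemoreaddress@hotpop.com", true],
    'ordinary e-mail'               => ['soandso@soanso.com', true],
    'comment containing "to:"'      => ['Please reply to: my work address, thanks', false],
    'comment containing "cc:"'      => ['See ACC: section 3 of the manual', false],
    'e-mail plus unlisted header'   => ["soandso@soanso.com\nX-Priority: 1", true],
];

foreach (compare_checks($samples) as $label => $r) {
    printf("%-30s keyword=%-5s structural=%s\n", $label,
        $r['keyword'] ? 'block' : 'pass', $r['structural'] ? 'block' : 'pass');
}
```

Running it prints block/block for the injected field, pass/pass for the ordinary address, block/pass for the two innocent comments (the list rejects real visitors) and pass/block for the last sample (the list lets the line break through). Feuergold's die() is a fine response; the point is what to test for: a line break in any value that goes into a header, and a valid address for the e-mail field, rather than a list of words.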