webpage with php mail() function prone to spam?
Thanks

2006-12-16, 6:58 pm

We have an Apache server with a webpage written in PHP.
A few months ago we discovered that tons of spam was being relayed through our
webserver, so we removed the email server link from php.ini.
That stopped the spam, but the 'contact us' form and 'email this page' form
also stopped working.
Note: the 'contact us' form and 'email this page' form use the simple
mail() function to send mail.

Now we have to enable the 'contact us' form and 'email this page' form
again.
So we downloaded PHPMailer from
http://phpmailer.sourceforge.net/
and installed it on our webserver.
This mailer utility allows authentication when communicating with the email
server.
My question is: will this be able to prevent spam?

Thanks for advice.



Justin

2006-12-16, 9:58 pm

Thanks wrote:
> [...]
> This mailer utility allows authentication when communicating with the email
> server.
> My question is will this be able to prevent spams?

Well you could go to the bother of installing a third party app but if
you googled "php email header injection" there are plenty of solutions.
Vince Morgan

2006-12-16, 9:58 pm

"Thanks" <Thanks@work.com> wrote in message
news:45848ea5$1_2@news.tm.net.my...
> [...]
> This mailer utility allows authentication when communicating with the email
> server.
> My question is will this be able to prevent spams?


How are they using 'contact us' for relay? I would think that the first
argument "to" should be a fixed value. Without being able to change that
they could only spam that one address.
However, the 'email this page' is another story.
You could check that the body, or subject, depending on how you set it up,
is a URL first. Then that the URL matches only those from your site.
Of course they could circumvent that but without knowing why the emails
aren't sending in the first place, it would be very difficult for them.
Hopefully difficult enough to make it altogether very unattractive.
Of course you wouldn't send back a page describing the reason for the error
:)
You could look at using a "captcha" image as well.
I'll be interested in reading others' solutions too.

HTH
Vince Morgan


Norman Peelman

2006-12-17, 3:58 am

"Thanks" <Thanks@work.com> wrote in message
news:45848ea5$1_2@news.tm.net.my...
> [...]
> This mailer utility allows authentication when communicating with the email
> server.
> My question is will this be able to prevent spams?


Google for 'obfuscate email' and you'll find what you need. Here's one
example:

http://www.fingerlakesbmw.org/main/flobfuscate.php



Norm
--
FREE Avatar hosting at www.easyavatar.com


Thanks

2006-12-17, 3:58 am


"Justin" <legrice@nix2spam.i4free.co.nz> wrote in message
news:4584ab29@clear.net.nz...
> Well you could go to the bother of installing a third party app but if you
> googled "php email header injection" there are plenty of solutions.


Thanks, I found some interesting reading here:
http://www.securephpwiki.com/index.php/Email_Injection


Vince Morgan

2006-12-17, 3:58 am

"Vince Morgan" <vinhar@REMOVEoptusnet.com.au> wrote in message
news:4584aba3$0$16557$afc38c87@news.optusnet.com.au...

> [...]
> You could look at using a "captcha" image as well.
> I'll be interested in reading others' solutions too.
>
> HTH
> Vince Morgan

A very naive reply. I should have examined header injection long ago.
What I didn't know was far far more than I actually did know :)
Sorry for the idiotic reply.
Vince Morgan


peter

2006-12-17, 7:58 am


> Google for 'obfuscate email' and you'll find what you need. Here's one
> example:
>
> http://www.fingerlakesbmw.org/main/flobfuscate.php


How is that going to help stop spam on a contact form? That is simply for
making it hard for spammers to get your address if you display it on a
webpage. The OP's email is not being displayed at all.


Ric

2006-12-17, 7:58 am

Vince Morgan wrote:
> A very naive reply. I should have examined header injection long ago.


If one allows header injection he should not develop any kind of software.

Basic principle: when a user has to fill in info, you tell him whether the
input is within the expected range. For email this means checking that he
entered name@domain.
You don't even have to know about header injection; you just have to
follow basic principles. The above would make sure there is no header injection.

> What I didn't know was far far more than I actually did know :)
> Sorry for the idiotic reply.
> Vince Morgan
>
>

Norman Peelman

2006-12-17, 6:58 pm

"peter" <submit@flexiwebhost.com> wrote in message
news:em3515$fvj$1@aioe.org...
> How is that going to help stop spam on a contact form? That is simply for
> making it hard for spammers to get your address if you display it on a
> webpage. The OP's email is not being displayed at all.

My misunderstanding. It's a good thing to know anyway! :) Now what they
are looking for are some simple checks against the form input fields. I
believe someone else provided a link for a good explanation on email
injection. Here is a class
http://framework.zend.com/manual/en/zend.mail.html that says it has some
protection built in. I have found that by using regexes to validate my
email forms I have prevented a lot of spam from my sites (well, I've not seen
any anyway). Example:

--validate email--

if (isset($_POST['field1']))
{
    // The original POSIX pattern (local-part@label(.label)+tld) as a PCRE for
    // preg_match(), since eregi() no longer exists in PHP 7. The 'D' modifier
    // keeps '$' at the very end of the string, as ereg's '$' was, so an address
    // with a trailing newline cannot slip through.
    $pattern = '/^[-!#$%&\'*+.\/0-9=?A-Z^_`a-z{|}~]+@([-!#$%&\'*+\/0-9=?A-Z^_`a-z{|}~]+\.)+[a-zA-Z]{2,6}$/iD';

    // stop unwanted email hosts here
    $unwanted = array(
        'spamhole', 'mytrashmail', 'mailexpire', 'spamgourmet', 'mailinator',
        'woodyland', 'spammotel', 'sneakmail', 'jetable'
    );
    foreach ($unwanted as $value)
    { // first void unwanted email domains (case-insensitive substring match)
        if (stripos($_POST['field1'], $value) !== false)
        {
            header('Location: http://www.mydomain.com/error.php?error=5');
            exit;
        }
    }
    // now validate email if we're still here
    if (preg_match($pattern, $_POST['field1']))
    { // email passed verification
        // ... do your thing here
    }
}
---

Before anyone starts, I know this may or may not be the best 'pattern'
for validating email but, I'm on Windows and I haven't had much luck with
the workarounds of not being able to use getmxrr(). It's close enough for me
(for now).

Norm


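An added example, not code from the thread, that puts Ric's "basic principle" (accept only a well-formed name@domain), Vince's fixed-recipient and own-site-URL checks, and an outright refusal of any header break together in front of mail(); CONTACT_TO, SITE_HOST and the function names are assumptions:

```php
<?php
// Added example, not code from the thread: Ric's "basic principle" (accept only a
// well-formed name@domain), Vince's fixed recipient and own-site URL checks, and a
// refusal of any header break, all in front of mail(). Names below are assumptions.

const CONTACT_TO = 'webmaster@example.com'; // fixed recipient, never taken from the form
const SITE_HOST  = 'www.example.com';       // the only host "email this page" may point at

// A CR or LF in any value that reaches a header is what header injection needs;
// refuse such input outright instead of trying to clean it up.
function has_header_break(string $value): bool
{
    return preg_match('/[\r\n]/', $value) === 1;
}

// Exactly one syntactically valid address and nothing else.
function valid_reply_address(string $addr): bool
{
    return !has_header_break($addr)
        && filter_var($addr, FILTER_VALIDATE_EMAIL) !== false;
}

// "email this page": the submitted URL must be an http(s) page on our own site.
function is_site_url(string $url): bool
{
    $p = parse_url($url);
    return is_array($p)
        && isset($p['scheme'], $p['host'])
        && in_array(strtolower($p['scheme']), ['http', 'https'], true)
        && strtolower($p['host']) === SITE_HOST;
}

// Returns the [to, subject, message, headers] arguments for mail(), or null when
// the input is unsafe; the caller then sends nothing and explains nothing.
function contact_mail_args(string $from, string $subject, string $body): ?array
{
    if (!valid_reply_address($from) || has_header_break($subject)) {
        return null;
    }
    $headers = 'From: ' . CONTACT_TO . "\r\n" . 'Reply-To: ' . $from . "\r\n";
    return [CONTACT_TO, $subject, $body, $headers];
}

// Constructed inputs: a clean submission is accepted, an address carrying an extra
// header line is refused, and a page on another host fails the site check.
var_dump(contact_mail_args('visitor@example.org', 'Hello', 'Nice site') !== null);
var_dump(contact_mail_args("visitor@example.org\r\nX-Injected: yes", 'Hello', 'Nice site') === null);
var_dump(is_site_url('http://www.example.com/products.php'), is_site_url('http://other.example.net/'));
```

The four values returned by contact_mail_args() are passed straight to mail(); when it returns null the form handler should simply not send.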
J.O. Aho

2006-12-17, 6:58 pm

Norman Peelman wrote:

> Before anyone starts, I know this may or may not be the best 'pattern'
> for validating email but, I'm on Windows and I haven't had much luck with
> the workarounds of not being able to use getmxrr(). It's close enough for me
> (for now).


From the manual page:

Note: This function is not implemented on Windows platforms. Try the PEAR
class Net_DNS.

You could still check the domain with gethostbyaddr(), except you will deny
those addresses that don't have a valid ip, but a valid MX record.

Sadly without getmxrr() you can't do a check directly against the mailserver
to validate the e-mail address, for me it would feel quite crippled to not be
able to use getmxrr().


--

//Aho


Thanks

2006-12-17, 6:58 pm


"Ric" <antispam@randometry.com> wrote in message
news:em38b0$1mp$1@online.de...
> If one allows header injection he should not develop any kind of software.
>
> Basic principle: when a user has to fill in info you tell him if the
> input is within the expected range if it comes to email this means,
> checking if he entered name@domain.
> You don't even have to know about header injection you just have to
> follow basic principles, above would make sure there is no header
> injection.
>

The company responsible for developing our website doesn't want to answer
our calls/emails about solving the problem.
I haven't checked whether the spam was caused by header injection or not
because I am not the technical support for our webserver.
I only know the spam came in, and the technical support disabled the email server
link from the webserver and that stopped the spam.



Norman Peelman

2006-12-17, 6:58 pm

"J.O. Aho" <user@example.net> wrote in message
news:4ul2r5F187ua0U1@mid.individual.net...
> Norman Peelman wrote:
> [...]
>
> From the manual page:
>
> Note: This function is not implemented on Windows platforms. Try the PEAR
> class Net_DNS.
>
> You could still check the domain with gethostbyaddr(), except you will deny
> those addresses that don't have a valid ip, but a valid MX record.
>
> Sadly without getmxrr() you can't do a check directly against the mailserver
> to validate the e-mail address, for me it would feel quite crippled to not be
> able to use getmxrr().
>
> --
>
> //Aho


I took a look at that while I was responding the first time. I thought I
had looked before too. I just haven't had much luck getting those
workarounds to work. I should try a little harder but I think I'll be
switching to Linux soon anyway.

Norm



J.O. Aho

2006-12-17, 6:58 pm

Norman Peelman wrote:
> I took a look at that while I was responding the first time. I thought I
> had looked before too. I just haven't had much luck getting those
> workarounds to work. I should try a little harder but I think I'll be
> switching to Linux soon anyway.


*nods*
I think you won't be disappointed, just spend a bit of time thinking about what you
want and then select which distro to use; www.distrowatch.com has a bit of
information about most of them.


--

//Aho


Vince Morgan

2006-12-17, 6:58 pm

"Ric" <antispam@randometry.com> wrote in message
news:em38b0$1mp$1@online.de...
> If one allows header injection he should not develop any kind of software.
>

In principle I would have to agree. However, with the exception that I have
developed a lot of software that is very safe from such attacks.
Not because I knew about them and accounted for them, but because the
software I've developed previously had either nothing whatsoever to do with
email, or the internet. With the possible exception of a peer to peer chat
program, that had no email or similar capabilities.
The issues involved are quite different in almost all cases.
However, in principle, I most certainly should have paid much more attention
to security prior to this.
Header injection is not a common programming consideration, but quite
specific to certain types of software, and certainly SMTP.
My foray into PHP has been too hasty, no doubt whatsoever.

Thanks,
Vince Morgan


Copyright 2008 codecomments.com