
php e-mail


bokke
Nov 1, 2005, 10:29:24 PM
I have a simple form asking for name, e-mail and comment on page one.
Page two sends the form via e-mail to me and thanks the person for
filling in the form.
But I've started getting this in my inbox. I think I'm being used here
- any ideas? ("Their e-mail address is:" is hard coded.)

Their e-mail address is: an
Content-Type: text/plain; charset=\"us-ascii\"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Subject: take half
bcc: onemore...@hotpop.com

usually I would get,
Their e-mail address is: soa...@soanso.com

here is the e-mail code:

<?php
// Form fields are taken straight from the POST data; nothing is validated.
$fname   = $_POST['fname'];
$lname   = $_POST['lname'];
$phone   = $_POST['phone'];
$email   = $_POST['email'];
$comment = $_POST['comment'];
$to      = "m...@ssoandso.com";

$message = "First Name:$fname\n\nLast Name:$lname\n\nPhone:$phone\n\n"
         . "Their e-mail address is: $email\n\ncomment::\n\n$comment";

// The fourth argument to mail() is raw extra header lines; $email goes in unchecked.
if (mail($to, "E-mail from MySite", $message, "From:$email\n")) {
    echo "Thank you $fname. Your Information has been inserted into my "
       . "contact database and forwarded to my E-Mail address. I'll get "
       . "back to you shortly.";
} else {
    echo "There was a problem sending the message.";
}
?>

Steve
Nov 2, 2005, 10:20:43 AM

> But I've started getting this in my inbox? I think I'm being used here
> - any ideas."Their e-mail address is:" is hard coded

> here is the e-mail code:
...
> $email=$_POST['email'];
...


> if(mail($to,"E-mail from MySite",$message,"From:$email\n")){

Take it down, it is being abused - or is about to be abused - by
spammers.

The last argument to mail() is a list of extra headers and because of
the way your script is structured a custom form or script can submit
extra Bcc: email addresses tagged on to the 'email' form field.

At the very least get rid of any newlines inserted in the 'email'
field:

$email = preg_replace( '/[\r\n]/', '', $email );

---
Steve
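The mechanism Steve describes, as an added example that is not code from the thread. PHP's mail() hands its fourth argument to the mail transfer agent as raw header lines, so the thread's "From:$email\n" becomes one From: line; a CR or LF inside $email ends that line and whatever follows is read as further headers. It is modelled here in Python so it runs stand-alone: build_headers() is a simplified stand-in for the header block mail() emits (the ordering is an assumption, not PHP source), the addresses are placeholders, and PAYLOAD is constructed in the shape of the one bokke received.

```python
import re


def build_headers(to, subject, email):
    """Header block in the shape the thread's mail() call produces (assumed)."""
    return "To: %s\r\nSubject: %s\r\nFrom:%s\n" % (to, subject, email)


def header_fields(raw):
    """Split a header block into (name, value) pairs, one field per line,
    the way a lenient MTA reads it."""
    fields = []
    for line in re.split(r"\r?\n", raw):
        if ":" in line:
            name, value = line.split(":", 1)
            fields.append((name.strip().lower(), value.strip()))
    return fields


def smuggled_recipients(email):
    """Addresses that end up in Bcc:/Cc: purely because of the email field."""
    raw = build_headers("me@example.com", "E-mail from MySite", email)
    return [v for n, v in header_fields(raw) if n in ("bcc", "cc")]


# Constructed payload: same shape as the one in bokke's inbox, placeholder address.
PAYLOAD = ("an\nContent-Type: text/plain; charset=\"us-ascii\"\n"
           "MIME-Version: 1.0\nSubject: take half\nbcc: onemore@example.com\n")

# Deliberately simple address shape; a hypothetical check, not a full RFC 5322 parser.
ADDRESS_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def from_address_or_none(email):
    """Validation to prefer over stripping: refuse any value that is not one
    plain address on one line, instead of repairing it and sending anyway."""
    if re.search(r"[\r\n]", email):
        return None
    if not ADDRESS_RE.fullmatch(email):
        return None
    return email


if __name__ == "__main__":
    print("clean address smuggles:", smuggled_recipients("soandso@example.com"))
    print("payload smuggles:", smuggled_recipients(PAYLOAD))
    print("payload with newlines stripped smuggles:",
          smuggled_recipients(PAYLOAD.replace("\n", "")))
    print("validated payload:", from_address_or_none(PAYLOAD))
```

Stripping the newlines, as Steve suggests, does stop the extra Bcc: line, but it leaves a From: value of "anContent-Type: text/plain; ..." and still sends the mail; rejecting the request when the field is not a single plain address is the stronger check. Separately, putting the visitor's address in From: at all tends to fail SPF/DMARC checks at many receivers; Reply-To: is the conventional place for it.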

feed_sheep
Nov 2, 2005, 10:31:04 AM
>> $email=$_POST['email'];
> ...
>> if(mail($to,"E-mail from MySite",$message,"From:$email\n")){
>
> Take it down, it is being abused - or is about to be abused - by
> spammers.
>
> The last argument to mail() is a list of extra headers and because of
> the way your script is structured a custom form or script can submit
> extra Bcc: email addresses tagged on to the 'email' form field.
>

Can you expand on how this works and how to prevent spammers from using
this? I'm not sure I understand. Thanks!

David


juglesh
Nov 2, 2005, 12:52:54 PM

do this first on the page:

$find = array("/bcc\:/i", "/Content\-Type\:/i", "/cc\:/i", "/to\:/i", "/MIME\-Version\:/i");
$_POST = preg_replace($find, 'BAD INPUT, NAUGHTY HACKER', $_POST);

http://www.anders.com/cms/75/Crack.Attempt/Spam.Relay
http://securephp.damonkohler.com/index.php/Email_Injection

--
juglesh

bokke
Nov 15, 2005, 12:18:36 AM
So I tried this ..

<?php
$fname = $_POST['fname'];
$lname = $_POST['lname'];
$phone = $_POST['phone'];
$email = $_POST['email'];

// Steve's fix: remove any CR/LF so the email field cannot start a new header line.
$email = preg_replace('/[\r\n]/', '', $email);

$comment = $_POST['comment'];
$to      = "mic...@xxx.com";

$message = "First Name:$fname\n\nLast Name:$lname\n\nPhone:$phone\n\n"
         . "Their e-mail address is: $email\n\ncomment::\n\n$comment";

if (mail($to, "E-mail from MySite", $message, "From:$email\n")) {
    echo "Thank you $fname. Your Information has been inserted into my "
       . "contact database and forwarded to my E-Mail address. I'll get "
       . "back to you shortly.";
} else {
    echo "There was a problem sending the message.";
}
?>

and today got this:

First Name:nachra...@xxx.com

Last Name:nachra...@xxx.com

Phone:nachra...@xxx.com

Their e-mail address is: nachra...@xxx.com

comment::

for


Content-Type: text/plain; charset=\"us-ascii\"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

Subject: could not so easily have torn himself away. need hardly
bcc: onemore...@hotpop.com

fad1169020f931de3b2f524b3f0d3c9a
.

So I took it down again .. please help.

Steve
Nov 15, 2005, 4:15:19 AM

> So I tried this ..
...
> $email=$_POST['email'];
...

> $email = preg_replace( '/[\r\n]/', '', $email );
> $comment=$_POST['comment'];
...
> and today got this:

> First Name:nachra...@xxx.com
> Last Name:nachra...@xxx.com
> Phone:nachra...@xxx.com
> Their e-mail address is: nachra...@xxx.com
> comment::
> for
> Content-Type: text/plain; charset=\"us-ascii\"
> MIME-Version: 1.0
> Content-Transfer-Encoding: 7bit
> Subject: could not so easily have torn himself away. need hardly
> bcc: onemore...@hotpop.com

> So I took it down again .. please help.

The spammer doesn't know that your form is no longer abusable and
his/her script is still running somewhere - but it is now doing no harm
apart from being annoying.

The body of your email shows the headers the spammer is attempting to
add to the email, but is failing to do so.

---
Steve

bokke
Nov 21, 2005, 12:23:59 PM
Thanks Steve

Feuergold
Dec 13, 2005, 3:28:19 PM
First I took the script that juglesh posted (sorry about my bad
English please), but in the last few weeks every day I delete a lot of
posts in my guestbook. Therefore I looked for an alternative to the replace,
and I found this:

if (preg_match('/bcc\:|Content\-Type\:|cc\:|to\:|MIME\-Version\:/i', $email)) {
    die("BAD INPUT, NAUGHTY HACKER");
} else {
    ....
}

Now the time spent deleting the posts every day is gone, and in my
mail form I do the same, and I hope it is enough to stop the mails
the hacker has sent through my form.

Perhaps my little function is good enough to help other people with the
same problems.
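The three filters proposed in this thread (Steve's newline strip, juglesh's field-name replace, Feuergold's field-name reject) run side by side over constructed inputs, as an added example that is not code from any of the posters. Each filter takes the raw form value and returns what would reach mail()'s header argument, or None when the filter refuses the request; extra_header_fields() lists the header names an MTA would see after "From:" plus that value. The payloads and the comment text are made up for the comparison, and reject_any_crlf() is the check added here for contrast.

```python
import re

# juglesh's and Feuergold's keyword list, as one case-insensitive alternation.
BAD_FIELDS = re.compile(r"bcc:|Content-Type:|cc:|to:|MIME-Version:", re.I)


def steve_strip_newlines(value):
    # preg_replace('/[\r\n]/', '', $email)
    return re.sub(r"[\r\n]", "", value)


def juglesh_replace_field_names(value):
    # preg_replace($find, 'BAD INPUT, NAUGHTY HACKER', $_POST) - applied to every field
    return BAD_FIELDS.sub("BAD INPUT, NAUGHTY HACKER", value)


def feuergold_reject_field_names(value):
    # if (preg_match(...)) die("BAD INPUT, NAUGHTY HACKER")
    return None if BAD_FIELDS.search(value) else value


def reject_any_crlf(value):
    # Added for contrast: a header field is one line, so any CR/LF is hostile.
    return None if re.search(r"[\r\n]", value) else value


def extra_header_fields(value):
    """Header names that follow the From: line once value is placed after 'From:'.
    None (request refused) yields no headers at all."""
    if value is None:
        return []
    lines = re.split(r"\r?\n", value)[1:]
    return [line.split(":", 1)[0].strip().lower() for line in lines if ":" in line]


# Constructed payloads: one in the shape of the thread's spam attempt, one that
# only uses field names absent from the keyword list.
SPAM_PAYLOAD = "an\nbcc: onemore@example.com\nContent-Type: text/plain\n"
SUBJECT_PAYLOAD = "an\nSubject: take half\nX-Mailer: anything\n"
# Constructed legitimate comment text; 'photo:' happens to contain 'to:'.
LEGIT_COMMENT = "see my photo: http://example.com/me.jpg"


def run_all(value):
    """Header names each filter still lets through for one input."""
    return {
        "steve": extra_header_fields(steve_strip_newlines(value)),
        "juglesh": extra_header_fields(juglesh_replace_field_names(value)),
        "feuergold": extra_header_fields(feuergold_reject_field_names(value)),
        "crlf": extra_header_fields(reject_any_crlf(value)),
    }


if __name__ == "__main__":
    for label, payload in (("spam", SPAM_PAYLOAD), ("subject", SUBJECT_PAYLOAD)):
        print(label, run_all(payload))
    print("juglesh on comment:", juglesh_replace_field_names(LEGIT_COMMENT))
    print("feuergold on comment:", feuergold_reject_field_names(LEGIT_COMMENT))
```

All three filters stop the payload seen in the thread, but the keyword list only covers five field names: a value that injects Subject: or X-Mailer: lines passes both the replace and the die() untouched, while anything that removes or rejects CR/LF stops it regardless of the field name. The keyword approach also mangles ordinary text, since "to:" matches inside "photo:", which is the kind of false positive a guestbook would see.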
