My email script got hijacked!

BroCaptRace

My website was shutdown when some jerk put a spambot in my email script. Is there anyway to fix it so that this won't happen again?

Here's the code I was using:

<?php
if (($_POST[sender_email]== "") ||($_POST[message] == "")){
header("Location: http://www.myWebsite.net/contact.html");
exit;
}

$msg = "Sender's Name:\t$_POST[sender_name]\n";
$msg .= "Sender's E-mail:$_POST[sender_email]\n";
$msg .= "Message Topic:\t$_POST[topic]\n";
$msg .= "Message:\t$_POST[message]\n\n";

$mailheaders = "From: MY WEBSITE <me@myWebsite.net>\n";
$mailheaders .= "Reply-To: $sender_email\n\n";

mail("myEmail@juno.com", "MY WEBSITE: $_POST[topic]", $msg, $mailheaders);

echo "<h1 align=center>Thank You, $_POST[sender_name]</h1>";
echo "<p align=center>I appreciate your visit, and hope to reply soon!</p>";
?>

It is simple and, unfortunately, vulnerable. Any advice?

MarkR

It's not clear where $sender_email is coming from, but if it's the form, then you definitely need to santise it.

Idea 1:

Do not put ANYTHING the user could have supplied anywhere in any header.

Idea 2:

If you absolutely have to put some user-supplied data in the header, make absolutely certain it contains no newlines, tabs, colons, nulls or other weird characters. Your best bet would be matching it against an expression which contains the set of characters it's allowed.

Idea 1 is by far the most preferable.

Mark

crazychris

for lots of good advice and background, have a look at this:
http://securephp.damonkohler.com/index.php/Email_Injection

BroCaptRace

Thanks for the help, I really appreciate it.