[RESOLVED] how can i stop mail() getting spammed ?

VisionsOfCody

I always thought that using mail() was a sure way of not getting spammed from my website - but last night i uploaded a new version of my contact page and this morning I've started getting automatic spams from that page - I know it's coming from that page because the subject line is the one i use in my $subject

how on earth can they be spamming me from that page? is it my code (see below) that has a hole in it ? or is it a server security problem ? what can i do to prevent this ?

here's my code :

<? 

if(isset($_POST['_SEND']) && ($_POST['name'] != "") && ($_POST['email'] != "") && ($_POST['message'] != "")){


$to      = 'info@hugoscott.com';
$subject = 'Un message du site';
$message = 'Un message envoyé par '.$_POST['name']."\n";
$message .= stripslashes(wordwrap($_POST['message'], 70));
$headers = 'From: ' . $_POST['email'] . "\n" .
'X-Mailer: PHP/' . phpversion();

$sm = mail($to, $subject, $message, $headers);

echo '<div>';

if (!$sm) {
	print "<div><span style=\"color:red\">Votre message n'a pas pu être envoyé</span></div>";
}else{
 	print "<div>Votre message est envoyé, merci</div>";
} 

echo '</div>';








}else{

if(isset($_POST['_SEND']) && ($_POST['name'] == "")){
	$nameError = '<span style="color:red">Vous ne m\'avez pas dit votre nom : </span><br />';
}else{
	$nameError = '';
}

if(isset($_POST['_SEND']) && ($_POST['email'] == "")){
	$emailError = '<span style="color:red">Vous ne m\'avez pas dit votre e-mail : </span><br />';
}else{
	$emailError = '';
}

if(isset($_POST['_SEND']) && ($_POST['message'] == "")){
	$messageError = '<span style="color:red">Vous ne m\'avez pas laissé un message : </span><br />';
}else{
	$messageError = '';
}

echo '<div>
		<div id="mailholder"><form name="mailform" action="contact.php" method="post">

'.$nameError.'
<label for="name">Nom : </label>
<input type="text" name="name" value="'.$_POST['name'].'" /><br />
'.$emailError.'
<label for="email">Email :</label>
<input type="text" name="email" value="'.$_POST['email'].'" /><br />
'.$messageError.'
<label for="message">Message :</label>
<textarea name="message">'.$_POST['message'].'</textarea><br />

<input type="submit" name="_SEND" id="submitbutton" value="Submit" />

</form>
			</div>
		</div>';

}

?>

and this is what the e-mails look like :

Un message envoyé par 

Content-Type: multipart/alternative; 

          boundary=b535d413b7bde9f53bb9b606d741dbc5

Subject: 

cc: buletmann@aol.com



--b535d413b7bde9f53bb9b606d741dbc5

Content-Transfer-Encoding: 7bit

Content-Type: text/plain







--b535d413b7bde9f53bb9b606d741dbc5

Content-Transfer-Encoding: base64

Content-Type: text/plain







--b535d413b7bde9f53bb9b606d741dbc5--

Since I started typing this message I've received another 10 or so mails from the same spam thing

arg !

help !!

VisionsOfCody

aha!

I found what it was : header injection

I put this in the code just after the incoming $_POST variables :

$from = $_POST['email'];	
if (eregi("\r",$from) || eregi("\n",$from)){
	die("Why ?? :(");
}

and that seems to have done the trick

hope this helps someone else

cahva

I myself use these 2 functions:

function has_no_newlines($text)
{       

        return preg_match("/(%0A|%0D|\\n+|\\r+)/i", $text) == 0;
}

function has_no_emailheaders($text)
{       

        return preg_match("/(content-type:|to:|cc:|bcc:)/i", $text) == 0;
}

I go through $_POST and if input field is "text", I check for newlines and headers. If its a textarea, I check for headers.

VisionsOfCody

I like your solution - that's even better

however what i don't understand is how they managed to send a whole load of spams from the form on the page - how can you automate that ?

Then I thought maybe they have some kind of function that will analyse the form and send $_POST variables with the right name to the target file in the action of the form

I think that would probably work

but is it possible to put a thing in my code so that it will only accept $_POST vars from the file that has the url "http://www.mydomain.com/contact.php" ? is there some kind of referer thing i can do ? - I'm not sure how that stuff works

thanks

VisionsOfCody

I've just been trying to use your function and I can't work out the correct way to call them -

It's the "== 0;" at the end that i don't understand the syntax of ....

cahva

At simplest use it would be:

// Check incoming post
foreach($_POST as $k=>$v) {
	// $_POST['message'] is textarea type
	if ($k == 'message') {
		if (!has_no_emailheaders($v))
			die();
	} else {
		if (!has_no_newlines($v))
			die();
		if (!has_no_emailheaders($v))
			die();
	}
}

To answer your earlier question how they do that is simple. They dont send you the form through your page at all. They probably use CURL or something similar to send via post from their own script.

Usually their scripts arent even clever. They fill every input the form has(even the reset types).

One way of preventing the usage from outside is to use $_SERVER['HTTP_REFERER'] in the page that you parse and email the form. Ofcourse this can be anything if spammer sets in their script but its a bonus check bcos not every spammmer fake the http_referer.

VisionsOfCody

thank you very much - that's exactly what i wanted to know
cheers !

snowbrasil

Cahva,

Where do I put this function, on the from or on the php script that processes the form? And where does it go in the code?

Thanks a lot

VisionsOfCody

I put that bit of code into an 'if' condition

the 'if' condition checks that the required fields are not empty and that the $_SERVER['HTTP_REFERER'] is the contact form at my domain name

if all of the above conditions are met it runs the bit of code posted by Cahva and then, if it doesn't detect any incorrect input data, it moves on to formatting the variables for the mail() function

if(isset($_POST['_SEND']) && ($_POST['name'] != "") && ($_POST['email'] != "") && ($_POST['message'] != "") && ($_SERVER['HTTP_REFERER'] == "http://www.mydomain.com/contact.php")){

foreach($_POST as $k=>$v) {    
	if ($k == 'message') { // $_POST['message'] is textarea type
   		if (!has_no_emailheaders($v)){
			print "<div><span style=\"color:red\">Put failure message here</span></div>";
       		die();
		}
	 } else {
    	if (!has_no_newlines($v)){
			print "<div><span style=\"color:red\">Put failure message here</span></div>";
       		die();
		}
    	if (!has_no_emailheaders($v)){
			print "<div><span style=\"color:red\">Put failure message here</span></div>";
        	die();
		}
	}
} 


$to      = 'person@domain.com';
$subject = 'A message from my site';
$message = 'A message sent by '.$_POST['name']."\n\n";
$message .= stripslashes(wordwrap($_POST['message'], 70));
$headers = 'From: ' . $_POST['email'] . "\n" .
'X-Mailer: PHP/' . phpversion();

$sm = mail($to, $subject, $message, $headers);

echo '<div>';

if (!$sm) {
	print "<div><span style=\"color:red\">Put failure message here</span></div>";
}else{
 	print "<div>Your message has been sent, thanks</div>";
} 

echo '</div>';





}else{

// here is where I put my error message handling if the required fields are not completed

....

hope this helps

snowbrasil

Is there a way to test if it works?

That's what I have so far after adding the above code.

<?

function has_no_newlines($text)
{       

        return preg_match("/(%0A|%0D|\\n+|\\r+)/i", $text) == 0;
}

function has_no_emailheaders($text)
{       

        return preg_match("/(content-type:|to:|cc:|bcc:)/i", $text) == 0;
} 

  foreach($_POST as $k=>$v) {    

        if ($k == 'message') { // $_POST['message'] is textarea type
               if (!has_no_emailheaders($v)){
                print "<div><span style=\"color:red\">Put failure message here</span></div>";
                   die();
            }
            } else {
            if (!has_no_newlines($v)){
                print "<div><span style=\"color:red\">Put failure message here</span></div>";
                   die();
            }
            if (!has_no_emailheaders($v)){
                print "<div><span style=\"color:red\">Put failure message here</span></div>";
                die();
            }
           }
    } 

$subject = "SNOWBRASIL [Guestbook]";
$hora_errada=date("U");
$hora_certa=$hora_errada + 14400;
$data=date("d/m/y", $hora_certa);
$hora=date("h:i:s", $hora_certa);
$recipient= "yan@snowbrasil.com.br";
$message .= ( "IP = " . $REMOTE_ADDR . "\n");
$message .= ( "Data = " . $data . "\n");
$message .= ("nome = " . $_REQUEST['nome'] . "\n");
$message .= ("email = " . $_REQUEST['email'] . "\n");
$message .= ("cidade = " . $_REQUEST['cidade'] . "\n");
$message .= ("estado = " . $_REQUEST['estado'] . "\n");
$message .= ("país = " . $_REQUEST['pais'] . "\n");
$message .= ("homepage = " . $_REQUEST['homepage'] . "\n");
$message .= ("mensagem = " . $_REQUEST['msg'] . "\n");
$message .= ("origem = " . $_REQUEST['origem'] . "\n");
	$headers .= ("From: " . $_REQUEST['nome'] . " <" . $_REQUEST['email'] . ">\n");
	$headers .= ("X-Sender: " . $_REQUEST['email'] . "\n"); 
	$headers .= "X-Mailer: PHP\n";
	$headers .= "X-Priority: 1\n";
	$headers .= ("Return-Path: " . $_REQUEST['email'] . "\n");
	$para = ($to . " <" . $recipient . ">");



mail($para, $subject, $message, $headers);

?>

Does it look right?

Thanks so much

cahva

Unfortunately it does not look right 🙁

Change those $REQUEST:s to $POST. Now you check $POST array but use $REQUEST later.Whats up with that? 🙂 So spammers could possibly use your script via url($GET) or even cookie variables. I have never used $REQUEST in my life and theres not really a need to use that IMHO.

snowbrasil

I thought I had to use $request if register_globals is off. Can I use $post even if register_globas is off?

Thanks

snowbrasil

Does it look right now?

<?

function has_no_newlines($text)
{

return preg_match("/(%0A|%0D|\n+|\r+)/i", $text) == 0;
}

function has_no_emailheaders($text)
{

return preg_match("/(content-type😐to😐cc😐bcc🙂/i", $text) == 0;
}

foreach($POST as $k=>$v) {

if ($k == 'message') { // $POST['message'] is textarea type
if (!has_no_emailheaders($v)){
print "<div><span style=\"color:red\">Put failure message here</span></div>";
die();
}
} else {
if (!has_no_newlines($v)){
print "<div><span style=\"color:red\">Put failure message here</span></div>";
die();
}
if (!has_no_emailheaders($v)){
print "<div><span style=\"color:red\">Put failure message here</span></div>";
die();
}
}
}

$subject = "SNOWBRASIL [Guestbook]";
$hora_errada=date("U");
$hora_certa=$hora_errada + 14400;
$data=date("d/m/y", $hora_certa);
$hora=date("h:i:s", $hora_certa);
$recipient= "yan@snowbrasil.com.br";
$message .= ( "IP = " . $REMOTE_ADDR . "\n");
$message .= ( "Data = " . $data . "\n");
$message .= ("nome = " . $POST['nome'] . "\n");
$message .= ("email = " . $POST['email'] . "\n");
$message .= ("cidade = " . $POST['cidade'] . "\n");
$message .= ("estado = " . $POST['estado'] . "\n");
$message .= ("país = " . $POST['pais'] . "\n");
$message .= ("homepage = " . $POST['homepage'] . "\n");
$message .= ("mensagem = " . $POST['msg'] . "\n");
$message .= ("origem = " . $POST['origem'] . "\n");
$headers .= ("From: " . $POST['nome'] . " <" . $POST['email'] . ">\n");
$headers .= ("X-Sender: " . $POST['email'] . "\n");
$headers .= "X-Mailer: PHP\n";
$headers .= "X-Priority: 1\n";
$headers .= ("Return-Path: " . $POST['email'] . "\n");
$para = ($to . " <" . $recipient . ">");
mail($para, $subject, $message, $headers);
?>

cahva

Yep, now its good. Check out manual and section predefined variables. It'll tell you everything about $GET, $POST and other superglobals.

snowbrasil

I am still getting spammed. I would really appreciate if someone could try to help me out.

Thanks

cahva

Well what does the spam-mail look like? It cant be like the first example you gave because the checks WILL stop if the spammers have cc: or
Content-Type: in there..

There was one mistake with the code that spammers could use. You didnt initialize $headers or $message variables. These could be used by spammers if they quess what have you named your variables because you have register_globals set to on

So for the first line with $message, take the dot(.) off:

$message = ( "IP = " . $REMOTE_ADDR . "\n");
$message .= ( "Data = " . $data . "\n");
...

And same for the $headers:

$headers = ("From: " . $_POST['nome'] . " <" . $_POST['email'] . ">\n");
$headers .= ("X-Sender: " . $_POST['email'] . "\n");
..

EDIT:
Ok. Now I see the problem. Your form has the texarea named msg but you look in the checks:

if ($k == 'message') { // $_POST['message'] is textarea type

replace with:

if ($k == 'msg') { // $_POST['msg'] is textarea type