Hi,

I'm having a serious problem with the emails generated by php mail script on my sites.

All works perfectly well (or has done up to now)
There is nothing wrong with the script.

Here is an example of the script:

<?php

  // Read the submitted form fields
  $x_email = $_REQUEST['x_email'];
  $x_name = $_REQUEST['x_name'];
  $x_surname = $_REQUEST['x_surname'];
  $x_phone = $_REQUEST['x_phone'];
  $x_message = $_REQUEST['x_message'];
  $x_mate = $_REQUEST['x_mate'];

  // The submitted address is used as-is in the From header
  mail( "example@example.com", "BIOFONA WEB ENQUIRY",
    "
NAME = $x_name

EMAIL = $x_email

PHONE = $x_phone

MESSAGE = $x_message


", "From: $x_email" );

?>

The sender's email address is specified and showing correctly on the emails (for instance $x_email is replaced by the email address of the person who has filled the form such as me@myaddress.com).

all perfect.

However, when the email is processed by the server the email is "processed" and "sent" using the server default address "anonymous@example.net"
This seems to be the address used by the server to process all emails sent via php mail.

This has recently caused all those emails to fail being sent and get stuck in the server mail queue for not being sent from a "genuine address"

I hope I'm explaining myself clearly...

Basically the sender looks like me@myaddress.com (and when received would show as such), but as me@myaddress.com is not hosted on that server the email is actually processed and sent by the server using "anonymous@example.net", the default email address of the server.

This now seems to be unacceptable by my webhost / spam settings.

Could I format anything differently to make this work?

Thanks for your help,

Vinny

    In your php.ini file the address needs to be set under the
    [mail function]
    sendmail_from = youremail@yourdomain.com

    You might need to get your ISP to change it on the Server.

    I'm sure there are other ways to set this in your PHP code, but I haven't managed to get it right.

      [man]ini_set[/man] should let you change the default sender address.

      You could also try adding -fyouremail@yourdomain.com as the 5th parameter of the mail() function. More info on this parameter can be found in the manual: [man]function.mail[/man].

        Thank you.

        Do you know how to make this kind of script more secure?

        They seem to be used a lot by spammers to send their crap.

        Is there a way to tighten up the security of the PHP mail function?

        Thanks,

        Vinny

          Validate any user-supplied data you put into the headers (e.g. $x_email); make sure it is what you think it is (e.g. strip out any new lines).

            Thank you,

            but I don't understand the answer at all.

            $x_email would be the inputted email address from the form

            How do I "validate" it?

            Do you mean in my form?

            This is already in place, but I'm not sure what you mean and what "extra lines" are.

            I am not even sure if the spammers use the form to spam or hack the mail.php file the form action is pointing to.

            Thanks for your help.

            Vinny

              vinny199 wrote:

              How do I "validate" it?

              Do you mean in my form?

              This is already in place

              Really? In the code you posted, there is absolutely no validation being done.

              vinny199 wrote:

              I'm not sure what you mean and what "extra lines" are.

              Well, e-mail headers are separated by line breaks. Since you're inputting user-supplied data into the headers section, if a malicious spammer were to insert line breaks, s/he could easily add headers and content to the message. That's why you should either a) validate the e-mail with a regexp, or b) strip out any new lines (\r or \n) from the variable before inserting it into the e-mail headers.

                I'm sorry,

                I don't really understand what I need to do.

                When I meant "validation", I meant I have a Javascript "validation code" on the FORM page, to check it's a valid email address etc.

                But no, I do not have any code for that on the php mail page.

                Could you possibly point me towards a practical example of what you describe, showing me how it should be formatted?

                Thanks,

                Vinny

                  vinny199 wrote:

                  I meant I have a Javascript "validation code" on the FORM page, to check its a valid email address etc.

                  Client-side validation should never be trusted. What if they don't have Javascript enabled (e.g. the popular NoScript plugin for FireFox)? Or, if it's a spammer, they're certainly not going to use a browser, let alone anything that understands (or cares to parse) Javascript code.

                  To validate e-mail addresses, it's common to use [man]preg_match[/man] along with a regular expression. As to which expression to use... well, that's up to you; there are TONS of them out there. Here is one site that discusses how to validate an e-mail address using a regular expression.
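
A server-side version of the handler from the first post, added here as an example and not written by anyone in the thread: it rejects line breaks with preg_match, checks the address with PHP's built-in filter_var (used in place of a hand-written regular expression), and sends from a fixed address with the visitor's address in Reply-To. It assumes youremail@yourdomain.com is a mailbox hosted on the sending server and that the form is submitted by POST; the function names are hypothetical.

```php
<?php
// Added example, not the original poster's code. Assumes youremail@yourdomain.com
// is a mailbox hosted on the sending server; the function names are hypothetical.

// Return the address if it is safe to place in a header, or null otherwise.
function valid_email($value)
{
    $value = trim((string) $value);
    // A CR, LF or NUL would let the submitter start a new header line.
    if (preg_match('/[\r\n\0]/', $value)) {
        return null;
    }
    $checked = filter_var($value, FILTER_VALIDATE_EMAIL);
    return $checked === false ? null : $checked;
}

// Body fields cannot add headers; normalise line endings and cap the length.
function clean_text($value, $max)
{
    $value = str_replace(array("\r\n", "\r"), "\n", trim((string) $value));
    return substr($value, 0, $max);
}

// Build and send the enquiry; returns false when the input is rejected.
function send_enquiry(array $form)
{
    $email = valid_email($form['x_email'] ?? '');
    if ($email === null) {
        return false; // reject instead of trying to repair a hostile value
    }
    $name    = clean_text($form['x_name'] ?? '', 100);
    $phone   = clean_text($form['x_phone'] ?? '', 40);
    $message = clean_text($form['x_message'] ?? '', 5000);

    $body = "NAME = $name\n\nEMAIL = $email\n\nPHONE = $phone\n\nMESSAGE = $message\n";
    // Fixed From on our own domain; the visitor's address only goes in Reply-To.
    $headers = "From: youremail@yourdomain.com\r\nReply-To: $email";
    // 5th parameter sets the envelope sender, as suggested earlier in the thread.
    return mail("example@example.com", "BIOFONA WEB ENQUIRY", $body, $headers,
        "-fyouremail@yourdomain.com");
}

if (PHP_SAPI === 'cli') {
    // Constructed test values: a normal address and one carrying an extra header.
    var_dump(valid_email("me@myaddress.com"));
    var_dump(valid_email("me@myaddress.com\r\nBcc: someone@example.org"));
} elseif ($_SERVER['REQUEST_METHOD'] === 'POST' && !send_enquiry($_POST)) {
    http_response_code(400);
    echo "Please enter a valid e-mail address.";
}
```

Run from the command line, the script only exercises valid_email() on the two constructed values and sends nothing.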
