-
Running Plodding & Limping
Help, my php mail script keeps getting attacked and used for spam!
This is the 2nd time this has happened to me. The first time I was a bit stupid in having the script named as a rather obvious "sendMail.php" in a folder called "forms". I renamed it something more cryptic like "itemAsk.php" and in a folder called "myAssets" and for months it was fine.
Yesterday I started getting hundreds of messages to my "[email protected]" all populated with gibberish, a tell-tale sign the script was being abused. I contacted my webhost support and told them there was a problem, their ever so helpful response was to tell me "your script itemAsk.php was sending spam and has now been disabled, please contact us should you have any other problems"!
Good eh?
The recipient var is hardcoded in the php script as "[email protected]" and to be honest I don't really know how I can stop the script being taken over, I still don't understand how it was done.
Anyone got any tips as to better protect it?
Thanks
-
Bearded (M|G)od
Check to make sure that the php file has been POSTed to would be the first step, and make sure to collect the vars from POST using $_POST[]. $_GET[] vars are easily exploited. The next step would be to look into a captcha. It's one of those funky letter/number things you see nowadays for signing up and submitting forms to places now to prevent bots. Just google "php captcha" and you'll get tons of examples.
-
Running Plodding & Limping
by "captcha" do you mean those pictures where you have to identify the word and/or numbers in order to submit?
Good idea that, might do that, cheers fella.
-
Bearded (M|G)od
yep. There are quite a few just simple plug-in examples out there. It's a fairly easy concept too. Basically, a php script is used to generate the image. At the same time, a session variable is set with that string that was used in the image. On the next page before it submits, it verifies what the user input with the session variable.
-
Hi,
about the potential abuse:
a) make sure that data from the web does not get into headers without checking. If your form puts, e.g., the submitter's email into a From field, the form could be supplied with an email address, a new line, Bcc: and a list of target addresses.
One possible action for your script is to do nothing if newlines are detected, the other one to remove unwanted stuff. I generally prefer the first approach.
b) using GET or POST does not make much difference w.r.t. spam. However, GET parameters may be recorded in the browser history and cause a privacy problem
Musicman
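An added example (not code from the thread) showing the check Musicman describes in the style of the script being discussed: any form value carrying CR, LF or NUL is refused before it can reach a mail header, and the address is additionally validated with PHP's filter_var(). It assumes PHP 7.1 or newer; the sender address and the sample inputs are constructed for illustration.

```php
<?php
// A single-line form field never legitimately contains CR or LF, so
// treat either (and NUL) as an attempt to smuggle in extra header lines.
function header_value_is_safe(string $value): bool
{
    return preg_match('/[\r\n\0]/', $value) !== 1;
}

// Build the additional-headers block for mail(); null means "do not send".
function build_mail_headers(string $replyTo): ?string
{
    if (!header_value_is_safe($replyTo)) {
        return null;   // newline smuggled in: do nothing, as advised above
    }
    if (filter_var($replyTo, FILTER_VALIDATE_EMAIL) === false) {
        return null;   // not even syntactically an address
    }
    $headers  = "MIME-Version: 1.0\r\n";
    $headers .= "Content-type: text/html; charset=iso-8859-1\r\n";
    $headers .= "From: Website <forms@example.com>\r\n";  // hard-coded, never from the form
    $headers .= "Reply-To: $replyTo";                      // last header, no trailing CRLF
    return $headers;
}

// Constructed inputs: a normal address and the Bcc-injection shape described above.
$good = 'visitor@example.org';
$bad  = "visitor@example.org\r\nBcc: one@example.net, two@example.net";

var_dump(build_mail_headers($good) !== null);  // bool(true)
var_dump(build_mail_headers($bad));            // NULL: the Bcc line never reaches mail()

// Call site for a script like itemAsk.php (name taken from the thread):
// $mailheaders = build_mail_headers($_POST['email'] ?? '');
// if ($mailheaders === null) { exit('Please check your email address.'); }
// mail($recipient, $subject, $msg, $mailheaders);
```

Newer PHP releases also reject extra newlines inside the additional headers passed to mail(), but checking the input yourself keeps the behaviour independent of the runtime and lets you log the attempt.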
-
Running Plodding & Limping
cheers Musicman
I think you're right and it's the From bit that's causing problems, the BCC would make sense as I get emails populated with just rubbish and I guess there's about 300 people on each one that get copies of it.
There's only 2 vars passed from POST, "email" and "comments", I've got the headers set as below:
--------------------------
//email vars
$recipient = "[email protected]";
$subject = "Enquiry from Website - $tableSelect - $stockNumber";
// To send HTML mail, the Content-type header must be set
$mailheaders = 'MIME-Version: 1.0' . "\r\n";
$mailheaders .= 'Content-type: text/html; charset=iso-8859-1' . "\r\n";
//additional headers (every header line must end in the same \r\n)
$mailheaders .= "From: Website <[email protected]>\r\n";
$mailheaders .= "Reply-To: $_POST[email]";
//send it
mail($recipient,$subject,$msg,$mailheaders);
//redirect if successful
header("Location: http://www.mydomain.com/thankYou.php");
exit;
Do you reckon I should change the Reply-To line to this...
$mailheaders .= "Reply-To: [email protected]";
Does the rest of it look ok?
-
Hi,
having reply-to pointing at a real address seems to be useful, so why change it.
You could, however, do something like
Code:
// ereg() was removed in PHP 7; preg_match() performs the same test
if(preg_match('/[\r\n]/', $_POST['email'])) {
    header("Location: bastards.html");
    exit;
}
This traps the case where a newline was smuggled into the data; no single line field from either html or flash form would ever send that.
Another option is to partly verify the address, similar to
Code:
function valid_email($email)
{
    // eregi() was removed in PHP 7; preg_match() with the i modifier is the equivalent
    if(!preg_match('/^[-_.0-9a-z]+@([-_0-9a-z]+\.[-_0-9a-z.]+)$/i', $email, $matches))
        return false;
    $host = $matches[1];
    // accept the domain if it has an MX record or at least resolves to an address
    return(getmxrr($host, $mx) || (gethostbyname($host) != $host));
}
if(!valid_email($_POST['email'])) {
    // tell the visitor they probably mistyped the email
    exit('Please check your email address and try again.');
}
I am using this type of code quite often; it seems that many people have difficulty typing their complete email address and this will catch at least some of the errors
Musicman
-
edit your .htaccess file to deny access from "outsiders" to that folder, add passwords or something to let your visitors/whatever send emails, and add their IP dynamically to your "allowed" list.
Code:
Order Deny,Allow
Deny from all
# or whatever IPs you want (Apache comments go on their own line)
Allow from 127.0.0.1
Last edited by javiersaldana; 05-25-2007 at 05:18 AM.
-
Hi,
having to register before one can submit a contact form seems to be a way to make visitors run away from a website ... and without registration everybody would be prohibited as an "outsider"
Musicman
-
I didn't mean to make visitors register in order to send email, just add a password that changes dynamically or something.
Now that I think of it better, I meant something like one of those images with text and numbers (like in rapidshare) that you must enter into a text box.
I think someone already suggested that, so bleh.
-
Hi,
I hope we don't have to protect contact forms with these things in the future .... I already had to add one to a guestbook
Musicman
-
Hey, thanks, this post is very useful
-
Captcha is great except you may end up losing a few people that otherwise would have contacted you. The less they need to do to get in touch with you, the better.
Make it a policy to use session_start(); on your php contact form and add the session_id(); to a hidden form field named "verifyVisitor" (or something).
On your itemAsk.php script, use session_start(); again, check $_POST['verifyVisitor'] against the session_id(); and only allow the mail script to send if the values match:
PHP Code:
session_start();
if(!empty($_POST['verifyVisitor'])){
    // keep only the characters a session id can contain
    $verifyVisitor=preg_replace("/[^A-Za-z0-9]/","",$_POST['verifyVisitor']);
    if($verifyVisitor===session_id()){
        // (mail script goes here)
    }
}
Odds are that your itemAsk.php script is being spammed automatically by someone (or people) posting to your itemAsk.php from their own computer or server. By adding a required session and session id, their spam will be stopped. Then, for them to send you a message, they would have to physically go to your site and manually submit it. Way too much work for most spammers.
-
Hi,
nice idea but no real solution - it would not take too long to create a new spam sender that loads the form from the real server, extracts the hidden fields, and posts them back.
The only solution I see is making sure that no unchecked input can leak into mail headers; no spammer would want to make effort to just reach you. Unfortunately this approach only works for the common contact form (and possibly a thankyou mail to the submitter) - once you include the original message with the thankyou the form can potentially be abused.
Musicman
-
Great point Musicman. If you need real security, my solution is not the answer. But I think it would suffice for more than 99% of the personal and small-business web forms. In my experience, most spammers are crawling around for easily manipulated e-mail addresses. I don't think most would be willing to go through the trouble of creating a custom script for each site. Still, if you need the added security, go with Musicman's advice.