homepage Welcome to WebmasterWorld Guest from
register, free tools, login, search, pro membership, help, library, announcements, recent posts, open posts,
Become a Pro Member

Home / Forums Index / Code, Content, and Presentation / PHP Server Side Scripting
Forum Library, Charter, Moderators: coopster & jatar k

PHP Server Side Scripting Forum

Another mail question (security)
mail security

10+ Year Member

Msg#: 3828877 posted 1:48 pm on Jan 18, 2009 (gmt 0)


I have a php mail script (FormToEmail.php) which seems to be working great, but I'm getting what I think are probes to test the scripts security.

Example of forms sent to me:-
Firstname: jobzbogx
Surname: jobzbogx
Email address: dkyjqc@example.com
Phone number: bZDSAUdwsGqbCrv
Details: wwrc27 <a href="http://example.com/">tusqtxplosxy</a>, [url=http://example.com/]mhsjksyfwmmh[/url], [link=http://example.com/]mjprvddkdlul[/link], http://example.com/

Is there any way to test that the form cannot be used to send spam via either the cc or bcc headers, or any other way.

Thanx for your help.

[edited by: eelixduppy at 4:26 pm (utc) on Jan. 18, 2009]
[edit reason] switched to example.com [/edit]



5+ Year Member

Msg#: 3828877 posted 6:16 pm on Jan 18, 2009 (gmt 0)

You can add a CAPTCHA field for human verification, and validate the email address to make sure there's no additional headers sent with it.

This is a regular expression that will make sure you have a valid email:
'/^[_a-z0-9-]+((\.¦\+)[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,4})$/i' using preg_match.


10+ Year Member

Msg#: 3828877 posted 10:11 pm on Jan 18, 2009 (gmt 0)

Note to eelixduppy the reason I left the original domain addresses in the OP was to show that they were not real sites, but just random letters followed by .com

Thanx but a CAPTCHA is not something I want.

The message in the form comment box always contains links to garbage domains E.G. xyjjxyxyjjxy .com this is what make me think that someone is probing the script possibly by trying to add headers so they could use it to spam.

So is their a way I can test it for security

Baruch Menachem

5+ Year Member

Msg#: 3828877 posted 4:58 pm on Jan 19, 2009 (gmt 0)

Since you seem to be using a phone number as a single field, you might try multiplying that number by 1, and then dumping the post if the result is zero. Multiplying by one should convert the result to a number, and if he is including letters, like this, it is a sure sign someone is up to no good.
You might also restrict your fields to a maximum size in the form.

Anyway, never accept any data direct. Always validate it every way you can before it gets past the first step.


5+ Year Member

Msg#: 3828877 posted 6:39 pm on Jan 19, 2009 (gmt 0)

I would do a regexp check for the phone number as opposed to multiplying by 1, because people often use -'s or spaces between the numbers. I do think that it is a good idea to check the phone number, though, because that is the one field that you have a strong idea of what it should look like.

^(?:\([2-9]\d{2}\)\ ?¦[2-9]\d{2}(?:\-?¦\ ?))[2-9]\d{2}[- ]?\d{4}$

should do a relatively reliable check. The following formats will work: 5305551212, (530) 555-1212, 530-555-1212

Source: [regexlib.com...]

Baruch Menachem

5+ Year Member

Msg#: 3828877 posted 2:18 am on Jan 20, 2009 (gmt 0)

Anyway, I do think the the major lesson learned here is never take anything from a user that you don't run through some sort of check.

I think it was talked of in another topic here, but all your form fields should have a max length value, and that is as small as you can make it. Folks in India and Thailand have long names sometime, but even there I think anything 25 characters is the absolute outer limit. If you don't specify a length, the default is 255 characters. And you can sneak a lot of damaging java code in 255 characters. the <javascript></javascript> tags take up 27 characters just by themselves. The kind of people haunting the web these days, paranoia is just the key to good health.


WebmasterWorld Senior Member 5+ Year Member

Msg#: 3828877 posted 1:15 pm on Jan 20, 2009 (gmt 0)

Captchas are a bad thing to use unless you want to turn visitors away and html limits for the input elements won't do much since the form is likely posted by a bot. Jscripts will bring the same results as html.

Instead, deploy some css with one or more hidden and visible html elements to verify human presence. During form processing on the server end, that includes regular fields validation, you could also check the "details" field, especially if you do not expect links with the form. That's one of the things the spammer hopes for. To somehow propagate a link to the dbase or to send it via email.

As of the other headers (cc, bcc) you should check the input form fields for line breaks like \r \n, they are used by spammers to deploy additional headers. How the form is processed is critical, but once you get rid of the bot factor things are much simpler.

Global Options:
 top home search open messages active posts  

Home / Forums Index / Code, Content, and Presentation / PHP Server Side Scripting
rss feed

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
Home ¦ Free Tools ¦ Terms of Service ¦ Privacy Policy ¦ Report Problem ¦ About ¦ Library ¦ Newsletter
WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved