You can limit the amount of data by using substr [php.net]

For cleaning the fields you could do something like:

$find = array(
"\r",
"\n",
"%0a",
"%0d",
"content-type:",
"Content-Type:",
"BCC:",
"CC:",
"boundary=",
"TO:",
"bcc:",
"to:",
"cc:"
);

$replace = array();

$name = str_replace($find,$replace,$name);
$email = str_replace($find,$replace,$email);

dc

Yes, I know how to do it - I just want to know if I have to check for the capitalized versions of the strings.

According to your example, it appears that I do.

So I will just specify something like:

$find = array(
"\r",
"\n",
"%0a",
"%0d",
"Content-Type:",
"boundary=",
"to:",
"cc:"
);
and my test will be a variant of

if( $count = substr_count(strtoupper($_POST[ $field ]), strtoupper($badchr ) ){. . . do something . . .}

because this catches cc:, cC:, Cc: and CC:

(I don't bother with bcc: because cc: takes care of it.)

Thanks for responding
cheers
Jean

Good point about not needing bcc:.

A more elegant option, which should be slightly more resource efficient, would be to use PHP 5's str_ireplace. After all 6 is going to be out before too long, it's time to stop avoiding 5 :-)

Something else you might consider doing, in order to stop the spammer from consuming more resources, would be log all IPs which fail your header test and temporarily block them. If not in .htaccess then early in the script before it has outputted anything or executed any major code. Chances are he repeats his proxy list at some point.

Yes, I am trying to catch them early in the script.

I only use PHP 5 didn't learn PHP 4.

I would use str_ireplace but I'm not replacing. I don't particularly like if(stripos($x) !== false) but I suppose it would be nicer here than strtoupper !

While you can look for specific headers within the text to prevent from header injection and then throw up flags when they are found, there is another, simple method. What I like to do is to replace all newline (\n) and carriage return (\r) characters with spaces to eliminate the possibility that multiple headers will be injected. This should be done for ALL mail inputs, too, including the subject. So something as simple as a str_replace:

$bad = array("\r", "\n");
$subject = str_replace($bad, ' ', $subject);
# etc...

It would also be a good idea that someone recieves a copy of the emails sent out from your server just to keep tabs on it for awhile. You wouldn't want anything going on without your knowledge. This will also allow you to see attemps at cracking your emailing script.

My script is pretty thoroughly tested by now - I am just adding things to catch the folks trying to crack it so that I can ban them in my .htaccess file.

I use regex edits that are very effective. No '\r or \n or %0a etc. will get through the edits - ALL input fields (except the message) have these regex edits. I don't allow tags or links in the message either.

But even though I'm pretty confident, I don't want these folks hammering away at it, wasting my resources and perhaps finding a weakness I hadn't thought of.

So now, I'm adding specific detectors and depending on what I detect, I am immediately adding the ip address to a local ban list - and from there I will move the worst offenders to be denied in .htaccess.

For one of my sites, I have considered banning certain country blocks but according to spamhaus, a LOT of spam originates in the US, much of it likely from compromised machines, so the country blocking just reduces the volume but doesn't fix the problem.

Really appreciate the help and replies here.