
Another mail question (security)

mail security



1:48 pm on Jan 18, 2009 (gmt 0)

10+ Year Member


I have a php mail script (FormToEmail.php) which seems to be working great, but I'm getting what I think are probes to test the script's security.

Example of forms sent to me:-
Firstname: jobzbogx
Surname: jobzbogx
Email address: dkyjqc@example.com
Phone number: bZDSAUdwsGqbCrv
Details: wwrc27 <a href="http://example.com/">tusqtxplosxy</a>, [url=http://example.com/]mhsjksyfwmmh[/url], [link=http://example.com/]mjprvddkdlul[/link], http://example.com/

Is there any way to test that the form cannot be used to send spam via either the cc or bcc headers, or any other way.

Thanx for your help.

[edited by: eelixduppy at 4:26 pm (utc) on Jan. 18, 2009]
[edit reason] switched to example.com [/edit]


6:16 pm on Jan 18, 2009 (gmt 0)

5+ Year Member

You can add a CAPTCHA field for human verification, and validate the email address to make sure there's no additional headers sent with it.

This is a regular expression that will make sure you have a valid email:
'/^[_a-z0-9-]+((\.|\+)[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,4})$/i' using preg_match.


10:11 pm on Jan 18, 2009 (gmt 0)

10+ Year Member

Note to eelixduppy: the reason I left the original domain addresses in the OP was to show that they were not real sites, but just random letters followed by .com

Thanx but a CAPTCHA is not something I want.

The message in the form comment box always contains links to garbage domains, e.g. xyjjxyxyjjxy.com. This is what makes me think that someone is probing the script, possibly by trying to add headers so they could use it to spam.

So is there a way I can test it for security?

Baruch Menachem

4:58 pm on Jan 19, 2009 (gmt 0)

5+ Year Member

Since you seem to be using a phone number as a single field, you might try multiplying that number by 1, and then dumping the post if the result is zero. Multiplying by one should convert the result to a number, and if he is including letters, like this, it is a sure sign someone is up to no good.
You might also restrict your fields to a maximum size in the form.

Anyway, never accept any data direct. Always validate it every way you can before it gets past the first step.


6:39 pm on Jan 19, 2009 (gmt 0)

5+ Year Member

I would do a regexp check for the phone number as opposed to multiplying by 1, because people often use -'s or spaces between the numbers. I do think that it is a good idea to check the phone number, though, because that is the one field that you have a strong idea of what it should look like.

^(?:\([2-9]\d{2}\)\ ?|[2-9]\d{2}(?:\-?|\ ?))[2-9]\d{2}[- ]?\d{4}$

should do a relatively reliable check. The following formats will work: 5305551212, (530) 555-1212, 530-555-1212

Source: [regexlib.com...]

Baruch Menachem

2:18 am on Jan 20, 2009 (gmt 0)

5+ Year Member

Anyway, I do think the major lesson learned here is never take anything from a user that you don't run through some sort of check.

I think it was talked of in another topic here, but all your form fields should have a max length value, and that is as small as you can make it. Folks in India and Thailand have long names sometimes, but even there I think that for anything, 25 characters is the absolute outer limit. If you don't specify a length, the default is 255 characters. And you can sneak a lot of damaging java code in 255 characters. The <javascript></javascript> tags take up 27 characters just by themselves. With the kind of people haunting the web these days, paranoia is just the key to good health.


1:15 pm on Jan 20, 2009 (gmt 0)

WebmasterWorld Senior Member 5+ Year Member

Captchas are a bad thing to use unless you want to turn visitors away and html limits for the input elements won't do much since the form is likely posted by a bot. Jscripts will bring the same results as html.

Instead, deploy some css with one or more hidden and visible html elements to verify human presence. During form processing on the server end, which includes regular field validation, you could also check the "details" field, especially if you do not expect links with the form. That's one of the things the spammer hopes for: to somehow propagate a link to the dbase or to send it via email.

As for the other headers (cc, bcc), you should check the input form fields for line breaks like \r \n; they are used by spammers to deploy additional headers. How the form is processed is critical, but once you get rid of the bot factor things are much simpler.
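The checks recommended in this thread (rejecting line breaks for the cc/bcc concern, the email and phone patterns posted above, a CSS-hidden honeypot field, and a link check on the details field), pulled together as an added PHP example rather than the FormToEmail.php script itself; the field names, the honeypot field name `website` and the function names are assumptions.

```php
<?php
// Added example, not the FormToEmail.php script: field names, the hidden
// "website" honeypot field and the function names are assumptions.
// A CR or LF in a value that ends up in a mail header lets the sender
// append headers (Cc:, Bcc:) of their own, so reject it outright.
function hasLineBreak(string $value): bool
{
    return preg_match('/[\r\n]/', $value) === 1;
}

// Email pattern posted earlier in the thread.
function isValidEmail(string $email): bool
{
    $re = '/^[_a-z0-9-]+((\.|\+)[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,4})$/i';
    return preg_match($re, $email) === 1;
}

// US phone pattern posted earlier: 5305551212, (530) 555-1212, 530-555-1212.
function isValidPhone(string $phone): bool
{
    return preg_match('/^(?:\([2-9]\d{2}\) ?|[2-9]\d{2}(?:-?| ?))[2-9]\d{2}[- ]?\d{4}$/', $phone) === 1;
}

// Bot signals: the CSS-hidden honeypot field was filled in, or the free-text
// "details" field carries a link, which this form never expects.
function looksLikeBot(array $post): bool
{
    return ($post['website'] ?? '') !== ''
        || preg_match('#https?://|\[url=|\[link=|<a\s#i', $post['details'] ?? '') === 1;
}

// Returns the list of problems; an empty list means the submission may be mailed.
function validateSubmission(array $post): array
{
    $errors = [];
    foreach (['firstname', 'surname', 'email', 'phone'] as $f) {   // single-line fields
        if (strlen($post[$f] ?? '') > 100) { $errors[] = "$f too long"; }
        if (hasLineBreak($post[$f] ?? '')) { $errors[] = "$f contains a line break"; }
    }
    if (!isValidEmail($post['email'] ?? '')) { $errors[] = 'email invalid'; }
    if (!isValidPhone($post['phone'] ?? '')) { $errors[] = 'phone invalid'; }
    if (looksLikeBot($post))                 { $errors[] = 'submission looks automated'; }
    return $errors;
}
// Constructed sample modelled on the spam form quoted in the first post.
$sample = ['firstname' => 'jobzbogx', 'surname' => 'jobzbogx',
    'email'   => "dkyjqc@example.com\r\nBcc: someone@example.com",
    'phone'   => 'bZDSAUdwsGqbCrv', 'website' => '',
    'details' => 'wwrc27 <a href="http://example.com/">tusqtxplosxy</a>'];
print_r(validateSubmission($sample));
```

For the constructed sample the function reports the line break in the email field, the invalid email and phone values, and the link in the details field, so nothing is handed to mail().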

