LinuxQuestions.org
Linux - Server: securing a php mail form (https://www.linuxquestions.org/questions/linux-server-73/securing-a-php-mail-form-4175544720/)

pittendrigh 06-07-2015 08:06 AM

securing a php mail form
 
I have a "Contact us" email form that seems to prevent successful spam attempts. Sort of. My code has an exitOnSuspicious() function that looks for newlines in the subject and mailTo and other such things. My form hard-codes the mailTo header to me and demands a return address as a form element that gets pre-pended to the email message body, so clicking replyTo doesn't work, which is slightly inconvenient to me but safer. If I want to reply I have to cut and paste the replyTo email address from the email message body.


function exitOnSuspicious() {
    // the form page sets this session marker; a direct POST to the handler will not have it
    if (!isset($_SESSION['spam']) || $_SESSION['spam'] != 'didUseForm')
        exit;
    // a newline or carriage return in a field that ends up in a header is a header-injection attempt
    // (PHP only interprets "\n" and "\r" inside double quotes; '\n' in single quotes is a literal backslash-n)
    if (strstr($_POST['toName'], "\n") || strstr($_POST['toName'], "\r"))
        exit;
    // exit if the message contains attempts at BB codes
    if (strstr($_POST['message'], 'url=') || strstr($_POST['message'], 'link='))
        exit;
    // do not allow more than one link in the message (count http:// and https:// occurrences;
    // a bare '@' is not a valid pattern, preg_match_all needs delimiters around the regex)
    if (preg_match_all('#https?://#i', $_POST['message']) > 1)
        exit;
}

Still, I occasionally get email like the following, where parts of the message are well formed and parts are gibberish. What is going on here? My code looks for BBCode url= and link= and exits if they are there. And yet I get mail like this 2-3 times a month.

xuTRAtsDsWzgOh
UZsBo4 <a href="http://ofjrkxuowydl.com/">ofjrkxuowydl</a>,
bhhiobusvsvu,
[link=http://vjxrqscnhodv.com/]vjxrqscnhodv[/link],
http://jpkncxgiounz.com/

pittendrigh 06-07-2015 08:33 AM

Now that I think about it, if my form gets posted and the posted form elements pass my exitOnSuspicious() function, my code prepends certain hard-coded things to the beginning of the message (the mailTo address from the form).

That hard-coded stuff never appears in the partially gibberish email I sometimes get (as posted above). Which makes me think the spammers are somehow invoking my server's php mail function WITHOUT using my form. How would that be possible?

joec@home 06-07-2015 05:52 PM

If this is going to be on a live production server I might instead suggest FormMail from Matt's Scripts. The thinking behind this is that it has been tested for security flaws and has become a de facto industry standard.

Matt's Script Archive: FormMail
http://www.scriptarchive.com/formmail.html

pittendrigh 06-08-2015 09:56 AM

I used Matt's Script Archive stuff back in the late '90s when it was a CGI script. Email forms are not rocket science.

This is a live production server. They are attempting to use my form for spam but failing. The form is hard-coded to put null into CC and BCC and to send the mail to me and only me. No matter what. So there is little to worry about.

I'm just trying to figure out how they get past my exitOnSuspicious() function. Or, even more interesting, how they invoke PHP mail at all. The hackers typically put a few newlines in strategic places (like the from address in a form) in order to push a long list of addresses down into what they hope will become the CC and/or BCC part of a subsequently generated email header. Because I hard-code all of that I have little to fear. They have been attempting to hack me for years and have not yet succeeded.

As mentioned above my code puts the from or replyTo address into the body of the message. I hard code the mailTo and replyTo and CC and BCC fields in the header.

The interesting part is that I do get 3-4 emails a month that DO NOT have my hard-coded "replyTo: " . $_POST['fromAddress'] . "\n" string in the message, which suggests to me they are somehow invoking PHP mail outside the context of my form. How do they do that?

The mail they do send goes to me only, which is not what they want. It does not go to a loooooooooong list of spamees. But still. How do they get as far as they do?


Further, why is what they do send partially gibberish and partially well-formed?

The following example is typical of what I do get, 2 - 3 times a month. But sometimes in spurts, where they try a dozen times and then give up. When I do get mail like this it is addressed to me and only me, with no CC or BCC fields, which happens that way because they failed to do what they wanted.

xuTRAtsDsWzgOh
UZsBo4 <a href="http://ofjrkxuowydl.com/">ofjrkxuowydl</a>,
bhhiobusvsvu,
[link=http://vjxrqscnhodv.com/]vjxrqscnhodv[/link],
http://jpkncxgiounz.com/

joec@home 06-08-2015 02:41 PM

It has been a long time since I tried to write a secure POST function but I found an article that talks a little about it. Basically even hard coded can be superseded and needs to be sanitized in one form or another. In your instance, since you are only trying to mail to yourself, I would entirely avoid passing the mail to variable in the POST function and only have it as an internal function.

Part 1: PHP Security: User Validation and Sanitization for Beginners
http://www.dreamhost.com/blog/2013/0...-the-beginner/

There are two possibilities for the gibberish. They think you are using a known script and are trying to exploit it, but your script is slightly different. Or they are trying to use a corrupted multipart function of SMTP, a spammer ploy to cause the e-mail client not to delete the spam and to download it over and over.

pittendrigh 06-08-2015 03:46 PM

Thanks. I do most of what was in that article but not all of it. I will.

I'm going to add some debugging too: write to a log file before I exitOnSuspicious();

I currently check for newlines and carriage returns in the input.

I should also use preg_replace to check for any non-ascii characters at all (and exit if they are there) and limit strlen for all inputs too.

He who invents the melt-the-hackers-fingers-and-gonads app should win a Nobel prize.
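An added example, not code from this thread or from any of its posters, that pulls together the checks discussed above: the session marker and newline/BBCode/link tests from the exitOnSuspicious() function in the first post, the header-injection pattern (newlines in a form field pushing addresses into CC/BCC) described in the 09:56 post, and the hardening plan from the last post (log rejected submissions, reject non-ASCII input, limit input lengths). The recipient constant, the log path and the form field names fromName, fromAddress, subject and message are assumptions for illustration.

```php
<?php
// Added example, not pittendrigh's code: a contact-form handler that applies the
// checks discussed in this thread. CONTACT_TO, LOG_FILE and the field names
// (fromName, fromAddress, subject, message) are assumptions for illustration.
declare(strict_types=1);

const CONTACT_TO = 'you@example.com';                   // only recipient, never taken from the form
const LOG_FILE   = '/var/log/contactform/rejected.log'; // assumed path, writable by the web server
const MAX_SHORT  = 200;   // length limit for single-line fields
const MAX_BODY   = 4000;  // length limit for the message body

// Returns null if the field is acceptable, otherwise a short reason.
// Single-line fields may contain no CR/LF at all: a newline in a value that is
// later placed in a header is exactly how extra To/Cc/Bcc lines get injected.
function validateField(string $value, int $maxLen, bool $multiline = false): ?string
{
    if (strlen($value) > $maxLen) {
        return 'too long';
    }
    if (!$multiline && preg_match('/[\r\n]/', $value)) {
        return 'newline in single-line field';
    }
    // Everything outside printable ASCII (plus tab/CR/LF in the body) is rejected,
    // which also covers NUL bytes and the non-ASCII gibberish seen in the thread.
    $forbidden = $multiline ? '/[^\x20-\x7E\t\r\n]/' : '/[^\x20-\x7E]/';
    if (preg_match($forbidden, $value)) {
        return 'non-ASCII or control character';
    }
    return null;
}

// Validates a whole submission; returns the list of reasons to reject it (empty = accept).
function checkSubmission(array $post, array $session): array
{
    $reasons = [];
    // The form page sets this marker; a bot POSTing straight to the handler lacks it.
    if (($session['spam'] ?? '') !== 'didUseForm') {
        $reasons[] = 'session: form page was not loaded';
    }
    $fields = [
        'fromName'    => [MAX_SHORT, false],
        'fromAddress' => [MAX_SHORT, false],
        'subject'     => [MAX_SHORT, false],
        'message'     => [MAX_BODY,  true],
    ];
    foreach ($fields as $name => [$max, $multi]) {
        $value = (string)($post[$name] ?? '');
        if ($value === '') {
            $reasons[] = "$name: missing";
        } elseif (($why = validateField($value, $max, $multi)) !== null) {
            $reasons[] = "$name: $why";
        }
    }
    $addr = (string)($post['fromAddress'] ?? '');
    if ($addr !== '' && filter_var($addr, FILTER_VALIDATE_EMAIL) === false) {
        $reasons[] = 'fromAddress: not a valid e-mail address';
    }
    $msg = (string)($post['message'] ?? '');
    // BBCode markup and more than one URL are treated as spam, as in the original checks.
    if (preg_match('/\[(url|link)=/i', $msg)) {
        $reasons[] = 'message: BBCode markup';
    }
    if (preg_match_all('#https?://#i', $msg) > 1) {
        $reasons[] = 'message: more than one link';
    }
    return $reasons;
}

// Appends one line per rejected attempt. CR/LF are stripped from what is written
// so the log itself cannot be forged by a submission.
function logRejected(array $reasons, string $remoteAddr): void
{
    $text = date('c') . ' ' . $remoteAddr . ' ' . implode('; ', $reasons);
    $text = str_replace(["\r", "\n"], ' ', $text);
    file_put_contents(LOG_FILE, $text . "\n", FILE_APPEND | LOCK_EX);
}

// --- request handling ---
session_start();
$reasons = checkSubmission($_POST, $_SESSION);
if ($reasons !== []) {
    logRejected($reasons, $_SERVER['REMOTE_ADDR'] ?? '-');
    http_response_code(400);
    exit;
}

// Headers are built from constants only; the visitor's address goes into the body,
// as in the thread, so nothing from the form can reach the header block.
$headers = "From: " . CONTACT_TO . "\r\n"
         . "Content-Type: text/plain; charset=us-ascii\r\n";
$body    = "replyTo: " . $_POST['fromAddress'] . "\n"
         . "name: "    . $_POST['fromName']    . "\n\n"
         . $_POST['message'];
mail(CONTACT_TO, '[contact] ' . $_POST['subject'], $body, $headers);
```

Each rejected submission leaves one log line naming every check that fired, which is the debugging step the last post proposes: after a few of the monthly attempts, the log shows whether they arrived without the session marker (a POST straight to the handler), with newlines in a header field, or with the BBCode and link patterns in the body. Validation is done on the raw input and rejected outright rather than "cleaned up", so a submission either matches the expected shape or never reaches mail().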

