LinuxQuestions.org > Forums > Linux Forums > Linux - Server
Linux - Server: This forum is for the discussion of Linux Software used in a server related context.
#1  pittendrigh (LQ Newbie), 06-07-2015, 08:06 AM
securing a php mail form


I have a "Contact us" email form that seems to prevent successful spam attempts. Sort of. My code has an exitOnSuspicious() function that looks for newlines in the subject and mailTo and other such things. My form hard-codes the mailTo header to me and demands a return address as a form element that gets prepended to the email message body, so clicking replyTo doesn't work, which is slightly inconvenient to me but safer. If I want to reply I have to cut and paste the replyTo email address from the email message body.


function exitOnSuspicious() {
    // Session flag set when the form page was served; a POST without it
    // did not come through the form.
    if (!isset($_SESSION['spam']) || $_SESSION['spam'] != 'didUseForm')
        exit;
    // Double quotes are required here: '\n' in single quotes is a literal
    // backslash followed by n, not a newline, so the test would never match.
    if (strstr($_POST['toName'], "\n") || strstr($_POST['toName'], "\r"))
        exit;
    // exit if the message contains attempts at BB codes
    if (strstr($_POST['message'], 'url=') || strstr($_POST['message'], 'link='))
        exit;
    // do not allow more than one link in the message
    // (the pattern needs delimiters; a bare '@' is not a valid regex and
    // makes preg_match_all return false, so the count was never reached)
    if (preg_match_all('/@/', $_POST['message']) > 1)
        exit;
}

Still I occasionally get email like the following where parts of the message are well formed and parts are gibberish. What is going on here? My code looks for BBCode url= and link= and exits if they are there. And yet I get mail like this 2-3 times a month.

xuTRAtsDsWzgOh
UZsBo4 <a href="http://ofjrkxuowydl.com/">ofjrkxuowydl</a>,
bhhiobusvsvu,
[link=http://vjxrqscnhodv.com/]vjxrqscnhodv[/link],
http://jpkncxgiounz.com/

Last edited by pittendrigh; 06-07-2015 at 09:13 AM.
 
#2  pittendrigh (original poster), 06-07-2015, 08:33 AM
Now that I think about it, if my form gets posted and if the posted form elements pass my exitOnSuspicious() function, my code prepends certain hard-coded things to the beginning of the message (the mailTo address from the form).

That hard-coded stuff never appears in the partially gibberish email I sometimes get (as posted above). Which makes me think the spammers are somehow invoking my server's php mail function WITHOUT using my form. How would that be possible?
 
#3  joec@home (Member, Galveston Tx), 06-07-2015, 05:52 PM
If this is going to be on a live production server I might instead suggest FormMail from Matt's Script Archive. The thinking behind this is that it has been tested for security flaws and has become a de facto industry standard.

Matt's Script Archive: FormMail
http://www.scriptarchive.com/formmail.html
 
#4  pittendrigh (original poster), 06-08-2015, 09:56 AM
I used Matt's Script Archive stuff back in the late '90s when it was a CGI script. Email forms are not rocket science.

This is a live production server. They are attempting to use my form for spam but failing. The form is hard-coded to put null into CC and BCC and to send the mail to me and only me. No matter what. So there is little to worry about.

I'm just trying to figure out how they get past my exitOnSuspicious() function. Or, even more interesting, how they invoke PHP Mail at all. The hackers typically put a few newlines in strategic places (like the from address in a form) in order to push a long list of addresses down into what they hope will become the CC and/or BCC part of a subsequently generated email header. Because I hard code all of that I have little to fear. They have been attempting to hack me for years and have not yet succeeded.

As mentioned above my code puts the from or replyTo address into the body of the message. I hard code the mailTo and replyTo and CC and BCC fields in the header.

The interesting part is that I do get 3-4 emails a month that DO NOT have my hard-coded "replyTo: " . $_POST['fromAddress'] . "\n" string in the message, which suggests to me they are somehow invoking PHP mail outside the context of my form. How do they do that?

The mail they do send goes to me only, which is not what they want. It does not go to a loooooooooong list of spamees. But still. How do they get as far as they do?


Further, why is what they do send partially gibberish and partially well-formed??????

The following example is typical of what I do get, 2 - 3 times a month. But sometimes in spurts, where they try a dozen times and then give up. When I do get mail like this it is addressed to me and only me, with no CC or BCC fields, which happens that way because they failed to do what they wanted.

xuTRAtsDsWzgOh
UZsBo4 <a href="http://ofjrkxuowydl.com/">ofjrkxuowydl</a>,
bhhiobusvsvu,
[link=http://vjxrqscnhodv.com/]vjxrqscnhodv[/link],
http://jpkncxgiounz.com/

Last edited by pittendrigh; 06-08-2015 at 10:03 AM.
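The newline trick described in post #4, shown as an added example that is not the poster's code: a header block built by pasting the submitted from-address straight into From: and Reply-To:, fed a constructed input that carries a CRLF and a Bcc: line, beside a builder in which no header text comes from the form at all (the submitted address goes into the body, as the poster does). The addresses, the constant names and the naiveHeaders()/safeHeaders()/safeBody() helpers are assumptions for illustration.

```php
<?php
// Added example (not the poster's code): how a newline in a form field
// becomes an extra mail header, and a builder that keeps form data out
// of the header block entirely.

// The naive pattern: copy the submitted address into header lines.
function naiveHeaders(string $fromField): string
{
    return "From: " . $fromField . "\r\n" .
           "Reply-To: " . $fromField . "\r\n";
}

// Constructed attacker input: a valid-looking address, then CRLF and a
// Bcc: line. The Bcc list is the real target; the site owner is incidental.
$injected = "bob@example.com\r\nBcc: victim1@example.net, victim2@example.net";

// Each CRLF in the field ends one header line and starts another, so the
// MTA sees a Bcc: header the script never wrote.
echo naiveHeaders($injected);

// Hardened pattern: every header is a constant. The only form data that
// reaches the message is pasted into the body.
const MAIL_TO   = 'owner@example.org';        // assumption: the site owner's address
const MAIL_FROM = 'contact-form@example.org'; // assumption: an address on the sending host

function safeHeaders(): string
{
    // Nothing here comes from $_POST, so there is nothing to inject into.
    return "From: " . MAIL_FROM . "\r\n" .
           "Reply-To: " . MAIL_FROM . "\r\n" .
           "X-Mailer: contact-form\r\n";
}

// Returns the body to send, or '' when the submitted address is refused.
function safeBody(string $fromField, string $message): string
{
    // FILTER_VALIDATE_EMAIL accepts one syntactically valid address and
    // nothing else: whitespace, CR and LF all make it return false.
    $addr = filter_var($fromField, FILTER_VALIDATE_EMAIL);
    if ($addr === false) {
        return '';
    }
    // A body may contain LF, CR and TAB, but no other control bytes and
    // nothing outside printable ASCII.
    $clean = preg_replace('/[^\x20-\x7E\r\n\t]/', '', $message);
    return "replyTo: " . $addr . "\n\n" . $clean;
}

// Usage in the form handler (mail() call shown, not executed here):
//   $body = safeBody($_POST['fromAddress'], $_POST['message']);
//   if ($body !== '') {
//       mail(MAIL_TO, 'Contact form', $body, safeHeaders());
//   }
var_dump(safeBody($injected, 'hello') === '');          // injected address refused
echo safeBody('bob@example.com', 'hello');               // accepted, address in body only
```

With the constructed input, naiveHeaders() returns four header lines, two of them Bcc:, which is exactly the recipient list the spammer wants the MTA to honour. safeHeaders() takes no input, and safeBody() refuses the same string, so the handler never reaches mail() for it. Keeping recipients and Reply-To out of user-controlled data is the fix; a separate newline check is a second layer, not the primary defence.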
 
#5  joec@home (Member, Galveston Tx), 06-08-2015, 02:41 PM
It has been a long time since I tried to write a secure POST function, but I found an article that talks a little about it. Basically, even hard-coded values can be superseded and need to be sanitized in one form or another. In your instance, since you are only trying to mail to yourself, I would entirely avoid passing the mail-to variable in the POST function and only have it as an internal function.

Part 1: PHP Security: User Validation and Sanitization for Beginners
http://www.dreamhost.com/blog/2013/0...-the-beginner/

There are two possible explanations for the gibberish. They think you are using a known script and are trying to exploit it, but your script is slightly different. Or they are trying to use a corrupted multipart function of SMTP, a spammer ploy to cause the e-mail client not to delete the spam and to download it over and over.
 
#6  pittendrigh (original poster), 06-08-2015, 03:46 PM
Thanks. I do most of what was in that article but not all of it. I will.

I'm going to add some debugging too. Write to a log file before I exitOnSuspicious();

I currently check for newlines and carriage returns in the input.

I should also use preg_replace to check for any non-ascii characters at all (and exit if they are there) and limit strlen for all inputs too.

He who invents the melt-the-hackers-fingers-and-gonads app should win a Nobel prize.
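The checks the poster lists in post #6 (length limits on every input, a printable-ASCII rule that also catches CR and LF, the BB-code and link tests, and a log line written before exiting), collected into one validator as an added example; none of it is the poster's code. The field names follow the thread (toName, fromAddress, message; subject is an assumption), the limits, log path and helper names are assumptions, and PHP 7.4 or later is assumed for the arrow function.

```php
<?php
// Added example (not the poster's code): one validator that returns the
// reasons a submission is refused, and a logger that records the refused
// POST before the script exits.

const LOG_FILE = '/var/log/contact-form.log';   // assumption: writable by the web server user
const MAX_LEN  = [                              // assumption: limits chosen for a contact form
    'toName'      => 80,
    'fromAddress' => 254,
    'subject'     => 120,
    'message'     => 4000,
];

// Returns a list of reasons; an empty list means the submission is clean.
function suspiciousReasons(array $post, array $session): array
{
    $reasons = [];

    // Flag set when the form page was rendered; a POST without it did
    // not come through the form.
    if (($session['spam'] ?? '') !== 'didUseForm') {
        $reasons[] = 'no form session';
    }

    foreach (MAX_LEN as $field => $limit) {
        $value = $post[$field] ?? '';
        if (!is_string($value)) {                  // field[]=... sends an array, not a string
            $reasons[] = "$field is not a string";
            continue;
        }
        if (strlen($value) > $limit) {
            $reasons[] = "$field longer than $limit bytes";
        }
        // Anything that could end up near a header: printable ASCII only,
        // which rejects CR, LF, NUL and every non-ASCII byte in one test.
        if ($field !== 'message' && preg_match('/[^\x20-\x7E]/', $value)) {
            $reasons[] = "$field contains control or non-ASCII bytes";
        }
    }

    $message = is_string($post['message'] ?? null) ? $post['message'] : '';
    // The body may contain LF, CR and TAB but no other control bytes.
    if (preg_match('/[^\x20-\x7E\r\n\t]/', $message)) {
        $reasons[] = 'message contains control or non-ASCII bytes';
    }
    // BB-code link markup in either spelling, case-insensitively.
    if (preg_match('/\[(url|link)\s*=/i', $message)) {
        $reasons[] = 'message contains BB-code link';
    }
    if (stripos($message, '<a ') !== false) {
        $reasons[] = 'message contains HTML anchor';
    }
    // At most one URL in the body.
    if (preg_match_all('~https?://~i', $message) > 1) {
        $reasons[] = 'message contains more than one URL';
    }
    return $reasons;
}

// Append one JSON record per refused submission, then stop. Control and
// non-ASCII bytes in the fields are escaped so the log stays one record
// per line and json_encode never sees invalid UTF-8.
function logAndExit(array $reasons, array $post): void
{
    $record = [
        'time'    => gmdate('c'),
        'ip'      => $_SERVER['REMOTE_ADDR'] ?? '-',
        'reasons' => $reasons,
        'post'    => array_map(
            fn($v) => is_string($v) ? addcslashes($v, "\0..\37\177..\377") : '?',
            $post
        ),
    ];
    file_put_contents(LOG_FILE, json_encode($record) . "\n", FILE_APPEND | LOCK_EX);
    exit;
}

// Usage at the top of the form handler:
//   session_start();
//   $reasons = suspiciousReasons($_POST, $_SESSION);
//   if ($reasons) {
//       logAndExit($reasons, $_POST);
//   }
```

Returning a list instead of calling exit inside the validator is what makes the log useful: every reason is recorded, not only the first one hit, so after a few weeks the log shows which check each spam run trips and whether any submission arrives with the session flag at all.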
 
  

