<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
<title></title>
</head>
<body bgcolor="#ffffff" text="#000000">
I wrote my own class that seems to work fairly well. It may not catch
100% of the email injections, but it does catch a lot. When it does, I get
an email with the Remote Addr. First, with
checkHackerResponse($exclude, $responses), you set which fields to
ignore (submit, email, etc.). It then takes all other fields and checks each
field for an email format (one of the tactics is to put some bogus
email address in each field). If the form exhibits this, the process
is stopped. If it passes, it goes on to the SendMail() function,
which checks the Message, FromMail, FromName, ToMail, and Subject for a
Bcc or Cc. If one is detected, they see this nice little message on the
screen, and I get an email with their IP.<br>
<br>
When we see a form that seems to be getting spammed, I change it over
to use this class file. Usually within a week they get the hint and
move on.<br>
<br>
<pre>
<?php
class Email {
    // Set by the calling form handler before SendMail() is called.
    public $Message, $FromMail, $FromName, $ToMail, $Subject;

    function SendMail() {
        $Message = stripslashes($this->Message);
        $headers  = "From: " . $this->FromMail . "\n";
        $headers .= "X-Priority: 0\n";
        $headers .= "X-MSMail-Priority: Normal\n";
        $headers .= "X-Mailer: " . $_SERVER['SERVER_NAME'] . " Mailer\n";
        $headers .= "Origin: " . $_SERVER['REMOTE_ADDR'] . "\n";
        // Refuse to send if any field contains "cc:" (matches Cc: and Bcc:, case-insensitively).
        $response = array($this->FromMail, $this->ToMail, $this->Subject, $Message);
        foreach ($response as $key => $value) {
            if (stristr($value, "cc:")) {
                $bad_ip = $_SERVER['REMOTE_ADDR'];
                // The Host header is client-supplied, so escape it before echoing it back.
                $host = htmlspecialchars($_SERVER['HTTP_HOST']);
                $error_msg = <<<EOD
<h2><font color="red">Intrusion detection!</font></h2>
<p>Possible intrusion script detected. The following IP address was detected sending invalid responses to this email script
on {$host}. <strong>{$bad_ip}</strong> has been recorded for tracking.</p>
EOD;
                print $error_msg;
                // Message type 1 sends the log entry by email to the given address.
                error_log("Intrusion detected on {$_SERVER['SERVER_NAME']} IP Address:" . $bad_ip, 1, "MY_EMAIL@DOMAIN.COM");
                exit();
            }
        }
        mail($this->ToMail, $this->Subject, $Message, $headers) or die("Message could not be sent");
    }

    /**
     * This function checks the mailform responses. If the fields all have been
     * filled with an email like response, it will return true.
     *
     * @param array $exclude   field names to ignore (submit, email, etc.)
     * @param array $responses submitted form fields, name => value
     * @return bool
     */
    function checkHackerResponse($exclude, $responses) {
        $intExc = count($exclude);
        $intResp = count($responses);
        $i = 0;
        foreach ($responses as $key => $value) {
            if (!in_array($key, $exclude)) {
                if ($this->checkForEmail($value) == true) {
                    $i++;
                }
            }
        }
        // True when every non-excluded field looks like an email address.
        return $i >= ($intResp - $intExc);
    }

    /**
     * Checks for an email address format, and that the domain has an MX record
     *
     * @param string $address
     * @return bool
     */
    function checkForEmail($address) {
        // eregi() was removed in PHP 7; preg_match() with the /i flag is the equivalent.
        $exp = '/^[a-z\'0-9]+([._-][a-z\'0-9]+)*@([a-z0-9]+([._-][a-z0-9]+))+$/i';
        if (preg_match($exp, $address)) {
            // array_pop() takes its argument by reference, so it needs a variable.
            $parts = explode("@", $address);
            $domain = array_pop($parts);
            return checkdnsrr($domain, "MX");
        }
        return false;
    }
}
?>
</pre>
<br>
<br>
<br>
<br>
<a class="moz-txt-link-abbreviated" href="mailto:ciapug-request@cialug.org">ciapug-request@cialug.org</a> wrote:
<blockquote cite="mid20070418170003.5933D8579@www.cialug.org"
type="cite">
<pre wrap="">Today's Topics:
1. securing Mail() (Wade Arnold)
2. RE: securing Mail() (Carl Olsen)
3. Re: securing Mail() (Barry Von Ahsen)
4. RE: securing Mail() (Wade Arnold)
----------------------------------------------------------------------
Message: 1
Date: Tue, 17 Apr 2007 17:14:03 -0500
From: "Wade Arnold" <a class="moz-txt-link-rfc2396E" href="mailto:Wade.Arnold@t8design.com"><Wade.Arnold@t8design.com></a>
Subject: [ciapug] securing Mail()
To: <a class="moz-txt-link-rfc2396E" href="mailto:ciapug@cialug.org"><ciapug@cialug.org></a>
Message-ID:
        <a class="moz-txt-link-rfc2396E" href="mailto:9A53DDE1FE082F4D952FDF20AC87E21F0405D1@exchange2.t8design.com"><9A53DDE1FE082F4D952FDF20AC87E21F0405D1@exchange2.t8design.com></a>
Content-Type: text/plain; charset="us-ascii"
I am trying to figure out a best practice solution for securing form
scripts that send out emails with the mail() command. To date I have
been just posting information from a form into a script that sends the
email. I have had a couple hosting vendors asking me what I am doing to
secure my email forms. Frankly I did not know that I needed to secure
them. Can anyone point me towards some documentation? As you can imagine
"secure email php" finds a lot of results on a search engine.
Wade
------------------------------
Message: 2
Date: Tue, 17 Apr 2007 17:38:32 -0500
From: "Carl Olsen" <a class="moz-txt-link-rfc2396E" href="mailto:carl-olsen@mchsi.com"><carl-olsen@mchsi.com></a>
Subject: RE: [ciapug] securing Mail()
To: <a class="moz-txt-link-rfc2396E" href="mailto:ciapug@cialug.org"><ciapug@cialug.org></a>
Message-ID: <000e01c78141$212aaa10$1c00a8c0@workstation8>
Content-Type: text/plain; charset="us-ascii"
I'm only guessing, but I think they are talking about something similar to
an SQL injection attack. It all depends on how you feed the input fields
into the mail function. I use something called Swift for email (it's a free
PHP function library that uses SMTP). It has a function for each part of
the email so that the email is not just being built from a bunch of strings
concatenated together in the header part of the PHP mail function. I know
some other folks on this list will answer your question in more detail.
Some PHP mail scripts are written in such a way that spammers can hijack
them. I've heard of the same thing with PERL scripts. I would highly
recommend the Swift mailer if you have a chance to look at it.
Carl
------------------------------
Message: 3
Date: Tue, 17 Apr 2007 19:05:33 -0500
From: Barry Von Ahsen <a class="moz-txt-link-rfc2396E" href="mailto:barry@vonahsen.com"><barry@vonahsen.com></a>
Subject: Re: [ciapug] securing Mail()
To: <a class="moz-txt-link-abbreviated" href="mailto:ciapug@cialug.org">ciapug@cialug.org</a>
Message-ID: <a class="moz-txt-link-rfc2396E" href="mailto:462560CD.5000706@vonahsen.com"><462560CD.5000706@vonahsen.com></a>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Wade Arnold wrote:
</pre>
<blockquote type="cite">
<pre wrap="">I am trying to figure out a best practice solution for securing form
scripts that send out emails with the mail() command. To date I have
been just posting information from a form into a script that sends the
email. I have had a couple hosting vendors asking me what I am doing to
secure my email forms. Frankly I did not know that I needed to secure
them. Can anyone point me towards some documentation? As you can imagine
"secure email php" finds a lot of results on a search engine.
</pre>
</blockquote>
<pre wrap=""><!---->
it's called email injection
<a class="moz-txt-link-freetext" href="http://www.securephpwiki.com/index.php/Email_Injection">http://www.securephpwiki.com/index.php/Email_Injection</a>
-barry
------------------------------
Message: 4
Date: Tue, 17 Apr 2007 19:10:01 -0500
From: "Wade Arnold" <a class="moz-txt-link-rfc2396E" href="mailto:Wade.Arnold@t8design.com"><Wade.Arnold@t8design.com></a>
Subject: RE: [ciapug] securing Mail()
To: <a class="moz-txt-link-rfc2396E" href="mailto:barry@vonahsen.com"><barry@vonahsen.com></a>, <a class="moz-txt-link-rfc2396E" href="mailto:ciapug@cialug.org"><ciapug@cialug.org></a>
Message-ID:
        <a class="moz-txt-link-rfc2396E" href="mailto:9A53DDE1FE082F4D952FDF20AC87E21F0405DF@exchange2.t8design.com"><9A53DDE1FE082F4D952FDF20AC87E21F0405DF@exchange2.t8design.com></a>
Content-Type: text/plain;        charset="us-ascii"
Barry
I have never seen this site. Thanks so much for the link!
Wade
-----Original Message-----
From: <a class="moz-txt-link-abbreviated" href="mailto:ciapug-bounces@cialug.org">ciapug-bounces@cialug.org</a> [<a class="moz-txt-link-freetext" href="mailto:ciapug-bounces@cialug.org">mailto:ciapug-bounces@cialug.org</a>] On
Behalf Of Barry Von Ahsen
Sent: Tuesday, April 17, 2007 7:06 PM
To: <a class="moz-txt-link-abbreviated" href="mailto:ciapug@cialug.org">ciapug@cialug.org</a>
Subject: Re: [ciapug] securing Mail()
Wade Arnold wrote:
</pre>
<blockquote type="cite">
<pre wrap="">I am trying to figure out a best practice solution for securing form
scripts that send out emails with the mail() command. To date I have
been just posting information from a form into a script that sends the
email. I have had a couple hosting vendors asking me what I am doing
</pre>
</blockquote>
<pre wrap=""><!---->to
</pre>
<blockquote type="cite">
<pre wrap="">secure my email forms. Frankly I did not know that I needed to secure
them. Can anyone point me towards some documentation? As you can imagine
"secure email php" finds a lot of results on a search engine.
</pre>
</blockquote>
<pre wrap=""><!---->
it's called email injection
<a class="moz-txt-link-freetext" href="http://www.securephpwiki.com/index.php/Email_Injection">http://www.securephpwiki.com/index.php/Email_Injection</a>
-barry
_______________________________________________
ciapug mailing list
<a class="moz-txt-link-abbreviated" href="mailto:ciapug@cialug.org">ciapug@cialug.org</a>
<a class="moz-txt-link-freetext" href="http://cialug.org/mailman/listinfo/ciapug">http://cialug.org/mailman/listinfo/ciapug</a>
------------------------------
End of ciapug Digest, Vol 23, Issue 8
*************************************
</pre>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
<><><><><><><><><><><><><><><><><>
Mike Parks
Captain Jack Communications
WebSite Development and Hosting
<a class="moz-txt-link-abbreviated" href="http://www.captainjack.com">www.captainjack.com</a>
Phone: 515-964-8500
Fax: 515-964-4685</pre>
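<br>
An added example, not part of the original message or its author's code: a stricter variant of the check described above that rejects line breaks in every header-bound field instead of searching for "cc:", so a message body that merely mentions "cc:" is still delivered. The function names assert_header_safe and build_mail are hypothetical, the addresses are constructed, and PHP 7.1 or later is assumed.<br>

```php
<?php
// Added example, not from the original post. Function names are hypothetical.

/** Refuse any header-bound value that contains CR, LF or NUL. */
function assert_header_safe(string $field, string $value): void
{
    if (preg_match('/[\r\n\0]/', $value)) {
        throw new InvalidArgumentException("Line break in header field: $field");
    }
}

/** Validate the fields and build the arguments for mail() from fixed templates. */
function build_mail(string $to, string $fromMail, string $fromName, string $subject, string $body): array
{
    $fields = ['to' => $to, 'from' => $fromMail, 'name' => $fromName, 'subject' => $subject];
    foreach ($fields as $field => $value) {
        assert_header_safe($field, $value);   // covers any added header, whatever its name
    }
    foreach ([$to, $fromMail] as $addr) {
        if (filter_var($addr, FILTER_VALIDATE_EMAIL) === false) {
            throw new InvalidArgumentException("Not a single valid address: $addr");
        }
    }
    // Quote the display name so commas or angle brackets in it stay inside the name.
    $quoted = '"' . str_replace(['\\', '"'], ['\\\\', '\\"'], $fromName) . '"';
    return ['to' => $to, 'subject' => $subject, 'body' => $body,
            'headers' => "From: $quoted <$fromMail>"];
}

// Constructed sample submissions: [FromName, FromMail, Message].
$samples = [
    'benign'   => ['Alice', 'alice@example.com', 'Please cc: my manager on the reply.'],
    'injected' => ['Alice', "alice@example.com\r\nBcc: list@example.net", 'hi'],
    'not-mail' => ['Alice', 'alice at example dot com', 'hi'],
];

foreach ($samples as $label => [$name, $from, $body]) {
    try {
        $m = build_mail('owner@example.org', $from, $name, 'Contact form', $body);
        // A real handler would now call:
        // mail($m['to'], $m['subject'], $m['body'], $m['headers']);
        echo "$label: accepted, headers = {$m['headers']}\n";
    } catch (InvalidArgumentException $e) {
        echo "$label: rejected (", $e->getMessage(), ")\n";
    }
}
```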
</body>
</html>