Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
?
Solved

ISP closes php form because of spam abuse

Posted on 2006-04-03
3
Medium Priority
?
296 Views
Last Modified: 2013-12-13
Hi experts, my ISP says that my simple php script that handles a simple contact form is abused by spammers. What may I do to redeem this?

The script recides in a separate file from the form:
<?
header("Location:../index.php");
if ($REQUEST_METHOD == "POST") {
 
 
$email = $HTTP_POST_VARS[email];
$mailto = "name@domain.com";
$mailsubj = "Response from $name";
$mailhead = "From: $email\n";
reset ($HTTP_POST_VARS);
$mailbody = "This is a message from $name:\n";
while (list ($key, $val) = each ($HTTP_POST_VARS)) { $mailbody .= "$key : $val\n"; }
if (!eregi("\n",$HTTP_POST_VARS[email])) { mail($mailto, $mailsubj, $mailbody, $mailhead); }

echo("Thanks.");

}  
?>

Thanks
0
Comment
Question by:Sparkle101
3 Comments
 
LVL 40

Expert Comment

by:Richard Quadling
ID: 16370444
A quick lesson.

EVERYTHING THAT A USER SUPPLIES IS BAD.

Here end'th the lesson.

Personally, I would take a look at

http://www.tectite.com/formmailpage.php

and

http://phpfmg.sourceforge.net/home.php
0
 
LVL 9

Accepted Solution

by:
waygood earned 750 total points
ID: 16486032
If I put a form on my website that posts to yours, your script will send out emails for me.
All I'd have to do is supply the 'email' variable and put extra header information in it too, like cc or bcc.

You should detect where your post is coming from and validate all entries, before sending anything out.

To ensure people use your form and not just submit from somewhere else, you could also set a session variable with a random value when creating the form, including it in a hidden value, and when its submitted match them up.

Although most of these can be faked, good validation should be enough to prevent spammers sending out emails via your site.
0
 
LVL 2

Author Comment

by:Sparkle101
ID: 16489336
Yes, I found out this too. I finally ended up with this script that detects cc and bcc and other and sends an error:

<?php

$error = "";

// get all the email form data

$ems = "";

// stop email server hacks
$ems .= $name;
$ems .= $email;
$ems .= $message;


if ( stristr( $ems, "content-type" ) || stristr( $ems, "multipart/mixed" ) || stristr( $ems, "boundary" ) || stristr( $ems, "cc:" ) || stristr( $ems, "multi-part message in mime format" ) || stristr( $ems, 'to:' ) || eregi( "(%[a-f0-9])", $ems ) || stristr( $ems, "0x" ))
// the last two are in case they try using hex or other non standard characters
{
$error .= "<p>Behave!!</p>";
}

if ( $error )
{
echo $error;
}
else
{


@extract($_POST);
$name = stripslashes($name);
$email = stripslashes($email);
$subject = stripslashes("Responce from my form");
$text = stripslashes($message);
mail('myname@somedomain.com',$subject,$text,"From: $name <$email>");
header("location:../thanks.php");
}
?>
0

Featured Post

Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Introduction This article is intended for those who are new to PHP error handling (https://www.experts-exchange.com/articles/11769/And-by-the-way-I-am-New-to-PHP.html).  It addresses one of the most common problems that plague beginning PHP develop…
It’s a season to be thankful, and we’re thankful for users like you who engage on site, solve technology problems, and network with others in the industry. What tech are we most thankful for? Keep reading.
The viewer will learn how to dynamically set the form action using jQuery.
The viewer will learn how to count occurrences of each item in an array.
Suggested Courses

572 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question