We help IT Professionals succeed at work.

We've partnered with Certified Experts, Carl Webster and Richard Faulkner, to bring you two Citrix podcasts. Learn about 2020 trends and get answers to your biggest Citrix questions!Listen Now

x

ISP closes php form because of spam abuse

Sparkle101
Sparkle101 asked
on
Medium Priority
317 Views
Last Modified: 2013-12-13
Hi experts, my ISP says that my simple php script that handles a simple contact form is abused by spammers. What may I do to redeem this?

The script recides in a separate file from the form:
<?
header("Location:../index.php");
if ($REQUEST_METHOD == "POST") {
 
 
$email = $HTTP_POST_VARS[email];
$mailto = "name@domain.com";
$mailsubj = "Response from $name";
$mailhead = "From: $email\n";
reset ($HTTP_POST_VARS);
$mailbody = "This is a message from $name:\n";
while (list ($key, $val) = each ($HTTP_POST_VARS)) { $mailbody .= "$key : $val\n"; }
if (!eregi("\n",$HTTP_POST_VARS[email])) { mail($mailto, $mailsubj, $mailbody, $mailhead); }

echo("Thanks.");

}  
?>

Thanks
Comment
Watch Question

Richard QuadlingSenior Software Developer

Commented:
A quick lesson.

EVERYTHING THAT A USER SUPPLIES IS BAD.

Here end'th the lesson.

Personally, I would take a look at

http://www.tectite.com/formmailpage.php

and

http://phpfmg.sourceforge.net/home.php
Commented:
If I put a form on my website that posts to yours, your script will send out emails for me.
All I'd have to do is supply the 'email' variable and put extra header information in it too, like cc or bcc.

You should detect where your post is coming from and validate all entries, before sending anything out.

To ensure people use your form and not just submit from somewhere else, you could also set a session variable with a random value when creating the form, including it in a hidden value, and when its submitted match them up.

Although most of these can be faked, good validation should be enough to prevent spammers sending out emails via your site.

Not the solution you were looking for? Getting a personalized solution is easy.

Ask the Experts

Author

Commented:
Yes, I found out this too. I finally ended up with this script that detects cc and bcc and other and sends an error:

<?php

$error = "";

// get all the email form data

$ems = "";

// stop email server hacks
$ems .= $name;
$ems .= $email;
$ems .= $message;


if ( stristr( $ems, "content-type" ) || stristr( $ems, "multipart/mixed" ) || stristr( $ems, "boundary" ) || stristr( $ems, "cc:" ) || stristr( $ems, "multi-part message in mime format" ) || stristr( $ems, 'to:' ) || eregi( "(%[a-f0-9])", $ems ) || stristr( $ems, "0x" ))
// the last two are in case they try using hex or other non standard characters
{
$error .= "<p>Behave!!</p>";
}

if ( $error )
{
echo $error;
}
else
{


@extract($_POST);
$name = stripslashes($name);
$email = stripslashes($email);
$subject = stripslashes("Responce from my form");
$text = stripslashes($message);
mail('myname@somedomain.com',$subject,$text,"From: $name <$email>");
header("location:../thanks.php");
}
?>
Access more of Experts Exchange with a free account
Thanks for using Experts Exchange.

Create a free account to continue.

Limited access with a free account allows you to:

  • View three pieces of content (articles, solutions, posts, and videos)
  • Ask the experts questions (counted toward content limit)
  • Customize your dashboard and profile

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

OR

Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.