NYCPHP Meetup

NYPHP.org

[nycphp-talk] PHP script needs some filter help

John Campbell jcampbell1 at gmail.com
Sat Sep 15 22:30:05 EDT 2007


> The situation:  Our company's website host server only processes scripts in
> php, python, cold fusion [not in asp - go figure].  Our website has three
> separate user information request forms on it; all were posted using a php
> mail script.  One day, all of a sudden, we get 20-30 bogus forms mailed to us
> per day.  Annoying and alarming.  So I went searching for some way to
> control it.  I managed to insert a php script with captcha into each.  But
> we are still getting bogus forms sent to us.  Not as many, but still
> annoying and no fun...email header injections I take it?
>
> So, I tried to follow along and use some php includes that I found posted on
> nyphp.org.  After adding some of the code and quite a few iterations, I'd
> keep getting these parsing errors, and could never get it to work.

Here is what I think is really happening, and a captcha isn't going to
do a damn thing.

Your script has a vulnerability that allows a spammer to use your
company's webserver to send out mass emailings.  You should fix the
header injection, and the spammer will quit within a week or so.
Technically, you are responsible for the spam, as it is being sent by
your server and your company's email will get blacklisted soon.

Don't allow user input into the header parameter of the mail()
function.  If you do, make sure to validate it (no newlines). Check
your mail logs as well.

Regards,
John Campbell
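One way to apply John's advice in practice, as an added example that is not code from the thread: a contact-form helper that keeps form input out of mail()'s header parameter except for one validated Reply-To address, rejecting any value containing CR/LF. The sender and recipient addresses and the form field names are assumptions.

```php
<?php
// Added example (not from the original thread): a mail-sending helper that
// never puts raw form input into mail()'s header parameter.
// Assumed: a fixed, site-owned sender address and a fixed internal recipient.

const SITE_FROM = 'forms@example.com';  // assumed: server-owned sender
const SITE_TO   = 'sales@example.com';  // assumed: internal recipient

/**
 * Returns the address if it is a syntactically valid, single e-mail address
 * containing no CR/LF/NUL (the characters a header-injection attempt needs),
 * otherwise null.
 */
function clean_email_field(string $value): ?string
{
    $value = trim($value);
    if ($value === '' || strlen($value) > 254) {
        return null;
    }
    // A CR or LF would let the value start a new header line of its own.
    if (preg_match('/[\r\n\0]/', $value)) {
        return null;
    }
    $valid = filter_var($value, FILTER_VALIDATE_EMAIL);
    return $valid === false ? null : $valid;
}

/**
 * Sends the form contents. Form fields only ever go into the body; the
 * visitor's address reaches the headers only as a validated Reply-To.
 * Returns false (and logs) when the e-mail field fails validation.
 */
function send_contact_form(array $post): bool
{
    $replyTo = clean_email_field($post['email'] ?? '');
    if ($replyTo === null) {
        error_log('contact form: rejected invalid or injected e-mail field');
        return false;
    }
    $headers = [
        'From: ' . SITE_FROM,
        'Reply-To: ' . $replyTo,
        'Content-Type: text/plain; charset=UTF-8',
    ];
    // Subject is fixed; newlines inside the body are harmless there.
    $body = 'Name: ' . str_replace(["\r", "\n"], ' ', $post['name'] ?? '') . "\n"
          . "Message:\n" . ($post['message'] ?? '');
    return mail(SITE_TO, 'Website information request', $body, implode("\r\n", $headers));
}
```

Rejected submissions are written to the PHP error log, which gives you something concrete to correlate against the mail server logs John suggests checking.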


