Preventing Spam When Using Php's Mail Function


TavoxPeru
First of all, if this is not the correct place for this topic, could an Admin please move it accordingly.

Recently I read at the PHPBuilder.com website this excellent article, Preventing spam when using PHP's mail function, which explains in a very easy way how to keep spammers from sending their spam from your own server.

Generally speaking, almost all websites include some kind of contact form which is used to send emails with the PHP mail() function. This contact form can be used for a lot of purposes, for example to send comments or suggestions, to report problems on your website, to register users, etc., and it can be used and abused by spammers to send out their spam without your knowledge.

This article is very easy to understand and to implement, and includes functions for checking for valid emails and for preventing scripts from being exploited.

You can use it as a good starting point to prevent this issue from happening, and I hope it helps somebody.

Best regards,

Reply

yordan
QUOTE
if this is not the correct place for this topic please an Admin move it accordingly.

No problem, I accept this post here.
However, on the topic subject, I would like to understand something. Do you mean that you could send mails without this kind of contact form, and having your mail being received correctly?

Reply

TavoxPeru
QUOTE(yordan @ Mar 29 2008, 12:17 PM) *
No problem, I accept this post here.
However, on the topic subject, I would like to understand something. Do you mean that you could send mails without this kind of contact form, and having your mail being received correctly?

Thanks yordan for moving it. I don't completely understand your question, but just in case, my answer is yes.

For example, you have a page -form.php- with a contact form and other data in it, that when it is submitted goes to another page -mail.php- which receives all of the submitted data and then sends an email with the mail() php function as usual. For the sake of the example, this is the same code from the article without any kind of validation. The code of the mail.php is:

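CODE
<?php
// Version from the article WITHOUT any validation (shown to illustrate the problem).
$to = "bob@domain_example.com";
$subject = "Email from website";
// Both values come straight from the request and are used as-is.
$message = $_REQUEST["body"];
$email = $_REQUEST["email"];

// The visitor-supplied address is placed directly into the header block.
$headers = "From: $email";
mail($to, $subject, $message, $headers);
echo "Thanks for submitting.";
?>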

If you don't perform any kind of validation in any of these pages, then it is very easy for a spammer to send emails with your page, in this case with your mail.php page.

How??? It is very simple, first you only need to view the source code of your form to get the variable names and to where it will be redirected. The first ones are all the elements of your form and the second one is the value of the ACTION property of the form.

So, it is very easy to send a request like this:
http://your-domain.com/mail.php?body=gotcha&email=barbie@fake-domain.com%0Abcc:spam-1@some-domain.com,spam2@some-domain.com
to abuse it and send my spam.

On the other hand, if you do some kind of validation, your pages will be a lot more secure and will help you to prevent this situation. This is my code with some validation:

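CODE
<?php
// Escape a value before echoing it into the HTML of this test page.
function h($value) {
   return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}

// Report CR/LF (raw or still URL-encoded) in a value destined for a mail header.
function contains_newlines($str_to_test) {
   if(preg_match("/(%0A|%0D|\\n+|\\r+)/i", $str_to_test) != 0) {
     echo "newline found in " . h($str_to_test) . ". Suspected injection attempt - mail not being sent.<br />";
     echo "here you must use the exit or die php functions to finish the script.<br /><br />";
     // exit;  // left commented out so this test page keeps printing its output
   }
}

$to = "webmaster@gigasoft.astahost.com";
$subject = "Email from website";
// Default to empty strings so a missing field does not raise a notice.
$message = isset($_REQUEST["body"]) ? $_REQUEST["body"] : "";
$email = isset($_REQUEST["email"]) ? $_REQUEST["email"] : "";
$headers = "From: $email";

// Only form submissions sent with POST are expected here.
if($_SERVER['REQUEST_METHOD'] != "POST"){
   echo "Unauthorized attempt to access page.<br />";
   echo "here you must use the exit or die php functions to finish the script.<br /><br />";
   //exit;
}

contains_newlines($email);

// mail() stays commented out: this test page only prints what would be sent.
// mail($to, $subject, $message, $headers);
echo "to = " . h($to) . "<br />subject = " . h($subject) . "<br />body = " . h($message) . "<br />message = " . h($message) . "<br />email = " . h($email) . "<br />headers = " . h($headers) . "<br /><br />";
echo "mail (" . h("$to, $subject, $message, $headers") . ")<br /><br />";
echo "Thanks for submitting.";
exit;
?>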

You can test both of these issues by going to:
  1. My test mail page without any validation
  2. My test mail page with some validation
BTW, both pages do not send any email really.

Best regards,

Reply
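
Added example, not part of TavoxPeru's post or the PHPBuilder article: a header builder that rejects the injected `bcc:` request shown above before anything reaches mail(), run here over constructed inputs. The function name `build_contact_headers`, the `webform@example.com` site address and the sample values are assumptions made for illustration.

```php
<?php
/**
 * Return a safe header block for a contact-form message, or null when the
 * visitor-supplied address must be rejected. (Hypothetical helper.)
 */
function build_contact_headers(string $visitorEmail, string $siteFrom): ?string
{
    // Any CR or LF (raw, or still percent-encoded) would start a new header line.
    if (preg_match('/[\r\n]|%0[ad]/i', $visitorEmail)) {
        return null;
    }
    // Must be exactly one syntactically valid address with nothing appended.
    if (filter_var($visitorEmail, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    // From stays a fixed site address; the visitor only appears in Reply-To.
    return "From: $siteFrom\r\nReply-To: $visitorEmail";
}

// Constructed inputs: what PHP holds in $_POST['email'] after URL decoding.
$samples = [
    'plain address'        => 'alice@example.com',
    'LF + bcc (from post)' => "barbie@fake-domain.com\nbcc:spam-1@some-domain.com,spam2@some-domain.com",
    'CRLF + cc'            => "x@example.com\r\nCc: y@example.com",
    'still encoded %0A'    => 'x@example.com%0Abcc:y@example.com',
    'not an address'       => 'hello world',
];

foreach ($samples as $label => $value) {
    $headers = build_contact_headers($value, 'webform@example.com');
    // Only a non-null result would ever be handed to mail() as its 4th argument.
    printf("%-22s %s\n", $label, $headers === null ? 'REJECTED' : 'accepted');
}
```

Unlike the test page, the check returns a value the caller must act on, so a rejected address cannot fall through to mail().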

yordan
OK, now I see, thanks a lot Tavox.

Reply

Quatrux
Well, by doing a little validation and even programming in a "good" way, these kinds of problems won't happen, of course, I know one thing: when you do something for yourself or you're still learning and quite well, you try to do different things, but when you're working and doing for somebody else, you don't always have time to do it in a very "perfect" way, the main thing for most clients is that it would work, usually they don't care about the code, or what language it is or how it's possible and for that reason, I really can say that there are lots of "bad" scripts/programs written out there, to get money and to make it work..

I saw some really bad scripts, especially written in PHP, the main thing, as I said, is that they would work, and they do! When things like frameworks appeared, it's a little safer for people who write their applications in Zend framework or any other good framework, it is more secure, it saves time too and you have a better application, the bad thing about it in my opinion, that there are thousands of copies in some library directory of for example zend frameworks, they are there, even though only 4% of them are used..

To conclude, for example I remember I always wanted to write "the best way" in my sites or cms and I even do today, but when I started doing something not for myself I understood that the main thing is to make it work, I still prefer to make a good application though, but time is money, but with experience I think still most of them are quite good, even written fast. I remember I thought to write for others, you need to comment and write it that other people who might try to edit them or something, that it would be as easy as possible for them, but in most cases, if you wrote the application, bigger chances are that they or he/she will ask support from you again and not from any other guy for support, so you can write it your style or by how you like it.

Reply

TavoxPeru
Yordan, no problem and I'm glad that now you see it better.

Quatrux, you are right, TIME IS MONEY, and when you work for someone else it is a thing that counts a lot, another thing that also counts a lot is that IT MUST WORK. Related to good and bad scripts, both of them will always exist and we can't do anything about them, but for ours, yes we can.

I know that nothing is perfect and never will be, but I'm the kind of person that always tries to do my best effort in anything I do, and when it is about programming a bit more, because I know that I can improve my code. I think that it is better to first try in your personal projects and then with the experience that you gain with it apply to your professional work which pays the bills.

BTW, my code posted here is too simple and I only made it for testing purposes, also, I know that it is not correctly coded, it is not complete and finally I must complete and improve it shortly.

So, please be honest with me and tell me what you think about it???

Best regards,

Reply

iGuest
Is there any way to block incoming spam mails using PHP script

The script you provided is really good to block outgoing spam mails from the server on which your script is running, but how to block the incoming spam mails on your server. Is there any useful script for that also...
???

Regards muryam

-question by Muryam

Reply

