[nycphp-talk] Preventing spam with php mail function
1j0lkq002 at sneakemail.com
Thu Feb 23 17:46:35 EST 2006
Hans Zaunere lists-at-zaunere.com |nyphp dev/internal group use| wrote:
> If I understand correctly, we have a PHundamentals article available for
Hans beat me to it. IMHO that article is one of the best on the web for
addressing multi-part MIME exploits using contact forms. It is an
advanced topic, though, but as with every "exploit" if the coder
suffered through the advanced topics early, the learning process would
be much less painful.
Basically it shows how even if you build a "safer" contact form, it may
be used to insert spam because Internet mail systems permit mail
messages to be inserted into other mail messages. The bottom line is
that you have to filter every field of the mail your form will create
and send, even if you don't collect those fields on your form (default
fields and the like). Most people are filtering every field their form
collects (which is not enough... you have to filter/control the defaults
as well). That article also highlights the need to filter out newlines
that might indicate an inserted message-within-a-message. It's a good
Chris' reply is excellent for the way it suggests you review the bigger
picture of your security (not just the technology of the contact form).
I completely agree, and would like to add more. Consider these ideas as
Can your form be used to spoof an email so that it appears to come from
someone within your company even though it really originated on your
website, created by an outsider?
Could I use your form to send an email to the person who handles
user-submitted requests, perhaps looking like an email from your web
hosting company directing an update of shell account username/passwords etc?
Can your "change my password" form be used to change another user's
password without prior permission/approval?
Does your contact-us form CC others in your organization prior to any
administrative review? You don't want obscene or harassing statements
circulated within the company, or you could open up the company to civil
liabilities. Similarly, if your organization is regulated (HIPAA,
banking and finance, securities, etc) un-reviewed user submissions
should not be circulated (copied to multiple places on client machines etc).
Hope this helps.
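The filtering rule the post describes (every header field the form will produce is either fixed by the site or validated, and no value that can reach a header may contain a newline), shown as an added example. This is not code from the original post, the PHundamentals article, or the list; the field names `email`, `subject` and `message`, the `example.com` addresses, and the helper names are assumptions made for the example.

```php
<?php
// Added example (not from the original post): a defensive wrapper around
// PHP's mail() for a contact form. It rejects any field that contains a
// CR or LF, which is the mechanism behind the header-injection
// ("message within a message") problem the thread describes, and it never
// lets raw user input reach mail()'s additional_headers argument.

const MAX_SUBJECT_LEN = 200;

/**
 * Return the value unchanged if it contains no CR/LF; otherwise throw.
 * Rejecting (rather than silently stripping) keeps the attempt visible in
 * the application log, which is useful for detection.
 */
function assertSingleLine(string $value, string $fieldName): string
{
    if (preg_match('/[\r\n]/', $value)) {
        throw new InvalidArgumentException("Newline in field '$fieldName' rejected");
    }
    return $value;
}

/**
 * Validate an address syntactically (no display name, no comments, no
 * newlines). filter_var's FILTER_VALIDATE_EMAIL is stricter than a
 * homemade regex and is the standard PHP check for this.
 */
function assertEmail(string $value, string $fieldName): string
{
    $value = assertSingleLine(trim($value), $fieldName);
    if (filter_var($value, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException("Invalid address in field '$fieldName'");
    }
    return $value;
}

/**
 * Build the arguments for mail() from form input. Every header that will
 * appear in the outgoing message is either a constant chosen here (the
 * "default fields" the post says must also be controlled) or derived from
 * a validated field; the form cannot add headers of its own.
 *
 * $recipient and $fromAddress are site-owned constants (hypothetical here).
 */
function buildContactMail(array $post, string $recipient, string $fromAddress): array
{
    $replyTo = assertEmail($post['email'] ?? '', 'email');
    $subject = assertSingleLine(trim($post['subject'] ?? ''), 'subject');
    $subject = mb_substr($subject, 0, MAX_SUBJECT_LEN);

    // The body may legitimately contain newlines; mail() carries it
    // separately from the headers, so it cannot introduce header lines.
    // Line endings are normalised so the MTA sees a consistent message.
    $body = str_replace(["\r\n", "\r"], "\n", (string)($post['message'] ?? ''));

    $headers = [
        'From: ' . $fromAddress,            // fixed by the site, never the user's address
        'Reply-To: ' . $replyTo,            // validated above
        'Content-Type: text/plain; charset=UTF-8',
        'X-Mailer: contact-form',
    ];

    return [
        'to'      => assertEmail($recipient, 'recipient'),
        'subject' => $subject,
        'body'    => $body,
        'headers' => implode("\r\n", $headers),
    ];
}

// Usage in a form handler (addresses are constructed placeholders):
try {
    $m = buildContactMail($_POST, 'webmaster@example.com', 'noreply@example.com');
    mail($m['to'], $m['subject'], $m['body'], $m['headers']);
} catch (InvalidArgumentException $e) {
    error_log('contact form rejected: ' . $e->getMessage());
    http_response_code(400);
    echo 'Your message could not be sent.';
}
```

Two design choices follow directly from the post: the recipient and the From address are never taken from the form (so the form cannot be used to spoof internal senders or to pick its own recipients), and a newline in any header-bound field is a rejection that gets logged rather than a value that gets quietly cleaned up.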