Old 2005-11-23, 11:49 AM   #1
cd34
a.k.a. Sparky
Join Date: Sep 2004
Location: West Palm Beach, FL, USA
Posts: 2,396
do you use php's mail() command in any of your scripts?

Do you have a comment form that you use to send yourself messages from your websites -- possibly to avoid spam? Did you get the code from the web or write it yourself?

There is a recent trend of spamming through comment forms. Your machine can be used to send spam if one is able to mangle data that is being sent to your comment form.

PHP isn't really the only language having this problem, but, so many people use PHP because it is 'quick and easy.' When they get it to work, they forget to validate the data that can be stuffed into the different fields in the comment form.

To use the mail command in PHP, it's pretty easy:

Code:
mail("user@destination.com","subject of message","message body","From: ".$_REQUEST['sender']);
What most people writing PHP code don't realize is that the 4th parameter isn't just to set the address that the message came from. Most scripts set it to make it easy to reply to the email, but, you are actually setting a header. As a result, that header can be exploited to include Bcc:, Content-Type, etc.

So, if you have scripts on your sites using the mail() command, take a few minutes to check and see if the data that is used in that 4th parameter is validated prior to it being sent to the command. If that data isn't validated, a spammer can use your comment form against you.

In the above case, one might consider a construct such as:

Code:
$sender = $_REQUEST['sender'];
// Validate the same field that ends up in the header; the hyphen inside the
// character class is escaped so it is not read as a range.
if (!(preg_match('/^(([a-z0-9&.\-_+])|(\*))+@[a-z0-9\-]+\.([a-z0-9\-]+\.)*?[a-z]+$/is', $sender))) {
    $sender = "sender email forged, possible spam attempt";
    // or whatever error trapping you want to do here
}
mail("user@destination.com","subject of message","message body","From: $sender");
In any case, these vulnerabilities occur in dozens of scripts out there and recently have been used to send spam. Many of these scripts come from what most people would consider trusted sources.

Do yourself a favor and do a quick check on your comment forms to see if they might be subject to this exploit.

If you are using a perl cgi for your comment form and it calls '/usr/lib/sendmail -t' somewhere within, if certain fields are not validated, it can also be exploited.

Some of the tell-tale signs of this are getting dozens of emails in a night from a comment form which contain spammy messages.
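As an added illustration of the point in this post (example code, not cd34's own), here is the unsafe call from above next to a hardened version, both run over constructed submissions so the effect of an unvalidated 4th argument is visible. The recipient address is a placeholder and nothing is sent while $dry_run is true; the functions return the header string they would hand to mail() so it can be inspected.

```php
<?php
// Added example, not code from the thread. Recipient is a placeholder.

// Unsafe: whatever came in the form is placed straight into additional_headers,
// so a line break in the value becomes a second header.
function send_unsafe(array $request, bool $dry_run = true): string
{
    $headers = "From: " . ($request['sender'] ?? '');
    if (!$dry_run) {
        mail("user@destination.com", "subject of message", "message body", $headers);
    }
    return $headers; // returned so the effect can be inspected without sending
}

// Hardened: accept only a syntactically valid address with no control characters.
function clean_sender(string $raw): ?string
{
    $raw = trim($raw);
    // Reject CR, LF and NUL outright before looking at syntax.
    if (preg_match('/[\r\n\0]/', $raw)) {
        return null;
    }
    // PHP's e-mail validator rejects whitespace and malformed addresses;
    // the length bound is an extra guard against junk.
    if (strlen($raw) > 254 || filter_var($raw, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    return $raw;
}

// Returns null (and sends nothing) when the sender field fails validation.
function send_hardened(array $request, bool $dry_run = true): ?string
{
    $sender = clean_sender((string)($request['sender'] ?? ''));
    if ($sender === null) {
        return null; // refuse rather than guess; log it if you want to see attempts
    }
    $headers = "From: $sender";
    if (!$dry_run) {
        mail("user@destination.com", "subject of message", "message body", $headers);
    }
    return $headers;
}

// Constructed sample submissions: one legitimate, one carrying an extra header.
$samples = [
    'legit'    => ['sender' => 'alice@example.com'],
    'injected' => ['sender' => "alice@example.com\r\nBcc: someone@example.net"],
];

foreach ($samples as $name => $req) {
    echo "== $name ==\n";
    echo "unsafe headers:   " . json_encode(send_unsafe($req)) . "\n";
    echo "hardened headers: " . json_encode(send_hardened($req)) . "\n";
}
```

Run from the command line, the "injected" case shows the unsafe function passing two headers to mail() while the hardened one returns null and sends nothing.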
Old 2005-11-23, 12:32 PM   #2
Beaver Bob
Porn Blog Addict
Join Date: Oct 2005
Location: Las Vegas, Nevada
Posts: 715
in PHP, you can use checkdnsrr($mailDomain, "MX") to make sure the email address has a valid domain, where $mailDomain is the domain of the email address. I usually do that before using mail()
Old 2005-11-23, 01:14 PM   #3
cd34
a.k.a. Sparky
Join Date: Sep 2004
Location: West Palm Beach, FL, USA
Posts: 2,396
Another very good suggestion. Remember though that DNS lookups in PHP are serialized and not multi-threaded. Get hit with a bunch of form submits at the wrong time and you've got a small Denial of Service problem on your machine.

Also, if you are putting other headers in that 4th argument, you will want to validate them to ensure good values as well.

Simple checks for \r and \n might give you a head start. I prefer to validate a field to make sure it contains what I want, rather than to try and figure out what I don't want.
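The following example is added here and is not code from either poster. It puts Beaver Bob's checkdnsrr() MX lookup together with cd34's two caveats: the cheap syntax check runs first so a flood of junk submissions does not become a flood of blocking DNS lookups, and every other header value placed in the 4th argument is validated the same way, not just From. The function names and the X-Form-Topic header are this example's own; the sample submission is constructed.

```php
<?php
// Added example, not code from the thread. Needs DNS access for the MX lookup.

function sender_domain_accepts_mail(string $email): bool
{
    // Local check first: malformed addresses never cost a DNS round trip.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    $domain = substr($email, strrpos($email, '@') + 1);
    // A domain with MX records can receive mail; a host with only an A record
    // can too, so fall back to that before rejecting. Both calls block.
    return checkdnsrr($domain, 'MX') || checkdnsrr($domain, 'A');
}

// Whitelist-style check for any single header value (Reply-To, X-Mailer, ...):
// printable ASCII only, no CR/LF, bounded length. Null means "do not use it".
function safe_header_value(string $value, int $max = 200): ?string
{
    $value = trim($value);
    if ($value === '' || strlen($value) > $max) {
        return null;
    }
    if (!preg_match('/^[\x20-\x7E]+$/', $value)) { // rejects \r, \n, \0 and 8-bit
        return null;
    }
    return $value;
}

// Build the additional_headers string from a submission, dropping bad fields.
function build_headers(array $request): ?string
{
    $from = safe_header_value((string)($request['sender'] ?? ''));
    if ($from === null || !sender_domain_accepts_mail($from)) {
        return null; // refuse to send rather than guess
    }
    $lines = ["From: $from"];
    // An optional extra header from another form field gets the same treatment.
    $topic = safe_header_value((string)($request['topic'] ?? ''), 60);
    if ($topic !== null) {
        $lines[] = "X-Form-Topic: $topic";
    }
    return implode("\r\n", $lines);
}

// Constructed sample: valid sender, extra field carrying a line break.
$request = ['sender' => 'webmaster@example.com', 'topic' => "Pricing\r\nBcc: x@x.x"];
$headers = build_headers($request);
echo $headers === null ? "rejected\n" : "headers:\n$headers\n";
```

With this input the topic field is dropped and only the From header survives; the DNS lookup happens once, and only after the address has already passed the syntax check.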
Old 2005-11-23, 01:17 PM   #4
Cleo
Subversive filth of the hedonistic decadent West
Join Date: Mar 2003
Location: Southeast Florida
Posts: 27,936
I have an email link question. Is there a way to capture a URL when clicking a link to send mail? I'm thinking this would be a way to create a bad-link notification link.
Old 2005-11-23, 03:39 PM   #5
Mr. Stiff
Trying is the first step towards failure
Join Date: Sep 2005
Location: The Netherlands
Posts: 120
Ehhm, I have a normal function running to check e-mail format, as do most mailforms.
'email@domain.com\r\nBcc: x@x.x' would never make the check..
Old 2005-11-23, 03:53 PM   #6
RawAlex
Took the hint.
Join Date: Mar 2003
Posts: 5,597
I have found that if you need to make a form like this, the "TO" should always be hardcoded to your email (i.e. don't pass your email from the submit form). That means that the only person getting the spam is you.

You can also use hidden values on the form to assure that the message in fact comes from your form and not as a direct access. You can also track the last IP address to access the form, and limit the next use to be a different IP, or similar.

Alex
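The three controls RawAlex describes, as an added example rather than his code: the recipient is a constant instead of a form field, the form carries a signed hidden value proving it was issued by this site, and a per-IP timestamp throttles repeat submissions. The secret, the state directory, the addresses and the hidden-field name are placeholders chosen for this example.

```php
<?php
// Added example, not code from the thread. All constants are placeholders.

const RECIPIENT    = 'you@your-domain.example';               // hardcoded, never from the form
const TOKEN_SECRET = 'replace-with-a-long-random-secret';     // placeholder
const TOKEN_TTL    = 3600;                                    // seconds a form stays valid
const IP_STATE_DIR = '/tmp/contact-form-ips';                 // placeholder path
const MIN_INTERVAL = 60;                                      // seconds between posts per IP

// Value for the hidden field: issue time plus an HMAC over it.
function issue_token(?int $now = null): string
{
    $now = $now ?? time();
    return $now . ':' . hash_hmac('sha256', (string)$now, TOKEN_SECRET);
}

// Hidden field check: well-formed, signature matches, not expired.
function token_is_valid(string $token, ?int $now = null): bool
{
    $now = $now ?? time();
    if (!preg_match('/^(\d+):([0-9a-f]{64})$/', $token, $m)) {
        return false;
    }
    $expected = hash_hmac('sha256', $m[1], TOKEN_SECRET);
    return hash_equals($expected, $m[2]) && ($now - (int)$m[1]) <= TOKEN_TTL;
}

// Per-IP throttle: one small file per address holding the last accepted time.
function ip_allowed(string $ip, ?int $now = null): bool
{
    $now = $now ?? time();
    if (!is_dir(IP_STATE_DIR) && !mkdir(IP_STATE_DIR, 0700, true)) {
        return false; // fail closed if state cannot be kept
    }
    $file = IP_STATE_DIR . '/' . hash('sha256', $ip); // no raw IP in the filename
    $last = is_file($file) ? (int)file_get_contents($file) : 0;
    if ($now - $last < MIN_INTERVAL) {
        return false;
    }
    file_put_contents($file, (string)$now, LOCK_EX);
    return true;
}

function handle_submission(array $post, string $remote_ip): string
{
    if (!token_is_valid((string)($post['form_token'] ?? ''))) {
        return 'rejected: missing or stale form token';
    }
    if (!ip_allowed($remote_ip)) {
        return 'rejected: too many submissions from this address';
    }
    $body = (string)($post['message'] ?? '');
    // Recipient and headers are fixed; only the body is user-supplied.
    // mail(RECIPIENT, 'Comment form', $body, 'From: noreply@your-domain.example');
    return 'accepted for ' . RECIPIENT;
}

// Constructed walk-through: a token issued with the form, then three posts.
$token = issue_token();
echo handle_submission(['form_token' => $token, 'message' => 'hi'], '192.0.2.10'), "\n";
echo handle_submission(['form_token' => $token, 'message' => 'again'], '192.0.2.10'), "\n";
echo handle_submission(['form_token' => 'bogus', 'message' => 'x'], '192.0.2.11'), "\n";
```

The first post is accepted, the second from the same address within MIN_INTERVAL is throttled, and the third fails the token check before anything else runs. Emit the token into the form with issue_token() when rendering it; the mail() call is left commented out so the script can be tried without sending.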