I've had my website contact form sending through remarkably strange stuff recently, which after doing some searching, I've discovered is happening to a few people.
Apparently it's called Email Injection, and it's allowing hackers to use the email forms to send spam mail.
I'm trying to set up a function to check and block any attempts. From what I've read, carriage returns and new lines plus Bcc and the email address it's getting bcc'ed to are things I could use, but I'd like to make a nice function that I can apply to all fields (apart from email) to stop any nasties - this means I need to allow for customers typing in things like @, unfortunately.
So far I have this (based on stuff I've found on the web).
This is checking the $name field.
Code:
// Reject header-injection markers in $name: a raw CR/LF, a URL-encoded CR/LF,
// the spammer's Bcc address, or the literal header name "Bcc".
// preg_match with the /i flag is case-insensitive, so one pattern covers
// %0A/%0a and %0D/%0d (the original "%oa"/"%od" with a letter o were typos),
// and it replaces eregi(), which was removed in PHP 7.
if (preg_match('/(\r|\n|%0A|%0D|mhkoch321@aol\.com|Bcc)/i', $name)) {
    $fn2 = FALSE;
} else {
    $fn2 = TRUE;
}
$valid = $valid && $fn2;
This is the kind of stuff that's coming through on the hacked emails (my domain name has been REMOVED, but all were using my domain name)
Code:
Customers Name:
Customers Email: hjek@REMOVED.com
Customers Phone:
Page Information requested: hjek@REMOVED.com
Content-Type: multipart/mixed; boundary="===============1615891411=="
MIME-Version: 1.0
Subject: 5327f41
To: hjek@REMOVED.com
bcc: mhkoch321@aol.com
From: hjek@REMOVED.com
This is a multi-part message in MIME format.
--===============1615891411==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
lzyklor
--===============1615891411==--
Information requested:
Customers Address:
The Bcc email addy seems to be consistent for all who have had this happen to their forms, so either the hacker is a little stupid, or some poor bastard is getting a lot of spam.
Any suggestions on turning the above example into a good function, which will check all possible combinations of upper and lowercase etc., or any ideas on how else to combat this?
Plus I guess this is a heads up to anyone else who uses form to email on their website.
----------------------------------------
Sometimes, when my code just won't behave, I take it outside and make it listen to Britney Spears music, and when it comes back it's really well behaved. I wonder if it's suffering from post-traumatic stress syndrome now...
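One way to turn the single-field check above into a function that can be applied to every form field, with a separate, stricter rule for the email address. This is an added example, not the poster's code; the function and variable names (is_injected, safe_email, form_is_valid, $good, $bad) and the sample submissions are my own.

```php
<?php
// Added example: a reusable check for mail header injection, applied to every
// form field, plus a stricter rule for the email field. Names are assumptions.

// True if $value could break out of a mail header: a raw CR/LF, a URL-encoded
// CR/LF in any case, or text shaped like an injected mail header ("bcc: ...").
function is_injected(string $value): bool {
    $patterns = [
        '/[\r\n]/',                                        // literal CR or LF
        '/%0[aAdD]/',                                      // %0A %0a %0D %0d
        '/\b(bcc|cc|content-type|mime-version|content-transfer-encoding)\s*:/i',
    ];
    foreach ($patterns as $re) {
        if (preg_match($re, $value)) {
            return true;
        }
    }
    return false;
}

// The email field legitimately contains "@" and dots, so the keyword test is
// not enough on its own: it must also be one syntactically valid address.
function safe_email(string $value): bool {
    return !is_injected($value)
        && filter_var($value, FILTER_VALIDATE_EMAIL) !== false;
}

// Check every field; the email field gets safe_email(), everything else
// gets is_injected(). Returns false on the first bad field so mail() is
// never called with tainted input.
function form_is_valid(array $fields): bool {
    foreach ($fields as $key => $value) {
        $ok = ($key === 'email') ? safe_email($value) : !is_injected($value);
        if (!$ok) {
            return false;
        }
    }
    return true;
}

// Constructed sample submissions: a genuine enquiry and an injection attempt
// shaped like the one quoted in the post (addresses are placeholders).
$good = ['name' => 'Jane Smith', 'email' => 'jane@example.com',
         'message' => 'Can you email me a price for 10 units?'];
$bad  = ['name' => "hjek\nbcc: spammer@example.com", 'email' => 'hjek@example.com',
         'message' => 'lzyklor'];

var_dump(form_is_valid($good));
var_dump(form_is_valid($bad));
```

The keyword pattern deliberately leaves out common English words such as "to:" and "from:" to avoid rejecting genuine messages; with CR/LF already blocked, those headers cannot be injected anyway.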