[ciapug] RE: securing Mail()

Mike Parks mparks at captainjack.com
Wed Apr 18 13:13:12 CDT 2007


I wrote my own class that seems to work fairly well. It may not catch
100% of the email injections but it does catch a lot. When it does I get
an email with the Remote Addr. First, with
checkHackerResponse($exclude, $responses) you set which fields to ignore
(submit, email, etc...), then take all other fields and check each field
for an email format (one of the tactics is to put some bogus email
address in each field). If the form exhibits this then the process is
stopped. If it passes then it goes on to the SendMail() function, which
checks the Message, FromMail, FromName, ToMail, and Subject for a Bcc or
Cc. If it is detected they see this nice little message on the screen,
and I get an email with their IP.

When we see a form that seems to be getting spammed, I change it over to
use this class file. Usually within a week they get the hint and move on.

<?php
    class Email{
        // Set by the calling script before SendMail() is called.
        public $Message, $FromMail, $FromName, $ToMail, $Subject;

        function SendMail(){
            $Message = stripslashes($this->Message);
            $headers  = "From: ".$this->FromMail."\n";
            $headers .= "X-Priority: 0\n";
            $headers .= "X-MSMail-Priority: Normal\n";
            $headers .= "X-Mailer: ". $_SERVER['SERVER_NAME'] ." Mailer\n";
            $headers .= "Origin: ". $_SERVER['REMOTE_ADDR']."\n";
            $response = array($this->FromMail, $this->ToMail, $this->Subject, $Message);
            foreach($response as $key=>$value){
                // Case-insensitive substring test; "cc:" also matches "bcc:".
                if (stristr($value,"cc:")) {
                    $bad_ip = $_SERVER['REMOTE_ADDR'];
                    // HTTP_HOST is taken from the request, so escape it before printing.
                    $host = htmlspecialchars($_SERVER['HTTP_HOST'], ENT_QUOTES);
                    $error_msg = <<<EOD
    <h2><font color="red">Intrusion detection!</font></h2>
    <p>Possible intrusion script detected. The following IP address was detected sending invalid responses to this email script
    on {$host}. <strong>{$_SERVER['REMOTE_ADDR']}</strong> has been recorded for tracking.</p>
EOD;
                    print $error_msg;
                    // Message type 1 sends the log line by email to the given address.
                    error_log("Intrusion detected on {$_SERVER['SERVER_NAME']} IP Address:" . $bad_ip,1,"*MY_EMAIL at DOMAIN.COM*");
                    exit();
                }
            }
            mail($this->ToMail, $this->Subject, $Message, $headers) or die("Message could not be sent");
        }
        /**
          * This function checks the mailform responses. If the fields all have been
          * filled with an email like response, it will return true.
          *
          * @param array $exclude   field names to ignore (submit, email, etc.)
          * @param array $responses submitted form fields, name => value
          * @return bool
          */
        function checkHackerResponse($exclude, $responses){
            $intExc = 0;
            foreach ($exclude as $value) {
                $intExc++;
            }
            $intResp = 0;
            $i = 0;
            foreach ($responses as $key=>$value) {
                $intResp++;
                if (!in_array($key, $exclude)) {
                    if ($this->checkForEmail($value) == true) {
                        $i++;
                    }
                }
            }
            if ($i >= ($intResp - $intExc)) {
                return true;
            } else {
                return false;
            }
        }
        /**
          * Checks for an email address format and a DNS MX record for its domain
          *
          * @param string $address
          * @return bool
          */
        function checkForEmail($address){
            // eregi() was removed in PHP 7; preg_match() with the i flag replaces it.
            // The D flag makes $ match only at the very end of the string.
            $exp = '/^[a-z\'0-9]+([._-][a-z\'0-9]+)*@([a-z0-9]+([._-][a-z0-9]+))+$/iD';
            if(preg_match($exp,$address)){
                // array_pop() takes its argument by reference, so it needs a variable.
                $parts = explode("@",$address);
                if(checkdnsrr(array_pop($parts),"MX")){
                    return true;
                } else {
                    return false;
                }
            } else {
                return false;
            }
        }
    }
?>




ciapug-request at cialug.org wrote:
> Today's Topics:
>
>    1. securing Mail() (Wade Arnold)
>    2. RE: securing Mail() (Carl Olsen)
>    3. Re: securing Mail() (Barry Von Ahsen)
>    4. RE: securing Mail() (Wade Arnold)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Tue, 17 Apr 2007 17:14:03 -0500
> From: "Wade Arnold" <Wade.Arnold at t8design.com>
> Subject: [ciapug] securing Mail()
> To: <ciapug at cialug.org>
> Message-ID:
> 	<9A53DDE1FE082F4D952FDF20AC87E21F0405D1 at exchange2.t8design.com>
> Content-Type: text/plain; charset="us-ascii"
>
> I am trying to figure out a best practice solution for securing form
> scripts that send out emails with the mail() command. To date I have
> been just posting information from a form into a script that sends the
> email. I have had a couple hosting vendors asking me what I am doing to
> secure my email forms. Frankly I did not know that I needed to secure
> them. Can anyone point me towards some documentation? As you can imagine
> "secure email php" finds a lot of results on a search engine. 
>
>  
>
> Wade
>
> ------------------------------
>
> Message: 2
> Date: Tue, 17 Apr 2007 17:38:32 -0500
> From: "Carl Olsen" <carl-olsen at mchsi.com>
> Subject: RE: [ciapug] securing Mail()
> To: <ciapug at cialug.org>
> Message-ID: <000e01c78141$212aaa10$1c00a8c0 at workstation8>
> Content-Type: text/plain; charset="us-ascii"
>
> I'm only guessing, but I think they are talking about something similar to
> an SQL injection attack.  It all depends on how you feed the input fields
> into the mail function.  I use something called Swift for email (it's a free
> PHP function library that uses SMTP).  It has a function for each part of
> the email so that the email is not just being built from a bunch of strings
> concatenated together in the header part of the PHP mail function.  I know
> some other folks on this list will answer your question in more detail.
>
>  
>
> Some PHP mail scripts are written in such a way that spammers can hijack
> them.  I've heard of the same thing with PERL scripts.  I would highly
> recommend the Swift mailer if you have a chance to look at it.
>
>  
>
> Carl
>
> ------------------------------
>
> Message: 3
> Date: Tue, 17 Apr 2007 19:05:33 -0500
> From: Barry Von Ahsen <barry at vonahsen.com>
> Subject: Re: [ciapug] securing Mail()
> To: ciapug at cialug.org
> Message-ID: <462560CD.5000706 at vonahsen.com>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> Wade Arnold wrote:
>   
>> I am trying to figure out a best practice solution for securing form
>> scripts that send out emails with the mail() command. To date I have
>> been just posting information from a form into a script that sends the
>> email. I have had a couple hosting vendors asking me what I am doing to
>> secure my email forms. Frankly I did not know that I needed to secure
>> them. Can anyone point me towards some documentation? As you can imagine
>> "secure email php" finds a lot of results on a search engine. 
>>
>>     
>
> it's called email injection
>
> http://www.securephpwiki.com/index.php/Email_Injection
>
> -barry
>
>
>
> ------------------------------
>
> Message: 4
> Date: Tue, 17 Apr 2007 19:10:01 -0500
> From: "Wade Arnold" <Wade.Arnold at t8design.com>
> Subject: RE: [ciapug] securing Mail()
> To: <barry at vonahsen.com>, <ciapug at cialug.org>
> Message-ID:
> 	<9A53DDE1FE082F4D952FDF20AC87E21F0405DF at exchange2.t8design.com>
> Content-Type: text/plain;	charset="us-ascii"
>
> Barry
>
> I have never seen this site. Thanks so much for the link! 
>
> Wade
>
> End of ciapug Digest, Vol 23, Issue 8
> *************************************
>
>   


-- 
<><><><><><><><><><><><><><><><><>
Mike Parks
Captain Jack Communications
WebSite Development and Hosting
www.captainjack.com
Phone: 515-964-8500
Fax: 515-964-4685
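
An added example, not part of the message above or of anyone's code on this list: the posted class looks for the substring "cc:", while header injection into mail() depends on a line break reaching a header field, so this sketch rejects CR/LF in every header-bound field and keeps the From address fixed. The function names, form keys and example.com/example.net addresses are assumptions made for the illustration.

```php
<?php
// Added example; function names, form keys and addresses are hypothetical.

/** True if the value contains CR, LF or NUL, which would let it start a new header line. */
function has_header_break(string $value): bool
{
    return preg_match('/[\r\n\0]/', $value) === 1;
}

/**
 * Validate form input and return the four arguments for mail().
 * Assumed form keys: name, email, subject, message. $to is fixed by the site.
 * Throws InvalidArgumentException instead of sending when a field is unsafe.
 */
function build_mail_args(array $form, string $to): array
{
    foreach (['name', 'email', 'subject'] as $field) {
        if (!isset($form[$field]) || !is_string($form[$field]) || has_header_break($form[$field])) {
            throw new InvalidArgumentException("line break or missing value in '$field'");
        }
    }
    if (filter_var($form['email'], FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException("invalid address in 'email'");
    }
    // Drop characters that would end the quoted display name early.
    $name = str_replace(['"', '\\'], '', $form['name']);
    // The visitor's address goes in Reply-To; From stays a fixed site address.
    $headers = "From: \"Web form\" <noreply@example.com>\r\n"
             . "Reply-To: \"$name\" <{$form['email']}>";
    // The body cannot add headers, so "cc:" inside it is ordinary text.
    $body = is_string($form['message'] ?? null) ? $form['message'] : '';
    return [$to, $form['subject'], $body, $headers];
}

// Constructed sample submissions.
$samples = [
    'normal'   => ['name' => 'Ann', 'email' => 'ann@example.com',
                   'subject' => 'Hello', 'message' => "Please cc: my manager.\n"],
    'injected' => ['name' => 'Ann', 'email' => "ann@example.com\r\nBcc: list@example.net",
                   'subject' => 'Hello', 'message' => 'hi'],
];
foreach ($samples as $label => $form) {
    try {
        [$to, $subject, $body, $headers] = build_mail_args($form, 'owner@example.com');
        echo "$label: accepted\n"; // the site would now call mail($to, $subject, $body, $headers)
    } catch (InvalidArgumentException $e) {
        echo "$label: rejected (" . $e->getMessage() . ")\n";
    }
}
```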
