Sending mails fr – PHP


Q(Question):

I'm writing a small script for sending mail from my web pages. I have heard
about a security hole in the FormMail.pl script which can be used by spammers. I
would like to prevent that in my script. Can you give me some suggestions
regarding that?
Thanx!


Relaxen und watch das blinkenlights…

A(Answer):

"Cpt. Zeep" <ze**@nemame.com> wrote in message
news:bt**********@bagan.srce.hr…

I'm writing a small script for sending mail from my web pages. I have heard
about a security hole in the FormMail.pl script which can be used by spammers. I
would like to prevent that in my script. Can you give me some suggestions
regarding that?
Thanx!


Relaxen und watch das blinkenlights…

Number one thing: DON'T PUT THE RECIPIENT ADDRESS IN THE FORM!
Sorry, didn't mean to yell. I have hated Mark's script since day 1: too big,
too insecure, too complicated.
(And Mark, if you're reading this, why not put the recipient in the
formmail.pl script with the other freaking things you made everyone
configure?)

Sending mail via a script is so freaking easy, but everyone tries to make it
look hard, then they try to wrap it up in some class file, and that's even
harder to use than writing one yourself.

Ok, I know I am venting; I haven't vented in a while.

I have two snippets for sending mail if you need them (see my site below).

To keep spammers or others from using your form, hard-code the recipient
email address in the script, not in the form that the user fills out.

That's about it. Thanx for letting me vent, it felt good.

Mike Bradley
http://www.gzentools.com — free online php tools

A(Answer):

"Cpt. Zeep" <ze**@nemame.com> wrote in news:bt**********@bagan.srce.hr:

I'm writing a small script for sending mail from my web pages. I have
heard about a security hole in the FormMail.pl script which can be used by
spammers. I would like to prevent that in my script. Can you give me
some suggestions regarding that?

You need to make sure that the script can send mail *only* to specific
addresses which are defined either in the script or in a database/file
which is *not* writeable by the outside world. The problem with the
original FormMail.pl script was that it took the destination address from a
form field (not a problem in itself) and then would *blindly* (the problem)
send mail to it. Thus spammers would simply write scripts that would
submit their own spam via the form, specifying a different address from
their list each time, and the spam would actually be mailed through your
system.

Thus if the form HTML itself contains the actual address to send to as a
hidden field, your script *must* check to see that the address it’s getting
from that field is on the list of "OK to send to" addresses. Or you might
make the hidden field specify a code, which your script would translate to
determine the destination address (this makes it harder for spammers to
harvest your address from the forms).

It would also be a good idea for the script to set a limit on the amount of
data it will mail per invocation, in order to prevent its being used for
DoS attacks on you. This limitation *cannot* be enforced by anything
client side (since an attacker won’t be using your client-side form and any
scripting in it); it *must* be enforced by the form handler itself.
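A handler that puts both answers into practice, as an added example that is not code from either poster or from FormMail: the destination list is hard-coded in the script (Mike's rule), the form may only name an entry in that list by a code (Eric's rule), and the size limit is enforced in the handler rather than in the HTML. It additionally refuses any user-supplied value bound for a mail header if it contains a line break, because a newline there is another way a form handler ends up relaying to addresses it never meant to; the thread itself does not discuss that case. The recipient map, the field names and the byte limit are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. It applies both rules given
// above: Mike's (the real recipient lives in the script, never in the form)
// and Eric's (if the form must choose a destination, it sends a code that
// the script maps to an address from a fixed list, and the handler caps the
// amount of data it will mail). The recipient map, field names and size
// limit are assumptions made for illustration.

// Destinations live here, on the server. The form only ever sees the keys.
const RECIPIENTS = [
    'sales'   => 'sales@example.com',
    'support' => 'support@example.com',
];

// Hard ceiling on what one submission may mail out (bytes).
const MAX_BODY_BYTES = 4096;

// Fetch a form field as a string; arrays (dest[]=...) count as absent.
function field(array $post, string $key): string
{
    $v = $post[$key] ?? '';
    return is_string($v) ? $v : '';
}

// Accept a user-supplied value for a mail header only if it is one clean
// line. A CR or LF would let the submitter append headers such as Bcc: and
// turn the script into a relay regardless of the recipient check.
function header_value(string $raw, int $max_len = 200): ?string
{
    $value = trim($raw);
    if ($value === '' || strlen($value) > $max_len || preg_match('/[\r\n\x00]/', $value)) {
        return null;
    }
    return $value;
}

// Validate a submission and return the message to send, or an error.
// Nothing here touches the network, so it can be tested on its own.
function build_message(array $post): array
{
    // 1. The form names a code, not an address. Unknown code: refuse.
    $code = field($post, 'dest');
    if (!isset(RECIPIENTS[$code])) {
        return ['error' => 'unknown destination'];
    }

    // 2. The sender goes into a Reply-To header, so it must be a single
    //    clean line and a syntactically valid address.
    $from = header_value(field($post, 'email'));
    if ($from === null || filter_var($from, FILTER_VALIDATE_EMAIL) === false) {
        return ['error' => 'invalid sender address'];
    }

    // 3. Size limit enforced here, server-side; a limit in the HTML form
    //    means nothing to someone posting straight to the handler.
    $text = field($post, 'message');
    if (strlen($text) > MAX_BODY_BYTES) {
        return ['error' => 'message too large'];
    }

    // 4. The user's subject is quoted only inside the body, where a
    //    line break cannot become a header; the real Subject is fixed.
    $user_subject = substr(trim(field($post, 'subject')), 0, 100);

    return [
        'to'      => RECIPIENTS[$code],
        'subject' => 'Website contact form: ' . $code,
        'body'    => "Sender: {$from}\nSubject: {$user_subject}\n\n{$text}",
        'headers' => "From: webform@example.com\r\nReply-To: {$from}\r\n",
    ];
}

// The only place mail() is called.
function send_message(array $msg): bool
{
    return mail($msg['to'], $msg['subject'], $msg['body'], $msg['headers']);
}

// Constructed sample submissions, so the checks can be exercised from the CLI.
$samples = [
    ['dest' => 'sales', 'email' => 'alice@example.org', 'subject' => 'Quote', 'message' => 'Hello'],
    // An address where the code should be: not in the map, so refused.
    ['dest' => 'victim@example.net', 'email' => 'x@example.org', 'message' => 'spam'],
    // A Bcc: header smuggled through the sender field on a second line.
    ['dest' => 'sales', 'email' => "x@example.org\r\nBcc: victim@example.net", 'message' => 'spam'],
];
foreach ($samples as $s) {
    $msg = build_message($s);
    echo isset($msg['error']) ? "rejected: {$msg['error']}\n" : "would send to {$msg['to']}\n";
}
```

Run from the command line, the three constructed submissions are checked in turn and only the first one passes. Nothing in the demo loop sends mail; in a deployment, the result of build_message() is handed to send_message(), which is the single place mail() is called, so the recipient can never come from anywhere but RECIPIENTS.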

A(Answer):

CountScubula wrote:

<snip>

To keep spammers or others from using your form, hard-code the
recipient email address in the script, not in the form that the user
fills out.

That's about it. Thanx for letting me vent, it felt good.

Your ventings are quite useful and informative 🙂 Stay stressed 🙂
Thanx! (and to Eric, too!)

BTW, it seems that you live on Usenet lately? 🙂


Relaxen und watch das blinkenlights…

A(Answer):

"Cpt. Zeep" <ze**@nemame.com> wrote in message
news:bt**********@bagan.srce.hr…

BTW, it seems that you live on Usenet lately? 🙂

It keeps my mind stimulated, and one never stops learning. As one learns a
new language, one tends to keep using what works, and doesn't realize there
are better, faster, easier ways to do it.

Example: I am a long-time Perl programmer. I used to write shell scripts, and
sites with it, and I use backticks (`) a lot, so I tend to go there instead
of PHP functions that do the same.

Besides, the Usenet keeps my kind of hours 🙂


Mike Bradley
http://www.gzentools.com — free online php tools

A(Answer):

I noticed that Message-ID:
<Xn*******************************@130.133.1.4> from Eric Bohlman
contained the following:

I'm writing a small script for sending mail from my web pages. I have
heard about a security hole in the FormMail.pl script which can be used by
spammers. I would like to prevent that in my script. Can you give me
some suggestions regarding that?

You need to make sure that the script can send mail *only* to specific
addresses which are defined either in the script or in a database/file
which is *not* writeable by the outside world.

What if the script has to send a password or order confirmation?


Geoff Berrow (put thecat out to email)
It’s only Usenet, no one dies.
My opinions, not the committee’s, mine.
Simple RFDs http://www.ckdog.co.uk/rfdmaker/

A(Answer):

Geoff Berrow <bl******@ckdog.co.uk> wrote in
news:ei********************************@4ax.com:

You need to make sure that the script can send mail *only* to specific
addresses which are defined either in the script or in a database/file
which is *not* writeable by the outside world.

What if the script has to send a password or order confirmation?

Presumably such a script generates its own content rather than merely
passing along the content sent to it, so it would be useless to spammers.
