[thelist] Site getting spammed

Max Schwanekamp lists at neptunewebworks.com
Fri Nov 18 13:35:47 CST 2005


Liam Delahunty wrote:
>>From: Robert Vreeland
>>One of my client's web sites is getting spammed, or something like it. It
>>appears as though someone is using a script to auto-fill their email
>>newsletter registration form; 
> That's the classic Email injection.

I've been seeing a bunch of these again as well.  They're even bypassing 
the CAPTCHA...sigh.  The simple solution is to remove all carriage 
returns, since mail headers are delimited with them.  But if you have a 
message box, you might want to allow users to format their text.  So 
I've started running a regex against *all* contact form/registration 
form inputs, checking for any of various mail headers.  I figure anyone 
attempting to inject mail headers into a contact form or newsletter 
registration form is probably a miscreant, be they bot or human.  In 
case anyone's interested, here's the PHP I'm using now:
<?php

if ( !empty($_POST) )
{
     include 'inc/mail.php';

     //remove html and put post data in local var
     $form_data = array_map('strip_tags', $_POST);

     //iterate over the POST form data,
     //and check if any field has mail headers injected.
     //if so, just die quietly after a nice long delay.
     //(in_array with strict comparison: array_search returned the
     //matching field's key, which is falsy for a field named "0")
     if (in_array(1, array_map('is_mail_injection', $form_data), true))
     {
         sleep(10);
         exit;
     }

     /* continue with code to send mail */
}

//returns 1 if the text looks like an injected mail header, 0 otherwise
function is_mail_injection($txt)
{
     $pattern = 
"/(charset=|7bit|transfer-encoding|bcc:|mime-version|multipart\/alternative|content-type)/i";
     return preg_match($pattern, $txt);
}

?>
-- 
Max Schwanekamp http://www.neptunewebworks.com/
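The approach Max describes, splitting fields that end up in mail headers (which may never contain a line break) from the message body (which may keep newlines but is still screened for header names), as an added example that is not from the original post. The field names, the header list and the sample form submissions are assumptions made up for the illustration.

```php
<?php
// Added example (not code from the thread): screen contact-form input
// before it reaches mail(). Field names in HEADER_FIELDS are assumed.
const HEADER_FIELDS = ['name', 'email', 'subject'];

// A CR or LF in a header-destined field is always an injection attempt.
function has_crlf(string $txt): bool
{
    return preg_match('/[\r\n]/', $txt) === 1;
}

// Header names are only dangerous at the start of a line, so anchor there
// (/m) instead of matching the bare words anywhere in the text.
function has_header_keyword(string $txt): bool
{
    $pattern = '/^\s*(bcc|cc|content-type|mime-version|'
             . 'content-transfer-encoding)\s*:/im';
    return preg_match($pattern, $txt) === 1;
}

// Returns the names of fields that fail validation; empty means clean.
function find_mail_injection(array $post): array
{
    $bad = [];
    foreach ($post as $field => $value) {
        if (!is_string($value)) {     // checkbox arrays etc. are rejected
            $bad[] = $field;
        } elseif (in_array($field, HEADER_FIELDS, true) && has_crlf($value)) {
            $bad[] = $field;
        } elseif (has_header_keyword($value)) {
            $bad[] = $field;
        }
    }
    return $bad;
}

// Constructed sample submissions, not captured traffic.
$clean = ['name' => 'Ann', 'email' => 'ann@example.com',
          'message' => "Hello,\n\nplease add me to the list."];
$injected = ['name' => 'Ann',
             'email' => "ann@example.com\r\nBcc: target@example.invalid",
             'message' => 'hi'];

foreach (['clean' => $clean, 'injected' => $injected] as $label => $post) {
    $bad = find_mail_injection($post);
    echo $label, ': ', $bad ? 'reject (' . implode(', ', $bad) . ')' : 'ok', "\n";
}
```

Rejected submissions are worth logging with the offending field name rather than silently dropped, so that a burst of them can be spotted in the web logs.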
