[thelist] Site getting spammed
Max Schwanekamp
lists at neptunewebworks.com
Fri Nov 18 13:35:47 CST 2005
Liam Delahunty wrote:
>>From: Robert Vreeland
>>One of my client's web site is getting spammed, or something like it. It
>>appears as though someone is using a script to auto-fill their email
>>newsletter registration form;
> That's the classic Email injection.
I've been seeing a bunch of these again as well. They're even bypassing
the CAPTCHA...sigh. The simple solution is to remove all carriage
returns, since mail headers are delimited with them. But if you have a
message box, you might want to allow users to format their text. So
I've started running a regex against *all* contact form/registration
form inputs, checking for any of various mail headers. I figure anyone
attempting to inject mail headers into a contact form or newsletter
registration form is probably a miscreant, be they bot or human. In
case anyone's interested, here's the PHP I'm using now:
<?php
if ( !empty($_POST) )
{
    include 'inc/mail.php';
    // remove html and put post data in local var
    $form_data = array_map('strip_tags', $_POST);
    // iterate over the POST form data,
    // and check if any field has mail headers injected.
    // if so, just die quietly after a nice long delay.
    // array_search() returns the matching *key*, so compare against
    // false rather than relying on the key being truthy.
    if (array_search(TRUE, array_map('is_mail_injection', $form_data)) !== false)
    {
        sleep(10);
        exit;
    }
    /* continue with code to send mail */
}

// case-insensitive check for header/MIME fragments that have no
// business in a contact-form or registration-form field
function is_mail_injection($txt)
{
    $pattern =
        "/(charset=|7bit|transfer-encoding|bcc:|mime-version|multipart\/alternative|content-type)/i";
    return preg_match($pattern, $txt);
}
?>
--
Max Schwanekamp http://www.neptunewebworks.com/
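The post above wants to keep newlines in the message box while still catching header injection. One way to do that, as an added example that is not Max's code and not part of the original thread: treat header-bound fields (name, email, subject) and the free-text body differently. A field that ends up in From:, Reply-To: or Subject: is rejected on any CR or LF at all, while the body keeps its line breaks and is only checked for lines that begin like a mail or MIME header. The field names, the function names and the two sample submissions are assumptions constructed for illustration.

```php
<?php
// Added example, not the original post's code. Separates header-bound
// fields (which may never contain a line break) from the free-text body
// (which may), so users can still format their message.
// Field names, function names and sample submissions are constructed.

// A value destined for From:, Reply-To: or Subject: is safe only if it
// contains no CR or LF at all; a single line break is all an injection needs.
// preg_match() returns false on a regex error, so this fails closed.
function is_header_safe(string $value): bool
{
    return preg_match('/[\r\n]/', $value) === 0;
}

// The body keeps its newlines, so flag lines that *begin* like a mail or
// MIME header rather than any occurrence of the word anywhere in the text.
function body_has_injected_headers(string $body): bool
{
    $pattern = '/^[ \t]*(?:to|cc|bcc|from|subject|content-type'
             . '|content-transfer-encoding|mime-version)[ \t]*:/im';
    return preg_match($pattern, $body) === 1;
}

// Validate a submission; returns the names of the fields that failed.
function validate_contact_form(array $fields): array
{
    $failed = [];

    foreach (['name', 'email', 'subject'] as $name) {
        // Missing or array-valued fields (name[]=...) fail as well.
        if (!isset($fields[$name]) || !is_string($fields[$name])
            || !is_header_safe($fields[$name])) {
            $failed[] = $name;
        }
    }

    // FILTER_VALIDATE_EMAIL also rejects addresses containing line breaks.
    if (isset($fields['email']) && is_string($fields['email'])
        && filter_var($fields['email'], FILTER_VALIDATE_EMAIL) === false) {
        $failed[] = 'email';
    }

    if (!isset($fields['message']) || !is_string($fields['message'])
        || body_has_injected_headers($fields['message'])) {
        $failed[] = 'message';
    }

    return array_values(array_unique($failed));
}

// Constructed sample input: a legitimate submission with a multi-line
// message, and one carrying an extra header line in the email field.
$legit = [
    'name'    => 'Alice Example',
    'email'   => 'alice@example.com',
    'subject' => 'Newsletter signup',
    'message' => "Hello,\n\nPlease add me to the list.\n\nThanks,\nAlice",
];
$suspect = [
    'name'    => 'Bob',
    'email'   => "bob@example.com\r\nBcc: someone@example.net",
    'subject' => 'Hi',
    'message' => "Content-Type: multipart/alternative\nsome text",
];

var_dump(validate_contact_form($legit));
var_dump(validate_contact_form($suspect));
```

The first submission passes with an empty list of failures; the second is rejected on both the email field (line break plus a stray Bcc: line) and the message (a line starting with Content-Type:). Checking only the start of each body line is what lets a user write "my bcc: habit" mid-sentence without tripping the filter, which a bare substring match would.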