David Hurst

PHP/MySQL, REALbasic, Javascript Developer

PHP Mail Script Security - Stop SPAM Vulnerabilities

Have you written any PHP scripts to handle email sending? The mail() function is one of the simplest and most useful of PHP’s in-built functions, but poorly written code can expose a huge vulnerability that allows your simple mail script to be hijacked by spammers.

Here is the basic rule: do not allow any user-entered data (i.e. $_POST or $_GET variables) into the headers of the email message.

Here’s why:

Email headers can occur in any order, and can occur more than once, and spammers can use this vulnerability to their advantage. Let’s take a common example where we have a form that collects the user’s name and email address. The temptation may then be to use this data as the From address in the email header. Big mistake.

A spammer will paste text into your web form with hidden line breaks (\n), after which they can specify an alternate message and a whole bunch of BCC recipients.

You can generally tell if this is happening to your script, as you (or your client) will be receiving emails containing garbage (often in the form of 12345@yourdomain.com). In most cases the user filling out the form will not have an email address on the same domain where the form is hosted, so this gives us an opportunity to kill off the SPAM. Even if you modify your script so that it has no vulnerabilities, the spammers don’t know whether their attempt succeeded or not, and so will often keep trying, which results in unnecessary consumption of bandwidth. So you could simply run a check on the POST vars for the domain of the website or for SPAM-specific strings such as “bcc:”, and if any occurrences are found, kill the script with a SPAM warning. I’ve noticed that doing this does reduce the number of attempts on each form.
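The following is an added example, not code from the original post: a contact-form handler that applies the rule above (no user data in the header block) together with the cheap SPAM pre-check just described. The form field names, the hosting domain and the fixed sender address are assumptions for illustration.

```php
<?php
// Added example, not from the original post. Field names, the site domain and
// the fixed sender address are assumptions chosen for illustration.

// A CR or LF (literal or URL-encoded) in a header-bound value is what lets a
// spammer terminate the From: line and append headers such as Bcc: to it.
function has_line_break(string $value): bool
{
    return preg_match('/[\r\n]|%0[ad]/i', $value) === 1;
}

// Mirrors the post's pre-check: injection probes typically carry header
// keywords such as "bcc:" or an address on the hosting site's own domain.
function looks_like_spam_probe(string $value, string $site_domain): bool
{
    if (preg_match('/\b(bcc|cc|content-type|mime-version)\s*:/i', $value)) {
        return true;
    }
    return stripos($value, '@' . $site_domain) !== false;
}

$site_domain = 'example.com';                       // assumed hosting domain
$name    = $_POST['name']    ?? '';
$email   = $_POST['email']   ?? '';
$message = $_POST['message'] ?? '';

// Name and email were traditionally pasted into headers, so they must be
// single-line; the message body is allowed to contain line breaks.
if (has_line_break($name) || has_line_break($email)) {
    http_response_code(400);
    exit('SPAM attempt detected.');
}
foreach ([$name, $email, $message] as $value) {
    if (looks_like_spam_probe($value, $site_domain)) {
        http_response_code(400);
        exit('SPAM attempt detected.');
    }
}
if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
    http_response_code(400);
    exit('Invalid email address.');
}

// Vulnerable pattern the post warns about (shown only for contrast):
// $headers = "From: $name <$email>\r\n";

// Hardened version: the header block holds only values we control, and the
// user's name and address go into the body, where a line break is harmless.
$headers = "From: webform@{$site_domain}\r\n"
         . "Content-Type: text/plain; charset=UTF-8\r\n";
$text    = "Name: $name\nEmail: $email\n\n$message";
mail("owner@{$site_domain}", 'Website contact form', $text, $headers);
```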

I did also create an additional script which would log the IP addresses of the spammers, with the intention of pursuing prosecution, but this really is a waste of time. RIPE, the governing body for IP addresses, couldn’t care less about spammers and therefore will not provide any contact information for the IP address owners. Still, if everyone addressed this vulnerability, it would make life considerably more difficult for the scum that SPAM.
