hi,

how can i protect my php mail() script from abuse like sending spam.
im using php mail() function to let users know that the form they field up is sent.

i know captcha is one, but i want a coding only with no user intervention/verification.

This is more towards coding in php then in php installation. If you need a way to track which php script is using mail() function for tracking abuse... I have a patch about it ;)

Whereby for coding to reduce the abuse for whichever php scripts that are using php mail() function, do not allow GET and POST via global register variable like $to, $sender... should be coded to verify each user/visitor *really* visit your site and fill in the contact you form such as tuning key which uses image for user to key in for verification purpose so that your script can check that there is a real user to fill in the form and send you email via your php script and not using those abuse script to abuse your php script to send SPAM... etc... Please take note that if you want security you will need to trade-off with user-friendly and features. The three: 1. User-Friendly, 2. Security and 3. Features will never be together... like you are in a triangle with each corner/edge on the three... the more you move to each you will be away from the other two. Hope this is helpful and logical :p

thanks for the new inputs choon,
another thing probably it will help is using referrer.
if referrer == to my domains valid url
then send it

i think this is more user friendly and simple and cannot be abuse :)

Referer variable can be abuse also :p

Referer variable can be abuse also :p

ouch that hurts.

with regards to register globals:
choon the $_POST['varmario'] can only be abused in php mail
only if they they know the "varmario" keyword right?

if they dont know that, they wont be able to inject to:
mail($_POST['varmario'], 'my subject is here', 'my body is here' , $mail_header);


am i correct?

ouch that hurts.

with regards to register globals:
choon the $_POST['varmario'] can only be abused in php mail
only if they they know the "varmario" keyword right?

if they dont know that, they wont be able to inject to:
mail($_POST['varmario'], 'my subject is here', 'my body is here' , $mail_header);


am i correct?
It is very easy to find out once they get to see your php script generated output form which if you have:
<form method="post">
<input name="var1" type="text">
etc...
Then your $_POST['var1'] is what is shown in your form :p

After following your cpanel/WHM guide for headers, none of the php scripts on the server work. All return a 500 error... any ideas?

What are the option/modules you enabled when using /scripts/easyapache to recompile apache and php? Did you take a look at your error log?

can this script be abused by spammers?


<?php
$msg .= "First Name: " . $_POST['firstame'] . "\n";
$msg .= "Last Name: " . $_POST['lastname'] . "\n";
$msg .= "Email address: " . $_POST['emailaddress'] . "\n";

//NOTE: the email where it will be sent is hardcoded
mail('myname@mydomain.com','comments', $msg , 'From: ' . $_POST['emailaddress']);

echo "Your feedback has been sent";

?>

Of course I can abuse it and so does others since anyone can code a script to POST those information to your server :p

hello choon,

what sort of abuse?
like is it possible to use that script to send email to somebody
other than the hardcoded email add "myname@mydomain.com" ?

hello choon,

what sort of abuse?
like is it possible to use that script to send email to somebody
other than the hardcoded email add "myname@mydomain.com" ?
Yes, from your example script... I am able to... why don't you try to upload to your server then tell me the URL of the script... then from there I will show you provided you don't complain me to abuse :p

Hi myway,

Your example code didn't check for user input which is why it is quite possible for people to abuse your script. A simple example for your $_POST['emailaddress'] which you expect email address right? But you never validate the data where user submitted nor trim the data... ;)

A very simple form of attacks will be included in as many email or words or even trying to execute commands to your $_POST['emailaddress']... then your server will enjoy many bounces and if the abuser(s) is/are so bad that can simply code a script and upload to an compromised account on other provider's server then started to launch attacks to your mail server through your php mail function... imagine a lot of:
$_POST['emailaddress'] = "me\nTo: you, are, 1, 2, otherpeople@otherpeopledomain, etc";
Then php will interpret it as me@yourdomain, you@yourdomain, are@yourdomain... and think of if the abuser doing such in a loop :evilb: :rant: :cry: