Every day I get mails in my inbox informing me that a spammer has just attempted to hijack one of our website forms that uses the PHP mail function. This attack is well documented and is known as an email injection attack.
Problem: Spammers use the extra headers argument of the mail function to hijack your mail script and send out what they want to whom they want. They use the Cc: and Bcc: headers to send to email addresses they have already harvested. The problem is explained in great detail here.
A former colleague of mine is responsible for the functions that I have used with great success to deny the spammers a free ride.
Solution: Here are the foilSpam and suspiciousInput functions. The first returns an HTTP 403 Forbidden header when a suspected spam attempt occurs. It also alerts an admin to the attempt and the IP of the attacker. The second scans for suspicious input often used in injection attacks.
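function foilSpam($check, $message)
{
    if (empty($message)) {
        $message = "Spam attempt denied";
    }
    if (empty($check)) {
        $check = "Extra check";
    }
    // Alert the admin with the name of the check that fired and the client IP.
    // The headers argument is a single header line with no trailing blank line.
    mail("admin@admin.com", "Site spam attempt", "$check: $message from IP {$_SERVER['REMOTE_ADDR']}", "From: me@localhost.com");
    // Refuse the request and stop processing.
    header("HTTP/1.0 403 Forbidden");
    die($message);
}

function suspiciousInput($value)
{
    // eregi() was removed in PHP 7; preg_match() with the /i flag is the
    // case-insensitive equivalent.
    return preg_match('/MIME-Version:|Content-Type:|bcc:|cc:/i', $value) === 1;
}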
1) First, check that the referring source was our site.
// A missing Referer header is treated the same as a foreign one.
if (empty($_SERVER['HTTP_REFERER']) || !stristr($_SERVER['HTTP_REFERER'], $_SERVER['HTTP_HOST'])) {
    foilSpam("Referrer check", null);
}
2) Check each posted variable one by one for suspicious input often used by spammers:
foreach ($_POST as $key => $val) {
    if (suspiciousInput($val)) {
        foilSpam("Suspicious input check", null);
    }
}
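The keyword list in suspiciousInput catches the usual header names, but what lets extra Cc: or Bcc: lines be appended is a carriage return or line feed inside a value that ends up in a mail header. The following is an added example, not code from the original post or its author, that validates header-bound fields on that basis; the function names hasLineBreak, cleanSender and cleanSubject, the example.com addresses and the 120-character cap are assumptions.

```php
<?php
// Added example: not part of the original post. Function names are hypothetical.

// A header-bound value is unsafe if it contains CR or LF, because that is
// what allows further header lines (Cc:, Bcc:, ...) to follow it.
function hasLineBreak($value)
{
    return is_string($value) && preg_match('/[\r\n]/', $value) === 1;
}

// Return a validated sender address, or null when the input must be refused.
function cleanSender($email)
{
    if (!is_string($email) || hasLineBreak($email)) {
        return null;
    }
    $email = filter_var(trim($email), FILTER_VALIDATE_EMAIL);
    return $email === false ? null : $email;
}

// The subject is a header too: refuse line breaks and cap the length.
function cleanSubject($subject)
{
    if (!is_string($subject) || hasLineBreak($subject)) {
        return null;
    }
    return substr(trim($subject), 0, 120);
}

// Constructed sample inputs (not taken from real traffic).
$samples = array(
    array('alice@example.com', 'Question about pricing'),
    array("alice@example.com\r\nBcc: list@example.net", 'Hello'),
    array('alice@example.com', "Hello\nContent-Type: text/html"),
    array('not-an-address', 'Hello'),
);

foreach ($samples as $sample) {
    list($from, $subject) = $sample;
    $sender = cleanSender($from);
    $subj   = cleanSubject($subject);
    if ($sender === null || $subj === null) {
        echo "REJECT: " . json_encode($sample) . "\n"; // call foilSpam() here
        continue;
    }
    // Only validated values reach the headers argument; the body stays free text.
    $headers = "From: webform@example.com\r\nReply-To: {$sender}";
    echo "ACCEPT: subject=\"{$subj}\" headers=" . json_encode($headers) . "\n";
}
```

Because only header-bound fields are checked for line breaks, a message body that happens to contain text such as "cc:" is not rejected.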