1. #1
    mibut (Registered User)

    Form spam problem

    I use a PHP form script which has worked brilliantly for the last couple of years. Now getting a problem with spam through the form.
    From looking on the net I think they do this by "header injection".
    The code I use is below.
    Can anyone suggest how to protect from "header injection"?
    Thanks

    <?php
    // Recipient of message (This can be changed via the form itself)
    $recipient = 'you@yourdomain.com';

    // Subject of message (This can be changed via the form itself)
    $subject = 'WWW Form Submission';

    // This is a list of domains that can run EZ . Do not include
    // www, just the actual domain/ip address!
    $referers = array('domain1.com', 'domain2.com', 'domain3.com');

    // This is the page that users will be redirected to after the form is
    // processed successfully.
    $success_url = 'http://www.yourdomain.com/thanks.html';

    // Your site URL
    $siteurl = 'http://www.yourdomain.com';

    ###########################################################
    # DO NOT EDIT BELOW THIS LINE #
    ###########################################################

    function Print_Footer() {
        echo '<p><center>Powered by EZ . Get it <b>free</b> from <a href="http://www.sensationdesigns.com">http://www.sensationdesigns.com</a>!</center>';
    }

    // Accepts the request only if the host part of the Referer header
    // contains one of the configured domains.
    function Check_Referer() {
        global $referers;
        $temp = explode('/', $_SERVER['HTTP_REFERER']);
        $referer = $temp[2];
        $found = false;
        foreach ($referers as $domain) {
            if (stristr($referer, $domain)) { $found = true; }
        }
        return $found;
    }

    if ($_POST) {
        if (Check_Referer() == false) {
            echo '<font size="+1" color="#FF0000">Error: Invalid Referer</font><BR>';
            echo 'You are accessing this script from an unauthorized domain!';
            Print_Footer();
            die();
        }
        $ctr = 0;

        $isrealname = 0;
        $isemail = 0;

        // Required fields: anything named req_*, plus realname and email.
        foreach ($_POST as $key => $val) {
            if ($key == 'realname') { $isrealname = 1; }
            if ($key == 'email') { $isemail = 1; }
            if (substr($key, 0, 4) == 'req_' || $key == 'realname' || $key == 'email') {
                if ($val == '') {
                    if ($ctr == 0) {
                        echo '<font size="+1" color="#FF0000">Error: Missing Field(s)</font><BR>';
                        echo 'The following <i>required</i> field(s) were not filled out:<BR>';
                    }
                    echo '<BR>- <b>'.substr($key, 4).'</b>';
                    $ctr++;
                }
            }
        }
        if ($ctr > 0) {
            echo '<p>Click <a href="javascript:history.go(-1)">here</a> to go back';
            Print_Footer();
            die();
        }
        else {
            if ($isrealname == 0) {
                echo '<font size="+1" color="#FF0000">Error: Missing Field</font><BR>';
                echo 'No "realname" field found.<p><a href="'.$siteurl.'">here</a> to return to the home page.';
                Print_Footer();
                die();
            }
            elseif ($isemail == 0) {
                echo '<font size="+1" color="#FF0000">Error: Missing Field</font><BR>';
                echo 'No "email" field found.<p><a href="'.$siteurl.'">here</a> to return to the home page.';
                Print_Footer();
                die();
            }
        }

        if (!(preg_match("/^.{2,}?@.{2,}\./", $_POST['email']))) {
            echo '<font size="+1" color="#FF0000">Error: Invalid E-mail</font><BR>';
            echo 'The e-mail address you entered (<i>'.$_POST['email'].'</i>) is invalid.';
            Print_Footer();
            die();
        }

        $body = "Below is the result of your feedback form. It was submitted on:\n".date('l, F jS, Y').' at '.date('g:ia').".\n";

        // Form fields named 'recipient' and 'subject' overwrite the configured values.
        foreach ($_POST as $key => $val) {
            if ($key == 'recipient') { $recipient = $val; }
            elseif ($key == 'subject') { $subject = $val; }
            else {
                if ($key != 'realname' && $key != 'email') {
                    $body .= "\n".str_replace('req_', '', $key).": $val";
                }
            }
        }
        $body .= "\n\n-------- Submission Details --------\n";
        $body .= "Remote Address: ".getenv('REMOTE_ADDR')."\n";
        $body .= "HTTP User Agent: ".getenv('HTTP_USER_AGENT')."\n\n";
        $body .= "--------------------------------------------------\n";
        $body .= "Powered by EZ . Available at http://www.sensationdesigns.com!";

        // The realname and email fields go straight into the mail headers.
        $mailheaders = "From: ".$_POST['realname']." <".$_POST['email'].">\n";
        $mailheaders .= "Reply-To: ".$_POST['email'];

        mail($recipient, $subject, $body, $mailheaders);
        header("Location: $success_url");
    }
    else {
        echo '<center>You have access this page from an invalid location. Please click <a href="'.$siteurl.'">here</a> to go to '.$siteurl.'.</center>';
    }

    Print_Footer();
    ?>

  2. #2
    Donk (Registered User)
    Try adding the line:

    $val=strip_tags($val);

    between the lines:

    foreach ($_POST as $key => $val) {

    if ($key == 'realname') { $isrealname = 1; }

    so that section would read:

    foreach ($_POST as $key => $val) {
        $val = strip_tags($val);
        if ($key == 'realname') { $isrealname = 1; }
    They came for my 404 and I said nothing

  3. #3
    mibut (Registered User)
    Thanks, will try and let you know if it works.

  4. #4
    Rich (Registered User)
    A common method is for them to set $_POST['email'] to something with multiple lines, which causes extra headers to be added to the email - including extra bodies (through content-type headers) and recipients.

    Try something like:
    PHP Code:
    // Reject the submission if the header fields contain a line break,
    // a "-Type" fragment (Content-Type) or if the email has no "@".
    if ((stripos($_POST['email'].$_POST['realname'], "-Type") === false)
        && (strpos($_POST['email'], "@") !== false)
        && (strpos($_POST['email'].$_POST['realname'], "\n") === false)
        && (strpos($_POST['email'].$_POST['realname'], "\r") === false)) {
        // probably ok
    } else {
        // probably spammer
    }


  5. #5
    mibut (Registered User)
    Thanks Donk, but it didn't work.
    Rich, can I cut and paste your solution as is, and where does it go?
    Thanks
    Last edited by mibut; 20-08-06 at 01:01 AM.

  6. #6
    HarveyC (Registered User)
    Aaaaargh I've got exactly the same problem!

    And they don't even send anything that makes sense!

  7. #7
    Donk (Registered User)
    Sorry about that, it is a bit more complicated than I first thought. My original mod only gets rid of malicious PHP.

    I've G00gled for a solution but there doesn't appear to be an easy answer.

    I think the simplest way would be to replace all the @s in the body of the message with "at"; that way there would only be two valid email addresses, $_POST['email'] and $recipient.

    So you would have to add the line:

    if ($key != 'email') { $val = str_replace('@', ' at ', $val); }

    So the section of the code would be:

    PHP Code:
    foreach ($_POST as $key => $val) {
        $val = strip_tags($val);
        if ($key != 'email' AND $key != 'recipient') { $val = str_replace('@', ' at ', $val); }
        if ($key == 'realname') { $isrealname = 1; }
    You will also need to check the recipient email address if you use it:

    Code:
    if (!(preg_match("/^.{2,}?@.{2,}\./", $_POST['recipient']))) {
        echo '<font size="+1" color="#FF0000">Error: Invalid E-mail</font><BR>';
        echo 'The e-mail address you entered (<i>'.$_POST['recipient'].'</i>) is invalid.';
        Print_Footer();
        die();
    }
    Put that section just after the similar code checking $_POST['email'].

    But it would appear from the code that spammers could still send emails if you have the recipient email address on the form, but with the added code they could only send one at a time.

    Another suggestion would be to alter the function Print_Footer():

    If a spammer G00gles for some of the words in that section they can easily find the sites they can exploit. The same applies to the last section:
    "You have access this page from an invalid location". It might be an idea to personalise this.
    They came for my 404 and I said nothing

  8. #8
    mibut (Registered User)
    Hi Donk, thanks for trying.
    I think the problem is they are sending HTML in the body, examples below.
    If this could be stopped, or there was a way of banning "*", "http", "www", "url", ".com" etc., then the problem would be solved.

    Example 1 DO NOT CLICK ON ANY OF THESE
    "Further_Comments/Requirements: http://sock.informtic.com/ed-the-sock.htm[BMARK] * http://sock.informtic.com/knitted-sensational-sock.htm * http://sock.informtic.com/sock-shoes.htm * http://sock.informtic.com/ankle-sock.htm * http://sock.informtic.com/red-sock.htm"

    Example 2 DO NOT CLICK ON ANY OF THESE
    "Further_Comments/Requirements: 755d40ae89b20721d47a25eb9bb0b542 <a href=\"http://7.ordineformati.com/trovatutto/\"> trovatutto </a> http://16.ordineformati.com/fiatabbigliamento/ <a href=\"http://16.chedivino.com/provinciadivenezia/\"> provinciadivenezia </a> <a href=\"http://17.altribeati.com/digitalfoto/\"> digitalfoto </a> http://18.ordineformati.com/venditadvdravenna/ <a href=\"http://17.dolcezzasenti.com/ricettabrioche/\"> ricettabrioche </a> <a href=\"http://2.ordineformati.com/piantinadigenova/\"> piantinadigenova </a> http://19.suacorte.com/amandaswisten/ <a href=\"http://14.chedivino.com/hotelfirenzealbergo/\"> hotelfirenzealbergo </a> <a href=\"http://5.chedivino.com/laterizi/\"> laterizi </a> http://8.ordineformati.com/cartucciastampantecanon/ <a href=\"http://20.altribeati.com/ufficiobasilea/\"> ufficiobasilea </a> <a href=\"http://10.ordineformati.com/sfondomarinarosa/\"> sfondomarinarosa </a> http://8.suacorte.com/cardmagicmagiccarta/ <a href=\"http://5.dolcezzasenti.com/trannyangel/\"> trannyangel </a> <a href=\"http://7.dolcezzasenti.com/plasmahdtv/\"> plasmahdtv </a> http://2.chedivino.com/atknaturalhairy/ <a href=\"http://5.altribeati.com/casacuracittamilano/\"> casacuracittamilano </a> <a href=\"http://19.dolcezzasenti.com/mountainbikeprofessionale/\"> mountainbikeprofessionale </a> http://19.ordineformati.com/armiariacompressa/ <a href=\"http://18.altribeati.com/volimilanomalpensa/\"> volimilanomalpensa </a> <a href=\"http://17.altribeati.com/hotelstellaroma/\"> hotelstellaroma </a> http://17.altribeati.com/lecodibergamo/ <a href=\"http://16.chedivino.com/villavacanzaaffitto/\"> villavacanzaaffitto </a> a9d78baa354a855d6269a5d22243d202"
    Last edited by mibut; 20-08-06 at 12:40 PM.

  9. #9
    Ste (It's a hard life .....)
    What you need to do is to stop all of your form fields from accepting website URLs, as this is all they want to do, send you a load of website addresses.

    Just add this before your mail() send code:

    if (preg_match("/http/", $body)) { echo "Form Spam Detected"; exit(); }

    which will bring the script to an abrupt end if it finds "http" in the body of the email, but you would need to remove your "powered by" line as it contains the chars "http" which the preg_match is looking for.

    There are 2 types of form attacks: email header injection (using your form to send out mass emails) and just the general spam email you receive with a load of website addresses. I think it has just happened that your PHP form URL has found itself on one of the mass submission sites which spammers use mainly to target guestbooks and forums etc.

    If you have been targeted for email form injection you would know about it, as you would start receiving a load of returned undelivered emails!
    A World of Poker - Its the Nutz! www.aworldofpoker.com

  10. #10
    mibut (Registered User)
    Thanks Ste, I think you hit the nail on the head, but could you highlight where this needs to go?
    Thanks

  11. #11
    Ste (It's a hard life .....)
    Add it just before this line:

    mail($recipient, $subject, $body, $mailheaders);

    but just looking for the ‘http’ will not be 100% secure, as you need to check $recipient and $subject for bcc:, cc: etc., as this is what they target for email injection.

    A quick solution for this is to hard code the recipient and email subject.
    A World of Poker - Its the Nutz! www.aworldofpoker.com
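    A hardened handler written as an added example for this thread (not the EZ script's own code, and not from Rich or Ste), applying Rich's point in post #4 and Ste's advice in post #11: recipient and subject are fixed in the script, and the visitor-supplied fields that reach a mail header are rejected when they contain a line break or a header-like token. The constants, function names and the sample submission are assumptions; only the field names realname and email come from the thread's form.

```php
<?php
// Added example, not the thread's EZ form script: recipient and subject are
// fixed server-side, and the fields that reach a mail header are rejected
// when they carry a line break or a header-like token. Field names 'realname'
// and 'email' come from the thread's form; everything else is assumed.

const MAIL_RECIPIENT = 'you@yourdomain.com';  // never taken from $_POST
const MAIL_SUBJECT   = 'WWW Form Submission'; // never taken from $_POST

// Null when $value is safe to place in a mail header, otherwise the reason.
function header_injection_reason(string $value): ?string
{
    if (preg_match('/[\r\n\0]/', $value)) {
        return 'line break or NUL byte';  // the injection vector itself
    }
    if (preg_match('/\b(bcc|cc|to|content-type|mime-version)\s*:/i', $value)) {
        return 'header-like token';       // e.g. "Bcc:" smuggled into a field
    }
    return null;
}
// Validate $fields (the raw $_POST array) and return either an error string
// or [recipient, subject, body, headers] ready to hand to mail().
function build_safe_mail(array $fields, string $remoteAddr)
{
    $name  = trim((string) ($fields['realname'] ?? ''));
    $email = trim((string) ($fields['email'] ?? ''));
    if ($name === '' || $email === '') {
        return 'missing realname or email';
    }
    foreach (['realname' => $name, 'email' => $email] as $key => $value) {
        if (($why = header_injection_reason($value)) !== null) {
            return "rejected $key: $why";
        }
    }
    // Stricter than the thread's /^.{2,}?@.{2,}\./ check: no spaces, no <>.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return 'invalid e-mail address';
    }
    $body = "Form submission from $remoteAddr\n";
    foreach ($fields as $key => $value) {
        if (in_array($key, ['realname', 'email', 'recipient', 'subject'], true)) {
            continue;  // routing fields are never echoed into the message
        }
        // Collapse line breaks so a field cannot fake a MIME part boundary.
        $clean = preg_replace('/[\r\n]+/', ' ', strip_tags((string) $value));
        $body .= preg_replace('/^req_/', '', $key) . ': ' . $clean . "\n";
    }
    // From stays a fixed local address; the visitor only gets Reply-To.
    $display = str_replace(['<', '>', '"'], '', $name);
    $headers = 'From: Web Form <' . MAIL_RECIPIENT . ">\r\n"
             . "Reply-To: $display <$email>\r\n";
    return [MAIL_RECIPIENT, MAIL_SUBJECT, $body, $headers];
}
// Constructed submission of the kind described in post #4: the email field
// carries a second line with an extra header. Prints the rejection reason.
var_dump(build_safe_mail(
    ['realname' => 'Bob', 'email' => "bob@example.com\nBcc: x@example.net"],
    '203.0.113.5'
));
```

    When build_safe_mail() returns an array, pass its four elements to mail() in order; when it returns a string, show the error and stop, as the original script does with die().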

  12. #12
    mibut (Registered User)
    Thanks
    Ste works fine, thanks again for very quick response and answer

  13. #13
    mibut (Registered User)
    The advice given worked fine, but I have just started getting this type of email, see below.
    Any ideas on how to stop it?
    Thanks
    Below is the result of your feedback form. It was submitted on:
    Tuesday, February 6th, 2007 at 9:44am.

    Type: free ringtones
    gifts for valentines day
    free nokia ringtones
    download free ringtones
    free ringtones
    Number: free ringtones
    gifts for valentines day
    free nokia ringtones
    download free ringtones
    free ringtones
    Budget: free ringtones
    gifts for valentines day
    free nokia ringtones
    download free ringtones
    free ringtones
    Name: free ringtones
    email1: free@ringtones.com
    Telephone: free ringtones
    gifts for valentines day
    free nokia ringtones
    download free ringtones
    free ringtones
    House: free ringtones
    gifts for valentines day
    free nokia ringtones
    download free ringtones
    free ringtones
    Town: free ringtones
    gifts for valentines day
    free nokia ringtones
    download free ringtones
    free ringtones
    City: free ringtones
    gifts for valentines day
    free nokia ringtones
    download free ringtones
    free ringtones
    County/State: free ringtones
    gifts for valentines day
    free nokia ringtones
    download free ringtones
    free ringtones
    Country: free ringtones
    gifts for valentines day
    free nokia ringtones
    download free ringtones
    free ringtones
    Post/Zipcode: free ringtones
    gifts for valentines day
    free nokia ringtones
    download free ringtones
    free ringtones
    FormsButton2: Submit
    Further: free ringtones
    gifts for valentines day
    free nokia ringtones
    download free ringtones
    free ringtones

    -------- Submission Details --------
    Remote Address: 200.88.223.98
    HTTP User Agent: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)

  14. #14
    rogoff (Registered User)
    I posted a fix for this type of thing here:
    http://www.webmasterworld.com/webmaster/3218242.htm

    could be useful for you.

  15. #15
    mibut (Registered User)
    Looks like it will work, but where in my form script do I put the PHP bit?
    <?php
    function Print_Footer() {
        echo '<p><center>Powered by EZ </a>!</center>';
    }

    function Check_Referer() {
        global $referers;
        $temp = explode('/', $_SERVER['HTTP_REFERER']);
        $referer = $temp[2];
        $found = false;
        foreach ($referers as $domain) {
            if (stristr($referer, $domain)) { $found = true; }
        }
        return $found;
    }

    if ($_POST) {
        if (Check_Referer() == false) {
            echo '<font size="+1" color="#FF0000">Error: Invalid Referer</font><BR>';
            echo 'You are accessing this script from an unauthorized domain!';
            Print_Footer();
            die();
        }
        $ctr = 0;

        $isrealname = 0;
        $isemail = 0;

        foreach ($_POST as $key => $val) {
            if ($key == 'realname') { $isrealname = 1; }
            if ($key == 'email') { $isemail = 1; }
            if (substr($key, 0, 4) == 'req_' || $key == 'realname' || $key == 'email') {
                if ($val == '') {
                    if ($ctr == 0) {
                        echo '<font size="+1" color="#FF0000">Error: Missing Field(s)</font><BR>';
                        echo 'The following <i>required</i> field(s) were not filled out:<BR>';
                    }
                    echo '<BR>- <b>'.substr($key, 4).'</b>';
                    $ctr++;
                }
            }
        }
        if ($ctr > 0) {
            echo '<p>Click <a href="javascript:history.go(-1)">here</a> to go back';
            Print_Footer();
            die();
        }
        else {
            if ($isrealname == 0) {
                echo '<font size="+1" color="#FF0000">Error: Missing Field</font><BR>';
                echo 'No "realname" field found.<p><a href="'.$siteurl.'">here</a> to return to the home page.';
                Print_Footer();
                die();
            }
            elseif ($isemail == 0) {
                echo '<font size="+1" color="#FF0000">Error: Missing Field</font><BR>';
                echo 'No "email" field found.<p><a href="'.$siteurl.'">here</a> to return to the home page.';
                Print_Footer();
                die();
            }
        }

        if (!(preg_match("/^.{2,}?@.{2,}\./", $_POST['email']))) {
            echo '<font size="+1" color="#FF0000">Error: Invalid E-mail</font><BR>';
            echo 'The e-mail address you entered (<i>'.$_POST['email'].'</i>) is invalid.';
            Print_Footer();
            die();
        }

        $body = "Below is the result of your feedback form. It was submitted on:\n".date('l, F jS, Y').' at '.date('g:ia').".\n";

        foreach ($_POST as $key => $val) {
            $val = strip_tags($val);
            if ($key == 'realname') { $isrealname = 1; }
            elseif ($key == 'subject') { $subject = $val; }
            else {
                if ($key != 'realname' && $key != 'email') {
                    $body .= "\n".str_replace('req_', '', $key).": $val";
                }
            }
        }
        $body .= "\n\n-------- Submission Details --------\n";
        $body .= "Remote Address: ".getenv('REMOTE_ADDR')."\n";
        $body .= "HTTP User Agent: ".getenv('HTTP_USER_AGENT')."\n\n";
        $body .= "--------------------------------------------------\n";
        $body .= "Powered by EZ . ";

        $mailheaders = "From: ".$_POST['realname']." <".$_POST['email'].">\n";
        $mailheaders .= "X-Priority: 1\n";
        $mailheaders .= "Reply-To: ".$_POST['email'];
        if (preg_match("/http/", $body)) { echo "Form Spam Detected"; exit(); }
        mail($recipient, $subject, $body, $mailheaders);
        header("Location: $success_url");
    }
    else {
        echo '<center>You have access this page from an invalid location. Please click <a href="'.$siteurl.'">here</a> to go to '.$siteurl.'.</center>';
    }

    Print_Footer();
    ?>
