Pain Injection

I was expecting a nice quiet day's work today on my Sunday job, with just one site to be uploaded that I'd already finished last week and two pages needing very minor edits. Of course nothing is ever that simple!

When I called Simon this afternoon, he told me that he'd received 350 spam e-mails today alone, with thousands more since Thursday. It didn't seem like the strangest thing in the world, what with the number of spammers about these days, until he told me that all of the e-mails were coming from one of our servers. A quick check of one of the e-mail headers confirmed that the e-mails had indeed come from our server.

Had we been hacked? How many other people were now receiving spam that appeared to come from us?

I Googled for a while and found that we'd been the victim of a "Sendmail Injection Exploit." Basically this is e-mail header injection: a spammer submits a site's contact form with a sender address that contains line breaks followed by extra mail headers such as Bcc: (and, after a blank line, a message body of their own). If the form drops that value straight into the headers passed to mail(), the server obligingly sends the spammer's message to everyone they listed, with our address on it and nothing to trace it back to them. I couldn't find a fix that worked for me so I put up a temporary holding page to keep the spammers at bay before going off to learn some new PHP to help me come up with a solution of my own.

The final result seems to work but I won’t be putting it into production until tomorrow night when I’ll know for sure. The following code is part research, part guess-work and just a smidgen of actual PHP knowledge.

// Strip carriage returns and line feeds: a line break is what lets a spammer turn the sender field into extra mail headers.
$email = preg_replace("/[\r\n]/", "", $email);
// Refuse anything that still looks like an injected header. eregi() was removed in PHP 7, so use preg_match();
// matching "name:" rather than the bare word avoids rejecting ordinary addresses such as tom@example.com.
if (preg_match('/(?:to|cc|bcc|content-type)\s*:/i', $email)) die("Sorry, there was a problem with your message being sent. Please click <a href=\"javascript:history.go(-1)\">here</a> to try again");

I would have used a more ‘choice’ message for the spammers when filtering them out but it’s always possible that a legitimate customer could receive the message by mistake. With this being a possibility there’s also the chance that we could block legitimate contacts but I think this is the lesser of two evils here.

If you find yourself a victim of such an attack please feel free to add the above code to your PHP mail() form. Just replace $email with whatever field you use to collect the sender's e-mail address.
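To make the mechanism concrete, here is an added example (my code, not the code from this post or from the site in question). It shows the unsafe way a contact form typically builds mail() headers from the sender field, what a constructed injection payload turns those headers into, and a hardened check to use instead. The function names and the sample addresses are made up for the example. Unlike the snippet above, the hardened check rejects a value containing CR or LF instead of stripping it, so an attempt shows up as a failed submission rather than being quietly mailed, and it also validates the result with filter_var().

```php
<?php
// Added example, not code from the original post. Function names and the
// sample inputs below are constructed for illustration.

// The usual vulnerable pattern: the address from the form goes straight into
// the additional_headers argument of mail(). Line breaks inside $sender become
// new header lines, and a blank line starts a brand-new message body.
function build_headers_unsafe(string $sender): string
{
    return "From: $sender\r\nReply-To: $sender\r\n";
}

// Hardened version: return the clean address, or null if the value looks like
// an injection attempt or is not a single valid e-mail address.
function clean_sender(string $sender): ?string
{
    // 1. A CR or LF is the injection vector itself. Refuse the submission
    //    rather than silently stripping the characters.
    if (preg_match('/[\r\n]/', $sender)) {
        return null;
    }
    // 2. Header names followed by a colon (to:, cc:, bcc:, content-type:).
    //    Matching "name:" rather than the bare word avoids rejecting
    //    addresses such as tom@example.com or rebecca@example.com.
    if (preg_match('/(?:to|cc|bcc|content-type)\s*:/i', $sender)) {
        return null;
    }
    // 3. Require a single syntactically valid address; this also rejects
    //    embedded spaces, commas and angle-bracket recipient lists.
    $valid = filter_var($sender, FILTER_VALIDATE_EMAIL);
    return $valid === false ? null : $valid;
}

// Same header block as above, but only ever built from a cleaned address.
function build_headers_safe(string $sender): ?string
{
    $clean = clean_sender($sender);
    return $clean === null ? null : "From: $clean\r\nReply-To: $clean\r\n";
}

// Constructed sample inputs (not real addresses, not real spam).
$legitimate = 'tom@example.com';
$injection  = "tom@example.com\r\n"
            . "Bcc: victim1@example.net, victim2@example.net\r\n"
            . "Content-Type: text/plain\r\n"
            . "\r\n"
            . "Buy now!";

// What mail() would receive from the unsafe builder: the spammer's Bcc:
// line and a second body are now part of the headers string.
echo "--- unsafe headers built from the injected value ---\n";
echo build_headers_unsafe($injection), "\n";

// The hardened path: the ordinary address passes, the injected one is refused.
echo "--- hardened check ---\n";
printf("legitimate => %s\n", var_export(clean_sender($legitimate), true));
printf("injection  => %s\n", var_export(clean_sender($injection), true));
printf("safe headers for injection => %s\n", var_export(build_headers_safe($injection), true));
```

Run it with the php command-line binary. The unsafe builder prints a header block that now carries the Bcc: line and the spammer's body, while clean_sender() returns the plain address for the legitimate input and null for the injected one, so build_headers_safe() never produces headers for it. The filter_var() step is the part worth keeping even if you prefer the post's strip-and-check approach: once the sender field is guaranteed to be one well-formed address, there is no room left in it for a second header.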

One Response to “Pain Injection”

  1. Form Security - DesignersTalk Says:

    […] Take a look at reCaptcha, a useful service with minimal setup. (I had to use it on a server that wouldn't support ImageGD so couldn't install my own.) Here's what I had to say about php injection in the past: clicky […]
