
Help with verifying sender email domain in contact form

Posted: Thu Oct 09, 2008 10:19 pm
by luvspirates
Hello,
I'm creating a Tell-a-Friend script from a php contact form I've used in the past. An important element of the form is that it checks the validity of the sender's email domain to reduce SPAM. I've used this form with great success in the past as a simple contact form, but the alterations I've made to change it to a Tell-a-Friend form have somehow ceased the validation of the sender's domain. If I use the following code with a fake email, the form still sends the message.

Would anyone have any ideas as to why this isn't working and how I could alter the code to prevent the email from sending if the email's domain does not exist? Thank you for any assistance.

-Deanna

My form code:

<form name="tellafriend" action="http://www.mysite.com/tellafriend" method="post"> 
    <table>
        <tr>
            <td>Your Name:</td>
            <td><input size="30" name="name" type="text" maxlength="45"/></td>
        </tr>
        <tr>
            <td>Your Email:</td>
            <td><input size="30" name="email" type="text" maxlength="45"/></td>
        </tr>
        <tr>
            <td>Friend's Email: </td>
            <td><input size="30" name="friendemail" type="text" /></td>
        </tr>
    </table>
<p><input type="submit" name="Submit" value="Send Tour Link" /></p>
</form>
My mail script:

<?php

/**
 * Windows fallback for checkdnsrr(): older PHP builds on Windows lack it,
 * so the MX record is looked up with nslookup instead.
 */
function myCheckDNSRR($hostName, $recType = '')
{
    if (!empty($hostName)) {
        if ($recType == '') $recType = "MX";
        // The host name comes from user input, so it must be passed to the
        // shell as a single quoted argument, never interpolated into the command.
        exec("nslookup -type=" . escapeshellarg($recType) . " " . escapeshellarg($hostName), $result);
        // check each line to find the one that starts with the host
        // name. If it exists then the function succeeded.
        foreach ($result as $line) {
            if (preg_match('/^' . preg_quote($hostName, '/') . '/i', $line)) {
                return true;
            }
        }
        // otherwise there was no mail handler for the domain
        return false;
    }
    return false;
}

/**
 * Check single-line inputs:
 * Returns false if text contains newline character
 */
function has_no_newlines($text)
{
    return preg_match("/(%0A|%0D|\\n+|\\r+)/i", $text) == 0;
}

/**
 * Check multi-line inputs:
 * Returns false if text contains newline followed by
 * email-header specific string
 */
function has_no_emailheaders($text)
{
    return preg_match("/(%0A|%0D|\\n+|\\r+)(content-type:|to:|cc:|bcc:)/i", $text) == 0;
}


//Required Fields:
if (!empty($_POST['name']) && !empty($_POST['email']) && !empty($_POST['friendemail'])) {

    //This mail.php is Email Injection Safe, and attacks Spam
    //$to = $_POST['to'];//
    $name        = $_POST['name'];
    $email       = $_POST['email'];
    $friendemail = $_POST['friendemail'];
    // These three fields are not in the form above, so guard against undefined indexes
    $agency     = isset($_POST['agency'])     ? $_POST['agency']     : '';
    $tourlink   = isset($_POST['tourlink'])   ? $_POST['tourlink']   : '';
    $returnlink = isset($_POST['returnlink']) ? $_POST['returnlink'] : '';

    //Intercept illegal usage of this mail.php
    //if (strcmp($to,$realTo) != 0) { die("Invalid To: Email Address"); }//

    //Intercept possible injections (CR, LF or ':' in the sender address)
    if (preg_match("/[\r\n:]/", $email)) { die("Invalid From: Email Address (possible injection)"); }
    if (!( has_no_newlines($email) && has_no_emailheaders($email) )) { die("Invalid From: Email Address (possible injection)"); }
    // The friend's address goes straight into mail()'s first argument, so check it the same way
    if (!( has_no_newlines($friendemail) && has_no_emailheaders($friendemail) )) { die("Invalid To: Email Address (possible injection)"); }

    //Block people using this Domain name as their email address
    if (stripos($email, "mysite.com") !== false) { die("Invalid From: Email Address (try using your own domain)"); }

    //Block message containing http
    if (stripos($name, 'http:') !== false) { die("Links are not allowed to reduce SPAM. Please remove any links from your message and try again."); }

    //We can check if the domain is REAL
    $parts = explode("@", $email);
    if (count($parts) != 2) { die("<h2>Error: " . htmlspecialchars($email) . " is not a valid email.</h2>"); }
    list($username, $maildomain) = $parts;
    if (PHP_OS == "WINNT") {
        if (!myCheckDNSRR($maildomain)) { die("<h2>Error: " . htmlspecialchars($maildomain) . " is not a valid email.</h2>"); }
    } else {
        if (!checkdnsrr($maildomain, "MX")) { die("<h2>Error: " . htmlspecialchars($maildomain) . " is not a valid email.</h2>"); }
    }

    $headers = "From: ".$email."\nReply-To: ".$email."\nReturn-Path: ".$email;
    $subject = $name;
    $message = $name;

    $sent = mail($friendemail, $subject, $message, $headers);
    if ($sent) {
        header("Location: http://mysite.com");
        exit;
    } else {
        echo "<h2>Error: Your message was not sent.</h2>";
    }

} else {
    echo "<h2>Oops!</h2><p>You haven't filled out all of the required fields.</p>";
}
?>

Re: Help with verifying sender email domain in contact form

Posted: Fri Oct 10, 2008 2:01 am
by jaoudestudios
You've used it before? :? Please tell me you had protection on your exec command to filter tainted data?

But it worked before - so who cares about protection, right!

There are better ways to check for a valid inbox without dropping into the shell. Plus, dropping into the shell using the exec function requires safe mode to be off, so I would only use this when absolutely necessary.

Take a look at this...
http://www.forum.jaoudestudios.com/view ... ?f=13&t=48
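As an added example (not code from either poster or from the linked thread), here is the same sender check done with PHP's own resolver functions instead of exec(): filter_var for the syntax, checkdnsrr for the MX lookup (falling back to an address record, which is SMTP's implicit-MX rule), and a header builder that only accepts an address that passed. It assumes PHP 5.3 or later, where checkdnsrr also works on Windows; the function names are made up for the illustration.

```php
<?php
// Added example: validate the sender without exec()/nslookup. Not the
// poster's code; function names are made up for this illustration.
// Assumes PHP >= 5.3 so checkdnsrr() is available on Windows as well.

/**
 * True if $email has no header-breaking characters, passes PHP's syntax
 * check, and its domain has an MX record or (implicit MX, RFC 5321) an
 * A/AAAA record. The domain is handed to the resolver as data only.
 */
function sender_address_is_deliverable($email)
{
    if (preg_match("/[\r\n]/", $email)) {      // header injection attempt
        return false;
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return false;                         // bad syntax, multiple '@', etc.
    }
    $domain = substr(strrchr($email, '@'), 1);
    if (checkdnsrr($domain, 'MX')) {
        return true;
    }
    return checkdnsrr($domain, 'A') || checkdnsrr($domain, 'AAAA');
}

/**
 * Build From/Reply-To headers, or return null if the address failed the
 * check, so a rejected value can never reach mail().
 */
function build_sender_headers($name, $email)
{
    if (!sender_address_is_deliverable($email)) {
        return null;
    }
    // CR/LF and quotes are stripped from the display name rather than trusted.
    $safe_name = str_replace(array("\r", "\n", '"'), '', $name);
    return 'From: "' . $safe_name . '" <' . $email . ">\r\nReply-To: " . $email;
}

// Constructed inputs; the first two results depend on live DNS.
var_dump(sender_address_is_deliverable('alice@example.com'));
var_dump(sender_address_is_deliverable('bob@nosuchdomain.invalid'));
var_dump(build_sender_headers("Eve\r\nBcc: someone@example.org", 'eve@example.net'));
```

A DNS lookup only proves the domain can receive mail, not that the mailbox exists; it is a cheap filter, not a proof of identity.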