Hide email in PHP script...
Moderator: General Moderators
- Onemorerun
- Forum Newbie
- Posts: 4
- Joined: Mon Nov 02, 2009 4:39 pm
Hide email in PHP script...
Hi, I am definitely not a PHP developer, although I am slowly learning CMS platforms such as Joomla.
I recently did an online tutorial to help me create a form on my static site that did the submission through a PHP script. I did this to help me fight the spam I was receiving. However, since implementing the form my SPAM went from 25 a day to 100 that I received last night.
Anyways, I like the form and I was hoping that someone could help me to manipulate or point me in the right direction to a place I could learn to tweak the PHP script so that it hides my email and is secure from spammer robots.
The script I used that is connected to the tutorial I took is here http://mark.host56.com/script.html .
Can someone take a look and tell me how I might make this spammer-robot-proof. Thanks.
- cpetercarter
- Forum Contributor
- Posts: 474
- Joined: Sat Jul 25, 2009 2:00 am
Re: Hide email in PHP script...
Google "obfuscate email address". You'll find plenty of ideas and advice.
- John Cartwright
- Site Admin
- Posts: 11470
- Joined: Tue Dec 23, 2003 2:10 am
- Location: Toronto
Re: Hide email in PHP script...
cpetercarter wrote:
Google "obfuscate email address". You'll find plenty of ideas and advice.
I don't think this is relevant because the email is only stored in the PHP script itself, and at no point is visible to the end user. Obfuscating emails is usually done on the client side.
You might consider implementing a captcha verification in your form.
- Onemorerun
- Forum Newbie
- Posts: 4
- Joined: Mon Nov 02, 2009 4:39 pm
Re: Hide email in PHP script...
Thanks for your response. As I said, I am no PHP expert. However, in my effort to research my topic as best as I could I read in a couple places that if your scripting is too weak or if you left your email address in it some of the advanced spiders could still extract it. Maybe this is impossible.
Below is the template for the scripting I used. Can you take a look to make sure there isn't anything weird in it. It would be a relief to me.
<?php
/* Email Variables */
$emailSubject = 'contactformprocess!';
$webMaster = 'YOUR EMAIL ADDRESS WILL GO HERE';
/* Data Variables: raw POST values, used below without any validation */
$email = $_POST['email'];
$name = $_POST['name'];
$comments = $_POST['comments'];
$body = <<<EOD
<br><hr><br>
Name: $name <br>
Email: $email <br>
Comments: $comments <br>
EOD;
/* The visitor-supplied address goes straight into the From: header */
$headers = "From: $email\r\n";
$headers .= "Content-type: text/html\r\n";
$success = mail($webMaster, $emailSubject, $body, $headers);
/* Results rendered as HTML */
$theResults = <<<EOD
<html>
<head>
<title>sent message</title>
<meta http-equiv="refresh" content="3;URL=http://YOUR WEBSITE ADDRESS/contact.html">
<style type="text/css">
<!--
body {
background-color: #444;
font-family: Verdana, Arial, Helvetica, sans-serif;
font-size: 20px;
font-style: normal;
line-height: normal;
font-weight: normal;
color: #fec001;
text-decoration: none;
padding-top: 200px;
margin-left: 150px;
width: 800px;
}
-->
</style>
</head>
<body>
<div align="center">Your email will be answered as soon as possible!
You will return to Classic Bikes in a few seconds!</div>
</body>
</html>
EOD;
echo $theResults;
?>
Re: Hide email in PHP script...
I recommend you take that form off your site immediately. If you are receiving that many spam messages the odds are very good they have also figured out that your script is completely open to hijacking your mail server. In fact they could be sending out thousands of messages to other people from your server, making it look like you sent them. This will get your domain blacklisted and often blocked.
Your key problem is you are directly passing raw user data to your mail server. Never trust user data!
Please take your form offline and take a look at the php and form script I wrote for newbies.
viewtopic.php?f=50&t=104240
PS in my script, I suggest you set $protect=4 and this will reject messages containing links and that stops the spambots cold but the downside is users can't send you links.
PPS Also google "header injection" for more info.
Last edited by Eric! on Tue Nov 03, 2009 1:17 pm, edited 1 time in total.
- Onemorerun
- Forum Newbie
- Posts: 4
- Joined: Mon Nov 02, 2009 4:39 pm
Re: Hide email in PHP script...
Man, you just scared the heck out of me. I just took it offline and will look at your thread.
BTW, I have 3 small sites. This is the only site I get SPAM in conjunction with the website. The only difference is that in this one I use my first name in the email address and the other two I use a generic "info@xxxx.com". Do you think this makes a difference to spiders as they target email addresses with an actual name?
Thanks
Re: Hide email in PHP script...
You probably caught it in time, don't panic. 
If you are referring to the value of $webMaster, then no it doesn't make a difference what you set it to. No one can see your source code values (normally). The spammers just haven't found your pages or haven't tested it yet.
However, with your script as it is written, someone can easily inject a header (via your $_POST['email'] field), create an entirely new email message and send it through your form without you even knowing what is going on. Random people then receive spam messages directly from your domain...not good. Here is a good description http://www.phpsecure.info/v2/article/Ma ... ect.en.php
At a minimum you have to filter anything going into your header fields to prevent injection attacks. The second level is to clean up all the other user fields.
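Both of Eric!'s points (raw user data reaching the mail server, and a whole new message injected through $_POST['email']) are the same hole. The following is an added example, not code from the thread or from the posted script: it builds the headers exactly the way the posted script does, feeds them a constructed injection payload so the resulting header lines can be seen, and then builds them a safer way. The function names, the payload and the site address contact@example.com are assumptions; mail() is never called.

```php
<?php
// Added example, not code from the thread or from the posted script. It shows
// what the posted script's header construction does with an injected value and
// one safer way to build the headers. mail() is never called here; the raw
// header block is returned and printed instead. Names (vulnerable_headers,
// header_lines, safe_headers), the payload and contact@example.com are assumed.

// Exactly what the posted script does: the untrusted POST value lands
// unchanged in the From: header.
function vulnerable_headers(string $email): string
{
    $headers  = "From: $email\r\n";
    $headers .= "Content-type: text/html\r\n";
    return $headers;
}

// Split a raw header block into one string per header line, which is how the
// MTA behind mail() reads it.
function header_lines(string $raw): array
{
    return array_values(array_filter(explode("\r\n", $raw), 'strlen'));
}

// Constructed payload: an ordinary-looking address, then CRLF and headers of
// the attacker's choosing.
$payload = "bob@example.com\r\n"
         . "Bcc: victim1@example.net, victim2@example.org\r\n"
         . "X-Injected: yes";

echo "Headers the posted script would send:\n";
foreach (header_lines(vulnerable_headers($payload)) as $line) {
    echo "  $line\n";
}
// From: bob@example.com
// Bcc: victim1@example.net, victim2@example.org
// X-Injected: yes
// Content-type: text/html
// The Bcc: line is now a real header, so the MTA delivers a copy to every
// address in it, from the site's own server.

// Safer construction, still with plain mail():
//  * From: is a fixed address on the site's domain, so user input never
//    reaches it (and the site's SPF/DMARC records keep applying);
//  * the visitor's address goes into Reply-To: only after FILTER_VALIDATE_EMAIL
//    accepts it, which it does not for values containing CR, LF or other
//    control characters;
//  * on failure the function throws instead of sending a "cleaned" message.
function safe_headers(string $replyTo, string $siteFrom): string
{
    $validated = filter_var($replyTo, FILTER_VALIDATE_EMAIL);
    if ($validated === false) {
        throw new InvalidArgumentException('invalid reply-to address');
    }
    // Explicit second check so a future change to the filter cannot let a
    // line break through.
    if (preg_match('/[\x00-\x1F\x7F]/', $validated)) {
        throw new InvalidArgumentException('control character in address');
    }
    return "From: $siteFrom\r\n"
         . "Reply-To: $validated\r\n"
         . "Content-Type: text/plain; charset=UTF-8\r\n";
}

try {
    safe_headers($payload, 'contact@example.com');
} catch (InvalidArgumentException $e) {
    echo "Injected value: rejected ({$e->getMessage()})\n";
}
echo "Clean value:\n", safe_headers('bob@example.com', 'contact@example.com');
```

Run it with the php CLI. In the posted script the call would become mail($webMaster, $emailSubject, $body, safe_headers($_POST['email'], 'contact@yourdomain')) inside a try block that shows an error page instead of sending when validation fails. Putting a fixed site address in From: and the visitor's address in Reply-To: is also what most hosts expect from mail() anyway; you still reply to the visitor with one click in your mail client.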
- kaisellgren
- DevNet Resident
- Posts: 1675
- Joined: Sat Jan 07, 2006 5:52 am
- Location: Lahti, Finland.
Re: Hide email in PHP script...
Getting spammed may not be the only problem with email header injections. I once met a case where there was a customer support form, which was vulnerable to CSRF. I made a transparent cross-site request forgery, with injected email headers, to send an email to the user who was logged in. He later replied to the email he got and the response came to me thanks to the Reply-To-like phishing attack. The user, of course, did not notice the Reply-To, and the email was encrypted and confirmed to be "safe" by PGP because it was sent from the site. I could get some very sensitive details (but in this scenario, it was not a real attack, but rather a vulnerability test) and the overall difficulty of this attack scenario was not hard. It just gets funnier when you send legitimate emails from the site with attached virii.
PS. It was a paid-to-crack job, nothing too serious.
Re: Hide email in PHP script...
kaisellgren wrote:
I once met a case where there was a customer support form, which was vulnerable to CSRF. I made a transparent cross-site request forgery, with injected email headers, to send an email to the user who was logged in.
(BTW Good to see you back here.) I guess that would be the ultimate phishing trick. And why the encryption...make it look more authentic?
- kaisellgren
- DevNet Resident
- Posts: 1675
- Joined: Sat Jan 07, 2006 5:52 am
- Location: Lahti, Finland.
Re: Hide email in PHP script...
Eric! wrote:
And why the encryption...make it look more authentic?
Well, people usually think PGP increases the security of email communications (which it does), so they tend to believe the email along with its contents are always safe.
- Onemorerun
- Forum Newbie
- Posts: 4
- Joined: Mon Nov 02, 2009 4:39 pm
Re: Hide email in PHP script...
Hi Guys,
I have been trying to implement some sort of email injection protection into my .php script for my email form that I posted previously. The link suggested by Eric: viewtopic.php?f=50&t=104240 is way beyond my user level. As I said, I am far from a PHP developer and I'm simply trying to make my form email secure on my site.
I found the below (pasted) as a way to filter and validate user data. Will this work ok? Do I just place it at the top of my .php document.
The first rule (the golden rule) is to always filter and validate user data. One possibility is to use regular expressions or string functions:
<?php
// Reject the sender field outright if it contains a carriage return or line feed.
// (The snippet as found used eregi(), which was removed in PHP 7; preg_match()
// performs the same test.)
$from = $_POST["sender"];
if (preg_match('/[\r\n]/', $from)) {
    die("Why ??");
}
?>
Similar to the above, I found this:
<?php
// Blacklist approach: strip CR, LF, TAB and a few percent-encoded forms from
// the value and return whatever is left (it never rejects anything).
function heal($str) {
    $injections = array('/(\n+)/i',
                        '/(\r+)/i',
                        '/(\t+)/i',
                        '/(%0A+)/i',
                        '/(%0D+)/i',
                        '/(%08+)/i',
                        '/(%09+)/i'
    );
    $str = preg_replace($injections, '', $str);
    return $str;
}
?>
I also found this site that suggests that I create a separate PHP file that filters the incoming data: http://www.mailinjection.com/solutions
Basically, there is so much information out there I am having trouble focusing on what I should do and learn. I am just confusing myself.
Any direction would be helpful.
- kaisellgren
- DevNet Resident
- Posts: 1675
- Joined: Sat Jan 07, 2006 5:52 am
- Location: Lahti, Finland.
Re: Hide email in PHP script...
The quickest way to secure your mailto is to use that blacklisting heal() function. It's OK, but I would use whitelisting and build a regular expression that filters the values. Actually, I would never allow 0x00-0x1F to be in the headers as they could cause something unexpected on some mail servers.
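To make the difference between the posted heal() blacklist and the whitelist kaisellgren describes concrete, here is an added example (not code from the thread beyond the heal() function itself, which is reproduced as posted). It runs both approaches over three constructed inputs: a CRLF injection, the same injection with a control byte heal() does not strip, and a clean address. The per-field patterns, validate_field() and the sample inputs are assumptions for this particular form; nothing is sent.

```php
<?php
// Added example, not from the thread: the blacklist heal() that was posted,
// beside a whitelist validator of the kind kaisellgren recommends. Nothing is
// sent; each function only accepts, rewrites or rejects a value. The field
// patterns, validate_field() and the sample inputs are assumed for this form.

// The posted heal(): strips CR, LF, TAB and a few percent-encoded forms and
// returns whatever is left. It never rejects anything.
function heal(string $str): string
{
    $injections = ['/(\n+)/i', '/(\r+)/i', '/(\t+)/i',
                   '/(%0A+)/i', '/(%0D+)/i', '/(%08+)/i', '/(%09+)/i'];
    return preg_replace($injections, '', $str);
}

// Whitelist: a value is accepted only if the whole of it matches the pattern
// for that field. Every control character (0x00-0x1F, 0x7F) and everything
// else outside the pattern is rejected, not cleaned. The anchors are \A and \z
// rather than ^ and $, because $ in PCRE also matches just before a trailing
// newline and would let "address\n" through.
const FIELD_PATTERNS = [
    // ASCII letters, digits, space and light punctuation; an assumption for
    // this form (it rejects non-ASCII names, which a real site may not want).
    'name'  => '/\A[A-Za-z0-9 .,\'\-]{1,80}\z/',
    // Plain addr-spec shape; tighter than RFC 5322 on purpose.
    'email' => '/\A[A-Za-z0-9._%+\-]{1,64}@[A-Za-z0-9.\-]{1,253}\.[A-Za-z]{2,63}\z/',
];

function validate_field(string $field, string $value): string
{
    if (!array_key_exists($field, FIELD_PATTERNS)) {
        throw new InvalidArgumentException("no rule for field '$field'");
    }
    if (!preg_match(FIELD_PATTERNS[$field], $value)) {
        throw new InvalidArgumentException("$field rejected");
    }
    return $value;
}

// Constructed inputs: a CRLF injection, the same thing with a control byte
// heal() does not know about, and a clean address.
$samples = [
    "bob@example.com\r\nBcc: victim@example.net",
    "bob@example.com\x0BBcc: victim@example.net",   // 0x0B (VT) survives heal()
    "bob@example.com",
];

foreach ($samples as $s) {
    $afterHeal = heal($s);
    $healNote = preg_match('/[\x00-\x1F\x7F]/', $afterHeal)
        ? 'control bytes remain'
        : 'no control bytes left';
    try {
        validate_field('email', $s);
        $verdict = 'accepted';
    } catch (InvalidArgumentException $e) {
        $verdict = 'rejected';
    }
    printf("%-48s heal(): %-22s whitelist: %s\n", json_encode($s), $healNote, $verdict);
}
// "bob@example.com\r\nBcc: victim@example.net"    heal(): no control bytes left  whitelist: rejected
// "bob@example.com\u000bBcc: victim@example.net"  heal(): control bytes remain   whitelist: rejected
// "bob@example.com"                               heal(): no control bytes left  whitelist: accepted
```

Two things the output makes visible. First, for the CRLF sample heal() does remove the line break, but what it hands on ("bob@example.comBcc: victim@example.net") is still a mangled value that the posted script would put straight into From:, whereas the whitelist refuses the request. Second, heal() only knows the specific bytes in its list; any other control byte goes through untouched, which is exactly the 0x00-0x1F range kaisellgren says should never reach a header. Extend FIELD_PATTERNS with a rule per field you put in a header (subject, name) and keep the body free of header use altogether.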