Hide email in PHP script...

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


Onemorerun
Forum Newbie
Posts: 4
Joined: Mon Nov 02, 2009 4:39 pm

Hide email in PHP script...

Post by Onemorerun »

Hi, I am definitely not a PHP developer, although I am slowly learning CMS platforms such as Joomla.

I recently did an online tutorial to help me create a form on my static site that did the submission through a PHP script. I did this to help me fight the spam I was receiving. However, since implementing the form my SPAM went from 25 a day to 100 that I received last night.

Anyways, I like the form and I was hoping that someone could help me to manipulate or point me in the right direction to a place I could learn to tweak the PHP script so that it hides my email and is secure from spammer robots.

The script I used that is connected to the tutorial I took is here http://mark.host56.com/script.html .

Can someone take a look and tell me how I might make this spammer robot proof. Thanks.
cpetercarter
Forum Contributor
Posts: 474
Joined: Sat Jul 25, 2009 2:00 am

Re: Hide email in PHP script...

Post by cpetercarter »

Google "obfuscate email address". You'll find plenty of ideas and advice.
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Re: Hide email in PHP script...

Post by John Cartwright »

cpetercarter wrote: Google "obfuscate email address". You'll find plenty of ideas and advice.
I don't think this is relevant because the email is only stored in the PHP script itself, and at no point is visible to the end user. Obfuscating emails is usually done on the client side.

You might consider implementing a captcha verification in your form.
Onemorerun
Forum Newbie
Posts: 4
Joined: Mon Nov 02, 2009 4:39 pm

Re: Hide email in PHP script...

Post by Onemorerun »

Thanks for your response. As I said, I am no PHP expert. However, in my effort to research my topic as best as I could I read in a couple places that if your scripting is too weak or if you left your email address in it some of the advanced spiders could still extract it. Maybe this is impossible.

Below is the template for the scripting I used. Can you take a look to make sure there isn't anything weird in it. It would be a relief to me.

<?php

/* Email Variables */

$emailSubject = 'contactformprocess!';
$webMaster = 'YOUR EMAIL ADDRESS WILL GO HERE';


/* Data Variables (taken straight from the POST body, unfiltered) */

$email = $_POST['email'];
$name = $_POST['name'];
$comments = $_POST['comments'];


/* Message body: the user values are interpolated directly into HTML */

$body = <<<EOD
<br><hr><br>
Name: $name <br>
Email: $email <br>

Comments: $comments <br>
EOD;


/* Headers: the user-supplied address goes straight into the From: header */
$headers = "From: $email\r\n";
$headers .= "Content-type: text/html\r\n";
$success = mail($webMaster, $emailSubject, $body, $headers);


/* Results rendered as HTML */

$theResults = <<<EOD
<html>
<head>
<title>sent message</title>
<meta http-equiv="refresh" content="3;URL=http://YOUR WEBSITE ADDRESS/contact.html">
<style type="text/css">
<!--
body {
background-color: #444;
font-family: Verdana, Arial, Helvetica, sans-serif;
font-size: 20px;
font-style: normal;
line-height: normal;
font-weight: normal;
color: #fec001;
text-decoration: none;
padding-top: 200px;
margin-left: 150px;
width: 800px;
}

-->
</style>
</head>
<body>
<div align="center">Your email will be answered soon as possible!
You will return to Classic Bikes in a few seconds !</div>
</body>
</html>
EOD;
echo $theResults;
?>
Eric!
DevNet Resident
Posts: 1146
Joined: Sun Jun 14, 2009 3:13 pm

Re: Hide email in PHP script...

Post by Eric! »

I recommend you take that form off your site immediately. If you are receiving that many spam messages, the odds are very good they have also figured out that your script is completely open to hijacking your mail server. In fact, they could be sending out thousands of messages to other people from your server, making it look like you sent them. This will get your domain blacklisted and often blocked.

Your key problem is you are directly passing raw user data to your mail server. Never trust user data!

Please take your form offline and take a look at the PHP and form script I wrote for newbies.
viewtopic.php?f=50&t=104240

PS in my script, I suggest you set $protect=4 and this will reject messages containing links and that stops the spambots cold but the downside is users can't send you links.
PPS Also google "header injection" for more info.
Last edited by Eric! on Tue Nov 03, 2009 1:17 pm, edited 1 time in total.
Onemorerun
Forum Newbie
Posts: 4
Joined: Mon Nov 02, 2009 4:39 pm

Re: Hide email in PHP script...

Post by Onemorerun »

Man, you just scared the heck out of me. I just took it offline and will look at your thread.

BTW, I have 3 small sites. This is the only site I get SPAM in conjunction with the website. The only difference is that in this one I use my first name in the email address and the other two I use a generic "info@xxxx.com". Do you think this makes a difference to spiders as they target email addresses with an actual name?

Thanks
Eric!
DevNet Resident
Posts: 1146
Joined: Sun Jun 14, 2009 3:13 pm

Re: Hide email in PHP script...

Post by Eric! »

You probably caught it in time, don't panic. 8O

If you are referring to the value of $webMaster, then no it doesn't make a difference what you set it to. No one can see your source code values (normally). The spammers just haven't found your pages or haven't tested it yet.

However, with your script as it is written, someone can easily inject a header (via your $_POST['email'] field), create an entirely new email message and send it through your form without you even knowing what is going on. Random people then receive spam messages directly from your domain...not good. Here is a good description http://www.phpsecure.info/v2/article/Ma ... ect.en.php

At a minimum you have to filter anything going into your header fields to prevent injection attacks. The second level is to clean up all the other user fields.
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Hide email in PHP script...

Post by kaisellgren »

Getting spammed may not be the only problem with email header injections. I once met a case where there was a customer support form which was vulnerable to CSRF. I made a transparent cross-site request forgery, with injected email headers, to send an email to the user who was logged in. He later replied to the email he got, and the reply came to me thanks to the Reply-To-style phishing attack. The user, of course, did not notice the Reply-To, and the email was encrypted and confirmed to be "safe" by PGP because the email was sent from the site. I could get some very sensitive details (but in this scenario it was not a real attack, but rather a vulnerability test), and the overall difficulty of this attack scenario was not hard. It just gets funnier when you send legitimate emails from the site with attached virii.

PS. It was a paid-to-crack job, nothing too serious. ;)
Eric!
DevNet Resident
Posts: 1146
Joined: Sun Jun 14, 2009 3:13 pm

Re: Hide email in PHP script...

Post by Eric! »

kaisellgren wrote: I once met a case where there was a customer support form, which was vulnerable to CSRF. I made a transparent cross-site request forgery, with injected email headers, to send an email to the user who was logged in.
(BTW Good to see you back here.) I guess that would be the ultimate phishing trick. And why the encryption...make it look more authentic?
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Hide email in PHP script...

Post by kaisellgren »

Eric! wrote: And why the encryption...make it look more authentic?
Well, people usually think PGP increases the security of email communications (which it does), so they tend to believe the email, along with its contents, is always safe.
Onemorerun
Forum Newbie
Posts: 4
Joined: Mon Nov 02, 2009 4:39 pm

Re: Hide email in PHP script...

Post by Onemorerun »

Hi Guys,

I have been trying to implement some sort of email injection protection into my .php script for my email form that I posted previously. The link suggested by Eric: viewtopic.php?f=50&t=104240 is way beyond my user level. As I said, I am far from a PHP developer and I'm simply trying to make my form email secure on my site.

I found the below (pasted) as a way to filter and validate user data. Will this work ok? Do I just place it at the top of my .php document?

The first rule (the golden rule) is to always filter and validate user data. One possibility is to use regular expressions or string functions:

<?php
$from = $_POST["sender"];
// Reject the value outright if it contains a carriage return or a line feed,
// the characters that would start a new header line in the mail.
// (eregi() was removed in PHP 7; preg_match() performs the same test.)
if (preg_match('/[\r\n]/', $from)) {
die("Why ?? :(");
}
?>

Similar to the above, I found this:

<?php
// Blacklist approach: strip newline-like characters, and their literal
// URL-encoded spellings, from a value before it is used in a mail header.
// Only these patterns are removed; other control characters pass through.
function heal($str) {
$injections = array('/(\n+)/i',   // line feeds
'/(\r+)/i',   // carriage returns
'/(\t+)/i',   // tabs
'/(%0A+)/i',  // the literal text "%0A" (URL-encoded LF)
'/(%0D+)/i',  // the literal text "%0D" (URL-encoded CR)
'/(%08+)/i',  // the literal text "%08" (URL-encoded backspace)
'/(%09+)/i'   // the literal text "%09" (URL-encoded tab)
);
$str = preg_replace($injections, '', $str);
return $str;
}
?>

I also found this site that suggests that I create a separate PHP file that filters the incoming data: http://www.mailinjection.com/solutions

Basically, there is so much information out there I am having trouble focusing on what I should do and learn. I am just confusing myself.

Any direction would be helpful.
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Hide email in PHP script...

Post by kaisellgren »

The quickest way to secure your mailto is to use that blacklisting heal() function. It's ok, but I would use whitelisting and build a regular expression that filters the values. Actually, I would never allow 0x00-0x1F to be in the headers, as they could cause something unexpected on some mail servers.
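Putting together Eric's point (the raw $_POST['email'] value must never reach the From: header) and kaisellgren's whitelisting advice (reject 0x00-0x1F in headers rather than strip), here is an added example of a hardened handler for the form posted earlier. It is not code from this thread, the linked tutorial or Eric's script; the helper names header_value(), sender_address() and build_contact_mail() are assumptions, and it needs PHP 7.4 or later.

```php
<?php
// Added example, not code from this thread or the linked tutorial; the helper
// names header_value(), sender_address() and build_contact_mail() are assumed.
// Whitelist check for anything placed in a mail header: reject CR, LF and every
// other control character (0x00-0x1F, plus DEL) instead of stripping them out.
function header_value(string $value, int $maxLen = 200): ?string
{
    $value = trim($value);
    if ($value === '' || strlen($value) > $maxLen
        || preg_match('/[\x00-\x1F\x7F]/', $value)) {
        return null;
    }
    return $value;
}
// The visitor's address must also pass PHP's built-in email validator.
function sender_address(string $value): ?string
{
    $value = header_value($value, 254);
    if ($value === null || filter_var($value, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    return $value;
}
// Returns the four mail() arguments, or null when the submission is rejected.
// $webMaster is recipient and From: address; the visitor's address appears only
// in Reply-To, already validated, so it can never add a header line.
function build_contact_mail(array $post, string $webMaster): ?array
{
    $email    = sender_address($post['email'] ?? '');
    $name     = header_value($post['name'] ?? '');   // same check, body-only field
    $comments = trim($post['comments'] ?? '');
    if ($email === null || $name === null || $comments === '') {
        return null;
    }
    // The body goes out as text/html, so escape every user value in it.
    $esc  = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
    $body = '<p>Name: ' . $esc($name) . '</p><p>Email: ' . $esc($email) . '</p>'
          . '<p>Comments: ' . nl2br($esc($comments)) . '</p>';
    $headers = "From: $webMaster\r\nReply-To: $email\r\n"
             . "Content-Type: text/html; charset=UTF-8\r\n";
    return [$webMaster, 'contactformprocess!', $body, $headers];
}

$mailArgs = build_contact_mail($_POST, 'YOUR EMAIL ADDRESS WILL GO HERE');
if ($mailArgs === null) {
    http_response_code(400);
    exit('Invalid form submission.');
}
mail(...$mailArgs);
```

A rejected submission gets a 400 and nothing is sent, which is the behaviour you want for a spambot probe; a captcha, as John suggested, can be added in front of build_contact_mail() without changing the header handling.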