
Hide email in PHP script...

Posted: Mon Nov 02, 2009 4:52 pm
by Onemorerun
Hi, I am definitely not a PHP developer, although I am slowly learning CMS platforms such as Joomla.

I recently did an online tutorial to help me create a form on my static site that did the submission through a PHP script. I did this to help me fight the spam I was receiving. However, since implementing the form my SPAM went from 25 a day to 100 that I received last night.

Anyways, I like the form and I was hoping that someone could help me to manipulate or point me in the right direction to a place I could learn to tweak the PHP script so that it hides my email and is secure from spammer robots.

The script I used that is connected to the tutorial I took is here http://mark.host56.com/script.html .

Can someone take a look and tell me how I might make this spammer robot proof. Thanks.

Re: Hide email in PHP script...

Posted: Mon Nov 02, 2009 5:15 pm
by cpetercarter
Google "obfuscate email address". You'll find plenty of ideas and advice.

Re: Hide email in PHP script...

Posted: Mon Nov 02, 2009 7:33 pm
by John Cartwright
cpetercarter wrote: Google "obfuscate email address". You'll find plenty of ideas and advice.
I don't think this is relevant because the email is only stored in the PHP script itself, and at no point is visible to the end user. Obfuscating emails is usually done on the client side.

You might consider implementing a captcha verification in your form.

Re: Hide email in PHP script...

Posted: Mon Nov 02, 2009 9:26 pm
by Onemorerun
Thanks for your response. As I said, I am no PHP expert. However, in my effort to research my topic as best as I could, I read in a couple of places that if your scripting is too weak or if you left your email address in it, some of the advanced spiders could still extract it. Maybe this is impossible.

Below is the template for the scripting I used. Can you take a look to make sure there isn't anything weird in it? It would be a relief to me.

<?php

/* Email Variables */

$emailSubject = 'contactformprocess!';
$webMaster = 'YOUR EMAIL ADDRESS WILL GO HERE';


/* Data Variables */

$email = $_POST['email'];
$name = $_POST['name'];
$comments = $_POST['comments'];



$body = <<<EOD
<br><hr><br>
Name: $name <br>
Email: $email <br>

Comments: $comments <br>
EOD;


$headers = "From: $email\r\n";
$headers .= "Content-type: text/html\r\n";
$success = mail($webMaster, $emailSubject, $body,
$headers);


/* Results rendered as HTML */

$theResults = <<<EOD
<html>
<head>
<title>sent message</title>
<meta http-equiv="refresh" content="3;URL=http://YOUR WEBSITE ADDRESS/contact.html">
<style type="text/css">
<!--
body {
background-color: #444;
font-family: Verdana, Arial, Helvetica, sans-serif;
font-size: 20px;
font-style: normal;
line-height: normal;
font-weight: normal;
color: #fec001;
text-decoration: none;
padding-top: 200px;
margin-left: 150px;
width: 800px;
}

-->
</style>
</head>
<body>
<div align="center">Your email will be answered soon as possible!
You will return to Classic Bikes in a few seconds !</div>
</body>
</html>
EOD;
echo "$theResults";
?>

Re: Hide email in PHP script...

Posted: Mon Nov 02, 2009 10:11 pm
by Eric!
I recommend you take that form off your site immediately. If you are receiving that many spam messages, the odds are very good they have also figured out that your script is completely open to hijacking your mail server. In fact they could be sending out 1,000's of messages to other people from your server, making it look like you sent them. This will get your domain blacklisted and often blocked.

Your key problem is you are directly passing raw user data to your mail server. Never trust user data!

Please take your form offline and take a look at the php and form script I wrote for newbies.
viewtopic.php?f=50&t=104240

PS in my script, I suggest you set $protect=4 and this will reject messages containing links and that stops the spambots cold but the downside is users can't send you links.
PPS Also google "header injection" for more info.

Re: Hide email in PHP script...

Posted: Tue Nov 03, 2009 1:15 pm
by Onemorerun
Man, you just scared the heck out of me. I just took it offline and will look at your thread.

BTW, I have 3 small sites. This is the only site I get SPAM in conjunction with the website. The only difference is that in this one I use my first name in the email address and the other two I use a generic "info@xxxx.com". Do you think this makes a difference to spiders as they target email addresses with an actual name?

Thanks

Re: Hide email in PHP script...

Posted: Tue Nov 03, 2009 1:46 pm
by Eric!
You probably caught it in time, don't panic. 8O

If you are referring to the value of $webMaster, then no it doesn't make a difference what you set it to. No one can see your source code values (normally). The spammers just haven't found your pages or haven't tested it yet.

However with your script as it is written, someone can easily inject a header (via your $_POST['email'] field) create an entire new email message and send it through your form without you even knowing what is going on. Random people then receive spam messages directly from your domain...not good. Here is a good description http://www.phpsecure.info/v2/article/Ma ... ect.en.php

At a minimum you have to filter anything going into your header fields to prevent injection attacks. The second level is to clean up all the other user fields.
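A hardened rewrite of the handler posted earlier in this thread, added here as an example (it is not code from the thread or from the linked tutorial). It keeps the same form field names (name, email, comments); the recipient and the fixed From address are placeholders to fill in.

```php
<?php
// Added example, not from the thread: a hardened version of the contact
// form handler posted above. Field names match that script; addresses
// are placeholders.

/* Reject any value that could break out of a mail header line:
 * control characters 0x00-0x1F (CR, LF, NUL, ...) and DEL never belong there. */
function header_safe(string $value, int $maxLen = 254): bool
{
    return strlen($value) <= $maxLen
        && preg_match('/[\x00-\x1F\x7F]/', $value) !== 1;
}

/* Build the message or return null when the input is not acceptable. */
function build_mail(array $post, string $webMaster, string $fromAddress): ?array
{
    $name     = trim($post['name'] ?? '');
    $email    = trim($post['email'] ?? '');
    $comments = $post['comments'] ?? '';

    // Whitelist: the reply address must be a single syntactically valid mailbox.
    if (!header_safe($email) || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    if (!header_safe($name, 100)) {
        return null;
    }

    // The visitor's address goes into Reply-To only; From stays fixed to our
    // own domain, so the server never sends mail claiming to be from a stranger.
    $headers  = "From: $fromAddress\r\n";
    $headers .= "Reply-To: $email\r\n";
    $headers .= "Content-type: text/plain; charset=UTF-8\r\n";

    // Plain-text body: nothing the visitor typed is interpreted as HTML or as a header.
    $body = "Name: $name\nEmail: $email\n\nComments:\n$comments\n";

    return ['to' => $webMaster, 'subject' => 'contactformprocess!',
            'body' => $body, 'headers' => $headers];
}

$msg = build_mail($_POST, 'YOUR EMAIL ADDRESS WILL GO HERE', 'contact@YOUR-DOMAIN.example');
if ($msg === null) {
    http_response_code(400);
    exit('Invalid form input.');
}
mail($msg['to'], $msg['subject'], $msg['body'], $msg['headers']);
echo 'Your message has been sent.';
```

Rejecting bad input outright (rather than stripping characters and sending anyway) means a spambot gets nothing delivered, which is the behaviour you want to see in your mail logs.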

Re: Hide email in PHP script...

Posted: Sat Nov 07, 2009 5:03 am
by kaisellgren
Getting spammed may not be the only problem with email header injections. I once met a case where there was a customer support form which was vulnerable to CSRF. I made a transparent cross-site request forgery, with injected email headers, to send an email to the user who was logged in. He later answered the email he got and the response email came to me thanks to the Reply-To-like phishing attack. The user, of course, did not notice the Reply-To, and the email was encrypted and confirmed to be "safe" by PGP because the email was sent from the site. I could get some very sensitive details (but in this scenario it was not a real attack, but rather a vulnerability test) and the overall difficulty of this attack scenario was not hard. It just gets funnier when you send legitimate emails from the site with attached virii.

PS. It was a paid-to-crack job, nothing too serious. ;)

Re: Hide email in PHP script...

Posted: Sat Nov 07, 2009 7:39 am
by Eric!
kaisellgren wrote: I once met a case where there was a customer support form, which was vulnerable to CSRF. I made a transparent cross-site request forgery, with injected email headers, to send an email to the user who was logged in.
(BTW Good to see you back here.) I guess that would be the ultimate phishing trick. And why the encryption...make it look more authentic?

Re: Hide email in PHP script...

Posted: Sun Nov 08, 2009 3:33 am
by kaisellgren
Eric! wrote: And why the encryption...make it look more authentic?
Well, people usually think PGP increases the security of email communications (which it does), so, they tend to believe the email along with its contents are always safe.

Re: Hide email in PHP script...

Posted: Thu Dec 03, 2009 4:35 pm
by Onemorerun
Hi Guys,

I have been trying to implement some sort of email injection protection into my .php script for my email form that I posted previously. The link suggested by Eric: viewtopic.php?f=50&t=104240 is way beyond my user level. As I said, I am far from a PHP developer and I'm simply trying to make my form email secure on my site.

I found the below (pasted) as a way to filter and validate user data. Will this work ok? Do I just place it at the top of my .php document?

The first rule (the golden rule) is to always filter and validate user data. One possibility is to use regular expressions or string functions:

<?php
// eregi() was deprecated in PHP 5.3 and later removed; preg_match() does the same check.
$from = $_POST["sender"];
if (preg_match("/(\r|\n)/", $from)) {
    die("Why ?? :(");
}
?>

Similar to the above, I found this:

<?php
// Blacklist approach: strip newline, carriage return, tab and their
// URL-encoded forms from a value before it is used in a mail header.
function heal($str) {
    $injections = array('/(\n+)/i',
        '/(\r+)/i',
        '/(\t+)/i',
        '/(%0A+)/i',
        '/(%0D+)/i',
        '/(%08+)/i',
        '/(%09+)/i'
    );
    $str = preg_replace($injections, '', $str);
    return $str;
}
?>

I also found this site that suggests that I create a separate PHP file that filters the incoming data: http://www.mailinjection.com/solutions

Basically, there is so much information out there I am having trouble focusing on what I should do and learn. I am just confusing myself.

Any direction would be helpful.

Re: Hide email in PHP script...

Posted: Sat Dec 05, 2009 12:38 pm
by kaisellgren
The quickest way to secure your mailto is to use that blacklisting heal() function. It's ok, but I would use whitelisting and build a regular expression that filters the values. Actually, I would never allow 0x00-0x1F to be in the headers as they could cause something unexpected on some mail servers.
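To show the difference between the blacklisting heal() posted in the previous message and the whitelisting approach recommended here, this added example (not code from the thread; the function name header_value_ok and the sample inputs are mine) runs both over a few constructed header values, including ones carrying control bytes that heal() does not know about.

```php
<?php
// Added example, not from the thread: blacklist heal() from the post above
// (condensed) next to a whitelist check, run over constructed inputs.

/* Blacklist: strips the specific sequences it knows about, passes the rest. */
function heal(string $str): string
{
    $injections = ['/\n+/', '/\r+/', '/\t+/', '/%0A+/i', '/%0D+/i', '/%08+/i', '/%09+/i'];
    return preg_replace($injections, '', $str);
}

/* Whitelist: a header value may contain only printable ASCII (0x20-0x7E)
 * and must stay within a sane length; every 0x00-0x1F byte is rejected. */
function header_value_ok(string $value, int $maxLen = 254): bool
{
    return strlen($value) <= $maxLen
        && preg_match('/\A[\x20-\x7E]*\z/', $value) === 1;
}

// Constructed samples: two normal values, then values that each carry a
// control byte a mail server may treat as a line break or field separator.
$samples = [
    'alice@example.com',
    'Alice Example',
    "alice@example.com\r\nBcc: someone@example.net",  // CR LF: heal() strips it, but the
                                                       // mangled result is still sent on
    "alice@example.com\x0bBcc: someone@example.net",  // vertical tab: heal() leaves it
    "alice@example.com\x00",                           // NUL byte: heal() leaves it
];

foreach ($samples as $s) {
    $healed  = heal($s);
    $stillControl = preg_match('/[\x00-\x1F]/', $healed) === 1;
    printf("%-52s after heal(): %-18s whitelist: %s\n",
        json_encode($s),
        $stillControl ? 'control byte left' : 'no control bytes',
        header_value_ok($s) ? 'accept' : 'reject');
}
```

The whitelist rejects every tampered value outright, whereas heal() silently forwards a value it has only partially cleaned, and never touches bytes outside its list.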