FreeBSD Server Administration


November 16, 2005

Contact Form Abused Through BCC Field

A simple contact form on my website was abused to send spam. For about two weeks I had been receiving odd messages through the form; I assumed they came from someone with too much time on their hands and paid no attention, until bounces started coming back from other mail servers. When I checked the mail queue I was shocked to find several messages still waiting, each with a very long recipient list.

Here is my original code:

// $name, $email, $message and $subject are the raw form fields
// (register_globals-era PHP: nothing has validated them yet).
$name = trim($name);
$email = trim($email);
$message = trim($message);

if(!$name)
    print ("Please input your name!");

else if(!$email)
    print ("Please fill in your e-mail address!");

else if(!$message)
    print ("Please input your message!");

else
{
    $recipient = "my email address";

    // The From: header is built by concatenating the untrusted name and
    // address directly; a CR/LF inside either one starts a new header line.
    $extra = "From: \"" . $name;
    $extra .= "\" <";
    $extra .= $email;
    $extra .= ">";
    $ip = $HTTP_SERVER_VARS['REMOTE_ADDR'];
    $message .="\r\n\r\nSender IP: ".$ip;

    mail($recipient, $subject, $message, $extra);
}


The code above passes "name" and "email" straight into the additional-headers argument of mail() without checking them for line breaks. A spammer only has to put a carriage-return/line-feed sequence into either field, followed by a header of their own, and the mail server treats that as a separate header line. For example, a "name" of Joe followed by %0D%0A and Bcc: with a comma-separated list of addresses turns the single From: line into a From: line plus a Bcc: line carrying as many recipients as the spammer likes, which explains the long recipient lists sitting in the queue.

The problem was fixed by adding some checking code:

// Removes anything after the first line ending (including that line ending),
// so a value can only ever occupy one header line.
function b4nl($string)
{
    return preg_replace("!(\r|\n).+$!sU", '', $string);
}

// This function is copied from vBulletin. It accepts no whitespace at all,
// so an address containing CR or LF fails validation here as well.
function is_valid_email($email)
{
    return preg_match('#^[a-z0-9.!\#$%&\'*+-/=?^_`{|}~]+@([0-9.]+|([^\s]+\.+[a-z]{2,6}))$#si', $email);
}

$name = trim($name);
$email = trim($email);

// Make sure $name and $email can't carry a long e-mail list: no '@' in the
// name, and hard length limits on both fields. Anything that trips this is
// an attack rather than a typo, so just stop.
if((strpos($name, '@')!==false) || strlen($email)>50 || strlen($name)>30 )
    die();

$message = trim($message);

if(!$name)
    print ("Please input your name!");

else if(!is_valid_email($email))
    print ("Please fill in your e-mail address!");

else if(!$message)
    print ("Please input your message!");

else
{
    $recipient = "my email address";
    $extra = "From: \"" . b4nl($name);
    $extra .= "\" <";
    $extra .= b4nl($email);
    $extra .= ">";
    $ip = $HTTP_SERVER_VARS['REMOTE_ADDR'];
    $message .="\r\n\r\nSender IP: ".$ip;

    mail($recipient, $subject, $message, $extra);
}
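To make both the attack described after the original code and the checks in the fixed version concrete, here is an added example; it is not code from the original post. It assembles the From: header exactly the way the vulnerable form did, feeds it a constructed attacker payload so the injected Bcc: line can be seen, and puts a hardened builder beside it that rejects any header-bound field containing CR or LF, validates the address with PHP's filter_var(), caps lengths, and applies the same rule to the subject, which the fixed code above still passes into mail() unchecked. Nothing here calls mail(); the functions just return the header block for inspection. The function names, the payload and the example.com/example.net addresses are constructed for this demonstration, and the code assumes PHP 7 or later.

```php
<?php
// Added demonstration, not the original post's code. Builds mail headers
// first the way the vulnerable form did, then the way a hardened form
// should, without ever calling mail().

// Vulnerable: untrusted $name and $email go into the header block as-is.
function build_headers_vulnerable(string $name, string $email): string
{
    $extra  = "From: \"" . $name;
    $extra .= "\" <";
    $extra .= $email;
    $extra .= ">";
    return $extra;
}

// Throws if a value that will land in a header line contains CR or LF.
// Rejecting is safer than silently truncating: a request carrying a line
// break in "name" is an attack, not a typo.
function assert_single_line(string $field, string $value): string
{
    if (preg_match('/[\r\n]/', $value)) {
        throw new InvalidArgumentException("$field contains a line break");
    }
    return $value;
}

// Hardened: every header-bound field (subject included) is checked for
// line breaks, the address must pass PHP's e-mail validator, and lengths
// are capped so a long recipient list cannot be smuggled in at all.
function build_headers_hardened(string $name, string $email, string $subject): array
{
    $name    = assert_single_line('name', trim($name));
    $email   = assert_single_line('email', trim($email));
    $subject = assert_single_line('subject', trim($subject));

    if (strlen($name) > 30 || strlen($email) > 50 || strlen($subject) > 100) {
        throw new InvalidArgumentException('field too long');
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('invalid e-mail address');
    }
    // The display name is quoted, so drop the only characters that could
    // end the quoted string early.
    $display = str_replace(['"', '\\'], '', $name);

    return [
        'subject' => $subject,
        'headers' => "From: \"$display\" <$email>",
    ];
}

// Constructed attacker payload: a "name" that terminates the From: line
// and appends a Bcc: header with its own recipient list.
$evil_name  = "Joe\r\nBcc: victim1@example.com, victim2@example.com, victim3@example.com";
$evil_email = "joe@example.net";

echo "--- vulnerable header block ---\n";
echo build_headers_vulnerable($evil_name, $evil_email), "\n";

echo "--- hardened builder, same payload ---\n";
try {
    build_headers_hardened($evil_name, $evil_email, 'hello');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}

echo "--- hardened builder, legitimate input ---\n";
$ok = build_headers_hardened('Joe', 'joe@example.net', 'hello');
echo $ok['headers'], "\n";
```

Run as written, the vulnerable builder returns a block whose first line is From: "Joe and whose second line begins Bcc: and lists the three addresses; a mail transfer agent treats that second line as a genuine Bcc: header, which is how one form submission fans out to many recipients. The hardened builder refuses the same payload at the line-break check before any address validation runs, and accepts the plain name and address. Recent PHP releases also refuse an additional-headers string containing malformed newline sequences, but a form should not depend on that; validate at the point where untrusted input meets the header.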


Category : Security

Posted by FreeBSD Newbie at November 16, 2005 11:08 AM

Comments

Thanks for this, your post stirred something in my memory, and I tracked down a vulnerable form on my server :)

Posted by Ian at November 23, 2005 10:31 AM
