
What is the vulnerability of PHP's mail() function?

Spammers increasingly abuse web contact forms that send e-mail with PHP, either to send bulk unsolicited mail or to send messages that cannot be traced back to them. The technique, known as mail header injection, exploits the way PHP's mail() function handles its header argument: any form that passes visitor-entered data to mail() without validating it properly can be made to add arbitrary headers, and therefore arbitrary recipients, to the outgoing message.


How does this abuse work?
Consider a simple example. Suppose our site has a field in which the visitor enters their e-mail address:

<input name="email" type="text" value="Enter your email here" />


The address entered in this field is sent to the server, where the PHP script places it in a From: header that is passed to mail(), so that the message that reaches our mailbox shows the visitor's address as the sender. Now, the PHP mail() function

mail($to, $subject, $message, $additional_headers);

does not interpret the headers it is given: the extra-headers string is handed to the mail transfer agent line by line, so a line break inside it starts a new header. If we therefore enter the following in the e-mail field of the form:

"[email protected]%0ACc:[email protected]%0ABcc:[email protected],[email protected]"

the first address becomes the From: (the sender address the spam victims will see); %0A is the URL-encoded line feed character <LF> (byte 0x0A), which the web server decodes before the script sees it; Cc: (carbon copies) holds the address or addresses of the victims; and Bcc: (blind carbon copies) holds further victim addresses that do not appear in the delivered message.

Part of the header of the e-mail generated by our abused form will then be:

To: [email protected]
Subject: Subject of the message
From: [email protected]
Cc: [email protected]
Bcc: [email protected],[email protected]

With this, the spammer has used our form to send bulk mail to recipients of their choosing, and the message leaves our server rather than theirs.

This is the most basic case. Because each injected line becomes a header, the attacker can also overwrite the subject, set Content-Type: text/html and, by injecting an empty line, end the header block and supply an entire message body of their own, so the message can carry HTML content that has nothing to do with our form.
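The following script, an added example that is not part of the original article, shows the mechanism described above without sending anything. It builds the additional-headers string exactly as a naive form handler would (the visitor's address dropped straight into From:), then splits it into the lines the mail transfer agent would receive. Both payloads and all addresses are constructed sample data: the first is the article's %0A payload with example.org victims, the second is the blank-line trick that injects an HTML body.

```php
<?php
// Added example, not code from the original article. Nothing is sent:
// the script only builds the additional-headers string the way a naive
// form handler does and shows how line breaks in the "email" field
// become extra header lines. Addresses are constructed sample data.

// The naive pattern the article describes: the visitor's address is
// dropped straight into a From: header that is passed to mail().
function build_naive_headers(string $visitorEmail): string
{
    return "From: " . $visitorEmail . "\r\n";
}

// Split a header block into the lines the mail transfer agent will see.
// A bare LF is accepted as a line ending, as sendmail-style MTAs do.
function header_lines(string $headers): array
{
    return preg_split("/\r\n|\n|\r/", rtrim($headers, "\r\n"));
}

// Collect every address added through injected To:/Cc:/Bcc: lines.
function injected_recipients(string $headers): array
{
    $found = [];
    foreach (header_lines($headers) as $line) {
        if (preg_match('/^(?:Cc|Bcc|To):\s*(.+)$/i', $line, $m)) {
            foreach (explode(',', $m[1]) as $addr) {
                $found[] = trim($addr);
            }
        }
    }
    return $found;
}

// Constructed inputs. The web server URL-decodes the form body before
// PHP sees it, so the %0A from the article is already a line feed here.
$inputs = [
    'normal'   => 'visitor@example.com',
    'spam'     => urldecode('sender%40example.net%0ACc:victim1%40example.org%0ABcc:victim2%40example.org,victim3%40example.org'),
    // Second payload: ends the header block with an empty line and
    // supplies an HTML body of its own, as described above.
    'htmlbody' => "sender@example.net\nContent-Type: text/html; charset=UTF-8\n\n<b>Unsolicited content</b>",
];

foreach ($inputs as $label => $email) {
    $headers = build_naive_headers($email);
    echo "== $label ==\n";
    foreach (header_lines($headers) as $line) {
        echo "  | ", $line, "\n";
    }
    echo "  extra recipients: ", count(injected_recipients($headers)), "\n\n";
}
```

Run it with `php` from the command line: the "normal" input yields a single From: line, the "spam" input yields three extra recipients spread over Cc: and Bcc:, and the "htmlbody" input shows the empty line that ends the headers followed by the attacker's body. Current PHP releases refuse an additional-headers string that contains consecutive line breaks, which blocks the third payload when it reaches mail() itself, but single injected header lines still pass through, so the form must validate its input regardless.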


What consequences does this abuse have?
First, our form is being used for an activity that the vast majority of us object to. It also consumes the server's available bandwidth, affecting the other sites hosted on it, so the site in question will be suspended until the problem is resolved. Finally, if a spam complaint is received, the account must be suspended in accordance with the legal terms of our service. Each user is responsible for using sufficiently secure code on their website and for correcting it where necessary.


How do we prevent our form from being abused?
First of all, it is worth clarifying that this abuse affects only forms that pass visitor-entered data to PHP's mail() function for processing and sending.

If you use a PHP script that you did not write yourself, such as formailphp, update it to the most recent version and make sure that version addresses this kind of abuse.

If you wrote the script yourself, or know enough to edit it, the function below can be used to validate the data entered before it reaches mail().

<?php
function ValidateData($field){
    // Array with the header names a spammer is likely to inject
    $badHeads = array("Content-Type:",
        "MIME-Version:",
        "Content-Transfer-Encoding:",
        "Return-Path:",
        "Subject:",
        "From:",
        "Reply-To:",
        "Envelope-To:",
        "To:",
        "Cc:",
        "Bcc:");

    // We check, case-insensitively, that the data does not include any
    // of the array strings. If one is found, we answer 403 Forbidden
    // and stop processing the form
    foreach($badHeads as $value){
        if(strpos(strtolower($field), strtolower($value)) !== false){
            header("HTTP/1.0 403 Forbidden");
            exit;
        }
    }
}

// Example of function calls: run it on every field that reaches mail()
ValidateData($_POST['email']);
ValidateData($_POST['subject']);
ValidateData($_POST['message']);
?>

This function is deliberately basic; adapt it to the script that processes your form and add your own error handling. For fields that belong on a single header line (the address, the subject) a stricter rule is better: reject the value if it contains any carriage return or line feed at all, since the line break is what makes the injection possible. Only the message body legitimately contains line breaks, and it is never placed in a header.
Remember to validate hidden form fields too: a spammer can change them as easily as visible ones, and any of them passed to mail() is an injection point.
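As an added example, not code from the original article, the handler below applies those rules together: it rejects any CR, LF or NUL in every value bound for a header, validates the address with filter_var(), keeps From: under the site's control by putting the visitor's address in Reply-To: instead, checks hidden fields the same way, and passes the headers to mail() as an array, which PHP accepts since 7.2. The addresses, the hidden field names "source" and "page", and the two sample requests are assumptions made up for the example; nothing is sent unless you uncomment the mail() call.

```php
<?php
// Added example, not code from the original article: a hardened form
// handler. It rejects any CR/LF in every value that ends up in a header,
// validates the address with filter_var(), keeps From: under the site's
// control (the visitor's address goes in Reply-To:), and passes headers
// to mail() as an array (supported since PHP 7.2). Names, addresses and
// hidden-field names are assumptions for the example.

// True when the value can safely occupy a single header line.
function is_single_line(string $value): bool
{
    return preg_match('/[\r\n\x00]/', $value) === 0;
}

// Returns the validated address, or null if it is not a usable e-mail.
function clean_email(string $value): ?string
{
    $value = trim($value);
    if (!is_single_line($value)) {
        return null;
    }
    $ok = filter_var($value, FILTER_VALIDATE_EMAIL);
    return $ok === false ? null : $ok;
}

// Builds the four mail() arguments from the POSTed form, or returns null
// when any header-bound field is unsafe. $siteFrom and $recipient are
// fixed by the site, never by the visitor.
function build_mail(array $post, string $siteFrom, string $recipient): ?array
{
    $email   = clean_email((string)($post['email'] ?? ''));
    $subject = trim((string)($post['subject'] ?? ''));
    $body    = (string)($post['message'] ?? '');

    if ($email === null || $subject === '' || !is_single_line($subject)) {
        return null;
    }
    // Hidden fields are visitor-controlled too; treat them like the others.
    foreach (['source', 'page'] as $hidden) {
        if (isset($post[$hidden]) && !is_single_line((string)$post[$hidden])) {
            return null;
        }
    }

    $headers = [
        'From'         => $siteFrom,
        'Reply-To'     => $email,
        'Content-Type' => 'text/plain; charset=UTF-8',
    ];
    // The body may contain line breaks: it is not a header.
    return [$recipient, $subject, $body, $headers];
}

// Constructed requests: one honest, one carrying the injection payload.
$honest = ['email' => 'visitor@example.com', 'subject' => 'Question', 'message' => "Hello,\nis the product in stock?"];
$spam   = ['email' => "sender@example.net\nBcc:victim@example.org", 'subject' => 'Hi', 'message' => 'x'];

foreach (['honest' => $honest, 'spam' => $spam] as $label => $post) {
    $args = build_mail($post, 'webmaster@example.com', 'contact@example.com');
    if ($args === null) {
        // In a real handler: header("HTTP/1.0 403 Forbidden"); exit;
        echo "$label: rejected\n";
        continue;
    }
    echo "$label: would send to {$args[0]} with Reply-To {$args[3]['Reply-To']}\n";
    // mail(...$args);   // uncomment to actually send
}
```

The "honest" request passes and the "spam" request is rejected before any header is built. Putting the visitor's address in Reply-To: rather than From: also keeps the message from being rejected or flagged by receiving servers that check whether the From: domain is allowed to send through your server.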

We hope this information is useful and helps us, together, to minimise the impact of these kinds of acts and to make efficient use of the service.

For any additional questions, please contact the support desk.
