nevesgodnroc Posted October 4, 2008 Share Posted October 4, 2008 one of my clients has just recently started getting spam emails through his contact form that i put on his website. the attacker using very obviously bad domain for email address. and my checkdnsrr function always returns true. I have hosted this site for about two years now and this just started happening in the last few months. Quote Link to comment Share on other sites More sharing options...
R0bb0b Posted October 4, 2008 Share Posted October 4, 2008 What are you currently doing to prevent header injection? Do you know if this person is actually using form at all? Quote Link to comment Share on other sites More sharing options...
nevesgodnroc Posted October 4, 2008 Author Share Posted October 4, 2008 no i am not sure whether they are using the form but i will look into header injection right away. do you have any idea why the checkdnsrr function would always returrn true? if(eregi ("^[[:alnum:]][a-z0-9_.-]*@[a-z0-9.-]+\.[a-z]{2,6}$", stripslashes(trim($email)))){ $test = 0; }else{ $test = 1; }// endif if ($test == 0){ list($userName, $mailDomain) = split("@", $email); if (!checkdnsrr($mailDomain, "MX")) { echo ("<br><h1>email address appears to be invalid!</h1><br>"); return false; }else { return true; } // end if }else{ //test must = 1 (contains bad character) echo ("<br><h1>email address appears to be invalid!</h1><br>"); return false; }//end if $test==0 clause hope you can see something. Thanks Quote Link to comment Share on other sites More sharing options...
R0bb0b Posted October 4, 2008 Share Posted October 4, 2008 I don't know about the checkdnsrr function but one thing that I would consider is putting a captcha on the form. Are you calling the function with the entire email address or are you doing something like this: <? list($user, $host) = explode("@", $_POST['email']); $hostvalid = checkdnsrr($host, "MX"); ?> Quote Link to comment Share on other sites More sharing options...
nevesgodnroc Posted October 4, 2008 Author Share Posted October 4, 2008 yes i am just calling the checkdnsrr function with the domain name only Quote Link to comment Share on other sites More sharing options...
PFMaBiSmAd Posted October 4, 2008 Share Posted October 4, 2008 So check what your code is actually doing. See what is in $mailDomain and then check out that domain and see if there is an MX record. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.