
php based outgoing email and security issues? (source info insecure)



#1 mmosel

mmosel
  • Members
  • Advanced Member
  • 66 posts

Posted 08 July 2006 - 03:15 AM

Hi all, I'm hoping that maybe some expert in here has had some experience with this or might have some ideas. I have my PHP scripts that handle my back-end ecommerce processing (notification scripts) send out emails to my customers. I'm hosting on a shared server. While inspecting the emails that my customers receive, I've noticed that there is some very sensitive data that gets included with each email. Such as what machine I'm on at what host. What my username is at this host. And now they have X-AntiAbuse header data that actually shows the name of my script and its directory! This just seems so lame. Why can't they wrap it in an alias or something?

Anyway, I need to find a way to secure this information. They aren't being very helpful. So, is there a way that I can use PHP to perhaps forward this email to a service or something that would cleanse this info and then send the email to my customer? Or, are there any other ways that I might be able to get around this?

Thanks for any tips or ideas that you may have.

#2 Travis Estill

Travis Estill
  • Members
  • Member
  • 13 posts

Posted 08 July 2006 - 03:39 AM

Hi there,

I've noticed this as well. I'm guessing the mail function appends those headers? Perhaps if you connect directly to the SMTP server you can have more control of the headers and get around that. There are some classes to do this at phpclasses.org.

Travis
Freelance Web Developer with a focus on PHP/MySQL

Angel-Stones.com
ClanQ3.com

#3 mmosel

mmosel
  • Members
  • Advanced Member
  • 66 posts

Posted 08 July 2006 - 04:57 AM

Thanks for the tip. I am using PHPMailer, which works wonderfully, but I was using the IsMail and IsSendmail functions. These functions were making the headers much worse than they needed to be. I switched to using the SMTP feature in my script, and it has eliminated some of my concerns from the source info. It still shows my server and host, but it doesn't show my username and the X-AntiAbuse doesn't show the script name that generated the email! Not perfect, but better!
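
A way to check what a given mail transport still discloses, as an added example that is not part of the original thread: a Python script (so it can be run on a saved copy of a received message, away from the web host) that lists the headers exposing the account name, server or script path. The sample message is constructed; X-AntiAbuse is the header named in the thread, while the X-Source-* and X-PHP-* header names and the Received pattern are assumptions about what a shared host adds.

```python
import re
from email import message_from_string

# Constructed sample: headers of the kind a shared host adds to mail sent
# through PHP mail()/sendmail. All hosts, users and paths are made up.
SAMPLE = """\
Received: from acctuser by box12.hosting.example with local (Exim 4.52)
\t(envelope-from <acctuser@box12.hosting.example>) id 1Fz0aB-0001cD-Ef
\tfor customer@mail.example; Sat, 08 Jul 2006 03:00:00 -0400
To: customer@mail.example
Subject: Your order
From: Shop <orders@shop.example>
X-AntiAbuse: Primary Hostname - box12.hosting.example
X-AntiAbuse: Originator/Caller UID/GID - [32015 32015] / [47 12]
X-Source-Args: /usr/bin/php /home/acctuser/public_html/shop/notify.php
X-Source-Dir: shop.example:/public_html/shop

Thanks for your order.
"""

# Header names that exist only to identify the sending account or script.
# X-AntiAbuse is named in the thread; the other names are assumptions.
TRACKING = re.compile(
    r"^(x-antiabuse|x-source(-args|-dir)?|x-php-(originating-)?script)$", re.I)
# Home-directory or web-root paths appearing in any header value.
PATH = re.compile(r"(/home\d*/[^/\s]+(?:/\S*)?|/public_html\S*)")
# Locally submitted mail: "from <account> by <server> with local".
LOCAL_USER = re.compile(r"from (\S+) by (\S+) with local")

def audit(raw):
    """Return (header, reason, evidence) for headers disclosing hosting details."""
    findings = []
    for name, value in message_from_string(raw).items():
        value = " ".join(value.split())  # unfold continuation lines
        m = PATH.search(value)
        if m:
            findings.append((name, "filesystem path", m.group(1)))
        elif TRACKING.match(name):
            findings.append((name, "host tracking header", value))
        m = LOCAL_USER.search(value) if name.lower() == "received" else None
        if m:
            findings.append((name, "local account and server",
                             f"{m.group(1)}@{m.group(2)}"))
    return findings

if __name__ == "__main__":
    for name, reason, evidence in audit(SAMPLE):
        print(f"{name:14} {reason:26} {evidence}")
```

Running it on a message sent before and after a transport change shows which of these disclosures actually went away.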





