Header injection in mail()


Masca

Hi!  Please help!

I am going round in circles trying to ensure that my web form is safe from spammers.  I have been researching the subject for some time, and am desperately searching for a simple solution which I suspect does not exist.  Currently I am using the following:

[code]mail ("my_email_address", "Hardcoded subject", "$msg");[/code]

Therefore, I think that the only place where headers can be injected by spammers is within the $msg variable, which consists of the entries from several text fields within the form.  I am therefore considering stripping all colons ( : ) from $msg.  Will SMTP headers (e.g.: bcc:) work without the colon?  I have read about solutions using CAPTCHAs and stripping line returns, but I would like to avoid using either of these solutions if possible (for accessibility and retaining email formatting respectively).

Any help will be gratefully accepted.  TIA.

I think he is referring to someone forcing additional mail headers...for example using his mail line from above:

[code]mail ("my_email_address", "Hardcoded subject", "$msg");[/code]

if the value of $msg is:

[code]Hi from your friend!!!", "-f somemail@address.com[/code]

When the mail is sent by the mail function it would appear to be from somemail@address.com, not from the mail server.

From my understanding, the spammers often use the fact that two line breaks indicate the end of the header. So they will input things such as an email, then \r\n \r\n, and then their message, and it will ignore everything else after. So as part of my thing, I have a function:

[code]
// Remove CR and LF so the value cannot start a new header line.
function nospam($string){
  $string=str_replace("\n","",$string);
  $string=str_replace("\r","",$string);
  return $string;
}
//I wrap all input in this
$email=nospam($_POST['email']);
$subject=nospam($_POST['subject']);
[/code]

Now I am not that much of an expert in spamming or email header formats; this is just what I have read.

[quote author=Crayon Violent link=topic=118333.msg483506#msg483506 date=1165951053]
Wouldn't that remove all occurrences of \n\r, not just 2 occurrences of it?
[/quote]
Yes, but why would anyone ever need to submit any \r or \n in an email or subject field unless they are trying to cheat?

I personally use this function:

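[code]<?php

// Returns true if $text contains a string that looks like a mail/MIME header name.
function is_injection($text)
{
    // "~" is used as the delimiter because the pattern itself contains "/".
    $regex = '~(content\s*-\s*disposition)|(content\s*-\s*type)|(cc\:)|(content\s*-\s*transfer\s*-\s*encoding)|(mime\s*-\s*version)|(multipart\s*/\s*mixed)|(multipart\s*/\s*alternative)|(multipart\s*/\s*related)|(reply\s*-\s*to)|(x\s*-\s*mailer)|(x\s*-\s*sender)|(x\s*-\s*uidl)~i';

    $text = strtolower($text);

    // eregi() was removed in PHP 7; preg_match() with the "i" flag replaces it.
    return preg_match($regex, $text) === 1;
}

?>[/code]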


Orio.
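
The following is an added example, not code from any poster in this thread: it rejects CR/LF in the values that end up in mail headers (instead of silently stripping them) and leaves the message body's line breaks and colons untouched. The function names, the form field names, the Reply-To header and the sample submissions are assumptions made for illustration.

```php
<?php
// Added example, not from the thread. Function and field names are hypothetical.

/** True if a value bound for a mail header contains CR, LF or NUL. */
function has_header_break(string $value): bool
{
    return preg_match('/[\r\n\0]/', $value) === 1;
}

/**
 * Build the argument list for mail() from form input.
 * Returns null when a header-bound field fails validation.
 */
function build_mail_args(array $form): ?array
{
    $email   = trim((string)($form['email'] ?? ''));
    $subject = trim((string)($form['subject'] ?? ''));
    $body    = (string)($form['message'] ?? '');

    // Header-bound fields: reject the submission rather than repair it.
    if (has_header_break($email) || has_header_break($subject)) {
        return null;
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }

    // The body is passed as mail()'s third argument and keeps its formatting.
    return ['my_email_address', $subject, $body, 'Reply-To: ' . $email];
}

// Constructed sample submissions.
$samples = [
    'plain'    => ['email' => 'alice@example.com', 'subject' => 'Hello',
                   'message' => "Line one\nLine two: with a colon"],
    'injected' => ['email' => "alice@example.com\r\nBcc: list@example.com",
                   'subject' => 'Hello', 'message' => 'Hi'],
];

foreach ($samples as $name => $form) {
    $args = build_mail_args($form);
    echo $name, ': ', $args === null ? 'rejected' : 'accepted', "\n";
    // if ($args !== null) { mail(...$args); }
}
```

Rejected submissions are worth logging with the source IP, since a CR/LF in an email or subject field is rarely accidental.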