...

View Full Version : mail() from problem



pippin418
02-15-2010, 05:27 AM
So I have a script that allows you to send text messages from online, and it works perfectly... Except for the fact that the from address defaults to the default (set by the server). Here is the script:


<?php
date_default_timezone_set('EST');
$prov = stripslashes($_POST['prov']);
$to = stripslashes($_POST['num']);
$message = stripslashes($_POST['txt']);
$from = stripslashes($_POST['email']);
if ($from == "") {
$from = "anon@y.mous.com";
}
$headers = 'From: ' . $from . "\r\n"
. 'Reply-to: ' . $from;
$subject = stripslashes($_POST['name']);

if ($message == "") {
die("Please fill out the required forms.");
}
if ($to == "") {
die("Please fill out the required forms.");
}
if ($prov == "") {
die("Please fill out the required forms.");
}

switch ($prov) {
case "Verizon":
$to .= "@vtext.com";
break;
case "ATT":
$to .= "@txt.att.net";
break;
case "Alltel":
$to .= "@message.alltel.com";
break;
case "TMobile";
$to .= "@tmomail.net";
break;
case "VirginMobile";
$to .= "@vmobl.com";
break;
case "Cingular";
$to .= "@cingularme.com";
break;
case "Sprint";
$to .= "@messaging.sprintpcs.com";
break;
case "Nextel";
$to .= "@messaging.nextel.vom";
break;
case "USCellular";
$to .= "@email.uscc.net";
break;
case "Suncom";
$to .= "@tms.suncom.com";
break;
case "Powertel";
$to .= "@ptel.net";
break;
case "MetroPCS";
$to .= "@MyMetroPcs.com";
break;
default:
echo "Select a provider.";
break;
}
$file = "logs/index.php";
$fh = fopen($file, 'a') or die("can't open file");
$string = "\$to = $to<br>
\$prov = $prov<br>
\$message = $message<br>
\$from = $from<br>
\$headers = $headers<br>
Date = " . date("F j, Y, g:i a") . "<br>
IP Address = " . $_SERVER['REMOTE_ADDR'] . "<br>
<br>";
fwrite($fh, $string);
if (mail($to, $subject, $message, $headers))
{
$string2 = "Mail sent to $to!<br><br>";
fwrite($fh, $string2);
echo "Mail sent to " . $to . "!";
}
else
{
$string3 = "Sorry Server Error.<br><br>";
fwrite($fh, $string3);
echo "Sorry Server Error.";
}
fclose ($fh);
?>

I can't figure out why it won't work.

mlseim
02-15-2010, 01:50 PM
You didn't show us your form ...
Are you sure that the user's email variable name is "email" and NOT "from"?

$from = stripslashes($_POST['email']);

pippin418
02-15-2010, 08:11 PM
<html>
<head>
<link rel="shortcut icon" type="image/x-icon" href="favicon.ico">
<title>txtNow!</title>
<script language="javascript" type="text/javascript">
function limitText(limitField, limitCount, limitNum) {
if (limitField.value.length > limitNum) {
limitField.value = limitField.value.substring(0, limitNum);
} else {
limitCount.value = limitNum - limitField.value.length;
}
}
</script>
<style language="text/css">
input {font-family:"Lucida Sans Unicode", "Lucida Grande", sans-serif;}
textarea {font-family:"Lucida Sans Unicode", "Lucida Grande", sans-serif;}
body {font-family:"Lucida Sans Unicode", "Lucida Grande", sans-serif; background-image:url('back.png'); background-repeat: no-repeat; background-position: center center;}
#prov {width: 150px;}
#footer {position: fixed; width: 100%; top: auto; right: 0; bottom: 0; left: 0; font-size: 8px;}
</style>
</head>
<body>
<form method="post" action="txt.php">
<div id="prov" style="float: right";>
Select recipient service provider:*<br>
<input type="radio" name="prov" value="Verizon"> Verizon<br>

<input type="radio" name="prov" value="ATT"> AT&T<br>
<input type="radio" name="prov" value="Alltel"> Alltel<br>
<input type="radio" name="prov" value="TMobile"> T-Mobile<br>
<input type="radio" name="prov" value="VirginMobile"> Virgin Mobile<br>
<input type="radio" name="prov" value="Cingular"> Cingular<br>
<input type="radio" name="prov" value="Sprint"> Sprint<br>

<input type="radio" name="prov" value="Nextel"> Nextel<br>
<input type="radio" name="prov" value="USCellular"> US Cellular<br>
<input type="radio" name="prov" value="SunCom"> SunCom<br>
<input type="radio" name="prov" value="Powertel"> Powertel<br>
<input type="radio" name="prov" value="MetroPCS"> Metro PCS
</div>
Recipient number (10 digits):*<br><input type="text" name="num" size="10" maxlength="10"><br>

Your email (if you want to recieve replies, defaults to
anon@y.mous.com):<br><input type="text" size="30" name="email"><br>
Your name (will appear as subject):<br><input type="text" name="name"><br>
Message (100 characters max):*<br>
<textarea name="txt" onKeyDown="limitText(this.form.txt.form.countdown,100);"
onKeyUp="limitText(this.form.txt,this.form.countdown,100);">
</textarea><br>
<span style="font-size: 10px;">You have <input readonly type="text" name="countdown" size="3" value="100"> characters left.</span><br>
<input type="submit" value="txtNow!">
</form>
<div id="footer">
By clicking "txtNow!" you verify that you know all information you submit and your IP address will be logged for safety/security purposes, and that these can be used against you if you commit a crime using this service.
</div>

</body>
</html>


Positive. (The Your email part)

mlseim
02-15-2010, 08:16 PM
Try this ...

change these lines:
$from = stripslashes($_POST['email']);
if ($from == "") {
$from = "anon@y.mous.com";
}

To:
$from = "anon@y.mous.com";
if(isset($_POST['email'])){
$from = stripslashes($_POST['email']);
}

pippin418
02-15-2010, 11:30 PM
No go. Still sets the email as:

pippin@cp01.lond03.uk.ltt.net
(pippin is my cP name/hosting name so that makes sense)

mlseim
02-16-2010, 01:06 AM
The way I understand it ...

1) if they enter an email address, the $from shows their email address.
2) if they do not enter an email address (leave it blank), it makes $from the default.

Is that correct?

Try your form again, and enter johndoe@aol.com as your email.
See if $from shows up as "johndoe@aol.com".

pippin418
02-16-2010, 05:03 AM
Right and wrong. When they don't enter an email it defaults to anon@y.mous.com


$from = "anon@y.mous.com";
if(isset($_POST['email'])){
$from = stripslashes($_POST['email']);
}

$to = XXXXXXXXXX@vtext.com
$prov = Verizon
$message = Test
$from = johndoe@aol.com
$headers = From: johndoe@aol.com Reply-to: johndoe@aol.com
Date = February 16, 2010, 12:00 am
IP Address = XX.XX.XX.XX

Mail sent to XXXXXXXXXX@vtext.com!

I copied that directly from my log file. (I obviously edited out my number and IP)

So yup all checks out.

SKDevelopment
02-16-2010, 09:15 AM
Just in case: Please notice that your script is not really secure. It could be attacked with Mail Injection attacks. $_POST['num'] and $_POST['email'] could be used directly for it. They must be validated with regular expressions to make sure they contain only 1 e-mail address and nothing else. Also $_POST['name'] must be validated not to contain any new line and carriage return characters since it goes into subject which is part of the mail headers. Also you could need some good CAPTCHA at your mail form. Or the attacker could simply call your mail script in a loop for many times sending 1 message at a time no matter you have validation or not.

All this would lessen the possibility of the form abusing but would not exclude it at all. Still the attacker would be able to send an e-mail from any e-mail to any e-mail manually. Because both FROM: and TO: mail headers are formed by the POST variables.

There are could be more security problems I have not noticed at the first glance.

My point is: this script is better very seriously analyzed and secured before you use it at the production environment.

mlseim
02-16-2010, 01:04 PM
Pippin, so it's working correctly?

When you enter johndoe@aol.com it shows up?
If you leave it blank, it switches to default?

pippin418
02-17-2010, 02:19 AM
Nope, the from variable is johndoe@aol.com

But it still goes to the server default...

mlseim
02-17-2010, 02:31 AM
Here's a quote from post #1:
"Except for the fact that the from address defaults to the default "

But now you're talking about the to address .... ???

What the heck does this, $from = "anon@y.mous.com";
have to do with who the email is sent to?

pippin418
02-17-2010, 02:38 AM
Where did I say to? The from address is the problem

"Nope, the from variable is johndoe@aol.com"

mlseim
02-17-2010, 03:17 AM
So I'm referring to this line in your form ....
Your email (if you want to recieve replies, defaults to anon@y.mous.com):<br><input type="text" size="30" name="email"><br>

If a person types "billsmith@aol.com" into that text box, the $from variable will be "billsmith@aol.com".

If a person leaves the text box BLANK, the $from variable will be "anon@y.mous.com".

Post #7 ... quote: "So yup all checks out."
Post #10 .... quote" "Nope, the from variable is johndoe@aol.com ... But it still goes to the server default... "

Is it a "yup" or a "nope"?


.

DaiWelsh
02-17-2010, 11:28 AM
Depending on the server set-up you may not be able to set the from address or you may be able to but only by using a command line parameter. Check the php manual for mail and you will see:


The additional_parameters parameter can be used to pass additional flags as command line options to the program configured to be used when sending mail, as defined by the sendmail_path configuration setting. For example, this can be used to set the envelope sender address when using sendmail with the -f sendmail option.

so try adding an extra fifth parameter to the mail call with '-f '.$from.

Note however that:

The server may (should?) not be happy sending emails claiming to be from a domain it does not control so it may refuse
Allowing the client to specify the from address, to address and message content is an invitation to spammers, basically you have just created a method for them to send thousands of their spams all around the world using your server (or your host's servers). This will get the server blacklisted and more than likely get you thrown off your hosting.
Even if you only allow to address to come from the client you need to sanitise it very carefully to avoid email header injection (especially be careful of CRLF), otherwise again you have created a lovely spam tool
.

Sorry to be a doom and gloom merchant, but email forms are a prime attack vector and spammers are just waiting for a script like this to make their day.

pippin418
02-17-2010, 06:51 PM
So I'm referring to this line in your form ....
Your email (if you want to recieve replies, defaults to anon@y.mous.com):<br><input type="text" size="30" name="email"><br>

If a person types "billsmith@aol.com" into that text box, the $from variable will be "billsmith@aol.com".

If a person leaves the text box BLANK, the $from variable will be "anon@y.mous.com".

Post #7 ... quote: "So yup all checks out."
Post #10 .... quote" "Nope, the from variable is johndoe@aol.com ... But it still goes to the server default... "

Is it a "yup" or a "nope"?


.

I was talking about the from variable is what you entered in the email form for "yup".

You're right about:
If a person types "billsmith@aol.com" into that text box, the $from variable will be "billsmith@aol.com".

If a person leaves the text box BLANK, the $from variable will be "anon@y.mous.com".

pippin418
02-17-2010, 06:52 PM
Depending on the server set-up you may not be able to set the from address or you may be able to but only by using a command line parameter. Check the php manual for mail and you will see:



so try adding an extra fifth parameter to the mail call with '-f '.$from.

Note however that:

The server may (should?) not be happy sending emails claiming to be from a domain it does not control so it may refuse
Allowing the client to specify the from address, to address and message content is an invitation to spammers, basically you have just created a method for them to send thousands of their spams all around the world using your server (or your host's servers). This will get the server blacklisted and more than likely get you thrown off your hosting.
Even if you only allow to address to come from the client you need to sanitise it very carefully to avoid email header injection (especially be careful of CRLF), otherwise again you have created a lovely spam tool
.

Sorry to be a doom and gloom merchant, but email forms are a prime attack vector and spammers are just waiting for a script like this to make their day.

My anonymous mail script sends them fine, it's not that the server won't send it as a different server. It must be the script...

DaiWelsh
02-17-2010, 09:29 PM
My anonymous mail script sends them fine, it's not that the server won't send it as a different server. It must be the script...

:confused: what anonymous mail script? Are you saying you have another php script using mail() on the same server that sets the from address ok, but this script doesn't? If so, perhaps a review of the code of the one that works would help?

If not then what do you mean? Does it ever set the from address correctly and if so when? Have you checked the headers of the message you receive directly to see what headers are actually set, or are you just looking at the from address in your mail client?

I have had problems before with servers wanting to over-ride from and/or reply-to headers, but I think it was solved by the -f parameter as mentioned above hence why I mentioned it.

I would create a simple test script that hard codes values and calls mail() direclty and tets that. If that works then it must be that the wrong values are being passed to your mail() call in which case dump them just prior to the mail() call and work backwards from there.

pippin418
02-18-2010, 12:43 AM
Yeah, I have a script for anonymous mail (sent from any address), and it sends the message with the from variable fine.

DaiWelsh
02-18-2010, 12:21 PM
Ok, so compare the code for that (can you post it here?) with your current script and you may see a difference that explains the problem. If I have time later I will try to put your script on my server but I may not and it may not shed any light anyway if the problem is one of server config (though it now seems it shouldn't be).



EZ Archive Ads Plugin for vBulletin Copyright 2006 Computer Help Forum