Secure Email Script?


Gio

There have been problems with my usage of the php mail function.

 

Technical support wrote me this:

"If you use email scripts you will need to ensure that they are secure and not capable of being email injected / Exploited."

 

This was the code in my php file:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

$subject='somthing';
$message='Your username is: abc';

// Extra headers passed to mail() as its fourth argument
$headers = "MIME-Version: 1.0\n";
$headers .= "Content-type: text/plain; charset=iso-8859-1\n";
$headers .= "X-Priority: 3\n";
$headers .= "X-MSMail-Priority: Normal\n";
$headers .= "X-Mailer: PHP/"."MIME-Version: 1.0\n";
$headers .= "From: me\n";

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

What should I change to comply with TC guidelines?

 

Thanks,

 

Gio

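One way to guard a `mail()` call against the header injection technical support refers to, shown as an added example that is not part of the original thread. The function names, the fixed `webmaster@example.com` address and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example: function names, addresses and sample inputs are constructed.

// True if a value bound for a mail header contains CR, LF or NUL, any of
// which would let the submitter end the current header and start another.
function has_header_break(string $value): bool
{
    return preg_match('/[\r\n\0]/', $value) === 1;
}

// Build the arguments for mail() from untrusted form fields.
// Returns [to, subject, body, headers], or null if the input is rejected.
function build_mail(string $userEmail, string $userSubject, string $userBody): ?array
{
    foreach ([$userEmail, $userSubject] as $field) {
        if (has_header_break($field)) {
            return null;
        }
    }
    if (filter_var($userEmail, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    // From and To are fixed by the site and never taken from the form.
    // The visitor's address only appears in Reply-To, after validation.
    $headers = [
        'MIME-Version: 1.0',
        'Content-Type: text/plain; charset=utf-8',
        'From: webmaster@example.com',
        'Reply-To: ' . $userEmail,
    ];
    // The body follows the header block, so line breaks there add no headers.
    return ['webmaster@example.com', $userSubject, $userBody, implode("\r\n", $headers)];
}

// Constructed inputs: one normal, two carrying an extra header line.
$samples = [
    ['visitor@example.org', 'Question about my account'],
    ["visitor@example.org\r\nBcc: other@example.net", 'Question'],
    ['visitor@example.org', "Hello\nX-Injected: 1"],
];
foreach ($samples as [$email, $subject]) {
    $args = build_mail($email, $subject, "Your username is: abc\r\n");
    echo $args === null ? "rejected\n" : "accepted\n";
    // if ($args !== null) { mail(...$args); }  // send only validated input
}
```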

  • 2 months later...

Hello All,

 

I am bothered by the same issue here. All my sites' email functions are shut down and I was asked to use the PHPMailer class instead of the PHP mail() function.

 

However, I installed the class, which was not a problem for one function on one script, and tested it and got the same result: it doesn't work and the mail gets bounced back to me.

 

My issue is this: I don't see how Total Choice could possibly expect each webmaster on their server to use one phpmail program or another when most of the time we purchase these scripts, i.e. wowbb, vBulletin, linking scripts and on and on, from other sources. To say that we have to edit the code to install some other PHP script just doesn't seem realistic to me. Since what will happen is the script you've decided to promote as secure suddenly gets HACKed by some 8 year old with nothing better to do...LOL and we are back in the same boat again. Not only that but we've spent hundreds of dollars modifying scripts and hundreds of man hours.

 

I'm all for security, hands down but maybe something that gets the job done and would be easier to manage would be best.

 

If you're up for an idea then here is my two cents on this whole mail problem.

 

Another way of offering the protection I think you guys are going for would be to give each website an MD5 encryption, or hash if you like, that must appear in the body of the message. It would be some cryptic word or number that only Total Choice Hosting knows, and all we webmasters have to do is add this in the body of all outgoing mails from scripts using PHP mail classes or functions....I believe this would be very easy to control....All you guys would need to do is scan outbound mail from the scripts for this MD5 code; if you find it then the mail is released, if not it's bounced....very simple I think

 

You could even do something like

Total choice hosting secret string

H7drriLdzmek1

You give the above code to the webmasters on a server. Let's say that code above is = "server336" and of course you guys know this since you made it up.

 

So you tell me that any script I load on your server that sends mail that this code above must appear somewhere in the body of the message, visible or invisible you don't care.

 

We also must add our domain to your encryption of "server336" which = H7drriLdzmek1

 

So we do something like the following

$messagebody .= "what ever our outbound message is: Hello World";

$messagebody .= base64_encode( "intimateassociates.com" )."_"."H7drriLdzmek1";

$sent = mail( $recipient, $subject, $messagebody, $headers );

 

Now wherever the mail function sends the message to after that (I don't know), but it's on Total Choice Hosting's side, you guys get the mail and parse the body of the mail, i.e.

 

list( $domain, $server ) = explode("_",$messagebody); #this may actually need to be in a while loop in case someone actually uses an _ in the body of the message...LOL

 

You guys set up a couple of arrays, one for all your server names that are MD5 hashed and all the domain names on each server, then do a little compare thing like this

 

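$sendmail = FALSE; # default: bounce unless a domain on this server matches

foreach ( $server_array_domain_list as $var ) { # domains hosted on this server

    if ( base64_decode($domain) == $var AND $server == "H7drriLdzmek1" ) {

        $sendmail = TRUE;

        break; # stop at the first match so a later domain cannot reset it

    }

}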

 

if sendmail true then send the mail else bounce it.

 

Keep in mind how most of these scripts are used. Generally speaking we have textarea boxes with a template email that we can edit quickly and easily, so all we would need is a base64 encode of our domain name and your secret code, and stuff something like this into our emails that use scripts to send mails

 

ALKJDLlksajfsyw**(a;AJKD==_H7drriLdzmek1

You guys explode on _ so now you have a decodable domain name and a non-decodable secret code to do your comparison.

 

The great thing is if we use HTML mails then this code i.e. ALKJDLlksajfsyw**(a;AJKD==_H7drriLdzmek1

can be hidden in the message body between html tags.

 

 

Anyway, just a thought. So when do we think we'll have mails back up and running??


Hello rr1024, Welcome to the forums!

 

All that we ask is that the mail script you use is secure and that you're authenticating sending.

 

Also, since many people do not use HTML email, you cannot hide an MD5 string in the email. Also, processing this in an email would take up valuable server resources.

 

Thanks

 

JimE
