Posted

I have the php form mail script on my site, and have had for a while. Suddenly today, my email has 29 messages...all errors generated from this form. Mail delivery system errors say that the message couldn't be delivered because there was no recipient address.

 

The message that I should get, with info. filled out on the form, has only the environment variables in it. And in those, it only gives the IP: 80.58.55.237 on all of them.

 

Anybody have any ideas what is going on here? I'm still investigating, and am going to disable the form right now. But, this sort of problem is probably way over my head!!!

 

Thanks!

Posted

I renamed the files, so they are currently disabled! I did verify that my form has required fields defined, and I do have email as a required field. So...if anyone has any ideas and needs more info...I'll be glad to provide it. I'm going to take a look at error logs!

Posted

post your php code here.

 

maybe someone was trying to use your form and put in an invalid email address as their own. do you have an autoresponder on there? if so, an invalid email address would come back to you as undeliverable.

 

chuck

Posted

I guess the IPs weren't all the same, but they seem to have originated from the same place. Here is a copy of my raw log file with the offending entries. Don't know if it would help anyone...but thought I'd provide it:

 

80.58.55.237 - - [04/Dec/2003:15:15:08 -0500] "POST /mailscript/mailit.php HTTP/1.0" 302 0 "http://www.monarchmountaindesigns.com/" "-"

80.58.55.172 - - [04/Dec/2003:15:15:13 -0500] "POST /mailscript/mailit.php HTTP/1.0" 302 0 "http://www.monarchmountaindesigns.com/" "-"

80.58.54.170 - - [04/Dec/2003:15:15:46 -0500] "POST /mailscript/mailit.php HTTP/1.0" 302 0 "http://www.monarchmountaindesigns.com/" "-"

80.58.55.170 - - [04/Dec/2003:15:15:57 -0500] "POST /mailscript/mailit.php HTTP/1.0" 302 0 "http://www.monarchmountaindesigns.com/" "-"

80.58.55.237 - - [04/Dec/2003:15:16:07 -0500] "POST /mailscript/mailit.php HTTP/1.0" 302 0 "http://www.monarchmountaindesigns.com/" "-"

80.58.55.172 - - [04/Dec/2003:15:16:13 -0500] "POST /mailscript/mailit.php HTTP/1.0" 302 0 "http://www.monarchmountaindesigns.com/" "-"

80.58.55.170 - - [04/Dec/2003:15:16:30 -0500] "POST /mailscript/mailit.php HTTP/1.0" 302 0 "http://www.monarchmountaindesigns.com/" "-"

80.58.55.237 - - [04/Dec/2003:15:16:42 -0500] "POST /mailscript/mailit.php HTTP/1.0" 302 0 "http://www.monarchmountaindesigns.com/" "-"

80.58.55.172 - - [04/Dec/2003:15:17:00 -0500] "POST /mailscript/mailit.php HTTP/1.0" 302 0 "http://www.monarchmountaindesigns.com/" "-"
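
Added example (not part of the original post, and not code from the form mail script): a short Python triage of access-log entries like the ones above. It groups POSTs to the form handler that carry no User-Agent by source network and reports how many arrived, from how many addresses, over what time span, and which Referer values they claimed. The /23 grouping prefix and the final browser line in the sample are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_network

# First five entries from the post above, plus one constructed browser request
# (192.0.2.10 is a documentation address) for contrast.
SAMPLE = '''\
80.58.55.237 - - [04/Dec/2003:15:15:08 -0500] "POST /mailscript/mailit.php HTTP/1.0" 302 0 "http://www.monarchmountaindesigns.com/" "-"
80.58.55.172 - - [04/Dec/2003:15:15:13 -0500] "POST /mailscript/mailit.php HTTP/1.0" 302 0 "http://www.monarchmountaindesigns.com/" "-"
80.58.54.170 - - [04/Dec/2003:15:15:46 -0500] "POST /mailscript/mailit.php HTTP/1.0" 302 0 "http://www.monarchmountaindesigns.com/" "-"
80.58.55.170 - - [04/Dec/2003:15:15:57 -0500] "POST /mailscript/mailit.php HTTP/1.0" 302 0 "http://www.monarchmountaindesigns.com/" "-"
80.58.55.237 - - [04/Dec/2003:15:16:07 -0500] "POST /mailscript/mailit.php HTTP/1.0" 302 0 "http://www.monarchmountaindesigns.com/" "-"
192.0.2.10 - - [04/Dec/2003:15:20:00 -0500] "POST /mailscript/mailit.php HTTP/1.1" 302 0 "http://www.monarchmountaindesigns.com/" "Mozilla/4.0 (compatible; MSIE 6.0)"
'''

# Apache combined log format: ip, identd, user, [time], "request", status, bytes, "referer", "agent"
LINE = re.compile(
    r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"')

def triage(log_text, path="/mailscript/mailit.php", prefix=23):
    """Summarise blank-User-Agent POSTs to the form handler, per source network."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ip, ts, method, url, _status, referer, agent = m.groups()
        # Browsers send a User-Agent; scripted clients often do not.
        if method != "POST" or url != path or agent not in ("", "-"):
            continue
        net = ip_network(f"{ip}/{prefix}", strict=False)  # prefix is an assumption
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        groups[net].append((when, ip, referer))
    report = {}
    for net, hits in groups.items():
        hits.sort()
        report[str(net)] = {
            "posts": len(hits),
            "sources": len({ip for _, ip, _ in hits}),
            "seconds": (hits[-1][0] - hits[0][0]).total_seconds(),
            # Referer is supplied by the client, so it is reported, not trusted.
            "referers": sorted({ref for _, _, ref in hits}),
        }
    return report

if __name__ == "__main__":
    print(triage(SAMPLE))
```
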

Posted

Natimage,

 

Since I wrote the code... I thought it would be nice to give you a hand.

 

I don't have any hard and fast answers since I haven't heard of this before. There are several questions that would have to be answered in order for me to diagnose it properly.

 

Before I get into your specific situation, I want to let you know that there is a total rewrite of the code. I started over from scratch and really overhauled the script in a big way. If you haven't downloaded version 2.0 Beta, I would really recommend it. The layout is quite a bit different from the other one, but that's due to the increased power and extra bells and whistles. For example, the messages sent to you and your visitors are sent through smtp... the preferred method of email generation via programming code.

 

Now, what you might be seeing is a failed attempt to use the code to spam. There is a referrer check in the code but some folks turn it off. The way the code is written, even with this off, your code can't be used to send spam, but you might get spammers posting messages to you in an effort to send spam. The reason it doesn't work is that the recipient (YOUR EMAIL) is hard coded into the script.

 

So if the spammer tries to post info to your script with recipient variables, it will only end up sending you the email.

 

If the referrer check is on, then nothing will happen at all.

 

This may not be the issue at all, it's just a guess. But I would do a WHOIS on the IP and see where it points.

 

The other question I'd ask is if the script works when you go to your site and submit information. If it does, then there's no reason to disable it.

 

And finally, I'd remind everyone that I have my own forum where I will answer any and all questions about the code.

 

http://www.surefirewebdesign.com/ufm/

 

I'm more than happy to answer your questions here... it's just that I get notified immediately when someone asks a question about the script in my forum. Here at TCH, I have to stumble across the question.

 

Upgrade to 2.0 Beta if you haven't already.

Posted

Thanks, Jack. I thought about your forum, but it was only a vague memory in my mind, and being at work, I did what I know best. I will look up the whois info.

 

The script does work...I only disabled it because I was unsure of what was going on. Figured that would be the best way to stop whatever it might be until I could figure it out.

 

Also...I did not turn the referrer check off that I know of.

 

Thanks again!

Posted

ok...here's the WHOIS info on the domains...I checked two and got the same results:

 

OrgName:    RIPE Network Coordination Centre

OrgID:      RIPE

Address:    Singel 258

Address:    1016 AB

City:      Amsterdam

StateProv:

PostalCode:

Country:    NL

 

ReferralServer: whois://whois.ripe.net

 

NetRange:  80.0.0.0 - 80.255.255.255

CIDR:      80.0.0.0/8

NetName:    80-RIPE

NetHandle:  NET-80-0-0-0-1

Parent:

NetType:    Allocated to RIPE NCC

NameServer: NS.RIPE.NET

NameServer: NS3.NIC.FR

NameServer: SUNIC.SUNET.SE

NameServer: AUTH62.NS.UU.NET

NameServer: SEC1.APNIC.NET

NameServer: SEC3.APNIC.NET

NameServer: TINNIE.ARIN.NET

Comment:    These addresses have been further assigned to users in

Comment:    the RIPE NCC region. Contact information can be found in

Comment:    the RIPE database at http://www.ripe.net/whois

RegDate:

Updated:    2003-09-19

 

OrgTechHandle: RIPE-NCC-ARIN

OrgTechName:  RIPE NCC Hostmaster

OrgTechPhone:  +31 20 535 4444

OrgTechEmail:  search-ripe-ncc-not-arin@ripe.net

 

# ARIN WHOIS database, last updated 2003-12-03 19:15

# Enter ? for additional hints on searching ARIN's WHOIS database.

 

Once again...interpreting this is well over my head!

 

Thanks...

Posted

Curious...

 

Mail delivery system errors say that the message couldn't be delivered because there was no recipient address.

 

Since the recipient email address is hardcoded into the script, I don't possibly see how someone could post data to your site that would try to send out mail to a blank email address.

 

The big vulnerability of Matt's FormMail.pl is the fact that you put your recipient information into the html code of your form and it's passed as a posted variable to your script.

 

If you turned off the referrer check, you might possibly get a bunch of email from folks trying to use your site to spam others... but all the emails would come to you. The referrer check is there to give an error message and kill the code if you're sending the data from another site.

 

If someone could point out a vulnerability to the script, I'd be happy to fix it. But if the code, when you boil it down, is basically

 

mail("predetermined@yoursite.com", "Subject", $message, "From: yoursite.com");

 

And I don't see how that could be hijacked.

 

Forward one of those emails to me if you would... I'd like to see if I can figure it out.

Posted

Jack...I'm probably just being really stupid tonight...but I don't know your email address to forward it to. If you want to send me a PM...I'll email it to you sometime tomorrow. Probably in the evening as I'll be travelling all day tomorrow.

 

I'm sure there is a way I could figure out your email...it's just past my bedtime!!!!

Posted

Thanks, Rob, but I don't think I can attach a file using that email icon, and it doesn't offer the email address. I figure I know what it is, but just want to make sure.
