I'm messing around with the PHP mail function and I noticed that when you look at the properties of the message that was sent there are headers with a ton of information. Some of this information shows my cPanel login and server info. I use Hostgator hosting.
Should I be concerned with this or is this pretty normal? I've been doing some research on using something else to send e-mails but I don't yet understand these or if they are necessary.
I've tried messing around with changing the headers previously but the information is still there - mostly in the 'Received' portions of the message. Maybe I'm missing something but here's what I've been playing with so far...
No matter what you use - depending on the server - different kinds of information are added by default, and you can't change those values: "Received by...", IP address, etc. Most hosts will also add a patch to PHP so that it includes the script that sends the email.
I'm not following the last part of this. A host can add a patch to PHP to where it will include the script that sent the e-mail. Does this mean that the script code is somewhere that people can see? I must be overlooking something as this doesn't make sense.
I assume you mean you don't get this >>
What SV is saying is that, to help the host know where your PHP file is if you are sending out spam (i.e. by reading this line if someone forwards the email to the host reporting it as spam), they set it to include the following header, for example:
*** Above is the domain... some server admins set it up to show the path instead:
/home/username/yourfolder/emailer.php
That would tell them that the script that sent the email was at www.yourdomain.com/yourfolder/emailer.php and that it was sent using a browser with IP 209.255.255.255, for example. That way the host knows what script to go investigate. THIS is good on the server end, as it helps catch spammers. The BAD part is that it tells anyone who gets the email what URL they can go to abuse the script themselves - SO, password protect scripts or directories that send email, or code them so that just visiting the URL itself with known variables attached doesn't just send out emails!
__________________
The smartest and best among men say very little, make sure that what they say is important, then they sit down and shut up.
Be very, very careful if you are allowing any user input (GET, POST, COOKIE etc.) to affect the arguments to your mail function call. Obviously allowing a user to set the "to:" field would be bad. A common spammer trick is to put "\r\n" into a "subject:" or "from:" field. The mailer then takes the part after the "\r\n" as a new header (which could be a "to:", "cc:" or "bcc:" header) and can be used to abuse the form. Many (most?) hosts will protect against this type of attack now, but there is a chance that yours (or someone else's, if you give the script to them) will not.
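The two points raised above (the "\r\n" header-injection trick, and a mailer that should not fire just because someone visits its URL) are easier to see in code. The following is an added example, not the original poster's script or anything from Hostgator: a small contact-form handler that rejects CR/LF in any header field and refuses to send on a bare GET request. The field names, the `SITE_OWNER` recipient and the `noreply@example.com` sender address are assumptions, and the inputs in the CLI section are constructed for the demo.

```php
<?php
// Added example for this thread (not the original poster's script): a contact-form
// mailer hardened against "\r\n" header injection and against being triggered by
// simply visiting the URL. Field names and addresses below are assumptions.

const SITE_OWNER = 'owner@example.com';   // placeholder recipient

// The pattern the thread warns about: user input pasted straight into headers.
// A From value of "a@b.com\r\nBcc: list@example.net" becomes a second header line.
function unsafe_headers(string $from, string $name): string
{
    return "From: $name <$from>\r\nReply-To: $from\r\n";
}

// Any CR, LF, NUL, or their URL-encoded forms, in a header field means injection.
function has_header_injection(string $value): bool
{
    return preg_match('/[\r\n\0]|%0[ad]/i', $value) === 1;
}

// Validate every field that feeds a header. Reject rather than silently strip,
// so the attempt shows up in your logs instead of being quietly "fixed".
function build_mail(array $post, string $method): array
{
    if ($method !== 'POST') {
        return ['error' => 'GET request: the form must be submitted, not merely visited'];
    }
    foreach (['name', 'email', 'subject'] as $field) {
        $value = (string) ($post[$field] ?? '');
        if ($value === '' || has_header_injection($value)) {
            return ['error' => "rejected field '$field'"];
        }
    }
    $email = filter_var($post['email'], FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        return ['error' => 'invalid sender address'];
    }
    // From stays a fixed site address so the form cannot impersonate arbitrary
    // senders; the visitor's address goes in Reply-To only.
    $name    = substr(preg_replace('/[^\pL\pN .\'-]/u', '', $post['name']), 0, 80);
    $headers = "From: Website <noreply@example.com>\r\n"
             . "Reply-To: $name <$email>\r\n"
             . 'X-Mailer: PHP/' . PHP_VERSION . "\r\n";
    $subject = substr($post['subject'], 0, 120);
    $body    = wordwrap((string) ($post['message'] ?? ''), 70, "\n", true);
    return ['to' => SITE_OWNER, 'subject' => $subject, 'body' => $body, 'headers' => $headers];
}

if (PHP_SAPI === 'cli') {
    // Constructed inputs: one injection attempt and one legitimate submission.
    $attack = ['name' => 'Bob', 'email' => 'bob@example.org',
               'subject' => "Hello\r\nBcc: list@example.net", 'message' => 'spam'];
    $good   = ['name' => 'Alice', 'email' => 'alice@example.org',
               'subject' => 'Question about hosting', 'message' => 'Hi there'];
    // Shows how the naive concatenation turns one field into two header lines.
    echo unsafe_headers("bob@example.org\r\nBcc: list@example.net", 'Bob'), "\n";
    var_dump(build_mail($attack, 'POST')['error']);   // rejected field 'subject'
    var_dump(build_mail($good, 'GET')['error']);      // GET request: ...
    var_dump(build_mail($good, 'POST')['subject']);   // "Question about hosting"
} else {
    $result = build_mail($_POST, $_SERVER['REQUEST_METHOD'] ?? 'GET');
    if (isset($result['error'])) {
        http_response_code(400);
        exit($result['error']);
    }
    mail($result['to'], $result['subject'], $result['body'], $result['headers']);
}
```

Run it from the command line to see the three checks exercised without sending anything; served over the web, it only calls `mail()` after a POST whose header-bound fields passed validation. Requiring POST does not replace the password protection suggested above, but it does stop the "just visit the URL with known variables" case the thread describes.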