
PHP mail function - Header security?

pchip
Hey everyone,

I'm messing around with the php mail function and I noticed that when you look at the properties of the message that was sent there are headers with a ton of information. Some of this information shows my cpanel login and server info. I use Hostgator hosting.

Should I be concerned with this or is this pretty normal? I've been doing some research on using something else to send e-mails but I don't yet understand these or if they are necessary.

As always, thanks for the help!

pc
 
I've tried messing around with changing the headers previously but the information is still there - mostly in the 'Received' portions of the message. Maybe I'm missing something but here's what I've been playing with so far...

$to = 'whoever@xyznet';
$subject = 'the subject';
$message = 'test';
$headers = 'From: contact@xyznet' .
'Received: contact@xyznet' .
'Reply-To: contact@xyznet' . "\r\n";

mail($to, $subject, $message, $headers, "-fcontact@xyznet");

What do you think?

Thanks!

pc
 
No matter what you use - depending on the server - different kinds of information are added by default, and you can't change those values. "Received by...", ip address, etc. Most hosts will also add a patch to PHP to where it includes the script that sends the email.
 
SecondVersion said:
No matter what you use - depending on the server - different kinds of information are added by default, and you can't change those values. "Received by...", ip address, etc. Most hosts will also add a patch to PHP to where it includes the script that sends the email.

I'm not following the last part of this. A host can add a patch to PHP to where it will include the script that sent the e-mail. Does this mean that the script code is somewhere that people can see? I must be overlooking something as this doesn't make sense.

Thanks again for the help!

pc
 
pchip said:
I'm not following the last part of this. A host can add a patch to PHP to where it will include the script that sent the e-mail. Does this mean that the script code is somewhere that people can see? I must be overlooking something as this doesn't make sense.
pc
I assume you mean you don't get this >>
SecondVersion said:
Most hosts will also add a patch to PHP to where it includes the script that sends the email.
What SV is saying is that to help the host know where your PHP file is if you are sending out spam (i.e. by reading this line, if someone forwards the email to the host reporting it as spam), they set it to include the following header, for example:

X-PHP-Script: www.yourdomain.com/yourfolder/emailer.php for 209.255.255.255

*** Above is domain...some server admins set it up to show path instead:

/home/username/yourfolder/emailer.php

That would tell them that the script that sent the email was at www.yourdomain.com/yourfolder/emailer.php and that it was sent using a browser with IP# 209.255.255.255, for example. That way the host knows what script to go investigate. THIS is good on the server-end, as it helps catch spammers. The BAD part is that it tells anyone who gets the email what URL they can go to abuse the script themselves - SO, password protect scripts or directories that send email, or make them part of coding whereby just visiting the URL itself with known variables attached doesn't just send out emails!
 
Thanks for the explanation Maximum, I figured that's what SecondVersion was saying but just wanted to make sure!

Thanks again for the help, both of you repd!

pc
 
Your above script is open to mail header injection which can be used for spamming.

Make sure to sanitize the variables BEFORE they hit the mail() function.
 
pchip said:
$headers = 'From: contact@xyznet' .
'Received: contact@xyznet' .
'Reply-To: contact@xyznet' . "\r\n";

You need "\r\n" after each header line, so it should look like:

Code:
$headers = 'From: contact@xyznet' . "\r\n" .
    'Received: contact@xyznet' . "\r\n" .
    'Reply-To: contact@xyznet' . "\r\n";

Be very very careful if you are allowing any user input (GET, POST, COOKIE etc) to affect the arguments to your mail function call. Obviously allowing a user to set the "to:" field would be bad. A common spammer trick is to put "\r\n" into a "subject:" or "from:" field. The mailer then takes the part after the "\r\n" as a new header (which could be a "to:", "cc:" or "bcc:" header) and can be used to abuse the form. Many (most?) hosts will protect against this type of attack now, but there is a chance that yours (or someone else's if you give the script to them) will not.
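Putting this reply and Maximum's advice above together, here is a contact-form sender that rejects CR/LF in user-supplied values, keeps the recipient fixed server-side, terminates each header with "\r\n", and only sends on a POST so that merely visiting the URL does nothing. This is an added example, not code from the thread; the field names, the contact@example.com addresses and the use of $_SERVER['REQUEST_METHOD'] as the request check are assumptions.

```php
<?php
// Added example (not from the thread). Assumes a form posting 'name', 'email', 'message'.

/**
 * Return a trimmed header value, or null if it is empty, too long, or contains
 * "\r", "\n" or NUL: those bytes are what turn a Subject:/From: field into an
 * injected extra header such as Bcc:.
 */
function safe_header_value(string $value, int $maxLen = 200): ?string
{
    $value = trim($value);
    if ($value === '' || strlen($value) > $maxLen) {
        return null;
    }
    if (preg_match('/[\r\n\0]/', $value)) {
        return null;
    }
    return $value;
}

function send_contact_mail(array $post): bool
{
    // Only act on a POST: a GET with "known variables attached" must not send mail.
    if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST') {
        return false;
    }
    $name  = safe_header_value($post['name'] ?? '', 80);
    $email = safe_header_value($post['email'] ?? '', 254);
    $body  = (string) ($post['message'] ?? '');

    // Fail closed: any rejected value or a non-address in 'email' aborts the send.
    if ($name === null || $email === null || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }

    // Recipient and From: are fixed (assumed addresses); the visitor only lands in Reply-To:,
    // with the display name quoted so '"' or '<' in it cannot alter the address part.
    $to      = 'contact@example.com';
    $subject = 'Contact form message';
    $headers = 'From: Contact Form <contact@example.com>' . "\r\n"
             . 'Reply-To: "' . addcslashes($name, '"\\') . '" <' . $email . '>' . "\r\n"
             . 'X-Mailer: PHP/' . PHP_VERSION . "\r\n";

    // Normalise body line endings and wrap at 70 columns as the mail() docs recommend.
    $body = wordwrap(str_replace(["\r\n", "\r"], "\n", $body), 70, "\n", true);

    return mail($to, $subject, $body, $headers, '-fcontact@example.com');
}
```

The body is deliberately not passed through safe_header_value(): line breaks are legitimate there, because the body is separated from the headers by mail() itself and cannot add headers.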
 