The problem is the spammer.
There is a growing use of the technique of sending mass e-mails through web forms that use PHP. In some cases the objective is to send spam; in others, it is the anonymity of the messages sent.
This technique takes advantage of the way PHP's mail() function works and is known as "Mail Header Injection". It consists of exploiting web forms that use the PHP mail() function to send the data entered by the visitor and that, in addition, do not validate that data correctly to prevent this type of abuse.
How does this technique work?
Simple example: suppose our site has a field where the visitor enters their e-mail address, like this:
<input name="email" type="text" value="Ingrese su e-mail aqui" />
Then, the address entered in this field is sent to the server and taken by the PHP script to be used as the FROM in the mail() function, so the message that arrives in our mailbox will have as its sender the address entered by the visitor. Now, PHP's mail() function ...
mail(recipiente, asunto, mensaje, cabeceras extras);
simply concatenates the parameters that are passed to it, so if we enter the following in the e-mail field of the form:
[email protected]%0ACc:[email protected]
%0ABcc:[email protected],[email protected]
There the first address will be the FROM: (the source address that the spam victims will see), %0A is the URL-encoded value of the line-feed character, Cc: (copies) contains the address or addresses of the victims, and Bcc: (blind copies) also contains addresses of spam victims.
Part of the e-mail header generated by our abused form will be:
To: [email protected]
Subject: Asunto del mensaje
From: [email protected]
Cc:[email protected]
Bcc:[email protected],[email protected]
With this, the spammer will have used our form to send mass mail.
This example is the most basic case of this technique, since by injecting headers it is even possible to modify the subject and the message itself, to the point of sending messages with HTML content.
What are the consequences of this technique?
First, the form is being used to carry out an act with which the vast majority of us disagree; the bandwidth available to the server is also being consumed, affecting the rest of the sites hosted on it. Finally, in the face of a spam complaint, the sending account can be suspended for violating the terms and conditions of its hosting provider, and so on.
A validation script as an example (simple script)
<?php
function ValidarDatos($campo){
    // Array of the header names a spammer is likely to inject
    $badHeads = array("Content-Type:",
                      "MIME-Version:",
                      "Content-Transfer-Encoding:",
                      "Return-path:",
                      "Subject:",
                      "From:",
                      "Envelope-to:",
                      "To:",
                      "bcc:",
                      "cc:");
    // Check that none of the strings in the array appears in the data.
    // If one of them is found, answer with a Forbidden page and stop.
    foreach($badHeads as $valor){
        if(strpos(strtolower($campo), strtolower($valor)) !== false){
            header("HTTP/1.0 403 Forbidden");
            exit;
        }
    }
}
// Example calls to the function (missing fields are treated as empty)
ValidarDatos($_POST['email'] ?? '');
ValidarDatos($_POST['asunto'] ?? '');
ValidarDatos($_POST['mensaje'] ?? '');
?>
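The list-based check above only stops header names it knows about; a stricter alternative, added here as an example and not part of the original post's script, rejects any carriage return or line feed in a field that ends up in the header block, since without a line break no new header can be injected at all. Function names, the example.com addresses and the form inputs are constructed for this example.

```php
<?php
// Added example, not the post's own script. Instead of matching a list of header
// names, reject any header-bound field that contains a CR or LF, which is the only
// way a new header line can be introduced into mail()'s header block.

// Returns the field unchanged if it contains no line break, or null if it does.
function header_safe_field(string $value): ?string {
    // preg_match returns 1 when a CR or LF is present anywhere in the value
    return preg_match('/[\r\n]/', $value) === 1 ? null : $value;
}

// Returns a syntactically valid address or null. FILTER_VALIDATE_EMAIL rejects
// line breaks, spaces and lists of addresses, so the injected sample fails here too.
function clean_email(string $value): ?string {
    $email = filter_var($value, FILTER_VALIDATE_EMAIL);
    return $email === false ? null : $email;
}

// Builds the extra-headers argument for mail() from the form input,
// or returns null if any field is unsafe so that mail() is never called.
function build_headers(array $post): ?string {
    $from = clean_email($post['email'] ?? '');
    if ($from === null) {
        return null;
    }
    // The subject is a separate mail() argument, but it is written into the same
    // header block, so it gets the same line-break check.
    if (header_safe_field($post['asunto'] ?? '') === null) {
        return null;
    }
    return "From: $from\r\nReply-To: $from";
}

// Constructed inputs: a legitimate submission and the injected one described in
// the post, as it looks after PHP has URL-decoded %0A into "\n" in $_POST.
$legit    = ['email' => 'visitor@example.com', 'asunto' => 'Hola'];
$injected = ['email' => "sender@example.com\nCc:victim1@example.com\nBcc:victim2@example.com,victim3@example.com",
             'asunto' => 'Hola'];

// The legitimate input yields a header string; the injected one yields null.
var_dump(build_headers($legit));
var_dump(build_headers($injected));
```

Because the check is on the line-break characters themselves rather than on header names, it also covers headers such as Reply-To: or X-Mailer: that are not in the blacklist above.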
Here is a post that explains it with more examples and code:
link