
Recently we found that someone has sent out unsolicited emails from our server. This has resulted in the server being blacklisted. I assume this is hackers using forms that have not escaped data correctly, or could it be something else as well?

We have a number of sites with their own 'contact us' type forms. I am going through all the forms and making sure the post data is being escaped. I found one form adding POST data to message without validating it first. I have just added a check before sending the email. Do you think the following will suffice, or is it better practice to escape the email post value before running it through the filter_var?

    // keep the validated value; the original used $email without ever assigning it
    $email = filter_var($_POST['email'], FILTER_VALIDATE_EMAIL);
    if($email !== false)
    {
        $message = $email." says hello";
        $headers = "From: me@example.com";
        mail('to@example.com', 'Subject', $message, $headers);
    }

Should I be checking the transfer logs for header injection attacks/other attacks, if so what would I be looking for?

xylar
  • I don't quite understand your problem, so do you have a free form where anyone can send any message to any recipient from any sender? Or you have a 'contact us' form? Or you're worried that someone has access to your server? – Adi Jun 25 '12 at 09:19
  • There can be a possibility that your SMTP server is an open relay, if you have it. [Check](http://www.mxtoolbox.com/diagnostic.aspx) – Alvin Wong Jun 25 '12 at 09:19
  • @AdnanShammout sorry for not being clear. No, we don't have a free form, we have a number of sites with their own 'contact us' type forms. – xylar Jun 25 '12 at 09:24
  • @AlvinWong thanks for the link, it says the mail server is not an open relay – xylar Jun 25 '12 at 09:28
  • Whatever blacklisted you? [Check here](http://www.mxtoolbox.com/blacklists.aspx) – Alvin Wong Jun 25 '12 at 09:32
  • Also see [this](http://www.spamhaus.org/lookup/) – Alvin Wong Jun 25 '12 at 10:00
  • @AlvinWong thanks for the links. I want to make sure I have updated the forms before trying to remove from the blacklist. – xylar Jun 25 '12 at 10:11
  • @xylar, can you please explain the logic behind updating this form you keep talking about? According to you, any user can use the SMTP server to send emails, I don't see how updating a form can solve your problem. Please help me understand. – Adi Jun 25 '12 at 11:52
  • Actually I don't think it must be PHP which causes the problem. You can check the [CBL](http://cbl.abuseat.org/lookup.cgi) and it will tell you what the problem is if you are listed there. – Alvin Wong Jun 25 '12 at 12:36
  • @AlvinWong it's on 3 blacklists. One of them says "received spamtrap mail" – xylar Jun 25 '12 at 13:03
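The check in the question covers the sender address but leaves two gaps: the validated value must be the one that is actually used, and every field that ends up on a header line (not just the address) must be refused if it carries a CR or LF, because a newline in a header is what lets a bot append its own `Bcc:` or `To:` lines. The handler below is an added example, not code from the question; `build_contact_mail`, `is_header_safe` and the `name`/`message` field names are assumptions. Note that `FILTER_VALIDATE_EMAIL` already rejects an address containing whitespace, so the explicit newline check mainly matters for the free-text fields.

```php
<?php
// Added example (not the asker's code): a contact-form handler that keeps
// visitor input out of SMTP headers. Function and field names are assumptions.

declare(strict_types=1);

/**
 * A CR, LF or NUL in a header-bound field is the classic header-injection
 * vector; refuse the whole submission rather than try to "clean" it.
 */
function is_header_safe(string $value): bool
{
    return preg_match('/[\r\n\0]/', $value) !== 1;
}

/**
 * Validate the submitted fields and build the arguments for mail().
 * Returns null when the submission must be rejected.
 */
function build_contact_mail(array $post): ?array
{
    $email = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
    $name  = trim((string) ($post['name'] ?? ''));
    $body  = (string) ($post['message'] ?? '');

    if ($email === false || !is_header_safe($email)) {
        return null;                        // no valid sender address
    }
    if ($name === '' || strlen($name) > 100 || !is_header_safe($name)) {
        return null;                        // name is quoted near a header line
    }
    if (strlen($body) > 5000) {
        return null;                        // oversized bodies are a spam signal
    }

    // From: is always our own address. The visitor only appears in Reply-To,
    // and only after FILTER_VALIDATE_EMAIL accepted the value.
    $headers = "From: me@example.com\r\n"
             . "Reply-To: " . $email . "\r\n";

    // Newlines in the body are harmless: mail() separates headers from body itself.
    $message = $name . " <" . $email . "> says:\r\n\r\n" . $body;

    return [
        'to'      => 'to@example.com',
        'subject' => 'Website contact form',
        'message' => $message,
        'headers' => $headers,
    ];
}

// Constructed submissions: a normal one and two header-injection attempts.
$samples = [
    'clean'    => ['email' => 'visitor@example.org', 'name' => 'Visitor', 'message' => "Hello,\nplease call me."],
    'injected' => ['email' => "visitor@example.org\r\nBcc: victim@example.net", 'name' => 'x', 'message' => 'buy now'],
    'bad_name' => ['email' => 'visitor@example.org', 'name' => "x\nBcc: victim@example.net", 'message' => 'buy now'],
];
foreach ($samples as $label => $post) {
    echo $label, ': ', build_contact_mail($post) === null ? 'rejected' : 'accepted', PHP_EOL;
}

// In the real handler only the validated pieces ever reach mail().
if (!empty($_POST)) {
    $mail = build_contact_mail($_POST);
    if ($mail === null) {
        http_response_code(400);
        exit('Invalid submission');
    }
    mail($mail['to'], $mail['subject'], $mail['message'], $mail['headers']);
}
```

Run from the command line the script only exercises the three constructed submissions; when it receives a real POST it builds the mail from the validated pieces or answers 400. The design choice worth copying is that the visitor's address never lands in `From:`, which both blocks header injection through that field and keeps your domain's SPF/DMARC story clean for mail that genuinely comes from your server.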

1 Answer


The best thing you can do is to check your logs to see who's sending those emails, as you probably aren't gonna check all your users' scripts. Also, it doesn't make any sense to filter/escape/encode your own forms' input (although you should definitely do it) as any of your users can use your SMTP server.

Here's how you can tail your mail logs:

    tail -f /var/mail/exim_mainlog
    tail -f /var/log/exim_mainlog
    tail -f /var/log/exim_paniclog
    tail -f /var/log/exim_rejectlog
Adi