Can you use mail() in PHP without creating an insecure, open mail relay?
-
Can you use mail() in PHP without creating an insecure, open mail relay boon to spammers everywhere? I keep trying to read http://securephp.damonkohler.com/index.php/Email_Injection, and I think I understand it, but I'm not sure. Like I said, I think I understand the problem, but I don't feel confident in my abilities to reasonably evaluate all the many solutions I've found. I've read through http://ask.metafilter.com/mefi/27356. Would somebody that really knows their stuff tell me if passing anything that will go into mail() through http://www.gerd-riesselmann.net/archives/2005/09/sending-spam-through-contact-forms would be enough to clean it? Most scripts I've seen are blocking \r and \n. I don't see anybody blocking "%0A" or other hexadecimal equivalents to line breaks. Is that because users can't use those to inject headers or because none of the forms I'm seeing are really secure?
-
Answer:
"%0A" is URL encoding. Email servers don't URL-decode. If %0A has made it to the PHP client, it's going to stay, and never turn into a linebreak.
willnot at Ask.Metafilter.Com
Other answers
In other words, if you see %0A, it means someone did %250A.
delmoi
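The two answers above are about decoding layers, so here is an added example (not code from the thread) that makes the point concrete. PHP URL-decodes the request body once, before it fills $_POST, so parse_str() on a constructed form body reproduces exactly what a script would see. The field values and addresses below are made up for the demonstration.

```php
<?php
// Added example: what a PHP script receives for "%0A" versus "%250A" in a
// form field. parse_str() applies the same single URL-decoding PHP uses to
// populate $_POST from an application/x-www-form-urlencoded request body.

// Constructed attacker inputs for an "email" field (not real traffic).
$bodies = [
    'single-encoded' => 'email=victim%40example.com%0ABcc%3A+spam-target%40example.org',
    'double-encoded' => 'email=victim%40example.com%250ABcc%3A+spam-target%40example.org',
];

foreach ($bodies as $label => $rawBody) {
    parse_str($rawBody, $fields);          // %40 -> @, %0A -> "\n", + -> space
    $email = $fields['email'];

    $hasNewline   = strpos($email, "\n") !== false;
    $hasLiteral0A = strpos($email, '%0A') !== false;

    printf("%s: %s\n", $label, json_encode($email));
    printf("  contains a real newline: %s\n", $hasNewline ? 'yes' : 'no');
    printf("  contains literal %%0A:   %s\n", $hasLiteral0A ? 'yes' : 'no');
}
```

The single-encoded body arrives as a string containing an actual "\n", so a check for \r and \n on the decoded value is what catches it. The double-encoded body arrives with the six literal bytes "%0A" in it; nothing between the script and the MTA will turn those into a line break, so they cannot start a new header. That is why scripts that only block \r and \n are not missing anything on this particular point.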
Good security practice is to disallow everything and explicitly allow the things you want. Do you really want your script to be generic? Surely you can restrict the sender? The recipient? The fewer options you give, the better. Don't overdesign. Perhaps all you want to allow is a subject line and message body? And if so, do a regex check (http://weblogtoolscollection.com/regex/regex.php) to verify that they only have valid ([\w\.\-]+ perhaps?) characters.
quiet
* Only accept what you expect, make it easy on yourself - plain text - nothing else.
* Filter for common phrases, especially BCC:, CC:, To:, Content-Type:.
* Hard code the destination address if at all possible.
It's only an email form on a website, it shouldn't be mission critical; you're not aiming for 99.999% delivery, so it's better to be cautious and dump suspect mail than try to clean it up and send it.
oliyoung
Anyway, as long as you don't use anything from the form in the *headers*, and only put it in the body, you should be fine. Which would be the case if you have a hard-coded destination address ([email protected] or whatever).
littleme
I'm looking at password recovery and password verification, which means I need to be putting a user-supplied To address in there, so the user will definitely have access to the headers. I am validating the e-mail address, which will probably cover me, but I'm looking for extra security just in case. Does http://www.gerd-riesselmann.net/archives/2005/09/sending-spam-through-contact-forms look like it would cover me, or is there something else that I should add to that to be extra safe?
willnot
You shouldn't be using mail() anyway. http://phpmailer.sourceforge.net/ is the way to go.
Sharcho
If you're doing password recovery and verification, the message body is being provided by your script, right? That would probably make it useless to a spammer, even if he could manage to inject other recipient addresses into the headers. (As opposed to a comment form, where the user provides the message body.)
staggernation
I should clarify: It is possible to inject a message body as well, but it's unlikely that any message a spammer would want to send would fit into the email address field (you can simply check the length and limit it to a reasonable number of characters).
staggernation
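The password-recovery case raised above is the one where user input unavoidably lands in a header, so here is an added example (not code from the thread or from any of the linked scripts) of the reject-don't-clean approach oliyoung and staggernation describe: hard-coded sender, script-generated body, bounded length, and a recipient that is refused outright if it is not a single plausible address free of control bytes. The helper names, the sender address and the reset URL are placeholders chosen for this example; the inputs at the bottom are constructed.

```php
<?php
// Added example: a password-reset mailer that puts a user-supplied address
// into mail()'s $to while refusing anything that could terminate a header.

// Return the validated address, or null to refuse. Nothing is "cleaned":
// an input that fails any check is dropped, as the thread recommends.
function safeRecipient(string $input): ?string
{
    $input = trim($input);
    // RFC 5321 caps a forward path at 254 octets; a spam payload will not fit.
    if ($input === '' || strlen($input) > 254) {
        return null;
    }
    // CR, LF, NUL, tab and every other control byte end or break a header line.
    if (preg_match('/[\x00-\x1F\x7F]/', $input)) {
        return null;
    }
    // One syntactically valid address, nothing else (no display names, no lists).
    $email = filter_var($input, FILTER_VALIDATE_EMAIL);
    return $email === false ? null : $email;
}

// Hard-coded sender: nothing from the request reaches From: (placeholder address).
const FROM_ADDRESS = 'no-reply@example.com';

// Build the four mail() arguments without sending. Returns null when refused.
function buildResetMail(string $userInput, string $token): ?array
{
    $to = safeRecipient($userInput);
    if ($to === null) {
        return null;
    }
    $headers = 'From: ' . FROM_ADDRESS . "\r\n"
             . "Content-Type: text/plain; charset=UTF-8\r\n";
    // Body is generated by the script; the only request-derived value is the
    // token, which is percent-encoded so it cannot break out of the URL.
    $body = 'Reset your password: https://example.com/reset?token='
          . rawurlencode($token) . "\n";
    return ['to' => $to, 'subject' => 'Password reset', 'body' => $body, 'headers' => $headers];
}

// Constructed inputs: a normal address, a CRLF header injection, and the
// %0A variant (which is simply not a valid address once it is a string).
$cases = [
    'legit'    => 'alice@example.com',
    'injected' => "alice@example.com\nBcc: spam-target@example.org\n\nBuy now",
    'percent'  => 'alice@example.com%0ABcc:spam-target@example.org',
];
foreach ($cases as $label => $input) {
    $mail = buildResetMail($input, 'abc123');
    echo $label, ': ', $mail === null ? 'REFUSED' : 'would send to ' . $mail['to'], "\n";
}
// In the real script, only when $mail is not null:
// mail($mail['to'], $mail['subject'], $mail['body'], $mail['headers']);
```

Only the first input is accepted. The validation happens at the boundary of the script, independently of whatever newline handling a given PHP version or MTA applies, and because the body is generated rather than echoed from the form, an attacker who somehow got an extra recipient in would still only be able to send the reset text.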