Posts Tagged ‘email’


Posted on September 9th, 2010

Setting Up Google Apps Email with cPanel

Google Apps is one of the best email services. While having your email hosted on the same server as your website is convenient, in reality, it’s not always the wise choice. The following are a few reasons to make the switch, and how to do it – if your host provides cPanel.

Google Apps Logo

Read the full post…


Posted on November 10th, 2007

PayPal Buttons; Hide Email Addresses from Spam Bots

PayPal

Lately I’ve been creating a lot of PayPal “Buy Now” and “Add to Cart” buttons for a few of my customer’s websites. The problem with creating these buttons is that they require an email address to be added to the HTML code, which in turn gets easily harvested by spam-bots.

A simple alternative to using an email address is to use a “referral code” instead. To get the referral code login to PayPal and click on “Referrals” located near the footer of the page. On that page you will find a link like: https://www.paypal.com/us/mrb/pal=VXDE78NC4F3K2. Copy the “VXDE78NC4F3K2” part of the code and replace the hidden input value of “business” with it in your button code.

Original Code:

Revised Code:

You may ask why I wouldn’t just use PayPal’s encrypted payment buttons. Well, By creating non-encrypted buttons you can easily edit them (e.g. change Price, Item Name, etc.), create new ones fast and dynamically input values via PHP.


Posted on September 13th, 2005

PHP Mail Form Email Injection Hijack

Spam is one thing, but hijacking form mail scripts and spoofing other people’s domains and email is downright wrong. We need tough(er) penalties against these guys.

Lately my customers and I had been receiving hundreds of email sent from the forms on our sites. All form fields were filled out with email addresses from the domain in which it was sent. After checking the headers it was found that most had a BCC address of jrubin3546@aol.com.

After a little research, and a heads up by a fellow website designer in my area, it looks like this automated hijack is going to become a very big and widespread problem.

Hijack Overview

The “attacker” sends an automated bot to exploit unchecked fields in contact forms. It works by assuming a field used in an email header (e.g.: “From:” or “Subject:”) is passed unchecked to the mail subsystem. Appending a newline characters and more header lines with a BCC list and a spam message body might trick the underlying mail system into relaying spam messages. Currently it seems to be just phishing for vulnerable scripts sending emails via Bcc.

Current List of Bcc Recipients (in alphabetical order):

angelrrsmr@aol.com
bergkoch8@aol.com
cameronmtc@aol.com
damnitmayn@aol.com
Homeiragtime@aol.com
Homeragtime@aol.com
jrubin3546@aol.com
jshmng@aol.com
killerhamster@punkass.com
kolyathekid1@aol.com
kshmng@aol.com
kshmng@aol.com
lshmng@aol.com
mhkoch321@aol.com
wnacyiplay@aol.com
wolfione@aol.com
wwjdkid14@aol.com

The Fix?

It seems that stripping fields for carriage return (r) and newline characters (n) used directly in email headers resolves the problem. Note all your Post-Data variables (var) must be protected:

if (eregi ("r", $_POST['var1'].$_POST['var2'].$_POST['var3'].$_POST['etc'])) {die("SPAM Injection Error :(");}
if (eregi ("n", $_POST['var1'].$_POST['var2'].$_POST['var3'].$_POST['etc'])) {die("SPAM Injection Error :(");}
if (eregi ("Content-Transfer-Encoding", $_POST['var1'].$_POST['var2'].$_POST['var3'].$_POST['etc'])) {die("SPAM Injection Error :(");}

For even more protection add:

if (eregi ("MIME-Version", $_POST['var1'].$_POST['var2'].$_POST['var3'].$_POST['etc'])) {die("SPAM Injection Error :(");}
if (eregi ("Content-Type", $_POST['var1'].$_POST['var2'].$_POST['var3'].$_POST['etc'])) {die("SPAM Injection Error :(");}

More Information

Crack Attempt to Relay Spam