How do I make sure my mail() script will not get abused by others?

Status
Not open for further replies.

DoubleV

Programmer
Jan 11, 2002
358
US
We have a contact form on our site and then a PHP page containing the mail() script that grabs the form data and emails it.
What I want to know is: how do I make sure spammers or other people would not be able to abuse it? It's just hard for me to imagine that it would be safe to just stick it in the same directory as the rest of the site's content.
--------------------------------------------------
Goals are dreams with deadlines
-------------------------------------
 
Spammers using your website to send spam is unlikely. They're far more likely to try to use your SMTP server as a mail relay.


I am assuming you have all the security support in place: firewall, patched OS, chrooted users and no anonymous writing via FTP (if you have an FTP server installed), locked down SMTP server (if you have an SMTP server installed), patched web server, newer version of PHP, and tight permissions on script files.

From there, I would make sure that your mailing script uses a hard-coded TO: and FROM: address on all emails. If you base the recipient or sender on user-supplied input, someone sooner or later will figure out how to abuse it. Also, if the recipient address is hard-coded, you decide to whom the emails will be sent, not any potential spammer.

If you are sufficiently paranoid, you can make it harder for someone to view your emailing script source by placing it outside the document root of that virtual web server and accessing the code via an include() or require() statement.

Want the best answers? Ask the best questions: TANSTAAFL!
 
Actually, it's very easy for them to find and spam using formmail.

You shouldn't have a problem using the PHP mail() function.
 
The recipient of the email is hard-coded; I can also do it with the sender as well. I would imagine, though, that in many cases the sender would be a variable. Seems like in those I'll have to go the include() route.
Our server is pretty secure, so sounds like we should be OK.

THANKS!

--------------------------------------------------
Goals are dreams with deadlines
-------------------------------------
 
I don't know about him, but I have a case where the sender is variable...

We let employees make requests via our page, and it does a whole bunch of processing and creating and whatnot, then it sends out an email to relevant (hardcoded) individuals... so that they can reply to the email and have that reply go to the originator of the request directly from the email client, the sender is variable. Wouldn't consider doing such a thing on an internet-facing site, but I can definitely see the usefulness.

Suppose this could also be accomplished with the reply to field though if you so choose.

-Rob
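Putting the two suggestions in this thread together (hard-coded To and From addresses, and the visitor's address carried only in Reply-To), here is an added example of a contact-form handler. It is my own illustration, not code posted by anyone in the thread; the addresses and form field names are placeholders I have assumed. The point it shows beyond the advice above is the check that makes a user-supplied sender safe to use at all: a bare CR or LF in any value that reaches a mail header lets a submitter append extra headers such as Bcc, which is exactly how a contact form gets turned into a relay.

```php
<?php
// Hypothetical contact-form handler (added example, not the thread's own code).
// Recipient and From are fixed constants; the visitor's address is only ever
// placed in Reply-To, and only after validation.

const CONTACT_TO   = 'webmaster@example.com';   // hard-coded recipient (placeholder)
const CONTACT_FROM = 'noreply@example.com';     // hard-coded From (placeholder)

/**
 * Build the pieces of the contact mail from the posted form fields, or
 * return null when the submission must be rejected. Kept separate from
 * mail() so the validation can be exercised without sending anything.
 */
function build_contact_mail(array $post): ?array
{
    $name    = trim($post['name']    ?? '');
    $email   = trim($post['email']   ?? '');
    $subject = trim($post['subject'] ?? '');
    $body    = trim($post['message'] ?? '');

    // A raw CR or LF in any header-bound field is the header-injection vector:
    // "a@b.com\r\nBcc: victim1, victim2, ..." would otherwise become real headers.
    foreach ([$name, $email, $subject] as $field) {
        if (preg_match('/[\r\n]/', $field)) {
            return null;
        }
    }

    // FILTER_VALIDATE_EMAIL rejects anything that is not a single plain address
    // (embedded whitespace, angle brackets, a second address, and so on).
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    if ($body === '' || strlen($body) > 5000) {
        return null;
    }

    // Encode the display name so a name such as  x" <other@example.net>  cannot
    // smuggle a second mailbox into the Reply-To header.
    $displayName = '=?UTF-8?B?' . base64_encode($name) . '?=';

    $headers = [
        'From'         => CONTACT_FROM,
        'Reply-To'     => $displayName . ' <' . $email . '>',
        'X-Mailer'     => 'contact-form',
        'Content-Type' => 'text/plain; charset=UTF-8',
    ];

    return [
        'to'      => CONTACT_TO,
        'subject' => 'Contact form: ' . substr($subject === '' ? '(no subject)' : $subject, 0, 100),
        'body'    => "From: $name <$email>\n\n$body",
        'headers' => $headers,
    ];
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $mail = build_contact_mail($_POST);
    if ($mail === null) {
        http_response_code(400);
        exit('Invalid submission.');
    }
    // PHP 7.2+ accepts the extra headers as an associative array, which avoids
    // hand-assembling "Name: value\r\n" strings from user data.
    $ok = mail($mail['to'], $mail['subject'], $mail['body'], $mail['headers']);
    echo $ok ? 'Thanks, your message was sent.' : 'Sorry, the message could not be sent.';
}
```

Because the recipient is a constant, a spammer who finds the script can only ever make it mail the site owner; because the visitor's address goes into Reply-To rather than From, the mail still comes from the site's own domain (which also keeps it out of SPF trouble) while a reply from the mail client still reaches the person who filled in the form.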
 
"Suppose this could also be accomplished with the reply to field though if you so choose."
And why didn't I think about it??? *lol*

--------------------------------------------------
Goals are dreams with deadlines
-------------------------------------
 