spMailer

spMailer, a (hopefully) spambot-safe PHP mailer

March 19, 2009 - Unfortunately, a spammer in the Philippines proved that spMailer is not resistant to injection attacks when the script is used to drive a tell-a-friend form. Please stop using the script for that purpose immediately.

We have not finished our analysis, but at this time we don't have a solution. We are reasonably confident that the script remains immune to attack when used to power a contact-us form. Questions, comments, discussions? Visit the forums.


spMailer is a free (LGPL) PHP form mailer that is (hopefully) resistant to most forms of automated form-mailer stuffing attacks. Download it, discuss in the forums, or read on for more info. (See http://www.nyphp.org/phundamentals/email_header_injection.php for information about header injection attacks to which most mailer scripts are vulnerable.)

Version 4.0 Changes / Fixes / Additions
=================================================
ADD: The form is manipulated via jQuery (JavaScript) in a further attempt to block non-browser user agents that might try to stuff the form. Before submission, jQuery deletes one field from the form and adds another field with a specific value. The processing page (spMailer.php) checks for these fields and their value, and sends the message only if they are as expected.
FIX: logic and core code problems fixed; these were leftovers from version 3, not new problems introduced with v4.
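As an added example of the v4 technique described above (this is not spMailer's own code), here is one way to build the pair of checks: a bait field that the page's JavaScript removes before submission, a marker field that the script adds, and a server-side function that refuses a post unless both changes happened. The field names spm_bait and spm_js, the marker value, and the jQuery file name are assumptions for the demo; spMailer uses its own names.

```php
<?php
// Added example, not spMailer's own code. Field names and the expected
// marker value are assumptions for the demo.
define('BAIT_FIELD', 'spm_bait');   // present in the HTML, removed by JavaScript
define('JS_FIELD',   'spm_js');     // absent from the HTML, added by JavaScript
define('JS_VALUE',   'enabled');    // value the script is expected to set

// Server side: treat the request as coming from a browser that ran the
// page's script only when the bait field is gone and the marker carries the
// expected value. Returns null when the post passes, otherwise the reason.
function non_browser_reason(array $post) {
    if (array_key_exists(BAIT_FIELD, $post)) {
        return 'bait field was submitted; the script did not run';
    }
    if (!isset($post[JS_FIELD]) || $post[JS_FIELD] !== JS_VALUE) {
        return 'JavaScript marker missing or wrong';
    }
    return null;
}

// Client side: the form as served. The submit handler removes the bait
// input and appends the marker just before the browser posts the form.
function render_form() {
    $bait = BAIT_FIELD; $js = JS_FIELD; $val = JS_VALUE;
    return <<<HTML
<form id="contact" method="post" action="spMailer.php">
  <input type="hidden" name="$bait" value="1">
  <input type="text" name="from"> <textarea name="message"></textarea>
  <input type="submit" value="Send">
</form>
<script src="jquery.js"></script>
<script>
$('#contact').submit(function () {
  $(this).find('[name=$bait]').remove();
  $('<input type="hidden" name="$js" value="$val">').appendTo(this);
});
</script>
HTML;
}

if (PHP_SAPI === 'cli') {
    // Constructed sample posts: a non-browser client that replays the raw
    // HTML fields verbatim, and a browser that ran the script.
    $bot     = array(BAIT_FIELD => '1',   'from' => 'a@example.com', 'message' => 'hi');
    $browser = array(JS_FIELD => JS_VALUE, 'from' => 'a@example.com', 'message' => 'hi');
    var_dump(non_browser_reason($bot));
    var_dump(non_browser_reason($browser));
}
```

Run from the command line the first call returns a reason string and the second returns null. Keep the limits of the technique in mind: the marker is a constant, so any client that captures one genuine browser submission can replay it, and a bot driving a real browser engine executes the script like everyone else. It filters the crudest form stuffers, nothing more, and it says nothing about whether the field contents are safe to put in a mail header.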

Downloads so far — v4 = 2892 :: v3 = 720 :: v2 = 258 :: v1 = 611

spMailer: Install and Configuration Instructions

spMailer is a (hopefully) spambot-safe PHP form mailer.

spMailer offers two modes of operation:

  • Contact Form Mailer—in this mode, you hard-code the To address into spMailer. Users cannot specify a To address other than what you configure. This mode is for company or organization "Contact Us" forms.
  • Tell-A-Friend Form Mailer—in this mode, you provide a field on your form that users fill in to specify the To address. Because the recipient is chosen by whoever submits the form, this mode turns your server into a relay for anyone who can post to it; see the March 19, 2009 notice above and do not use it until a fix is released.

You can use and customize the sample contact and tell-a-friend forms supplied with spMailer. They contain PHP code that displays error messages when users do not fill out the form correctly.

NOTE: PHP is case sensitive. Keep this in mind as you name your form fields and edit the spMailer.php file. Those values must match exactly, right down to upper and lower case. Also, please don't use spaces in your form field names.

Note 2: Check the new sample contact forms carefully. There's some PHP, JavaScript, and form fields that are required to support the new jQuery-based anti-spam techniques. If you don't use our sample form, you will need to make sure to include these snippets of code in your form.

Line numbers given below might not match the code exactly...sorry!

Configuring spMailer as a Contact Us Form Mailer

  1. Unzip the files to a folder on your computer.
  2. Open spMailer.php in your favorite text editor. (Not MS Word)
  3. Line 18, enter your To address between the single quotes in the line: $config['to'] = '';
  4. Line 35, enter your contact form's name between the quotes in: $config['yourContactForm'] = 'spMailerContactForm.php';
  5. Make sure line 42 begins with // (to comment out the line). The line should look like //$config['fieldName']['To'] = 'to'; when you're done.
  6. Lines 43-45, make sure the names between the quotes match the field names on your contact form
  7. Configure other options as desired (see the comments in spMailer.php for configuration options)

Configuring spMailer as a Tell-A-Friend Form Mailer

  1. Unzip the files to a folder on your computer.
  2. Open spMailer.php in your favorite text editor. (Not MS Word)
  3. Line 18, delete everything between the single quotes in the line: $config['to'] = '';
  4. Line 29, change the line to read: $config['required']['To'] = 2;
  5. Line 35, enter your contact form's name between the quotes in: $config['yourContactForm'] = 'spMailerContactForm.php';
  6. Line 42, delete // to look like $config['fieldName']['To'] = 'to';
  7. Lines 43-45, make sure the names between the quotes match the field names on your contact form
  8. Configure other options as desired (see the comments in spMailer.php for configuration options)

Configuring spMailer to use SMTP Authentication

SMTP Authentication is required by some hosting companies as a spam-prevention measure. To use SMTP Authentication, you will need a valid email address (a real mailbox, not a forwarding address), its password, and the SMTP server name. The password is stored in plain text in spMailer.php, so use a dedicated mailbox that has no other purpose, and make sure the file is only ever executed by PHP and never served as source (a misconfigured server or a stray .bak or .txt copy will expose it).

  1. Line 91, change to read $config['useSMTPAuth'] = true;
  2. Line 92, enter a valid email address in your domain in the form address@domain.com
  3. Line 93, enter that address's password
  4. Line 94, enter your domain's SMTP server address in the form smtp.yourdomain.com

Including extra fields in your form

Starting with version 3, spMailer supports custom fields in your forms.

  1. Do not change line 62, which reads $config['extraFields'] = array();
  2. Uncomment line 63 and fill it in following the format: addFields('field_name', 'field_label') where field_name is the name of the form field and field_label is text you would like added before the field's contents in the resulting email message.
  3. Copy / repeat line 63 as needed for each of your extra form fields.
  • It has been tested with text, textarea, select, and select-multiple lists. It should work with radio buttons and checkboxes but it does not support file uploads.
  • If you are using a field type that accepts multiple selections (select-multiple or a checkbox group), you must end the field name with a pair of square brackets so that PHP receives the values as an array. For example, <select multiple name='my_select_multiple[]'>...</select>
  • The field label parameter is optional. If you include it, it will be used to identify the field data in the email message. Without it, the field's name will be used.
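As an added example (not spMailer's own code) of the extra-field rules above, here is a stand-alone function that turns a list of (field_name, field_label) pairs into lines for the outgoing message, including fields named with [] that therefore arrive in $_POST as arrays. The function name, the field names and the sample post are assumptions constructed for the demo; it keys on the bare field name because PHP drops the [] when it builds $_POST.

```php
<?php
// Added example, not spMailer's own code. Names are assumptions for the demo.

// $extra is a list of array('field_name', 'field_label') pairs; the label
// is optional and falls back to the field name, as the notes above say.
function format_extra_fields(array $post, array $extra) {
    $lines = array();
    foreach ($extra as $spec) {
        $name  = $spec[0];
        $label = (isset($spec[1]) && $spec[1] !== '') ? $spec[1] : $name;
        if (!isset($post[$name])) {
            continue;                   // unticked checkbox group or empty multi-select
        }
        $value = $post[$name];
        if (is_array($value)) {         // select-multiple / checkbox[] fields
            $value = implode(', ', $value);
        }
        // Collapse line breaks so that one field cannot masquerade as several
        // lines of the report; trim removes stray surrounding whitespace.
        $value = trim(preg_replace('/[\r\n]+/', ' ', $value));
        $lines[] = "$label: $value";
    }
    return implode("\n", $lines);
}

// Constructed sample post, as PHP would receive it from a form containing
// <select multiple name="interests[]"> and <input type="checkbox" name="days[]">.
$post = array(
    'company'   => 'Example Ltd',
    'interests' => array('hosting', 'design'),
    'days'      => array('mon'),
    'phone'     => "555-0100\r\nBcc: nobody@example.org",  // line break is neutralised
);
$extra = array(
    array('company',   'Company'),
    array('interests', 'Areas of interest'),
    array('days'),                    // no label: the field name is used
    array('phone',     'Phone'),
);
echo format_extra_fields($post, $extra), "\n";
```

Running it prints one line per field, the two array fields joined with commas, "days" labelled by its own name, and the injected line break in the phone field flattened into a space. File uploads are not handled, matching the note above.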

Passing form field values to spSuccess.php page

Starting with version 3, you can pass the data entered by users into the form onto your success page.

  1. Change line 119 to read: $config['passFormValues'] = true;
  2. Follow the PHP code samples in the spSuccess.php page provided to see how you can output the form field values on your success page.

More information

spMailer takes the following steps to prevent header injection attacks:

  • Verifies that it was loaded from a page on your site by checking the HTTP Referer header. This stops casual abuse from a copy of your form hosted on another site or a local computer, but the Referer is supplied by the client and a scripted attacker can set it to anything, so treat it as a speed bump rather than a security boundary.
  • Verifies that required form fields are present, and optionally, filled in.
  • Validates that the to, from, cc, and bcc addresses are syntactically legal addresses; it does not verify that they are working mailboxes, only that they match the prescribed format for email addresses.
  • Strips injected headers (extra recipient lines and Content-Type declarations) from the body of the message and from the To, From, CC, and BCC fields.
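As an added example (not spMailer's own code) of the last three checks in the list above, here is a stand-alone PHP implementation of required-field checking, syntactic address validation, and header-injection detection and stripping. Function names and field names are assumptions for the demo, the two sample submissions are constructed, and filter_var with FILTER_VALIDATE_EMAIL assumes PHP 5.2 or later.

```php
<?php
// Added example, not spMailer's own code. Function and field names are
// assumptions for the demo; the sample submissions below are constructed.

// Reject any value destined for a mail header that carries a line break,
// raw or URL-encoded. One injected CR/LF is all an attacker needs to
// append Bcc:, Content-Type: or even a second body to the message.
function has_header_injection($value) {
    return preg_match('/[\r\n]|%0[ad]/i', $value) === 1;
}

// Syntactic check only: it says nothing about whether the mailbox exists,
// exactly as the bullet list above notes.
function is_valid_address($value) {
    return !has_header_injection($value)
        && filter_var($value, FILTER_VALIDATE_EMAIL) !== false;
}

// Remove lines from the message body that look like SMTP/MIME headers.
function strip_header_lines($body) {
    $pattern = '/^\s*(to|from|cc|bcc|reply-to|content-type|'
             . 'content-transfer-encoding|mime-version)\s*:.*$/im';
    return preg_replace($pattern, '', $body);
}

// Validate a submission. Returns an empty array when the message is safe
// to hand to the mailer, otherwise a list of reasons it was refused.
function check_submission(array $post, array $required) {
    $errors = array();
    foreach ($required as $field) {
        if (!isset($post[$field]) || trim($post[$field]) === '') {
            $errors[] = "missing required field: $field";
        }
    }
    foreach (array('to', 'from', 'cc', 'bcc') as $field) {
        if (!isset($post[$field]) || $post[$field] === '') {
            continue;
        }
        if (!is_valid_address($post[$field])) {
            $errors[] = "invalid or injected address in field: $field";
        }
    }
    // The subject becomes a header too, so it gets the line-break check.
    if (isset($post['subject']) && has_header_injection($post['subject'])) {
        $errors[] = 'line break in subject';
    }
    return $errors;
}

// Constructed sample input: a legitimate contact-form post...
$clean = array(
    'from'    => 'alice@example.com',
    'subject' => 'Question about pricing',
    'message' => "Hi,\n\nDo you offer volume discounts?",
);
// ...and a classic stuffing attempt: extra recipients smuggled into the
// From field and a fake Content-Type line at the top of the body.
$stuffed = array(
    'from'    => "alice@example.com\r\nBcc: victim1@example.org, victim2@example.org",
    'subject' => 'Question about pricing',
    'message' => "Content-Type: text/html\r\n\r\n<a href='http://example.com'>buy now</a>",
);

$required = array('from', 'subject', 'message');
var_dump(check_submission($clean, $required));
var_dump(check_submission($stuffed, $required));
echo strip_header_lines($stuffed['message']), "\n";
```

Run from the command line, the clean submission yields no errors, the stuffed one is refused because of the line break in its From field, and strip_header_lines drops the fake Content-Type line from its body. Note where the real risk lives: a CR/LF in any field that becomes a header (From, Subject, Reply-To, the recipients) lets the sender append arbitrary headers, which is why those fields are rejected outright rather than cleaned. Header-looking lines inside the body are just body text to the mail server, so stripping them is defence in depth rather than the main control.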

License and legal

spMailer is copyright (c) 2007 by Skypanther Studios (www.skypanther.com) and is written by Tim Poulsen - tim (at) skypanther.com. spMailer is free, open source software licensed under the GNU Lesser General Public License (LGPL). You may change or modify the software to suit your needs, at your own risk. spMailer uses phpMailer (http://phpmailer.sourceforge.net/) for mail sending and SMTP Authentication functions. phpMailer is licensed under the LGPL. Skypanther Studios assumes no responsibility and provides no support for problems resulting from modifying the source code.

THIS SOFTWARE AND THE ACCOMPANYING FILES ARE PROVIDED "AS IS" AND WITHOUT WARRANTIES AS TO PERFORMANCE OR MERCHANTABILITY OR ANY OTHER WARRANTIES WHETHER EXPRESSED OR IMPLIED. NO WARRANTY OF FITNESS FOR A PARTICULAR PURPOSE IS OFFERED. THE USER ASSUMES THE ENTIRE RISK OF USING THE SOFTWARE.

spMailer MAY NOT BE USED TO SEND UNSOLICITED COMMERCIAL EMAIL MESSAGES, AKA "SPAM", UNDER ANY CIRCUMSTANCES.

Donations

Donations in any amount are gladly accepted!
