3 replies to this topic

[ghost2012]

I've been using a friends code to send an sms message via php. The only issue is that on receiving the message it gives out the hosting servers name. Now this I know can lead to a security issue. So am I'm turning to you guys to see what is it that I've missed.

This code uses the mail function of PHP
The default sub is set to TestingText

Here is the general form:

 <form id="sms" name="sms" method="post" action="send.php">
<table width="400">
  <tr>
    <td align="right" valign="top">From:</td>
    <td align="left"><input name="from" type="text" id="from" size="30" /></td>
  </tr>
  <tr>
    <td align="right" valign="top">To:</td>
    <td align="left"><input name="to" type="text" id="to" size="30" /></td>
  </tr>
  <tr>
    <td align="right" valign="top">Carrier:</td>
    <td align="left"><select name="carrier" id="carrier">
      <option value="verizon">Verizon</option>
      <option value="tmobile">T-Mobile</option>
   <option value="sprint">Sprint</option>
   <option value="att">AT&T</option>
   <option value="virgin">Virgin Mobile</option>
    </select></td>
  </tr>
  <tr>
    <td align="right" valign="top">Message:</td>
    <td align="left"><textarea name="message" cols="40" rows="5" id="message"></textarea></td>
  </tr>
  <tr>
    <td colspan="2" align="right"><input type="submit" name="Submit" value="Submit" /></td>
    </tr>
</table>
</form>

And here is the php code:

 <?php
$from = $_POST['from'];
$to = $_POST['to'];
$carrier = $_POST['carrier'];
$message = stripslashes($_POST['message']);

if ((empty($from)) || (empty($to)) || (empty($message))) {
echo"Fail";
}

else if ($carrier == "verizon") {
$formatted_number = $to."@vtext.com";
mail("$formatted_number", "TestingText", "$message");

echo"Success";
}

else if ($carrier == "tmobile") {
$formatted_number = $to."@tomomail.net";
mail("$formatted_number", "TestingText", "$message");

echo"Success";
}

else if ($carrier == "sprint") {
$formatted_number = $to."@messaging.sprintpcs.com";
mail("$formatted_number", "TestingText", "$message");

echo"Success";
}

else if ($carrier == "att") {
$formatted_number = $to."@txt.att.net";
mail("$formatted_number", "TestingText", "$message");
echo"Success";
}

else if ($carrier == "virgin") {
$formatted_number = $to."@vmobl.com";
mail("$formatted_number", "TestingText", "$message");

echo"Success";
}
?>

If anyone has any idea of cloaking the hosting servers name. Let me know please.
Thanks all.

[Alexander]

As you should be aware all SMTP reciepts contain the originating server name, and the accepting host has the option to reveal it or not. You cannot "cloak" the host name without the target host dropping the e-mail for frame security reasons.

If you're claiming it is a "security risk" on the host name being displayed, it isn't. It's revealed for the opposite reason.

[ghost2012]

Nullw0rm said:

As you should be aware all SMTP reciepts contain the originating server name, and the accepting host has the option to reveal it or not. You cannot "cloak" the host name without the target host dropping the e-mail for frame security reasons.

If you're claiming it is a "security risk" on the host name being displayed, it isn't. It's revealed for the opposite reason.

The host I'm referring to is the hosting server not the site where the request is sent from. This is a sample of the script send yourself a text msg and you'll see what I'm referring to. Send someone you know an SMS message via Thumbalong.com

[Alexander]

Then all you will need to do is set up your own mail server, modify the SPF records and you'll be done.