
Thread: Using PHP to extract Source IP from email header input via HTML form

  1. #1
    Join Date
    May 2012
    Posts
    1

    Using PHP to extract Source IP from email header input via HTML form

    Hi,
    I am very much a noob at PHP and have been trying to get a web page up that extracts source IPs from an email header that has been pasted into a form.
    I can get the data into an array but am having massive trouble getting the IPs to print. I am pasting in the code I am using below. Please don't laugh too much; as I said, I am very new to this and have been trying to teach myself as I go.

    The html:
    <html>
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <title>Untitled Document</title>
    </head>

    <body>
    <p>Enter the headers here: </p>
    <p>&nbsp;</p>
    <form id="header" method="post" action="checkheader.php"><textarea name="headers" id="headers" class="box" rows="20" cols="130"></textarea>
    <input type="submit" />
    </form>

    </body>
    </html>
    The PHP:
    <?php
    $header=$_POST['headers'];
    $ipreg="/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/im";// /^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/
    preg_match_all("/Received:.*((?:\d+\.){3}\d+)/",$header,$stored);
    print_r($stored);
    echo count($stored);
    ?>
    And an example header (taken from a spam message)
    Return-Path: <kenken_8880@yahoo.com>
    Received: from fep08.mfe.bur.connect.com.au (mfep08.mbe.bur.connect.com.au [203.63.232.28])
    by mcn01 (Cyrus v2.1.18-CCA_b9) with LMTP; Sat, 28 Apr 2012 00:50:15 +1000
    X-Sieve: CMU Sieve 2.2
    Received: from fep08.mfe.bur.connect.com.au (localhost [127.0.0.1])
    by localhost.mfep08.connect.com.au (Postfix) with ESMTP id 6D9DB13355
    for <timbass@aapt.net.au>; Sat, 28 Apr 2012 00:50:15 +1000 (EST)
    Received: from bware04.bur.connect.com.au (bware04.bur.connect.com.au [210.8.230.175])
    by fep08.mfe.bur.connect.com.au (Postfix) with ESMTP id 5181A1334A
    for <timbass@aapt.net.au>; Sat, 28 Apr 2012 00:50:15 +1000 (EST)
    Authentication-Results: bware04.bur.connect.com.au
    header.from=kenken_8880@yahoo.com; domainkeys=neutral (no sig)
    Received: from nm17-vm10.bullet.mail.sg3.yahoo.com (nm17-vm10.bullet.mail.sg3.yahoo.com [106.10.149.89])
    by bware04.bur.connect.com.au (BorderWare Security Platform) with SMTP id FD5C78DA29008A4D
    for <timbass@aapt.net.au>; Sat, 28 Apr 2012 00:50:14 +1000 (EST)
    Received: from [106.10.166.120] by nm17.bullet.mail.sg3.yahoo.com with NNFMP; 27 Apr 2012 14:50:14 -0000
    Received: from [106.10.167.180] by tm9.bullet.mail.sg3.yahoo.com with NNFMP; 27 Apr 2012 14:50:13 -0000
    Received: from [127.0.0.1] by smtp153.mail.sg3.yahoo.com with NNFMP; 27 Apr 2012 14:50:13 -0000
    DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1335538213; bh=G/EpuDM1NHRGk3zqlboZHdgTsi7MZNxK5d2VM2G0KeA=; h=X-Yahoo-Newman-Id:X-Yahoo-Newman-Property:X-YMail-OSG:X-Yahoo-SMTP:Received:Message-ID:Date:From:Subject:To:Content-Type:MIME-Version:X-Mailer; b=bg3NakKWomvHD8JsrUcg38oY1wo7aIZmeLY2glPi9SweUkT8Eraag4rhTasTWDAzk6nH8lpprcm+CX28u1yHK0uCj51JTvmEu9 JG0anJmJB7qnx2C3H0j0kmQKzlR7MxmbgQtz6fdDasIN4SYyJt2invUlSeoB4e6Z0tlen9gBc=
    X-Yahoo-Newman-Id: 982234.55022.bm@smtp153.mail.sg3.yahoo.com
    X-Yahoo-Newman-Property: ymail-5
    X-YMail-OSG: ioQGUHQVM1khkn4gVNtG5fj3OvLcl02KaqzhSm835IHEEd2
    nPZ9Ve2PoKnwlpcntjCEQdCKmbW3dlmPslSS2EMzYSl32ntiWPxOwm0HE8eh
    TRoibAq13X2yNPvtV4YgofhnGg3Zk56t6UwEZdqdwmMHF3wkr6bZ_.E9DNLR
    X7r2QNmU8icr97WcgeyPUOjlZ9o_Bz._NStEOZ7TtFGeMZvIiBsH6xf8pP.k
    l0AhkP_LkA14x.cRElQxaNm6YIBYlqdLr7.Ry4zFHMOVDXXUMo4vBmx2lgg4
    2FfIahUb.iKvX13QiKkiFLTuobXM2eRAMRxe_NEX1V1vTqa4guruAA85qgDm
    GgWY18daVOj_7GmBp4kuIe6JtWMZ5jSt1Evf.S3r5rmDexCA03sKgwsGBrbz
    J8iJz1LCvHiaOqE4R0LviWpFbyxUltDSrAaiDFAI3Igy79o1Szr85qip.5R9
    GbvqPHjq2WBqECw--
    X-Yahoo-SMTP: VaaK2FWswBANOx4IY0VlY5PxOg2D.3jj
    Received: from [192.168.1.1] (kenken_8880@180.252.140.97 with login)
    by smtp153.mail.sg3.yahoo.com with SMTP; 27 Apr 2012 07:50:11 -0700 PDT
    Message-ID: <4F9A6CD5.37A1AFEE@smtp.mail.yahoo.com>
    Date: Fri, 27 Apr 2012 09:54:46 -0500
    From: "kenken_8880@yahoo.com" <kenken_8880@yahoo.com>
    Subject: FW: your arrest record
    To: timbasham@embarqmail.com
    Content-Type: multipart/alternative;
    boundary="nprc8bOdbL=_olGWFbMto1GfLmlfWflfo5"
    MIME-Version: 1.0
    X-Mailer: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:0.9.5+)
    Gecko/20011102
    X-BTI-AntiSpam: score:58,sta:66/030,dnsbl:passed,sw:passed,bsn:42/passed,spf:none,bsctr:off,dk:passed,pbmf:none,ipr:1/3,trusted:no,ts:no,bs:no,ubl:passed
    Received-SPF: none

  2. #2
    Join Date
    Jan 2006
    Posts
    605

    Re: Using PHP to extract Source IP from email header input via HTML form

    You can try to capture IP packets, whether UDP or RTP, from user space by going to the WinPcap website; they have proper documentation which is very straightforward to use.
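
Added example (not part of either post): the pattern in post #1 puts a greedy `.*` in front of the capture group, so the group keeps only the tail of the last address on each line (`3.63.232.28` rather than `203.63.232.28`), and `print_r` writes the pasted text back to the page unescaped. The PHP below unfolds the headers, takes each address from the `Received:` lines whole, validates it with `filter_var`, and escapes what it prints. The function name `extract_received_ips` and the `public` flag are assumptions made for illustration.

```php
<?php
// Added example: list the IPv4 addresses found in Received: lines of pasted headers.
function extract_received_ips(string $rawHeaders): array
{
    // Normalise line endings, then unfold continuation lines (a line that
    // starts with a space or tab continues the previous header field).
    $text = str_replace(["\r\n", "\r"], "\n", $rawHeaders);
    $text = preg_replace('/\n[ \t]+/', ' ', $text);

    $hops = [];
    foreach (explode("\n", $text) as $line) {
        if (stripos($line, 'Received:') !== 0) {
            continue; // not a trace field (also skips Received-SPF:)
        }
        // Lookarounds stop a match from starting or ending inside a longer
        // dotted number, so each address is captured whole.
        preg_match_all('/(?<!\d)(?<!\d\.)(?:\d{1,3}\.){3}\d{1,3}(?!\d|\.\d)/', $line, $m);
        foreach ($m[0] as $ip) {
            // Drop strings that only look like an address (e.g. 999.1.1.1).
            if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
                continue;
            }
            $public = filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4
                | FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
            $hops[] = ['ip' => $ip, 'public' => $public];
        }
    }
    return $hops;
}

// Sample input: three hops copied from the header in post #1, with continuation
// lines tab-indented as they would be in the raw message.
$sample = "Return-Path: <kenken_8880@yahoo.com>\r\n"
    . "Received: from bware04.bur.connect.com.au (bware04.bur.connect.com.au [210.8.230.175])\r\n"
    . "\tby fep08.mfe.bur.connect.com.au (Postfix) with ESMTP id 5181A1334A\r\n"
    . "Received: from [127.0.0.1] by smtp153.mail.sg3.yahoo.com with NNFMP; 27 Apr 2012 14:50:13 -0000\r\n"
    . "Received: from [192.168.1.1] (kenken_8880@180.252.140.97 with login)\r\n"
    . "\tby smtp153.mail.sg3.yahoo.com with SMTP; 27 Apr 2012 07:50:11 -0700 PDT\r\n"
    . "Received-SPF: none\r\n";

// In checkheader.php the argument would be $_POST['headers'] ?? ''.
foreach (extract_received_ips($sample) as $hop) {
    // Escape on output: everything derived from the form is untrusted input.
    echo htmlspecialchars($hop['ip'], ENT_QUOTES, 'UTF-8'),
         $hop['public'] ? '' : ' (private/reserved)', "\n";
}
```

Only the `Received:` lines written by mail servers you control are trustworthy; the lines below them are supplied by the sending side and can be forged, so treat those addresses as claims rather than facts.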
