Using PHP to extract Source IP from email header input via HTML form
Hi,
I am very much a noob at PHP and have been trying to get a web page up that extracts source IPs from an email header that has been pasted into a form.
I can get the data into an array but am having massive trouble getting the IPs to print. I am pasting in the code I am using below. Please don't laugh too much; as I said, I am very new to this and have been trying to teach myself as I go.
The html:
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Untitled Document</title>
</head>
<body>
<p>Enter the headers here: </p>
<p> </p>
<form id="header" method="post" action="checkheader.php"><textarea name="headers" id="headers" class="box" rows="20" cols="130"></textarea>
<input type="submit" />
</form>
</body>
</html>
The PHP:
<?php
$header=$_POST['headers'];
$ipreg="/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/im";// /^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/
preg_match_all("/Received:.*((?:\d+\.){3}\d+)/",$header,$stored);
print_r($stored);
echo count($stored);
?>
And an example header (taken from a spam message)
Return-Path: <kenken_8880@yahoo.com>
Received: from fep08.mfe.bur.connect.com.au (mfep08.mbe.bur.connect.com.au [203.63.232.28])
by mcn01 (Cyrus v2.1.18-CCA_b9) with LMTP; Sat, 28 Apr 2012 00:50:15 +1000
X-Sieve: CMU Sieve 2.2
Received: from fep08.mfe.bur.connect.com.au (localhost [127.0.0.1])
by localhost.mfep08.connect.com.au (Postfix) with ESMTP id 6D9DB13355
for <timbass@aapt.net.au>; Sat, 28 Apr 2012 00:50:15 +1000 (EST)
Received: from bware04.bur.connect.com.au (bware04.bur.connect.com.au [210.8.230.175])
by fep08.mfe.bur.connect.com.au (Postfix) with ESMTP id 5181A1334A
for <timbass@aapt.net.au>; Sat, 28 Apr 2012 00:50:15 +1000 (EST)
Authentication-Results: bware04.bur.connect.com.au
header.from=kenken_8880@yahoo.com; domainkeys=neutral (no sig)
Received: from nm17-vm10.bullet.mail.sg3.yahoo.com (nm17-vm10.bullet.mail.sg3.yahoo.com [106.10.149.89])
by bware04.bur.connect.com.au (BorderWare Security Platform) with SMTP id FD5C78DA29008A4D
for <timbass@aapt.net.au>; Sat, 28 Apr 2012 00:50:14 +1000 (EST)
Received: from [106.10.166.120] by nm17.bullet.mail.sg3.yahoo.com with NNFMP; 27 Apr 2012 14:50:14 -0000
Received: from [106.10.167.180] by tm9.bullet.mail.sg3.yahoo.com with NNFMP; 27 Apr 2012 14:50:13 -0000
Received: from [127.0.0.1] by smtp153.mail.sg3.yahoo.com with NNFMP; 27 Apr 2012 14:50:13 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1335538213; bh=G/EpuDM1NHRGk3zqlboZHdgTsi7MZNxK5d2VM2G0KeA=; h=X-Yahoo-Newman-Id:X-Yahoo-Newman-Property:X-YMail-OSG:X-Yahoo-SMTP:Received:Message-ID:Date:From:Subject:To:Content-Type:MIME-Version:X-Mailer; b=bg3NakKWomvHD8JsrUcg38oY1wo7aIZmeLY2glPi9SweUkT8Eraag4rhTasTWDAzk6nH8lpprcm+CX28u1yHK0uCj51JTvmEu9 JG0anJmJB7qnx2C3H0j0kmQKzlR7MxmbgQtz6fdDasIN4SYyJt2invUlSeoB4e6Z0tlen9gBc=
X-Yahoo-Newman-Id: 982234.55022.bm@smtp153.mail.sg3.yahoo.com
X-Yahoo-Newman-Property: ymail-5
X-YMail-OSG: ioQGUHQVM1khkn4gVNtG5fj3OvLcl02KaqzhSm835IHEEd2
nPZ9Ve2PoKnwlpcntjCEQdCKmbW3dlmPslSS2EMzYSl32ntiWPxOwm0HE8eh
TRoibAq13X2yNPvtV4YgofhnGg3Zk56t6UwEZdqdwmMHF3wkr6bZ_.E9DNLR
X7r2QNmU8icr97WcgeyPUOjlZ9o_Bz._NStEOZ7TtFGeMZvIiBsH6xf8pP.k
l0AhkP_LkA14x.cRElQxaNm6YIBYlqdLr7.Ry4zFHMOVDXXUMo4vBmx2lgg4
2FfIahUb.iKvX13QiKkiFLTuobXM2eRAMRxe_NEX1V1vTqa4guruAA85qgDm
GgWY18daVOj_7GmBp4kuIe6JtWMZ5jSt1Evf.S3r5rmDexCA03sKgwsGBrbz
J8iJz1LCvHiaOqE4R0LviWpFbyxUltDSrAaiDFAI3Igy79o1Szr85qip.5R9
GbvqPHjq2WBqECw--
X-Yahoo-SMTP: VaaK2FWswBANOx4IY0VlY5PxOg2D.3jj
Received: from [192.168.1.1] (kenken_8880@180.252.140.97 with login)
by smtp153.mail.sg3.yahoo.com with SMTP; 27 Apr 2012 07:50:11 -0700 PDT
Message-ID: <4F9A6CD5.37A1AFEE@smtp.mail.yahoo.com>
Date: Fri, 27 Apr 2012 09:54:46 -0500
From: "kenken_8880@yahoo.com" <kenken_8880@yahoo.com>
Subject: FW: your arrest record
To: timbasham@embarqmail.com
Content-Type: multipart/alternative;
boundary="nprc8bOdbL=_olGWFbMto1GfLmlfWflfo5"
MIME-Version: 1.0
X-Mailer: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:0.9.5+)
Gecko/20011102
X-BTI-AntiSpam: score:58,sta:66/030,dnsbl:passed,sw:passed,bsn:42/passed,spf:none,bsctr:off,dk:passed,pbmf:none,ipr:1/3,trusted:no,ts:no,bs:no,ubl:passed
Received-SPF: none
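One way to pull the addresses out of the Received: lines in the header above, as an added example that is not part of the original post. The function name `extract_received_ips` and its `$publicOnly` switch are assumptions; the sample is three Received: headers from the post with their continuation indentation restored.

```php
<?php
// Added example, not the poster's code. extract_received_ips() is a hypothetical name.

function extract_received_ips(string $rawHeaders, bool $publicOnly = false): array
{
    // Unfold continuation lines: a line break followed by space/tab continues the header.
    $unfolded = preg_replace('/\r?\n[ \t]+/', ' ', $rawHeaders);

    $flags = FILTER_FLAG_IPV4;
    if ($publicOnly) {
        // Drop private and reserved ranges such as 192.168.x.x and 127.0.0.1.
        $flags |= FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    }

    $hops = [];
    foreach (preg_split('/\r?\n/', $unfolded) as $line) {
        // Only "Received:" trace headers; this skips "Received-SPF:" and everything else.
        if (stripos($line, 'Received:') !== 0) {
            continue;
        }
        // Every dotted-quad candidate in the header, not just the last one on the line.
        preg_match_all('/(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?!\.?\d)/', $line, $m);
        $ips = [];
        foreach ($m[0] as $candidate) {
            // filter_var rejects out-of-range octets such as 999.1.1.1.
            if (filter_var($candidate, FILTER_VALIDATE_IP, $flags) !== false) {
                $ips[] = $candidate;
            }
        }
        $hops[] = array_values(array_unique($ips));
    }
    return $hops; // index 0 is the newest hop (top of the header block)
}

// Sample input taken from the post; in the web form this would be $_POST['headers'] ?? ''.
$sample = <<<'EOT'
Received: from fep08.mfe.bur.connect.com.au (mfep08.mbe.bur.connect.com.au [203.63.232.28])
    by mcn01 (Cyrus v2.1.18-CCA_b9) with LMTP; Sat, 28 Apr 2012 00:50:15 +1000
X-Sieve: CMU Sieve 2.2
Received: from fep08.mfe.bur.connect.com.au (localhost [127.0.0.1])
    by localhost.mfep08.connect.com.au (Postfix) with ESMTP id 6D9DB13355
Received: from [192.168.1.1] (kenken_8880@180.252.140.97 with login)
    by smtp153.mail.sg3.yahoo.com with SMTP; 27 Apr 2012 07:50:11 -0700 PDT
Received-SPF: none
EOT;

foreach (extract_received_ips($sample) as $i => $ips) {
    // Escape on output: the pasted header text is untrusted input to the page.
    echo 'Hop ', $i, ': ', htmlspecialchars(implode(', ', $ips), ENT_QUOTES, 'UTF-8'), "\n";
}
```

Only the Received: lines added by mail servers you control are reliable; anything below them was supplied by the sending side and can be forged.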
Re: Using PHP to extract Source IP from email header input via HTML form
You can try to capture IP packets, whether UDP or RTP, from user space by going to the WinPcap website; they have proper documentation which is very straightforward to use.