So I got this PHP code for a "Contact us" form online (I do not code PHP myself), but it contains my e-mail address in full. Does the following form make my e-mail safe from spammers?
contact.php file (real email has been replaced by MYEMAIL@COMPANY.COM):
<?php
// Contact Form
// Get posted data into local variables
$EmailFrom = Trim(stripslashes($_POST['EmailFrom']));
$EmailTo = "MYEMAIL@COMPANY.COM";
$Subject = "A User Has Contacted You";
$Name = Trim(stripslashes($_POST['Name']));
$Message = Trim(stripslashes($_POST['Message']));
// Validation
$validationOK=true;
if (Trim($EmailFrom)=="") $validationOK=false;
if (Trim($Name)=="") $validationOK=false;
if (Trim($Message)=="") $validationOK=false;
if (!$validationOK) {
print "<meta http-equiv=\"refresh\" content=\"0;URL=error.htm\">";
exit;
}
// Prepare email body text
$Body = "";
$Body .= "Name: ";
$Body .= $Name;
$Body .= "\n";
$Body .= "Message: ";
$Body .= $Message;
$Body .= "\n";
// Send E-Mail
$success = mail($EmailTo, $Subject, $Body, "From: <$EmailFrom>");
// Redirect to Success page
if ($success){
print "<meta http-equiv=\"refresh\" content=\"0;URL=success.htm\">";
}
else{
print "<meta http-equiv=\"refresh\" content=\"0;URL=error.htm\">";
}
?>
html snippet:
<form method="POST" action="contact.php">
...
</form>
I've read that e-mail addresses contained in PHP are completely safe from crawlers since it is all server side (that is assuming your server/site is secure). Not sure if this is true or not, there's so much information out there I couldn't find a definitive answer after searching online. If someone could confirm if this code is safe to use or not that would be great, thanks!
Unless they have access to that file and read it, you're fine. They can't get at it. It's all server side like you said.
The address is safe, except in the unlikely event that the file gets served as plain text and is readable (as Sean says), but you should read up on email injection attacks as you're vulnerable to those.
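A hardened take on the contact.php handler from the question, added here as an example (it is not code from the original posts): the visitor's address is validated and kept out of the From: header, and a submission is refused if a value bound for a header contains a line break. The function name build_contact_mail() and the example.com addresses are placeholders.

```php
<?php
// Added example: header-injection-safe version of the question's handler.
// build_contact_mail() and the addresses below are hypothetical placeholders.

const CONTACT_TO   = 'owner@example.com';             // stays server-side only
const CONTACT_FROM = 'Website <noreply@example.com>'; // an address on your own domain

/**
 * Returns [to, subject, body, headers] for mail(), or null when the
 * submission is incomplete or carries a line break in a header-bound field.
 */
function build_contact_mail(array $post): ?array
{
    $email   = trim((string)($post['EmailFrom'] ?? ''));
    $name    = trim((string)($post['Name'] ?? ''));
    $message = trim((string)($post['Message'] ?? ''));

    if ($email === '' || $name === '' || $message === '') {
        return null;
    }
    // CR or LF inside a header value would start a new header line,
    // so the whole submission is refused rather than "cleaned".
    if (preg_match('/[\r\n]/', $email . $name)) {
        return null;
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }

    $body = "Name: $name\nEmail: $email\nMessage: $message\n";
    // From: is fixed; the validated visitor address only appears in Reply-To.
    $headers = 'From: ' . CONTACT_FROM . "\r\nReply-To: <$email>";

    return [CONTACT_TO, 'A User Has Contacted You', $body, $headers];
}

// Constructed sample input: one normal submission, one with an injected header line.
$ok  = build_contact_mail(['EmailFrom' => 'visitor@example.org',
                           'Name' => 'Ann', 'Message' => 'Hello']);
$bad = build_contact_mail(['EmailFrom' => "visitor@example.org\r\nBcc: list@example.net",
                           'Name' => 'Ann', 'Message' => 'Hello']);
var_dump($ok !== null, $bad === null);

// In contact.php itself:
// if ($_SERVER['REQUEST_METHOD'] === 'POST' && ($m = build_contact_mail($_POST))) {
//     $success = mail($m[0], $m[1], $m[2], $m[3]);
// }
```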
Your e-mail is protected since it's all server side, unless for example he has FTP access to your website or you have some type of vulnerability.
Also you might want to consider something like this to prevent flooding.
session_start();
define('TIME_INTERVAL', 120);
// Refuse a second post from the same session within TIME_INTERVAL seconds
if(isset($_SESSION['ip']) && (time() - $_SESSION['last_post']) < TIME_INTERVAL)
{
die('stop spamming !');
}
$_SESSION['last_post'] = time();
$_SESSION['ip'] = $_SERVER['REMOTE_ADDR'];
Also regarding your e-mail validation you might wanna take a look at this, which also validates the domain of the email to see if it's an existing email server.
function validate_mail($email)
{
if (filter_var($email, FILTER_VALIDATE_EMAIL))
{
// split() was removed in PHP 7; explode() on "@" gives the local part and the domain
list($username,$domain)=explode('@',$email);
if(checkdnsrr($domain,'MX'))
{
return true;
}
}
return false;
}
Simple answer, you are safe. Because the PHP elements will only be processed on the server, therefore there is no way for anyone to see your email address.
Related
I am building my first site using an MVC framework, and the view that the user sees is determined by the $_GET['page'] variable. If you would like to see other code I can post it, but as far as I can tell, the code that is having the problem is displayed below. I'm not sure if it makes a difference, but this code is held in a different folder from the actual form itself, and all applicable files are included via the index folder and the include() command.
I am trying to redirect the user to a different page after submitting an email form, and have tried both header() and using window.location in JavaScript, but I am new to PHP and can't seem to get it to work, it just submits the form and sends the email.
<?php
ob_start();
$error = ""; $successMessage = "";
if ($_POST) {
if (!$_POST["email"]) {
$error .= "An email address is required.<br>";
}
if (!$_POST["subject"]) {
$error .= "A subject is required.<br>";
}
if (!$_POST["contactMessage"]) {
$error .= "A message is required.<br>";
}
if ($_POST['email'] && filter_var($_POST["email"], FILTER_VALIDATE_EMAIL) === false) {
$error .= "A valid email address is required.<br>";
}
if ($error != "") {
$error = '<div class="contactFormElement infoMessage" role="alert"><p><strong>There were error(s) in your form:</strong></p>' . $error . '</div>';
} else {
$emailTo = "example@example.com";
$subject = $_POST['subject'];
$contactMessage = $_POST['contactMessage'];
// Additional headers: one per line, each terminated with CRLF
$headers = "From: Mailer <mailer@example.com>\r\n";
$headers .= "Reply-To: ".$_POST['email']."\r\n";
$headers .= "Return-Path: ".$_POST['email']."\r\n";
if (mail($emailTo, $subject, $contactMessage, $headers)) {
header('Location: index.php');
exit();
} else {
$error = '<div class="contactFormElement infoMessage"><p><strong>Your message was not sent. Please try again later.</strong></p></div>';
}
}
}
ob_end_flush();
?>
I have tried to put header() where it is currently located in the code, as well as trying this javascript in its place
echo '<script type="text/javascript">
window.location = "http://www.google.com/"
</script>';
When I echo the javascript, all that it does is submit the form and display window.location = "http://www.google.com/" on the screen, it doesn't seem to actually execute the script, and with the header() command, it just exits the page, it doesn't redirect it.
Any help would be greatly appreciated, thank you!
This answer is simply for anyone looking at this question in the future. I was able to get the header(); function to work, but it required reworking how my entire site redirects between pages, so I wouldn't take anything that is displayed here very seriously, as this is my first attempt at coding anything by myself and has a lot of flaws.
Add ob_end_flush(); before header('..');
I love the PHP form I have and how it works, but can't figure out how to add the functionality to upload image files to it. I've spent the past couple hours googling various resources and experimenting with adding what seems to be correct, but haven't had any actual success.
I realize there's lots of information out there on this but I guess I just can't get my head around where and what to add to the code I have now (my experience with using and editing PHP is incredibly limited). This is probably very simple when it comes down to it and I feel silly asking at all but ultimately I haven't been able to get it on my own and I'm hopeful someone can point me in the right direction!
The form I am using:
<?php
if ($_SERVER["REQUEST_METHOD"] == "POST") {
$name = strip_tags(trim($_POST["name"]));
$name = str_replace(array("\r", "\n"), array(" ", " "), $name);
$email = filter_var(trim($_POST["email"]), FILTER_SANITIZE_EMAIL);
$phone = trim($_POST["phone"]);
$message = trim($_POST["message"]);
if (empty($name) OR empty($message) OR ! filter_var($email, FILTER_VALIDATE_EMAIL)) {
http_response_code(400);
echo "There was a problem with your submission. Please complete the form and try again.";
exit;
}
$recipient = "myemail@gmail.com";
$subject = "New message from $name";
$email_content = "Name: $name\n";
$email_content .= "Phone: $phone\n\n";
$email_content .= "Email: $email\n\n";
$email_content .= "Message:\n$message\n";
$email_headers = "From: $name <$email>";
if (mail($recipient, $subject, $email_content, $email_headers)) {
http_response_code(200);
echo "Thank You! Your message has been sent.";
} else {
http_response_code(500);
echo "Something went wrong and we couldn't send your message.";
}
} else {
http_response_code(403);
echo "There was a problem with your submission, please try again.";
}
?>
Thanks so much!
You can add attachments to the emails sent using the PHPMailer library with the "addAttachment" method (if you provide the path of the file) or the "addStringAttachment" method (if you provide the content of your file):
https://github.com/PHPMailer/PHPMailer/wiki/Tutorial
If you have trouble uploading a file on your server from an HTML file upload field, make sure you added the following attribute to the tag:
enctype="multipart/form-data"
In the PHP part, you will find the file's name/path in $_FILE, just move it where you want on your server. You can find some examples on this page: https://www.w3schools.com/php/php_file_upload.asp
Hope it helps ;)
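Before an uploaded file is moved or attached, it should be checked on the server. The following is an added example (not from the answer above) that validates one entry of PHP's $_FILES superglobal and stores it under a server-chosen name; the field name "photo", the size limit, the allowed types and the /var/uploads directory are assumptions.

```php
<?php
// Added example: validate an uploaded image before storing or attaching it.
// Field name, size limit, allowed types and target directory are assumptions.

const MAX_UPLOAD_BYTES    = 2 * 1024 * 1024;
const ALLOWED_IMAGE_TYPES = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];

/**
 * @param array  $file    one entry of $_FILES, e.g. $_FILES['photo']
 * @param string $destDir directory outside the web root
 * @return string path of the stored file
 * @throws RuntimeException when the upload must be rejected
 */
function store_uploaded_image(array $file, string $destDir): string
{
    // A nested 'error' array means several files were sent under one name.
    if (!isset($file['error']) || is_array($file['error'])
        || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed or malformed');
    }
    if ($file['size'] <= 0 || $file['size'] > MAX_UPLOAD_BYTES) {
        throw new RuntimeException('File size not allowed');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an HTTP upload');
    }
    // Decide the type from the file content, not from the client-supplied
    // name or $file['type'], both of which the sender controls.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!is_string($mime) || !array_key_exists($mime, ALLOWED_IMAGE_TYPES)) {
        throw new RuntimeException('Only JPEG, PNG or GIF images are accepted');
    }
    // Server-chosen random name: the original filename never reaches the path,
    // and the extension comes from the allowlist, so no .php can be stored.
    $dest = rtrim($destDir, '/') . '/' . bin2hex(random_bytes(16))
          . '.' . ALLOWED_IMAGE_TYPES[$mime];
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store upload');
    }
    return $dest;
}

// In the form handler ($mail is assumed to be a PHPMailer instance):
// try {
//     $path = store_uploaded_image($_FILES['photo'], '/var/uploads');
//     $mail->addAttachment($path);
// } catch (RuntimeException $e) {
//     http_response_code(400);
//     exit('There was a problem with the attached file.');
// }
```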
With an HTML contact form such as
HTML contact form
<h1>Contact Form</h1>
<p>Please fill in the following details and click on SEND.</p>
<form action="mail_contact.php" method="POST">
<p>Name<br> <input type="text" name="name"></p>
<p>Email Address<br> <input type="email" name="email"></p>
<p>Message<br><textarea name="message" rows="6" cols="50"></textarea><br>
<input type="submit" value="Send"><input type="reset" value="Clear"></p>
</form>
I am trying to stop spam messages getting through by checking for certain words being used in the message.
I have a .txt file which has words I want to filter for such as
File: spamwords.txt
CAN-SPAM
SEO
keywords
Keywords
In the PHP coding I have
mail_contact.php
<?php
// Create Variables
$name = $_POST['name'];
$email = $_POST['email'];
$message = $_POST['message'];
// Function to deal with errors
function died($error) {
echo 'We are very sorry, but there were error(s) found with the form you submitted.';
echo 'These errors appear below.<br><br>';
echo $error.'<br>';
echo 'Please press <b>back</b> and fix these errors.';
die();
}
// Validate email address
$error_message = "";
if(!filter_var($email, FILTER_VALIDATE_EMAIL)) {
$error_message .= 'The email address you entered does not appear to be valid.<br>';
}
if(strlen($error_message) > 0) {
died($error_message);
}
// Prevent spammers from using contact form
//Create an array containing the words in the message
$MessageArray = explode(" ", $message);
//Get SPAM words from file and store them in an array
$SpamWords = file_get_contents('/spamwords.txt');
$SpamArray = explode("\r\n", $SpamWords);
//Cycle through all the words in the message
foreach($MessageArray as $word){
//Check the word for SPAM words, if it is don't send the email
if(in_array($word, $SpamArray)){
echo '<h1>Spam Guard</h1>';
echo '<p>Here in European Community, the Privacy and Electronic Communications Regulations 2003 cover the sending of email marketing. This legislation says that organisations must only send marketing emails to anyone if they have agreed to receive them, except where there is a clearly defined customer relationship.</p>';
echo '<p>It appears that you are attempting to send an unsolicited message (e.g. a marketing message).</p>';
echo '<p>We as an organisation do not send unsolicited messages and we request that you do the same for us.</p>';
echo '<p>If you are not attempting to send an unsolicited message, there may be an error in the system so please accept our apologies.</p>';
die();
}
}
//If we've made it to this point, our message doesn't contain any obvious SPAM words
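// Formulate Email (double quotes so that \n and the variables are interpolated)
$name = str_replace(array("\r", "\n"), ' ', $name); // keep line breaks out of the From header
$formcontent="Message: \n $message \n \n From: $name $email";
$recipient = << my email address >>;
$subject = 'Contact Form Message';
$mailheader = "From: $name <$email> \r\n";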
mail($recipient, $subject, $formcontent, $mailheader) or die('Error!');
echo 'Thank you for contacting us. We will be in touch with you very soon via your email address<br>' . $email;
?>
When I test this out with a message containing the word SEO for example SEO test message it should display the Spam Guard message to the visitor - hence the echo commands - and then not send the email to me, but it displays the thank you message and sends me the email.
Can anyone see where I have gone wrong as it has stumped me
[Additional Note]
I have been using a CAPTCHA mechanism but some still get through
Your explode function needs double quotes around its delimiter:
$SpamArray = explode("\r\n", $SpamWords);
With single quotes, explode will attempt to split on the \r\n literal.
Or you could use file() instead of filter_get_contents() which will return the file as an array, with each line per key. trim() each line that's returned and you have your resulting array:
$SpamArray = array_map("trim", file('/spamwords.txt'));
Eureka!!!
I had to take the forward slash out of $SpamWords = file_get_contents('/spamwords.txt');
mail_contact.php [Edited]
<?php
// Create Variables
$name = $_POST['name'];
$email = $_POST['email'];
$message = $_POST['message'];
// Function to deal with errors
function died($error) {
echo 'We are very sorry, but there were error(s) found with the form you submitted.';
echo 'These errors appear below.<br><br>';
echo $error.'<br>';
echo 'Please press <b>back</b> and fix these errors.';
die();
}
// Validate email address
$error_message = "";
if(!filter_var($email, FILTER_VALIDATE_EMAIL)) {
$error_message .= 'The email address you entered does not appear to be valid.<br>';
}
if(strlen($error_message) > 0) {
died($error_message);
}
// Prevent spammers from using contact form
//Create an array containing the words in the message
$MessageArray = explode(" ", $message);
//Get SPAM words from file and store them in an array
$SpamWords = file_get_contents('spamwords.txt');
$SpamArray = explode("\r\n", $SpamWords);
//Cycle through all the words in the message
foreach($MessageArray as $word){
//Check the word for SPAM words, if it is don't send the email
if(in_array($word, $SpamArray)){
echo '<h1>Spam Guard</h1>';
echo '<p>Here in European Community, the Privacy and Electronic Communications Regulations 2003 cover the sending of email marketing. This legislation says that organisations must only send marketing emails to anyone if they have agreed to receive them, except where there is a clearly defined customer relationship.</p>';
echo '<p>It appears that you are attempting to send an unsolicited message (e.g. a marketing message).</p>';
echo '<p>We as an organisation do not send unsolicited messages and we request that you do the same for us.</p>';
echo '<p>If you are not attempting to send an unsolicited message, there may be an error in the system so please accept our apologies.</p>';
die();
}
}
//If we've made it to this point, our message doesn't contain any obvious SPAM words
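// Formulate Email (double quotes so that \n and the variables are interpolated)
$name = str_replace(array("\r", "\n"), ' ', $name); // keep line breaks out of the From header
$formcontent="Message: \n $message \n \n From: $name $email";
$recipient = << my email address >>;
$subject = 'Contact Form Message';
$mailheader = "From: $name <$email> \r\n";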
mail($recipient, $subject, $formcontent, $mailheader) or die('Error!');
echo 'Thank you for contacting us. We will be in touch with you very soon via your email address<br>' . $email;
?>
Check this out, it will be useful
Spam Word Blocker PHP
You can generate a random variable name and a random value for a hidden input and save them in the session. After the form is submitted you can check them in the $_REQUEST var. Also you can use the interval between form rendering and submitting. Don't try to check spam words, just protect from bots, and don't use a simple captcha.
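The hidden-field and timing check suggested above, written out as an added example (not code from the original answer). The function names, the session keys and the 3-second threshold are assumptions; a plain array stands in for $_SESSION so the demonstration runs on its own.

```php
<?php
// Added example: random hidden field plus minimum fill time.
// Function names, session keys and the threshold are assumptions.

const MIN_FILL_SECONDS = 3;

/** Call when rendering the form; returns the hidden <input> to embed in it. */
function issue_form_token(array &$session): string
{
    $session['ft_name']  = 'f_' . bin2hex(random_bytes(8));  // random field name
    $session['ft_value'] = bin2hex(random_bytes(16));        // random field value
    $session['ft_time']  = time();                           // when the form was rendered
    return sprintf('<input type="hidden" name="%s" value="%s">',
        $session['ft_name'], $session['ft_value']);
}

/** Call on submit; true only if the token matches and the form was not filled instantly. */
function check_form_token(array &$session, array $post, ?int $now = null): bool
{
    $now   = $now ?? time();
    $name  = $session['ft_name']  ?? null;
    $value = $session['ft_value'] ?? null;
    $time  = $session['ft_time']  ?? null;
    // Single use: a replayed POST finds nothing left to compare against.
    unset($session['ft_name'], $session['ft_value'], $session['ft_time']);

    if ($name === null || $value === null || $time === null) {
        return false;                       // form was never rendered for this session
    }
    if (!isset($post[$name]) || !is_string($post[$name])
        || !hash_equals($value, $post[$name])) {
        return false;                       // field missing or value wrong
    }
    return ($now - $time) >= MIN_FILL_SECONDS;
}

// Constructed demonstration.
$session = [];
issue_form_token($session);
$post    = [$session['ft_name'] => $session['ft_value'], 'message' => 'hi'];
$tooFast = check_form_token($session, $post, time());        // submitted instantly

issue_form_token($session);
$post    = [$session['ft_name'] => $session['ft_value'], 'message' => 'hi'];
$human   = check_form_token($session, $post, time() + 10);   // submitted 10 s later
$replay  = check_form_token($session, $post, time() + 20);   // same POST sent again

var_dump($tooFast, $human, $replay);
```

On a real page, call session_start() and pass $_SESSION and $_POST to these functions.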
I'm using a PHP form to forward data to an email address. Everything seems to work fine except that the error message ["You have not entered an email"] appears when the page is loaded, before any input from the user is entered, rather than through validation when submitted.
The form is here http://www.soulwatt.com/contact.php
Note: I found this PHP code online after doing a search on how to forward data to email, so it is not mine. Please excuse the lack of proper code formatting.
<?php
$to = $_REQUEST['sendto'] ;
$from = $_REQUEST['Email'] ;
$name = $_REQUEST['Name'] ;
$headers = "From: $from";
$subject = "soulwatt.com Contact Data!!";
$fields = array();
// Square brackets: curly-brace array access was removed in PHP 8
$fields["Name"] = "Name";
$fields["Company"] = "Company";
$fields["Email"] = "Email";
$fields["Phone"] = "Phone";
$fields["list"] = "Mailing List";
$fields["Comments"] = "Comments";
$body = "Soul Watt has received the following information:\n\n";
foreach($fields as $a => $b) {
$body .= sprintf("%20s: %s\n",$b,$_REQUEST[$a]);
}
$headers2 = "From: noreply@soulwatt.com";
$subject2 = "Thank you for contacting Soul Watt!";
$autoreply = "Thank you for contacting us. Somebody will get back to you as soon as possible, usually within 48 hours. If you have any more questions, please consult our website at www.soulwatt.com";
if($from == '') {
print "You have not entered an email. Please enter your email and try again.";
}
else {
if($name == '') {
print "You have not entered a name.<br />Please enter your name and try again.";
}
else {
$send = mail($to, $subject, $body, $headers);
$send2 = mail($from, $subject2, $autoreply, $headers2);
if($send) {
print "<p><span>THANK YOU FOR CONTACTING US!</span></p>";
print "<p><span>Someone will get back to you as soon as possible, usually within 48 hours. If you need immediate assistance regarding booking Soul Watt, please call Randy at (828) 729-3199.</span></p>";
}
else {
print "<p><span>We encountered an error sending your mail, please notify webmaster@soulwatt.com</span></p>";
}
}
}?>
Thanks for your help!
These 2 lines:
$from = $_REQUEST['Email'] ;
if($from == '') {
print "You have not entered an email. Please enter your email and try again.";
}
Mean that you check the email request (POST and GET) key. The first time you load this page this WILL be empty. You could add a check if there was a POST at all, for instance if there was submitted.
To be honest, there might be a lot of problems with your code: a user can add all sorts of stuff in there, probably even add stuff in the headers to add 'to' fields and all.. You might be making a spam-machine here. This part: $headers = "From: $from"; just adds the request field FROM in your headers....
You'd want to wrap your validation section in
if ($_SERVER['REQUEST_METHOD'] == 'POST') {
... do validation here ...
}
... print form here ...
That will only run the validation code AFTER you submit the form. As it stands now, it's running each time the page is loaded, so of course there's no form data to validate the first time around.
Do your form fields have the same name that you're checking?
I mean for
$from = $_REQUEST['Email'];
You should have
<input type='text' name='Email' /> <!-- Note the Capital E -->
I add my comments here:
Use $_POST or $_GET. Avoid $_REQUEST. That way you've more control over your app.
Also, don't check emptiness with =="" try empty($from)
OK So if the form is on http://www.soulwatt.com/contact.php and you have
<form method="post" action="contact.php" name="contact_form" id="contact_form">
action="contact.php" : That means it is processing the form on the same address so you will see the results of the form processing on the same page, and since the form is empty, and you're checking it regardless of it having been posted or not, you get that error
The following code sends me an email holding the following variables. One of the last if statements says if(mail) then echo "You will be contacted soon". When the script runs I get echoed back "You will be contacted soon", however, I never receive an email.
I do have a smaller contact script (posted after this first and larger one) that does work.
Note: constants.php and functions.php are both included and work fine
WEBMASTER_EMAIL is defined in constants.php and is correct, because
my smaller contact script uses the same variable, and emails me fine.
Thanks for the help
<?php
// pull constant variables
include("php/constants.php");
error_reporting (E_ALL ^ E_NOTICE);
$post = (!empty($_POST)) ? true : false;
if($post) {
include ("php/functions.php");
}
// general info
$name = stripslashes($_POST['contact']);
$phone = $_POST['phone'];
$email = trim($_POST['email']);
$time_to_reach = $_POST['time-to-reach']; // what the best time to reach them?
// delivery info
$delivery_address = $_POST['del-address'];
$delivery_city = $_POST['del-city'];
$delivery_state = $_POST['del-state'];
$delivery_zip = $_POST['del-zip'];
// moving city info if applicable
$moving_address = $_POST['move-address'];
$moving_city = $_POST['move-city'];
$moving_state = $_POST['move-state'];
$moving_zip = $_POST['move-zip'];
// date needed
$month = $_POST['month'];
$day = $_POST['day'];
$year = $_POST['year'];
// how long do you need the storage?
$storage_length = $_POST['time-length'];
// how many containers do you need?
$quantity_containers = $_POST['number-of-containers'];
// how did you hear about us?
$tracker = $_POST['tracker'];
// message
$message_holder = htmlspecialchars($_POST['message']);
$error = '';
// check general info
if(!$name) { $error .= 'Please enter your name.<br />'; }
if(!$email) { $error .= 'Please enter an e-mail address.<br />'; }
if($email && !ValidateEmail($email)) { $error .= 'Please enter a valid e-mail address.<br />'; }
if(!$time_to_reach) { $error .= 'Please select the best time to reach you.<br />'; }
// check delivery info
if(!$delivery_address) { $error .= 'Please enter your current address.<br />'; }
if(!$delivery_city) { $error .= 'Please enter your current city.<br />'; }
if(!$delivery_state) { $error .= 'Please enter your current state.<br />'; }
if(!$delivery_zip) { $error .= 'Please enter your current zip code.<br />'; }
// check date needed
if(!$month) { $error .= 'Please enter the approximate date you need the storage.<br />'; }
if(!$day) { $error .= 'Please enter the approximate date you need the storage.<br />'; }
if(!$year) { $error .= 'Please enter the approximate date you need the storage.<br />'; }
// check length of time needed
if(!$storage_length) { $error .= 'Approximately how long will you need the storage unit for?<br />'; }
// check quantity of storages
if(!$quantity_containers) { $error .= 'How many containers will you need?<br />'; }
// check advertising tracker
if(!$tracker) { $error .= 'Please let us know how you\'ve heard of us.<br />'; }
// check message (length)
if(!$message_holder || strlen($message_holder) < 10) {
$error .= "Please enter your message. It should have at least 10 characters.<br />";
}
// build email message
$message = "Name: {$name}
Phone: {$phone}
Email: {$email}
Best time to reach: {$time_to_reach}\n
-----------------------------------------------------
Delivery address: {$delivery_address}
{$delivery_city}, {$delivery_state} {$delivery_zip}
Moving address: {$moving_address}
{$moving_city}, {$moving_state} {$moving_zip}
-----------------------------------------------------
Date needed: {$month}/{$day}/{$year}
Length of time needed: {$storage_length}
Number of containers: {$quantity_containers}
Where did you hear about us?
{$tracker}\n
Message: {$message_holder}\n";
if(!$error) {
$mail = mail(WEBMASTER_EMAIL, $subject, $message,
"From: residential-quote@stocor.com\r\n"
."Reply-To: ".$name."<".$email.">\r\n"
."X-Mailer: PHP/" . phpversion());
if($mail) {
echo '<p>Thank you, you will be contacted soon.</p>';
}
} else {
echo '<div class="notification_error">'.$error.'</div>';
}
?>
The following script, contact script, does work meaning I receive an email.
<?php
// pull constant variables
include("php/constants.php");
error_reporting (E_ALL ^ E_NOTICE);
$post = (!empty($_POST)) ? true : false;
if($post) {
include ("php/functions.php");
}
// variables
$name = stripslashes($_POST['name']);
$phone = $_POST['phone'];
$email = trim($_POST['email']);
$tracker = $_POST['tracker'];
$message_holder = htmlspecialchars($_POST['message']);
$error = '';
// check name
if(!$name) {
$error .= 'Please enter your name.<br />';
}
// check email
if(!$email) {
$error .= 'Please enter an e-mail address.<br />';
}
// validate email
if($email && !ValidateEmail($email)) {
$error .= 'Please enter a valid e-mail address.<br />';
}
// check advertising tracker
if(!$tracker) {
$error .= 'Please let us know how you\'ve heard of us.';
}
// check message (length)
if(!$message_holder || strlen($message_holder) < 10) {
$error .= "Please enter your message. It should have at least 10 characters.<br />";
}
// build email message
$message = "Name: {$name} \n
Phone: {$phone} \n
Email: {$email} \n
Where did you hear about us?
{$tracker}\n\n
Message: {$message_holder}\n";
if(!$error) {
$mail = mail(WEBMASTER_EMAIL, $subject, $message,
"From: contact@stocor.com\r\n"
."Reply-To: ".$name."<".$email.">\r\n"
."X-Mailer: PHP/" . phpversion());
if($mail) {
//header("Location: thank_you.php");
echo "Thank you. You will be contacted soon.";
}
} else {
echo '<div class="notification_error">'.$error.'</div>';
}
?>
Using the naked mail function is just asking for trouble ( http://en.wikipedia.org/wiki/E-mail_injection , PHP specific info: http://www.damonkohler.com/2008/12/email-injection.html ), and prevents simple debugging. I suggest you use an object wrapper around the mail function, both because this has benefits when you filter the headers, by making it a non-standard target for PHP mail form header injection spammers, and by allowing you to debug the messages easier by just dumping the created mail object and reviewing its contents. For debugging it also allows you to provide a "just echo out the mail at the end" alternative for local testing on machines where you don't have/don't want to have a mail server, and don't want to even try to send out mail while you're just testing functionality.
Here is a wrapper (freely available for modification and use) that I created and use myself:
http://github.com/tchalvak/ninjawars/blob/master/deploy/lib/obj/Nmail.class.php
Alternatively just check out PEAR mail: http://pear.php.net/package/Mail/
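A minimal sketch of such a wrapper, added here as an example; it is not the Nmail class linked above nor PEAR Mail, and the class and method names are hypothetical. Every header passes through one check, an empty subject or body is refused, and a dry run prints the message instead of calling mail().

```php
<?php
// Added example: small wrapper around mail(); SafeMail and its methods are hypothetical.

final class SafeMail
{
    private $to;
    private $subject;
    private $body;
    private $headers = [];

    public function __construct(string $to, string $subject, string $body)
    {
        $this->to      = self::singleLine($to);
        $this->subject = self::singleLine($subject);
        $this->body    = $body;
    }

    /** The only way a header gets into the message. */
    public function addHeader(string $name, string $value): void
    {
        if (!preg_match('/^[A-Za-z0-9-]+$/', $name)) {
            throw new InvalidArgumentException('Bad header name');
        }
        $this->headers[$name] = self::singleLine($value);
    }

    private static function singleLine(string $v): string
    {
        if (preg_match('/[\r\n]/', $v)) {
            throw new InvalidArgumentException('Line break in header value');
        }
        return $v;
    }

    /** The full message as text, for logging or local inspection. */
    public function dump(): string
    {
        $out = "To: {$this->to}\nSubject: {$this->subject}\n";
        foreach ($this->headers as $n => $v) {
            $out .= "$n: $v\n";
        }
        return $out . "\n" . $this->body;
    }

    public function send(bool $dryRun = false): bool
    {
        if ($this->subject === '' || trim($this->body) === '') {
            throw new LogicException('Refusing to send an empty subject or body');
        }
        if ($dryRun) {               // local testing: no mail server involved
            echo $this->dump();
            return true;
        }
        $lines = [];
        foreach ($this->headers as $n => $v) {
            $lines[] = "$n: $v";
        }
        return mail($this->to, $this->subject, $this->body, implode("\r\n", $lines));
    }
}

// Constructed demonstration; all addresses are placeholders.
$m = new SafeMail('owner@example.com', 'Quote request', "Name: Ann\nPhone: 555-0100\n");
$m->addHeader('From', 'quotes@example.com');
try {
    // Constructed hostile form value carrying an extra header line.
    $m->addHeader('Reply-To', "ann@example.org\r\nBcc: list@example.net");
} catch (InvalidArgumentException $e) {
    $m->addHeader('Reply-To', 'quotes@example.com');   // fall back to a fixed address
}
$m->send(true);   // dry run
```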
It's not jumping out at me, why don't you try turning the errors all the way up and see if that works.
error_reporting(E_ALL);
At the top of the script.
EDIT: Sorry, I see now you do have error reporting turned on. Make sure your INI file is set properly too. Try removing the ^ E_NOTICE so that you see those warnings, too.
I've had problems where mail() wouldn't say anything at all (and it would execute as if successful) when it didn't really. If you're bent on using mail(), you can use SwiftMailer, which generally throws helpful exceptions when something goes awry and includes a transport class Swift_MailTransport which uses mail() but is all dressed up in a nice object-oriented interface.
So, due to the nature of the problem (mail is being accepted for delivery - $mail is true), the problem is likely in the message content. Do you have access to the mail server itself? Can you check the logs? var_dump() the $subject, $message, and set the headers to a var and var_dump() that as well. Examine the contents with a fine tooth comb. Remove suspect characters and line breaks until it does work.
One thing to try... (though, the fact that your other mail is being accepted says this is likely not the case)
http://www.php.net/manual/en/function.mail.php
If messages are not received, try using a LF (\n) only. Some poor quality Unix mail transfer agents replace LF by CRLF automatically (which leads to doubling CR if CRLF is used). This should be a last resort, as it does not comply with RFC 2822.
The problem with mail() is that it's just feeding mail to the local sendmail daemon. It doesn't give you any active feedback on the mail, and the relay headers sometimes get you spam de-rated.
I'd check out http://sourceforge.net/projects/phpmailer/
Try wrapping lines in the message to 70 characters with
$message = wordwrap($message, 70);
Try replacing \r\n in the additional headers with \n in case your mail function is replacing \n for \r\n and you're ending-up with \r\r\n