How to? send an E-Mail using LUA - Developers

Hello! I'd like to know what the code/library would be to use for having a garrysmod server send an email (either by connecting to POP/SMTP or some other way, not fussed). I did a google and came up with the 'socket' library, but that result was from 2009 and no longer works. I can't find anything else. I'm putting together a script so players can alert admins who are not online if the server is being attacked. MySQL will probably do the job I'm trying to do but having a simple email alert on my cell phone seems a lot easier, the infrastructure is there already and I can add other admins' email addresses easily later. Thanks Tim

Easiest way would be to do a POST request to a webserver with the data you want in the e-mail, and have a script send the e-mail [editline]4th August 2013[/editline] You'd certainly have to add something to stop abuse though.

What's a POST request? What you're suggesting sounds like a good way to go as I have access to a webserver

Not without a module, no. You could maybe use lua to communicate with a php script that would do it, but that is sloppy and is ripe for exploitation. The idea doesn't make much sense to me though. I, for one, do not check my email that often. How does your system even detect that the server is being "attacked"?

[QUOTE=SashaWolf;41708419]Not without a module, no. You could maybe use lua to communicate with a php script that would do it, but that is sloppy and is ripe for exploitation. The idea doesn't make much sense to me though. I, for one, do not check my email that often. How does your system even detect that the server is being "attacked"?[/QUOTE] How is a POST requeste to a PHP script asking for exploitation? If you have a smartphone then chances are you'll get push notifications when you get the e-mail, which is what I assume OP is talking about.

[QUOTE=Banana Lord.;41708568]How is a POST requeste to a PHP script asking for exploitation? If you have a smartphone then chances are you'll get push notifications when you get the e-mail, which is what I assume OP is talking about.[/QUOTE] ^this by attacked I mean, someone prop spamming, pushing, general mingebaggery... The players online can submit a request for help to admins. There are of course limits on the frequency they can be submitted edit: Banana showed me the http.Post command, which can submit to php forms in the same way a php form normally handles $_POST, it's a little round-about but super simple and I know php, so no problem :) thanks

Lets say a player F5's this for awhile: [URL="http://www.mygaywebsite.com/reportdacheeter.php?report=CHEETER"]www.mygaywebsite.com/reportdacheeter.php?report=CHEETER[/URL] IS IN THE SERVER HELP ADMENS RIP mailbox. Also, if you do use php, don't make the message sent a parameter like I did up there. Having a player do it ingame a bunch of times would result in the same effect. You say there are limits, but even if they can email once every minute or five minutes, just imagine the spam. Even legitimate players will spam if the minge is in there long enough. Then again, I'm just being a smartass right now. I'm sure you can iron out flaws like that, just make sure you do. If I found out a server had a system like that, it's like the equivelent of placing a big red button in front of me and expecting me not to push it.

[QUOTE=SashaWolf;41708771]Lets say a player F5's this for awhile: [URL="http://www.mygaywebsite.com/reportdacheeter.php?report=CHEETER"]www.mygaywebsite.com/reportdacheeter.php?report=CHEETER[/URL] IS IN THE SERVER HELP ADMENS RIP mailbox. Also, if you do use php, don't make the message sent a parameter like I did up there. Having a player do it ingame a bunch of times would result in the same effect. You say there are limits, but even if they can email once every minute or five minutes, just imagine the spam. Even legitimate players will spam if the minge is in there long enough. Then again, I'm just being a smartass right now. I'm sure you can iron out flaws like that, just make sure you do. If I found out a server had a system like that, it's like the equivelent of placing a big red button in front of me and expecting me not to push it.[/QUOTE] that's true, but having one of the POST vars used like a 'key' which must match the PHP script will prevent anyone from executing the script outside of the gmod server, as well, the script can be set to be executable only by the gmod server's IP

[QUOTE=SashaWolf;41708771]Lets say a player F5's this for awhile: [URL="http://www.mygaywebsite.com/reportdacheeter.php?report=CHEETER"]www.mygaywebsite.com/reportdacheeter.php?report=CHEETER[/URL] IS IN THE SERVER HELP ADMENS RIP mailbox. Also, if you do use php, don't make the message sent a parameter like I did up there.[/QUOTE] What holds you back from using some sort of security system? Generate a key and use it for the POST request. If the submitted key is not valid, then do not send an email. [editline].[/editline] Ninja'd

Firstly I suggest having something like this running on some webserver (you'll need to set up PHP's mail() function properly in php.ini) [code] <?php $password = "mysecretpassword"; if ( !isset( $_POST[ "key" ] ) || $_POST[ "key" ] != $password ){ die("Bad key."); } else { $admins = array( "admin1@hotmail.com", "admin2@yourmother.com", "etc@etc.etc" ); $subjet = isset( $_POST[ "subject" ] ) ? $_POST[ "subject" ] : "Default subject"; $message = isset( $_POST[ "msg" ] ) ? $_POST[ "msg" ] : "Assistance is required on " . $_SERVER[ "REMOTE_ADDR" ] . " server."; foreach ( $admins as $email ) { mail( $email, $subjet, $message ); } echo "OK"; } ?> [/code] Then on your SERVER you could have something like this : [lua] local reports = {}; local vote_count = 3; local player_cooldown = {}; net.Receive( "ReportSomething", function( ply, len ) // The table that's sent as paramters the PHP script local data = { ["key"] = "mysecretpassword" }; if ( !ply:IsAdmin() ) then if (player_cooldown[ ply:SteamID() ] && player_cooldown[ ply:SteamID() ] + 120 <= CurTime()) then return; end player_cooldown[ ply:SteamID() ] = CurTime(); else data.message = net.ReadString(); data.subjet = net.ReadString(); http.Post( "www.mywebsite.com/myscript.php", data, function() end, function() end ); return; end // Read the innicdent index local index = net.ReadInt( 32 ); if ( reports[ index ] ) then reports[ index ] = reports[ index ] + 1; else reports[ index ] = 1; end if ( reports[ index ] >= vote_count ) then http.Post( "www.mywebsite.com/myscript.php", data, function() end, function() end ); table.remove( reports, index ); end end); [/lua] And then you could add some front-end on the client. The code above stops people from reporting things more than once every 2 minutes and requires 3 people to vote on a report before it's emailed. [editline]4th August 2013[/editline] It's essential that the client does not know this "key", make sure the script that sends it isn't shared with the clients.

Why are we using secret keys? Just don't let the script run if the originating IP isn't the game machine's main IP.. [editline]4th August 2013[/editline] Also beware of mail header injection: [url]http://www.phpsecure.info/v2/article/MailHeadersInject.en.php[/url]

[QUOTE=thejjokerr;41711734]Because you can spoof the IP and so can't trust any POST info just on the IP delivered in the packet. Having a secret key that has to be stolen in some way is more secure, having both is even better.[/QUOTE] If you have someone spoofing the gameserver's main IP address to e-mail bomb you then you have much, much larger issues on your hand. How is the client supposed to find the location of the e-mail script anyway? I think we're over complicating and over thinking this.

also make sure you add something at the bottom unique like "GMODSERVERREQUESTASDASDASD" or something that isn't going to be caught in other emails. so that you can search it and just delete all the emails if you get bombed.

[QUOTE=Banana Lord.;41716700]If you have someone spoofing the gameserver's main IP address to e-mail bomb you then you have much, much larger issues on your hand.[/QUOTE] Not really. Just because someone can spoof an IP doesn't automatically mean that they can do other worse things. In fact, if that's the worse someone with technical skill can do to your server, it is safe to assume that you aren't really under too much threat. Anyway, from what I understand of how IP works, spoofing the IP is as easy as using raw sockets to send a custom packet with the origin address set to that of the server. There's even a lua module that gives you access to raw sockets, putting this sort of attack in range of most people who code for gmod. You are right, though, we are definitly thinking too much into this. However, adding countermeasures for the offchance that someone tries to misuse something you create is never a bad idea.

[QUOTE=SashaWolf;41721881]Not really. Just because someone can spoof an IP doesn't automatically mean that they can do other worse things. In fact, if that's the worse someone with technical skill can do to your server, it is safe to assume that you aren't really under too much threat. Anyway, from what I understand of how IP works, spoofing the IP is as easy as using raw sockets to send a custom packet with the origin address set to that of the server. There's even a lua module that gives you access to raw sockets, putting this sort of attack in range of most people who code for gmod. You are right, though, we are definitly thinking too much into this. However, adding countermeasures for the offchance that someone tries to misuse something you create is never a bad idea.[/QUOTE] I don't see why this even requires thought. Perhaps the chances of someone exploiting your script via IP spoofing is slim, but that in no way justifies not adding 10 lines of code. There are no downsides using keys, only upsides. This same mindset should be encouraged and practised too, you should never rely on the chance someone doesn't notice a security floor in your programs/software/scripts. Otherwise bad things happen. I once found a server that allowed clients to explicitly set their rank in ULX by sending net messages. I talked with the owner and he said that it was fine because sv_allowcslua was set to 0 and that no one would've known without snooping in their scripts. The moral of the story is bad things happen when you leave the backdoor open.

Thanks for the discussion :) I have both a key in the script as well as IP restrictions, just to make sure. The email account is a gmail account I set up specifically for this so, if I do get bombed, it's not the end of the world. If anybody would like the code, feel free to PM me.