Is my form mail script being used to send spam?
March 15, 2006 6:40 AM   Subscribe

I have a website with a feedback form script. Suddenly, over the past week, I've been getting a lot of weird, spam-like mail sent to me via this script. (It doesn't actually sell products--it just contains gibberish, of the sort that might be used to confuse spam filters.) I'm more worried that my feedback form is being used to spam other people. How can I figure out if this is the case? And either way, how can I stop abuse of my feedback form?

You can see the feedback form page at . Below is a sample of the weird e-mails I've been getting.
Received: from ( [])
by (Postfix) with ESMTP id 549B7EFE44
for ; Tue, 14 Mar 2006 09:58:47 -0800 (PST)
Received: from ( [])
by (Postfix) with ESMTP id 4E55CEE235;
Tue, 14 Mar 2006 09:58:47 -0800 (PST)
Received: by (Postfix, from userid 44434)
id 37AA8603A4; Tue, 14 Mar 2006 09:58:47 -0800 (PST)
Subject: Feedback Form Results
Content-Type: multipart/alternative; boundary=e9a039f0704f05be6921da0ddf3c3a33
MIME-Version: 1.0
Subject: accommodate them. owever, he added
Message-Id: <2>
Date: Tue, 14 Mar 2006 09:58:47 -0800 (PST)

Content-Type: text/plain; charset=\"us-ascii\"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

nd so she is, sir. he s as honest as the day. . o you call it honest to steal my geese . he didn t steal them, sir. t was me that stole them. . h nd why the devil did you
posted by yankeefog to Computers & Internet (11 answers total)
Well, there's a certan technique that's used to send spam via email forms. What they do is, include SMTP instructions directly in the email, so that when your PHP script opens a network connection with your email sever, it sends one text file but the email server sees it as two (or more) seperate emails.

here is some more info I googled up.
posted by delmoi at 6:59 AM on March 15, 2006

Um, by the way your email address,


(except with 'newsuperhero' in place of the hyphens) is in plain text in those headers you pasted....
posted by delmoi at 7:02 AM on March 15, 2006

any legit email addresses you typed above will now be inundated with spam due to appearing on ask, fyi.
posted by dobbs at 7:03 AM on March 15, 2006

is hard-coded into the form?
(i.e., is it a variable in the php script or a constant?)

if the latter, you're probably not guilty of spamming anyone else. if it's a variable, then you want to fix your leaky script. The page isn't loading right now so I can't see to check.
posted by handee at 7:03 AM on March 15, 2006

Response by poster: any legit email addresses you typed above will now be inundated with spam due to appearing on ask, fyi.

D'oh! Talk about a self-fulfilling AskMe. Oh, well. I'll just abandon that address.

Handee, it's hard-coded, so that's good.

Delmoi, thanks for the link. Very helpful. I've made the change they suggested, but I'm not a clever spammer, so I'm not sure how to try the spammer's trick and see if I have blocked it. Would somebody be willing to try to hijack that form post for me and see if it works?
posted by yankeefog at 8:15 AM on March 15, 2006

The googlable term is email form header injection. Spammer tries to insert extra header lines in the outgoing email, so that email spam can be sent to arbitrary addresses through the form. (The form can be hardcoded to mail To: you, but if they can slip in an extra header line of BCC:,, then they can spam-bomb the world.) Notice how they're adding extra header lines that duplicate already-existing ones? Solution: heavy filtering of the data that gets mailed, including especially newline and linefeed characters. Plenty of Google links that show you what to do.
posted by jellicle at 8:30 AM on March 15, 2006

PHP Mailer is the way to go.
posted by blag at 9:17 AM on March 15, 2006

When spammers first start feeling out your contact form, they'll send a series of test messages, each attempting a different exploit. You'll get e-mails each time.

Note that having your e-mail address hard-coded will not prevent your form from being used to send spam; I thought that until a few months ago, when my own http logs revealed how wrong I was. Jellicle's link will explain more.
posted by waldo at 9:33 AM on March 15, 2006

Just make sure that your form script will properly escape various forms of whitespace (carriage return, newline, and so on.) The common way of doing this is submitting the form with a "subject" of e.g. "subject\r\nTo:" which if naively processed will result in that To: line being inserted in the generated message.

If you are worried about it, just strip all characters except [0-9a-zA-Z,.:@!- ] from all form input fields before doing anything. Or have the script create a log somewhere that lists every message sent and the full values of each field. Or use a script that has been proven secure.
posted by Rhomboid at 4:16 PM on March 15, 2006

We had loads of similar e-mails like that too, and I thought they were harmless. After a week or two, our web host informed us that they had to disable our website due to spammers utilizing injection attacks to send mass mails.

Turns out that the series of mails sent out earlier, similar to what you've received, is a round of "testing" to find out if the injection is possible on your scripts. has an informative article about this.

You can also drop me an e-mail; I've modified our PHP form processors to filter out spam injection attempts. I will be glad to share it with you.
posted by arrowhead at 8:22 PM on March 15, 2006

Response by poster: Thanks, everybody, for all the help. After beating my head for a brief time against some of the propose solutions, I ended up taking a step backwards, rethinking my site design, and deciding that I really didn't need a feedback form. Instead, I've just put an e-mail address up (modified slightly to prevent spammers from getting it.)

I'm not marking Best Answer for this thread because it's one of those great AskMe's where every answer is a best one.

Thanks again!
posted by yankeefog at 1:52 AM on March 19, 2006

« Older Good distance learning schools?   |   Wild Turkeys Newer »
This thread is closed to new comments.