Thu 1 Dec 2005
Many web forms use PHP's mail() function to send mail, most often to the site owner. The problem is that many of them do not validate the submitted data, so the script can be tricked into sending mail to any recipient with an altered message body. Most of these forms let the user enter a subject and/or an e-mail address, which is then used as the "From:" header of the outgoing mail. All a spammer has to do to send spam through such a form is to put text like the following into the subject field:
Some subject here
Bcc: john@domain1.com, jack@domain2.com

Here goes the spam body

Note that the value submitted as the subject must contain one newline character between the subject and the Bcc: line and two newline characters between the Bcc: line and the body.
So all a spammer has to do is try inserting text with newline characters into some (or all) of the form fields, and your server will start sending spam.
The problem is that spammers know this and are currently using it widely. A few days ago I was receiving a few hundred mails a day from AOL reporting that mail originating from my network had been marked as spam by users (you can register for free for this service here: http://postmaster.aol.com/tools/fbl.html). Forcing hundreds of users whose forms were abused to validate their input data was not an option, so I developed a patch for PHP's mail() function that checks whether the subject or to fields contain newline characters, or whether the additional-headers parameter contains two consecutive newline characters, and in that case throws a warning and does not send the mail. You can download it here:
http://www.titov.net/php-nospam.patch
It was developed for PHP 4.4.1 and it works for me. For a few days now no user (out of thousands) has reported any negative consequences of this patch, so give it a try.
If you're a PHP developer, feel free to include the code or the idea in the PHP source. I'd appreciate a credit in the ChangeLog if you do.
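Because the patch lives inside the interpreter and a form cannot rely on every host having it, the same checks can be done in the form handler itself. The following is an added example, not the author's patch or any PHP project code; the form field names, the owner address and the sample submissions are constructed for illustration. It rejects a newline in To or Subject and a blank line in the additional headers, as the patch does, and additionally rejects any newline in the user-supplied From address, which a double-newline check on the headers alone would let through as a single extra header line.

```php
<?php
// Added example (not the author's patch): a userland guard that applies
// the same checks before mail() is called. $_POST['subject'],
// $_POST['email'], $_POST['message'] and the addresses below are
// constructed for illustration.

/**
 * Return the reasons the given mail() arguments must be rejected,
 * or an empty array when they are safe to pass on.
 *
 *  - $to and $subject each become a single header line, so one CR or LF
 *    inside them is enough to append a header such as "Bcc:".
 *  - $headers legitimately holds several lines, so a lone newline is
 *    expected there; what must not appear is a blank line (two line
 *    breaks in a row, optionally with spaces between), which ends the
 *    header block and turns everything after it into a new body.
 */
function mail_injection_errors($to, $subject, $headers)
{
    $errors = array();
    if (preg_match('/[\r\n]/', $to)) {
        $errors[] = 'newline in To';
    }
    if (preg_match('/[\r\n]/', $subject)) {
        $errors[] = 'newline in Subject';
    }
    if (preg_match('/(\r\n|\r|\n)[ \t]*(\r\n|\r|\n)/', $headers)) {
        $errors[] = 'blank line in additional headers';
    }
    return $errors;
}

/**
 * Build the headers from a user-supplied From address and send only when
 * nothing is wrong. Like the patch, it warns and refuses to send instead
 * of silently stripping characters.
 */
function safe_form_mail($to, $subject, $body, $from)
{
    // A single newline in $from would add one header line without
    // producing a blank line, so the From address needs its own check.
    if (preg_match('/[\r\n]/', $from)) {
        trigger_error('newline in From address, mail not sent', E_USER_WARNING);
        return false;
    }
    $headers = 'From: ' . $from . "\r\n" . 'Reply-To: ' . $from;
    $errors = mail_injection_errors($to, $subject, $headers);
    if (count($errors) > 0) {
        trigger_error('mail header injection rejected: ' . implode(', ', $errors),
            E_USER_WARNING);
        return false;
    }
    return mail($to, $subject, $body, $headers);
}

// Demonstration on constructed input; nothing is sent here.
$owner = 'owner@example.com';   // fixed recipient, never taken from the form

// An ordinary submission: no errors reported.
print_r(mail_injection_errors($owner, 'Question about your site',
    'From: visitor@example.net'));

// The submission shown in the post, arriving in the subject field:
// reported as "newline in Subject".
$injected = "Some subject here\nBcc: john@domain1.com, jack@domain2.com\n\nHere goes the spam body";
print_r(mail_injection_errors($owner, $injected, 'From: visitor@example.net'));

// How a real handler would wire it up (fields are constructed names):
// safe_form_mail($owner, $_POST['subject'], $_POST['message'], $_POST['email']);
```

The recipient is hard-coded rather than read from the form, so the To check only guards against a programming mistake elsewhere; the Subject and From checks are the ones that stop the pattern described above.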