Email Spamming

         

adamnichols45

12:43 pm on Jan 4, 2009 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I keep getting spam sent from my website at least 2 x 3 times a day. It is coming from <snip>@gmail.com and the message is always "good site"

Anybody else? What is this?

[edited by: lawman at 1:35 pm (utc) on Jan. 4, 2009]

rocknbil

3:04 pm on Jan 4, 2009 (gmt 0)




"From my website" - form processor?

A robot is pointed at your script. There are a good number of ways to thwart these; the most important thing you can do is have your script log all raw input from forms and treat it like the poison it is.

The greatest danger here is if they are able to modify the headers via the input fields. That is, if I realize your subject or mail-from field goes directly into an email, and I can add a newline to that input field, I can do this:

$_POST['subject'] = 'Hi\nBCC:address1@example.com,address2@example.com....';

In reality a \n is not used; a hex or octal equivalent is sent to bypass normal filtering.

You get one email. Your account is used to send thousands via BCC and you never know it. Log your data to see what they are up to.

Form abuse thread [webmasterworld.com] (one of many.)

adamnichols45

3:40 pm on Jan 4, 2009 (gmt 0)




Thanks mate,

I'm not sure how I would go about logging data. How about if I introduce a captcha type script so that people have to input the letters and numbers they see etc?

adamnichols45

3:43 pm on Jan 4, 2009 (gmt 0)




more info here:

the sender is

From: PiYIyqIOiNstmnKmR (EXAMPLE@gmail.com)

return path. mydomain.co.uk@hosts.co.uk

rocknbil

3:59 pm on Jan 4, 2009 (gmt 0)




The actual sender is irrelevant; it's probably automatically generated. Probably not even a real email address.

A captcha might help, but it's not permanent and can be beaten (I've seen it done on vBulletin). It depends on how determined they are. Some of the advice from that thread is along the same lines, and much simpler: generate a random question ("What is five plus six?").

No matter what works, you always want to know what's being input. Logging is the easiest thing to do in *any* server side language. For PHP:


// Define your log somewhere, make sure it's writable:
$mail_log = '/full/path/to/log/off/domain/root/if/possible/mail-log.txt';
$max_log_size = 100000; // So it doesn't become a hog

// Start the log over ("w") once it reaches the size limit, otherwise append ("a")
$filemode = (filesize($mail_log) >= $max_log_size) ? "w" : "a";
$ip = getenv('REMOTE_ADDR');
$currDate = date("D, m-d-Y h:i:s A");

// Entry header: when the form was submitted and from which address
$input_content = "
============================================
DATE/TIME: $currDate IP: $ip
============================================
";

// Record every submitted field exactly as it arrived
foreach ($_POST as $key => $value) {
    $input_content .= $key . ": " . $value . "\n";
}

if (is_writable($mail_log)) {
    if (!$file = fopen($mail_log, $filemode)) {
        die("Cannot open $mail_log in $filemode mode");
    }
    if (fwrite($file, $input_content) === FALSE) {
        die("Cannot write to $mail_log");
    }
    fclose($file);
}
else { die("Mail log is not writable"); }

die would actually be a reference to a templated output, and while going through the input, add a hook to check for spammy patterns - but this is how you start knowing the enemy.
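
As an added example (not part of any post in this thread and not the poster's code): one form the "hook to check for spammy patterns" could take, rejecting values that would let a form field break out into extra mail headers such as BCC. The function names, the field names and the sample submissions are assumptions constructed for illustration.

```php
<?php
// Added example: helper names and sample data are hypothetical.

// Return why a value is unsafe to place in a mail header, or null if it looks clean.
function header_injection_reason(string $value): ?string
{
    // Also judge the percent-decoded form, so a leftover "%0A" is treated
    // as the newline it turns into if anything decodes it later.
    foreach ([$value, rawurldecode($value)] as $candidate) {
        // CR, LF or NUL can end the current header and start a new one.
        if (preg_match('/[\r\n\x00]/', $candidate)) {
            return 'line break or NUL in header field';
        }
        // Header names do not belong inside a name, address or subject.
        if (preg_match('/\b(bcc|cc|content-type|mime-version)\s*:/i', $candidate)) {
            return 'embedded mail header name';
        }
    }
    return null;
}

// Check only the fields that end up in mail headers; returns field => reason.
function check_form(array $post, array $header_fields): array
{
    $problems = [];
    foreach ($header_fields as $field) {
        $value = $post[$field] ?? '';
        if (!is_string($value)) {
            $problems[$field] = 'not a plain string'; // e.g. subject[]=x
            continue;
        }
        $reason = header_injection_reason($value);
        if ($reason !== null) {
            $problems[$field] = $reason;
        }
    }
    return $problems;
}

// Constructed sample submissions: one clean, two carrying a smuggled BCC header.
$samples = [
    ['name' => 'Ann', 'email' => 'ann@example.com', 'subject' => 'Quote request'],
    ['name' => 'x', 'email' => 'x@example.com', 'subject' => "Hi\nBCC:address1@example.com"],
    ['name' => 'x', 'email' => 'x@example.com%0ABcc:address2@example.com', 'subject' => 'good site'],
];
foreach ($samples as $i => $post) {
    $problems = check_form($post, ['name', 'email', 'subject']);
    echo "sample $i: ", $problems ? 'REJECT ' . json_encode($problems) : 'ok', "\n";
}
```

Run the check after the raw input has been logged and before anything is passed to the mail function, so rejected attempts still show up in the log.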

adamnichols45

6:00 pm on Jan 5, 2009 (gmt 0)




I introduced a captcha but they must be using a cached version of the script because I am still getting those annoying emails.

I am confident it has been hijacked.

rocknbil

11:06 pm on Jan 5, 2009 (gmt 0)




How is that possible? Even a 'bot pointed to a script will change output if you change it. Are there multiple copies on your server? Did you give it to someone else, and maybe it's not even coming from your domain?

Figure out how to log. This is how you start. :-)