I have seen very similar emails coming from a contact form on our website. It seems to be an injection attack. They try to inject their own email headers into the message sent by the mailing script. The one hitting my server tests each of the inputs on the form. I think that if the injection is successful then a message is sent to the AOL email account with a blind carbon copy (bcc: ****@aol.com). With this information they can start sending out spam using the vulnerability found on the server. For more information google the aol.com email address you posted. It seems to be probing quite a few servers.

From what I can tell the attempts made seem to be an automated process coming from multiple IP addresses from various parts of the world. You need to make sure your mail scripts do not allow headers to be inserted. For my contact page form I have hardcoded all the headers (subject, to, from) into the script. Since it can't inject it's headers all it can do is annoy me with the resulting garbage emails. If you need to allow the visitor to change a mail header then make sure and strip all newlines (\r and \n) from the inputs. You could also try checking for "bcc:" and not sending the email if it finds it.

How do I insert code preventing the headers? I use a php mailer.

You would only be vulnerable if you allowed visitors to change a mailing header in a form. For example, if you let the user change the Subject or the To address of the email with a form input. If you only allow visitors to change the content of the message (and you have the requisite newline separating the header from the content) then you are safe. If you do allow users to change mail headers, you could try something like this in your PHP code for each vulnerable input:

$variable1 = str_replace("\n","",$variable1);
$variable1 = str_replace("\r","",$variable1);
$variable2 = str_replace("\n","",$variable2);
$variable2 = str_replace("\r","",$variable2);
etc...

Or you could create a function and check the variables with it:

function check_input($in) {
$out = str_replace(array("\n","\r"),"",$in);
// Put any other filtering you need here
return $out;
}

$variable1 = check_input($variable1);
$variable2 = check_input($variable2);
etc…

You would still receive the garbage emails but they wouldn't be able to exploit your server. You could also put some code on the server to detect and not send garbage emails. Something like checking each variable for "bcc:" and killing the script without emailing if it finds it. The PHP function stristr could be used for this.

I'm glad you know what I'm talking about. :) How about an email graphic validation? How and where can I find articles about this type of validation?