
PHP mail forms being exploited?

misuse of PHP mail form


shaityam

2:12 pm on Apr 5, 2007 (gmt 0)

10+ Year Member



I have a couple of HTML forms on my web site (nothing much, just 4 fields, 3 text and 1 drop down). The results are emailed to my address when someone fills and submits. I have a JavaScript validation in place which is working fine.
The email script is very simple and uses the PHP mail() function. I perform an HTTP_REFERER check as well as a check for the correct email format [both employ ereg()]. If everything is correct (i.e. the HTTP_REFERER has my domain name "www.mydomain.com") and passes server-side validation, an email is sent to me and the visitor is sent back to the page he/she was viewing.
I do get a bit of spam, which is fine (a few emails a day). However, coming to the crux of the problem:
One day I found that my web site had been offline for a day! I contacted the web hosting company and they told me that the site was down because I had been sending more than 500 emails PER HOUR! (which was consuming most of the processor power, so my site had been pulled down).
Obviously, it was not "me" doing that so they told me that the email scripts are being exploited by "someone". To cut the long story short, I had to remove those scripts.
Can anyone tell me where I was going wrong? And how should I rewrite my script?
[Thanks for reading such a descriptive post :-)]

whoisgregg

2:47 pm on Apr 5, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Welcome to WebmasterWorld [webmasterworld.com], shaityam!

Here's a good library thread about mail() header injection attacks [webmasterworld.com]. :)

cmarshall

2:48 pm on Apr 5, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Welcome to WebmasterWorld!

You should never, EVER allow the end user to specify the destination address. ALWAYS defer the addressing of the message until it is into the sending code (don't use hidden fields).

You also have to be careful about them inserting headers into the subject and body. That's a pretty common trick.

Filter your subject lines and body text for some header keywords, like "to:", "cc:", "from:", etc. Note the colons.

On my site, if you try this, you get a "tastes like spam" message.

Of course, there are always things like captcha.
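
Here is an added example (not code from this thread or from any of its posters) of a PHP form handler built on cmarshall's advice: the recipient is fixed in the script rather than taken from the form, the single-line fields are rejected if they contain a line break or a header keyword with its colon, and the "tastes like spam" message is returned instead of sending. The constants, field names and function names are my own placeholders; filter_var() stands in for the deprecated ereg() email check.

```php
<?php
declare(strict_types=1);

// Constructed example, not code from the thread. The addresses,
// field names and message texts below are placeholders.

const CONTACT_RECIPIENT = 'owner@example.com';   // fixed server-side, never from the form
const CONTACT_FROM      = 'webform@example.com'; // fixed From address

/**
 * True when a single-line field carries a header injection attempt:
 * a raw or URL-encoded line break (the only way to start a new header line),
 * or one of the header keywords the thread lists, colon included.
 */
function looks_like_header_injection(string $value): bool
{
    if (preg_match('/[\r\n]|%0[aAdD]/', $value) === 1) {
        return true;
    }
    return preg_match('/^\s*(to|cc|bcc|from|content-type|mime-version):/im', $value) === 1;
}

/** filter_var() replaces the deprecated ereg() check; it also rejects line breaks. */
function is_valid_email(string $email): bool
{
    return filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}

/**
 * Validates a submission. Returns the mail() arguments on success, or
 * null with $error set when the message "tastes like spam".
 */
function build_message(array $post, ?string &$error = null): ?array
{
    $name    = trim((string) ($post['name'] ?? ''));
    $email   = trim((string) ($post['email'] ?? ''));
    $subject = trim((string) ($post['subject'] ?? ''));
    $body    = (string) ($post['message'] ?? '');

    if ($name === '' || $subject === '' || $body === '') {
        $error = 'missing field';
        return null;
    }
    if (!is_valid_email($email)) {
        $error = 'invalid email address';
        return null;
    }
    // Name and subject end up in header lines, so they must stay single-line
    // and free of header keywords. The body may contain line breaks, but a
    // line that looks like a header is rejected too, as the thread advises.
    foreach ([$name, $subject] as $field) {
        if (looks_like_header_injection($field)) {
            $error = 'tastes like spam';
            return null;
        }
    }
    if (preg_match('/^\s*(to|cc|bcc|from|content-type|mime-version):/im', $body) === 1) {
        $error = 'tastes like spam';
        return null;
    }

    // Headers are assembled here, from constants and validated values only.
    $headers = "From: " . CONTACT_FROM . "\r\n"
             . "Reply-To: " . $email . "\r\n"
             . "Content-Type: text/plain; charset=UTF-8\r\n";
    $text = "Name: {$name}\nEmail: {$email}\n\n{$body}\n";

    return [CONTACT_RECIPIENT, "[Contact form] " . $subject, $text, $headers];
}

/** Sends a validated submission; returns false (with $error) when rejected. */
function send_contact_message(array $post, ?string &$error = null): bool
{
    $args = build_message($post, $error);
    if ($args === null) {
        return false;
    }
    [$to, $subject, $text, $headers] = $args;
    return mail($to, $subject, $text, $headers);
}

// Demonstration on two constructed submissions (run from the CLI; no mail is sent).
$clean = ['name' => 'Jane Doe', 'email' => 'jane@example.net',
          'subject' => 'Question about pricing', 'message' => "Hello,\nhow much is it?"];
$injected = $clean;
$injected['subject'] = "hi\r\nBcc: victim1@example.org, victim2@example.org";

foreach (['clean' => $clean, 'injected' => $injected] as $label => $post) {
    $error  = null;
    $result = build_message($post, $error);
    echo $label, ': ', $result === null ? "rejected ({$error})" : 'accepted', PHP_EOL;
}
```

The decisive check is the line-break test: a new header can only begin after a CR or LF, so a field that contains neither cannot add one no matter what words it holds. The keyword filter is the thread's own heuristic and will also reject the odd legitimate subject that starts with "From:"; keep it if you want the belt as well as the braces. Note that the visitor's address only ever appears in Reply-To, after validation, and that the destination address never leaves the script.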

shaityam

7:48 pm on Apr 9, 2007 (gmt 0)

10+ Year Member



Thank you whoisgregg and cmarshall. I got that sorted out. I did know about SQL injection but had no idea that the mail() function could be exploited in this manner. Now I use an array as suggested by whoisgregg and also a captcha (thanks cmarshall). Maybe this is overkill, but it's better to be safe.