Can someone help me from receiving these spam messages through contact form

09-11-2005, 03:13 PM
Hi all,

Can someone please tell me if the following is a common spam problem... I have several hosting accounts on a shared server, and we all seem to be getting 100s of messages sent through our contact form, which uses a simple mailform script. Each form field result comes back as zfsd@jeztechs.com or something similar, like the example below...

bzmfbqkn@jeztechs.com has submitted the Jeztechs Enquiry Form
Their details are as follows:

Email Address: bzmfbqkn@jeztechs.com
Country: bzmfbqkn@jeztechs.com
State: bzmfbqkn@jeztechs.com
Content-Type: multipart/mixed; boundary="===============1205436919=="
MIME-Version: 1.0
Subject: 43114a4e
To: bzmfbqkn@jeztechs.com
bcc: bergkoch8@aol.com
From: bzmfbqkn@jeztechs.com

This is a multi-part message in MIME format.

Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit


URL: bzmfbqkn@jeztechs.com

May we telephone you:
Telephone Number: bzmfbqkn@jeztechs.com
Template Number: bzmfbqkn@jeztechs.com

Is this common...and is there an easy way I can adjust the mailform script to stop this.

Many thanks in advance

09-11-2005, 04:08 PM
You could add one of those anti-bot images or ban the email address.

09-11-2005, 05:01 PM
This is an email injection attack (http://securephp.damonkohler.com/index.php/Email_Injection) which seems to be taking place across the net (http://www.anders.com/cms/75/Crack.Attempt/Spam.Relay) on a pretty large scale. If you search Google for the aol email address used in the Bcc: field you'll find it all over unattended guestbooks and forums. (There are a couple of other aol accounts they use as well.)

One solution is in this thread, http://www.codingforums.com/showthread.php?t=67546.

09-12-2005, 03:40 AM
Is it possible (and legal) to crash such a spam bot? If so, does anyone know how to do it?

I received 105 emails in the last 2 days, many of which had Bcc: jrubin3546@aol.com, which is another common address used in these attacks. Tonight I used code to search for strings such as "%0A," "Content-Type," etc., and die if those strings are submitted. As an extra precaution, I moved all of the inputted variables including sender name and email to the body instead of the headers, so nobody can enter anything into the headers.

Someone also suggested adding a hidden field to the form, not allowing POSTs into the script, and not executing the mail script if the hidden field's variable is not submitted. Because of the way the spam bot works, it will probably miss the hidden field.

Last night I set the script up to send me not only the REMOTE_ADDR but also the X-Forwarded-For, the referring URL to the form, and the URL of the page that contained the form. In ALL of the emails, the referrer and X-Forwarded-For were blank, and the form was supposedly at mydomain.com and mydomain.com/index.html, even though the contact form is not actually located on my home page, and there is no index.html in my root directory. After contacting tech support for my host, here is what I was told:

We examined our access logs and found out that the attacker submits the messages with empty referral and user agent HTTP headers.

Your account is not compromised nor are our servers. Since you already filtered incoming messages, you should not be flooded with such messages any more. There is not much more that can be done as the bots use trivial POST requests to the contact forms.

So I would guess that it's not possible to crash the spam bots, but I thought I would ask, just in case.

Another thing I noticed is, for many emails that did not contain Bcc: jrubin3546, the IPs were random. Then there would be a block of emails all from the same IP, and some of them would have jrubin3546 in them. Then more random IPs with no jrubin in any of them, then another block with the same IP (different from the previous block) and a few of them containing jrubin. Of the email blocks with the same IPs, 2 of the IPs went to Italy, one went to France, and the two in Italy were two different companies. I don't know what all this means, but maybe someone else here will know if this info can be used productively.

The IPs, whether randomly generated somehow or routed through someone else's compromised systems, tell me that crashing the spam bots probably isn't a possibility. But I'm no expert in this area, so I could be wrong.

Email addresses that have been associated with these attacks:


Notice they are all AOL. If anyone here has AIM and wants to look up their profiles, it would be interesting to see if these screen names still exist. Since they were still doing it tonight, I doubt AOL has done anything about it. :rolleyes:

09-12-2005, 04:33 AM
Something else you can do is test the "from" email address by using a regular expression. This will test to see that they're only using one "from" email address (so you don't end up doing a reply-all when you answer the inquiry) and that the addy they're using is in proper format, for example:

// eregi() was removed in PHP 7; preg_match() with the i flag performs the same case-insensitive test
if (preg_match('/^[a-zA-Z0-9._-]+@[a-zA-Z0-9._-]+\.([a-zA-Z]{2,4})$/i', $_POST['from'])) {
    // set up and send the email
} else {
    // error message
}

09-12-2005, 04:49 AM
That's a good suggestion, vinyl-junkie, but after looking at these injection attacks in a few guestbooks, it seems that many times the attempted injection can occur in the name or subject field, and only one email address may or may not be in the email field. So yes, it would catch many of them, but not all.

I received two more of these emails after my last script change, and they were both blank form submissions. Using a regex like you suggest should account for this one (I think?), since a blank email doesn't contain an @ or a dot.

There is one thing that all of these injection attacks seem to have in common, and that is whatever email address they enter (if the form isn't submitted blank), it always contains the domain name of the form being attacked. Therefore, everyone should add a check in their script to see if the email address contains their domain name and not send an email if this is the case. Of course, this is only a good suggestion if no legitimate person submitting the form has an email address with that domain, but how often does that happen on a contact form?

To avoid spam in places other than email, people should also be using these techniques in their guestbooks and in other places where people can post without an account.

09-12-2005, 05:02 AM
There is one thing that all of these injection attacks seem to have in common, and that is whatever email address they enter (if the form isn't submitted blank), it always contains the domain name of the form being attacked. Therefore, everyone should add a check in their script to see if the email address contains their domain name and not send an email if this is the case.
Ah yes. I neglected to mention that I had beefed up my contact form with a check for this very thing also.

// checking to see if the sender is using napathon.net (my domain) as their email address;
// strpos() returns false when the domain is absent and 0 when it sits at offset 0, so compare against false
$fromtest = strpos($from, 'napathon.net');
if ($from == "" || $fromtest !== false) {
    header("location: $YourWebsiteURL");
    exit;
}
I also have code that tests to see if the message being sent is fewer than 10 characters in length (you can adjust that as you wish):

// Send 'em back to the contact form if their message is fewer than 10 characters in length
if (strlen($message) <= 10) {
    header("location: $contactURL");
    exit;
}

BTW, my contact form was spammed recently (first time that had ever happened, and I've been using it for a while). That's why I made these changes.

This thread and the other one mentioned both have some excellent suggestions! :thumbsup:
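Pulling the suggestions from this thread together (line-break and header-keyword checks, a single well-formed sender address, rejecting the site's own domain, a hidden form field, the short-message check, and keeping user input out of the headers), here is an added example of a hardened mailform handler; it is not code from any poster. The domain, recipient mailbox and field names are assumptions to replace with your own.

```php
<?php
// Added example, not code from the thread: one handler that combines the
// checks the posts above describe. $ownDomain, $recipient and the field
// names are assumptions; replace them with your own form's values.

$ownDomain = 'example.com';           // domain the form lives on (assumed)
$recipient = 'enquiries@example.com'; // mailbox the form delivers to (assumed)
// A value bound for a mail header must not carry a line break or a header
// keyword; that is how the Bcc:/Content-Type: lines in the thread got in.
function looksLikeInjection(string $value): bool
{
    if (preg_match('/[\r\n]/', $value)) {
        return true;
    }
    return (bool) preg_match('/\b(bcc|cc|content-type|mime-version)\s*:/i', $value);
}

function submissionIsValid(string $from, string $name, string $message, string $ownDomain): bool
{
    // Exactly one well-formed address (filter_var rejects lists and newlines).
    if (filter_var($from, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    // The bots fill the sender with an address at the attacked site's own
    // domain. stripos() returns 0 for a match at offset 0, so test against false.
    if (stripos($from, $ownDomain) !== false) {
        return false;
    }
    // Blank or near-blank submissions are the other bot signature seen above.
    if (strlen(trim($message)) <= 10) {
        return false;
    }
    return !looksLikeInjection($from) && !looksLikeInjection($name);
}

$from    = $_POST['from']      ?? '';
$name    = $_POST['name']      ?? '';
$message = $_POST['message']   ?? '';
$check   = $_POST['formcheck'] ?? ''; // hidden field the HTML form carries; blind POSTs omit it

if ($check !== 'html-form' || !submissionIsValid($from, $name, $message, $ownDomain)) {
    http_response_code(400);
    exit('Submission rejected.');
}

// Nothing user-supplied reaches the headers: sender details go in the body and
// From: is a fixed address on our own domain. REMOTE_ADDR is logged in the body
// too, as one poster did, to help spot repeat sources.
$body    = "Name: $name\nEmail: $from\nIP: {$_SERVER['REMOTE_ADDR']}\n\n$message";
$headers = "From: webform@$ownDomain\r\n";
mail($recipient, 'Enquiry form', $body, $headers);
```

Because the visitor's address is only ever written into the body, a newline or extra header in any field can no longer reach the mail headers even if one of the checks above is loosened.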

09-12-2005, 05:49 AM
Yes, this does seem to be a new outbreak. I have had my contact form up for 2 years without a single incident, before being bombarded just this past week.

Thanks for posting that code, vinyl-junkie. It can help a lot of webmasters. :)