Form injection: Is it THAT bad?

11-06-2006, 01:19 PM
One of my clients' accounts was suspended two days ago because of huge email traffic. Reports say that nearly 28000 emails have been sent through that domain. My client is unable to send that many emails, so it must have been some sort of spam effort. The first thing I thought of was the forms on the website. There is a contactus form and a login form for member entry. On the contactus form, I thought I had taken some precaution using:

if(isset($_POST['postquote'])) {
    $name = $_POST['name'];
    $gender = $_POST['gender'];
    $email = $_POST['email'];
    $email = urldecode($email);
    // Only $email is checked for CR/LF; the other fields are not
    if (eregi("\r",$email) || eregi("\n",$email)){
        $admin_to = "admin@mydomain.com";
        $admin_subject = "Spammer Injection";
        $admin_message = "Sir, spammer injection has been a failure, script died as you ordered!\n\nEmail Phrase is: $email";
        $admin_from = "Spam Warrior Of My Domain";
        mail($admin_to,$admin_subject,$admin_message,"From: $admin_from\n");
        die("Why ?? :(");
    }
    $phone = $_POST['phone'];
    $fax = $_POST['fax'];
    $quote = $_POST['quote'];

    // code to send email
}

// contactus form


Obviously that was not enough. I protected the email field, but it seems possible that the spammers use the other fields to send email. So, I have to protect the other fields as well. How can I do this? Is there no escape from these spammers?

11-06-2006, 01:44 PM
What's the "code to send email"?

11-06-2006, 02:19 PM
Also, try this:

First of all, give your email script a random name, such
as e442ma23il.php ... (not "formmail.php", or "email.php")

Then, create two other email forms, one with the script
name "formmail.php", another with "email.php". Put these into
your website before your REAL form, but comment them out.
The spamming robots will look through your HTML source and
see the form(s), but visitors to your site will not see them, as
they are commented-out.

Once a spamming robot sees a form and recognizes "formmail.php",
it will process that form and exit your site. In my experience, the robot
will not look any further.

A friend of mine had the same problem until I put in the commented-out
forms ... see this example: http://www.emilykimball.com/contact.php

View the HTML source and you'll see the fake forms served-up for the robots.

Bill Posters
11-06-2006, 03:04 PM
I've found that checking for valid UA referer info was enough to stop form spam abuse on my own site from a while back.


$referpages[] = 'http://mydomain.com/contact.php';
$referpages[] = 'http://www.mydomain.com/contact.php';

$valid_ua = !empty($_SERVER['HTTP_USER_AGENT']);
$valid_referer = !empty($_SERVER['HTTP_REFERER']) && in_array($_SERVER['HTTP_REFERER'],$referpages);

$username_ok = !empty($_POST['user_name']);
$useremail_ok = !empty($_POST['user_email']) && check_email_address($_POST['user_email']);
$usermssg_ok = !empty($_POST['user_mssg']);


if ($valid_ua && $valid_referer && $username_ok && $useremail_ok && $usermssg_ok) {
    // send the form and return thanks;
} else {
    // return to form and highlight errors;
}

I've never needed to insert spoof form handlers and I've never had to use cryptic file names*. The checks for UA and valid referers have always kept the form secure.

(* I tend to build the form handler script into the head of the actual form page. I submit the form back to the form page. Saves having to add extra files to a site.)

11-06-2006, 03:12 PM
Thanks for the answers, will evaluate them one by one.


Here is the code to send email:

$to = "info@mydomain.com";
$subject = "[Mydomain] Feedback";
$fullname = "$name <$email>, ($gender)";
$message = "";
$message .= "Following message has been sent to you from mydomain website:\n\n";
$message .= "Sender: $name\n";
$message .= "Email: $email\n";
$message .= "Gender: $gender\n";
$message .= "Tel: $phone\n";
$message .= "Fax: $fax\n\n";
$message .= "Message content:\n$quote\n";


// $name and $email go into the From: header here
if (mail($to,$subject,$message,"From: $name <$email>\n")){
    echo "<p>Dear $name, your message has been sent to our staff successfully...</p>";
} else {
    echo "<p>There has been error while sending your message to our staff.</p>";
}

11-06-2006, 04:04 PM
You might want to also read this page (http://www.securephpwiki.com/index.php/Email_Injection). It explains a lot of the ways that your contact form can be used as a spam relay, and more importantly, how to stop it. The more you know about this sort of thing, the more measures you can take to prevent it from happening with your own form.

11-06-2006, 04:15 PM

Hi, how come the robots are not smart enough to understand that your form info is commented out? And why don't they parse the whole page and take your actual third form into account?

11-06-2006, 05:28 PM
Hi, how come the robots are not smart enough to understand that your form info is commented out? And why don't they parse the whole page and take your actual third form into account?

I'm not sure, but the spamming stopped. I think that the programs they are
using only take the time to hit the first form, then they move on to the next
site? I'm not a spamming robot expert, but it could be the same way
burglars hit parking lots. Quickly check each car and spend as little time as
possible with each one. If you find something, grab it and move on.

11-06-2006, 07:22 PM
One more obvious problem is that you put the un-tested $name variable from the form into the header field - "From: $name <$email>\n"

In addition to the other checks mentioned, I recommend putting any name/email into the message body (which you already have) and making the From: address your own email address. The email looks like an email to yourself from yourself and there is no way that the header parameter can be mis-used.
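
The advice in the last post (fixed From: address, user input only in the message body), combined with the first post's CR/LF check applied to every single-line field, as an added example that is not code from any poster in this thread. The function names are hypothetical, the addresses reuse the thread's mydomain.com placeholders, and webform@mydomain.com is an assumed sender address.

```php
<?php
// Added example. Function names are hypothetical; addresses are placeholders.

// True if the value contains CR or LF, raw or URL-encoded (%0d / %0a),
// i.e. it could start a new header line if it ever reached mail() headers.
function has_header_break(string $value): bool
{
    return preg_match('/[\r\n]/', $value . urldecode($value)) === 1;
}

// Returns [to, subject, body, headers] for mail(), or null to reject the post.
function build_contact_mail(array $post): ?array
{
    $fields = [];
    foreach (['name', 'gender', 'email', 'phone', 'fax'] as $key) {
        $value = trim((string) ($post[$key] ?? ''));
        if (has_header_break($value)) {
            return null;               // single-line field with a line break
        }
        $fields[$key] = $value;
    }
    if (filter_var($fields['email'], FILTER_VALIDATE_EMAIL) === false) {
        return null;                   // empty or malformed address
    }
    $quote = (string) ($post['quote'] ?? '');   // multi-line allowed: body only

    $body = "Sender: {$fields['name']}\n"
          . "Email: {$fields['email']}\n"
          . "Gender: {$fields['gender']}\n"
          . "Tel: {$fields['phone']}\n"
          . "Fax: {$fields['fax']}\n\n"
          . "Message content:\n{$quote}\n";

    // Recipient, subject and headers are constants: no form data reaches them.
    $headers = 'From: Website form <webform@mydomain.com>';
    return ['info@mydomain.com', '[Mydomain] Feedback', $body, $headers];
}

// Constructed sample submissions (not real traffic).
$ok = ['name' => 'Ann', 'gender' => 'F', 'email' => 'ann@example.com',
       'phone' => '', 'fax' => '', 'quote' => "Hi,\nplease call me back."];
$bad = $ok;
$bad['name'] = "Ann\r\nBcc: someone@example.net";   // line break in a name field

foreach (['ok' => $ok, 'bad' => $bad] as $label => $post) {
    $mail = build_contact_mail($post);
    echo $label, ': ', $mail === null ? 'rejected' : 'accepted', "\n";
    // In the form handler: if ($mail !== null) { mail(...$mail); }
}
```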