My website forms are spamming me with 'gibberish@mydomain.com' or Form Email Injection Attack

Why is this happening:

This behavior is indicative of an attack by scripted 'robots' that submit your forms to discover vulnerabilities they can exploit to send out spam email. The attack relies on a field (such as "From:" or "Subject:") being passed unchecked to the mail system: because mail headers are separated by line breaks, a script that inserts a newline into such a field can append its own BCC list and spam message to the outgoing mail.

More details on this attack are outlined at the sites listed below:
Email Injection
Anders.com

What can I do:

There are two problems caused by this attack:
A - The form submissions themselves, which e-mail the gibberish to you internally.
B - The hijacking of your form to send out spam emails to third parties.

A:
The only 100% sure way to stop a robot script from submitting your form is to use CAPTCHA verification or something similar. This usually amounts to user recognition of a graphic that humans can discern easily but computers have great problems with.

Read more about the CAPTCHA project here:
Captcha.net

A few scripts that may be easily implemented in your own system may be found below:
Freecap
SecureImage

B:
To secure your forms against this type of hijack you need to strip all carriage returns and linefeeds out of every user-supplied field before passing it to the mail subsystem. Without a line break an attacker cannot start a new header line, so the injected "Bcc:" text stays harmlessly inside the original field. The implementation will depend on what language you are using. Examples in PHP and Perl are listed below:

PHP:
(for each field used in an email.)
$field = preg_replace( "/[\n\r]+/", " ", $field );

Perl:
(for each field used in an email.)
$field =~ s/[\n\r]+/ /g;
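The following is an added example and not code from the original page: a PHP form handler that applies the CR/LF stripping shown above and, for address fields, goes one step further by rejecting the submission outright when the field carries a line break or an extra header name, then validates that what remains is a single address. The sample inputs are constructed; the function names are this example's own.

```php
<?php
// Added example (not from the original page): hardened handling of
// form fields that end up in mail headers.

// Strip carriage returns and linefeeds, exactly as the page recommends.
// Suitable for free-text fields such as Subject.
function strip_crlf(string $field): string {
    return preg_replace("/[\r\n]+/", " ", $field);
}

// True when a field shows signs of header injection: a bare CR/LF,
// or a header name (To:, Cc:, Bcc:, Content-Type:) that has no
// business inside an address field.
function looks_injected(string $field): bool {
    return preg_match('/(\r|\n|\b(?:to|cc|bcc|content-type):)/i', $field) === 1;
}

// For address fields: reject suspicious input instead of repairing it,
// then require exactly one well-formed address. Returns null on failure.
function clean_email(string $field): ?string {
    $field = trim($field);
    if (looks_injected($field)) {
        return null;
    }
    $valid = filter_var($field, FILTER_VALIDATE_EMAIL);
    return $valid === false ? null : $valid;
}

// Constructed sample of the attack the page describes: the "From" field
// smuggles a Bcc list and a message body after injected line breaks.
$malicious = "victim@example.com\r\nBcc: spam1@example.net, spam2@example.net\r\n\r\nBuy now!";
$legit     = "alice@example.com";

var_dump(clean_email($malicious));   // NULL: submission is rejected
var_dump(clean_email($legit));       // string(17) "alice@example.com"
var_dump(strip_crlf($malicious));    // line breaks flattened to single spaces
```

Safer still is to keep visitor input out of the headers entirely: send from a fixed address of your own and place the visitor's address in the message body or in a validated Reply-To only.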

User-Contributed Notes

28-Jul-2006 21:32
Instead of forms use this simple anti-spam JavaScript code (you can
remove or change the subject= part of course):

function noSpam(user, domain) {
    // Assemble the address at run time so it is not present in the page source.
    var locationstring = "mailto:" + user + "@" + domain + "?subject=Website Inquiry";
    window.location = locationstring;
}

Here is the mailto: hyperlink code:

<a href="javascript:noSpam('name','yourdomain.com');">Email Fred</a>

anonymous -at- example.com
19-Nov-2007 06:54
Another option that is easy to implement and easier on users than
standard CAPTCHA is http://www.JustHumans.com/

Modwest PHP Hosting. Copyright 2000-2009 by Modwest, Inc.