
Contact Form Abused Through BCC Field

November 16, 2005 Posted by KP

A simple contact form on my website was abused to send spam. I had been receiving weird messages sent through the contact form for the past two weeks; I thought it was just some bored people and didn't pay attention until some messages bounced back from other servers. After checking the mail queue, I was shocked to find that there were still a few emails with very long recipient lists.

Here is my original code:

$name = trim($name);
$email = trim($email);
$message = trim($message);

if(!$name)
print ("Please input your name!");

else if(!$email)
print ("Please fill in your e-mail address!");

else if(!$message)
print ("Please input your message!");

else
{
// the extra mail headers are built straight from the raw form fields
$recipient = "my email address";
$extra = "From: \"" . $name;
$extra .= "\"

The code above did not check the "name" and "email" inputs for line endings. Mail headers are separated by line endings, so a spammer can put a line ending followed by a BCC field with many email addresses into "name" or "email", and that field is sent along with the real headers.

The problem was fixed by adding some checking code:

// removes anything after a line ending (including that line ending)
function b4nl($string)
{
return preg_replace("!(\r|\n).+$!sU", '', $string);
}

// this function is copied from vBulletin.
function is_valid_email($email)
{
return preg_match('#^[a-z0-9.!\#$%&\'*+-/=?^_`{|}~]+@([0-9.]+|([^\s]+\.+[a-z]{2,6}))$#si', $email);
}

$name = trim($name);
$email = trim($email);

// Make sure $name and $email don't include a long email list.
if((strpos($name, '@')!==false) || strlen($email)>50 || strlen($name)>30 )
die();

$message = trim($message);

if(!$name)
print("Please input your name!");

else if(!is_valid_email($email))
print ("Please fill in your e-mail address!");

else if(!$message)
print ("Please input your message!");

else
{
// b4nl() drops everything from the first line ending on, so an injected header never reaches the mail headers
$extra = "From: \"" . b4nl($name);
$extra .= "\"
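The following is an added example, not code from the post: it shows what the mail server sees when the raw "name" field is concatenated into the headers, and a hardened header builder that rejects the request instead of truncating it. The function names, the sample addresses (all under the reserved .invalid domain) and the crafted "name" value are constructed for this example; it targets current PHP, where filter_var() with FILTER_VALIDATE_EMAIL replaces the hand-rolled regex.

```php
<?php
// Added example (not the post's code): header-injection check and a hardened
// header builder for a contact form. All function names are this example's own.

// Builds the extra headers the way the post's original code did: raw values
// concatenated straight into the header block. Kept only to show the problem.
function build_headers_unsafe(string $name, string $email): string
{
    return "From: \"" . $name . "\" <" . $email . ">\r\n";
}

// True when a value could split the header block: any CR, LF or NUL byte.
function has_header_injection(string $value): bool
{
    return preg_match('/[\r\n\0]/', $value) === 1;
}

// Hardened builder: rejects rather than truncates, validates the address
// with PHP's filter_var(), and keeps the length caps from the post's fix.
// Returns null when the input must not be mailed.
function build_headers_safe(string $name, string $email): ?string
{
    $name  = trim($name);
    $email = trim($email);
    if ($name === '' || strlen($name) > 30 || strlen($email) > 50) {
        return null;
    }
    if (has_header_injection($name) || has_header_injection($email)) {
        return null;
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    // A quote or backslash inside the display name would end the quoted string.
    $display = str_replace(['\\', '"'], ['\\\\', '\\"'], $name);
    return "From: \"" . $display . "\" <" . $email . ">\r\n";
}

// Splits a header block into lowercase-name => value pairs, the way a mail
// server reads it, so the effect of an injected line ending is visible.
function parse_headers(string $block): array
{
    $out = [];
    foreach (preg_split('/\r?\n/', rtrim($block)) as $line) {
        [$k, $v] = array_map('trim', explode(':', $line, 2) + [1 => '']);
        $out[strtolower($k)] = $v;
    }
    return $out;
}

// Constructed sample: a "name" carrying a line ending and a Bcc header,
// the pattern described in the post.
$crafted = "Bob\r\nBcc: one@example.invalid, two@example.invalid";

$parsed = parse_headers(build_headers_unsafe($crafted, 'bob@example.invalid'));
echo isset($parsed['bcc']) ? "unsafe builder: a Bcc header was injected\n"
                           : "unsafe builder: no Bcc header\n";

var_dump(build_headers_safe($crafted, 'bob@example.invalid')); // NULL: rejected
var_dump(build_headers_safe('Bob', 'bob@example.invalid'));    // a single From: line
```

Returning null rather than silently cutting the value (as b4nl() does) lets the form log the attempt and tell the user why the message was not sent; the length caps and the "@" check from the post's fix are still useful as a second layer, but the check that actually stops header injection is the refusal of any CR or LF in a value that ends up in a header.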


Filed Under: Security

One Comment to “Contact Form Abused Through BCC Field”

  1. Ian Says:

    Thanks for this, your post stirred something in my memory, and I tracked down a vulnerable form on my server :)
