How do people send spam through my contact form
<p>I was contacted today about masses of spam being sent from a domain. It is a relatively simple PHP website with a contact form which contains name, email, phone and message. I cannot see any other way the site can be used to send spam messages to multiple users unless the whole server has been hacked.</p>
<p>The email is validated and bad chars are stripped from the body of the message. I have tried multiple ways to try and modify the headers through the form but can't seem to get anything to work, so I am beginning to think the forms are secure.</p>
<p>This is the form validation:</p>
<pre><code>$to = 'owner@website.com';
$messageSubject = 'Enquiry from the website';
$confirmationSubject = 'Your email to website.com';
$confirmationBody = "Thankyou for your recent email enquiry to website.com.\n\nYour email has been sent and we will get back to you as soon as possible.\n\nThe message you sent was:\n";
$email = '';
$body = '';
$displayForm = true;

if ($_POST) {
    $email = stripslashes($_POST['email']);
    $body  = stripslashes($_POST['body']);
    $name  = stripslashes($_POST['name']);
    $phone = stripslashes($_POST['phone']);

    // validate e-mail address
    // (eregi() was removed in PHP 7; preg_match() with the /i flag is the equivalent call)
    $valid = preg_match('/^([0-9a-z]+[-._+&amp;])*[0-9a-z]+@([-0-9a-z]+[.])+[a-z]{2,6}$/i', $email);
    // reject mail header lines (To:, From:, Cc:, Bcc:) that start on a new line inside the body
    $crack = preg_match("/(\r|\n)(to:|from:|cc:|bcc:)/i", $body);
    // crude spam check: any URL in the message
    $spam = preg_match('/http/i', $body);

    $businessBody = "Enquiry from: $name\nEmail: $email\nPhone: $phone\n\nMessage:\n$body";

    // all fields present, address valid, no header lines, no URLs
    // (the original had a single '&amp;', bitwise and, before !$spam; '&amp;&amp;' is the intended logical and)
    if ($email &amp;&amp; $body &amp;&amp; $phone &amp;&amp; $name &amp;&amp; $valid &amp;&amp; !$crack &amp;&amp; !$spam) {
        if (mail($to, $messageSubject, $businessBody, 'From: ' . $email . "\r\n")
            &amp;&amp; mail($email, $confirmationSubject, $confirmationBody . $body, 'From: ' . $to . "\r\n")) {
            $displayForm = false;
            echo "&lt;div&gt;&lt;p&gt;Your message to us was sent successfully, and a confirmation copy has also been sent to your e-mail address.&lt;/p&gt;&lt;p&gt;Your message was:&lt;br&gt;" . htmlspecialchars($body) . "&lt;/p&gt;&lt;/div&gt;";
        } else {
            // the messages could not be sent
            echo '&lt;div class="emailMessage"&gt;&lt;p&gt;Something went wrong when the server tried to send your message. This might be due to a server error, and is probably not your fault. We apologise for any inconvenience caused. You are welcome to telephone us on 01383 625110&lt;/p&gt;&lt;/div&gt;';
        }
    } else if ($crack) {
        // cracking attempt
        echo '&lt;div class="emailMessage"&gt;&lt;p&gt;Your message contained e-mail headers within the message body. This seems to be a cracking attempt and the message has not been sent.&lt;/p&gt;&lt;/div&gt;';
    } else if ($spam) {
        // spam mail!
        echo '&lt;div class="emailMessage"&gt;&lt;p&gt;Your message contained characters that our system has flagged as spam email and has not been sent.&lt;/p&gt;&lt;/div&gt;';
    } else {
        // form not complete
        echo '&lt;div class="emailMessage"&gt;&lt;p&gt;Your message could not be sent. You must complete all fields - name, phone number, e-mail address and a message.&lt;/p&gt;&lt;/div&gt;';
    }
}
</code></pre>
<p>Can anyone see a way this form can be abused?</p>
<h2>EDIT</h2>
<p>It turned out someone had placed another encrypted file on the server built for mass mailing, so it wasn't actually coming from this form. Thanks for the answers anyway, they may help others!</p>
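Added example, not the poster's code: the same send path rewritten with the checks a reviewer of the posted validation would ask for. The function names, the fixed site sender and the acknowledgement text are my assumptions.

```php
<?php
// Hardened variant of the posted contact-form handler (added example, not the original code).
// Assumed names: is_header_safe(), contact_form_send(); the site's own address is used as sender.

// Anything that reaches a mail header must not contain CR or LF; preg_match() returns
// false on error, so only an explicit 0 (no match) counts as safe.
function is_header_safe(string $value): bool {
    return preg_match('/[\r\n]/', $value) === 0;
}

// Returns true when both mails were handed to the MTA, false on any validation failure.
function contact_form_send(array $post, string $to): bool {
    $email = trim((string)($post['email'] ?? ''));
    $name  = trim((string)($post['name'] ?? ''));
    $phone = trim((string)($post['phone'] ?? ''));
    $body  = (string)($post['body'] ?? '');

    // 1. Validate the address with PHP's built-in filter rather than a hand-written pattern;
    //    a syntactically valid address cannot carry CR/LF, so it cannot split a header.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    // 2. The posted code only screened $body for header lines. Name and phone are user
    //    input as well, so every field is checked before it is placed anywhere near a header.
    foreach ([$name, $phone] as $field) {
        if ($field === '' || !is_header_safe($field)) {
            return false;
        }
    }
    if ($body === '') {
        return false;
    }

    // 3. Send from the site's own address and put the visitor in Reply-To, so visitor input
    //    never becomes the From: sender of mail leaving this server.
    $headers  = "From: $to\r\n";
    $headers .= "Reply-To: $email\r\n";
    $headers .= "Content-Type: text/plain; charset=UTF-8\r\n";
    $business = "Enquiry from: $name\nEmail: $email\nPhone: $phone\n\nMessage:\n$body";
    if (!mail($to, 'Enquiry from the website', $business, $headers)) {
        return false;
    }

    // 4. The confirmation copy is addressed to whatever the visitor typed, so it is kept to a
    //    fixed acknowledgement instead of echoing the visitor's full message text back out.
    $ack = "Thank you for your enquiry to website.com. We will get back to you as soon as possible.\n";
    return mail($email, 'Your email to website.com', $ack, "From: $to\r\n");
}
```

Rate limiting per source address and a log line per send (recipient, timestamp, result) are the two additions that make mailbomb-style abuse of any such form visible after the fact.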