PHP: Secure Form Mailing

CGI forms have been notorious for abuse by spammers. The most used one of all is the famous formmail.cgi script. Most people have either moved on to other more secure scripts or turned to PHP for emailing their forms. That’s all well and good however PHP can be abused just as much. I started to receive a lot of spam through the script on my business site a few weeks ago so I put in a simple trap in the script which checks the content entered before emailing it to me and returning the visitor to a thank you page. If the trap is triggered the visitor gets set to instead (bye bye!). Nothing’s been received since. I’ll go into the trap more in my PHP learning section when I start to explore string functions.

However the other day I received an attempt to use my web form to spam others. Below is a copy of the email I received, with the intended recipient’s email blanked out. I’ve added an X in the middle of my domain to prevent other spambots picking it up, and XXX to the IP recorded.

Mobile: moonlight
Content-Type: multipart/mixed; boundary=b3b8beb3795e1c824f717fcad62d230f
MIME-Version: 1.0
Subject: the

This is a multi-part message in MIME format.

Content-Type: text/plain; charset=\”us-ascii\”
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

pa apers ivry mornin . ayciption at th hite ouse. mong th casulties was so



IP: XXX.174.190.170

So that’s what I received. Why didn’t it work? Well I control the headers of my script and set it to come from my web site and not the address entered in the from box. I originally did this because I don’t believe that everyone has an email address (my Dad doesn’t for a start!) and also just because I decided I wanted to control the headers more to be recognisable in my spam programs. However after a check with a very knowledgeable friend I’ve also learnt my script is more than secure (yay!). It sounds bizarre maybe that I’m saying this but until the above email I’ve never had or seen an attempt on what is commonly known as a header injection. Since the spamming happened I started to grab the IPs of the users too so the attempt has been emailed to the abuse address of the IP owner and the IP has now been blocked from my web site.

Last week I had a client email me in a panic. A form mailer that his previous developer had set up had been disabled by his host as it was being used for spamming and sure enough there was the typical, most used method of sending email using PHP:

mail("", "Web Form Results", $msgbody, "From: $name <$email>");

I changed this to

mail("", "Web Form Results", $msgbody, "From:");

So how can you be careful? Well in my opinion the best way to be truly careful is to prevent anything that is associated with visitor input to go into your email headers. This way you have complete control and there are no security risks whatsoever. However that is not always how clients want it, they like to just be able to hit reply to an email and reply back to the potential customer. So therefore some extra security checks or spam traps as I like to call them, need to be in place.

Instead of writing out various methods of what to do there’s a great page from Khalid that offers a few validation functions which should help you check the email given is valid.

There are other methods and checks that can be made. More will be introduced in my PHP Learning category as and when I get to the functions involved. But for now secure your scripts as much as possible!

You may also like...

2 Responses

  1. Tue, 11 March, 2008

    […] Khalid and Sarah put it much more wisely though. […]

  2. Sun, 31 August, 2008

    […] writing about validation. Contact forms are notorious for being insecure and left wide open for email header injections, allowing someone to hijack your form and spam anyone and everyone through it. However, there are […]