Posted by Manuel Lemos on 01/24/08 04:29
Hello,
on 01/24/2008 12:07 AM Shelly said the following:
> The email is only sent to the site owner, so the spammer has no way of
> knowing what the email should look like. That tells me that they have
> to be going through the form. Yet the proper email has an echo of
> generated security code. The spam email has that field empty. So,
> that says he can't be going through the form.
>
> It seems to me that they must:
> 1 - Somehow diverting a legitimate email so that copy is sent to
> them.
> 2 - Using that email copy to create a template and modify the output
> so that junk is sent.
>
> I really don't know how they are doing it.
If you are not using a good CAPTCHA, I am not sure what you mean by
security codes.
Anyway, I suspect that your code has a common vulnerability of contact
forms which is to not properly encode information that goes to message
headers. This means that if the abuser inserts a well thought out character
sequence, he may make your script compose a message that uses your mail
server to send spam to anybody in the world.
It is hard to advise without seeing your script. Anyway, I recommend
using a component that knows how to properly encode or escape malicious
character sequences to avoid abuses like you're suffering.
I use this MIME message composing and sending class that is well aware
of all the e-mail standards that are necessary to compose messages
properly. You may want to use it to avoid the abuses.
http://www.phpclasses.org/mimemessage
--
Regards,
Manuel Lemos
PHP professionals looking for PHP jobs
http://www.phpclasses.org/professionals/
PHP Classes - Free ready to use OOP components written in PHP
http://www.phpclasses.org/
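The header problem Manuel describes, with the check a form script can apply before calling mail(). This is an added example, not code from the thread or from the class he links to; the addresses and field names are placeholders.

```php
<?php
// Added example, not code from the thread or from the linked class: a guard
// for contact-form fields that are copied into message headers. A CR or LF
// inside such a field ends the current header line, so the submitter can
// append headers of their own; refusing those bytes up front removes that.

function isSingleHeaderLine(string $value): bool
{
    // Header field values must stay on one logical line: no CR, LF or NUL.
    return preg_match('/[\r\n\0]/', $value) !== 1;
}

function encodeDisplayName(string $name): string
{
    // Non-ASCII names go out as a MIME encoded-word; plain ASCII is wrapped
    // in a quoted-string with the two structural characters escaped.
    if (preg_match('/[^\x20-\x7e]/', $name) === 1) {
        return mb_encode_mimeheader($name, 'UTF-8', 'Q');
    }
    return '"' . addcslashes($name, '"\\') . '"';
}

// Returns subject and header block for mail(), or null when a field is rejected.
function buildContactHeaders(string $name, string $email, string $subject): ?array
{
    foreach ([$name, $email, $subject] as $field) {
        if (!isSingleHeaderLine($field)) {
            return null;                       // would start an extra header
        }
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;                           // not one well-formed address
    }
    $headers = "From: contact-form@example.invalid\r\n"   // placeholder sender
             . 'Reply-To: ' . encodeDisplayName($name) . " <{$email}>\r\n"
             . 'X-Mailer: PHP/' . PHP_VERSION . "\r\n";
    return ['subject' => $subject, 'headers' => $headers];
}

// Constructed sample submissions: a normal one and one carrying a line break
// followed by header-looking text, the pattern the reply above describes.
$normal = buildContactHeaders('Shelly', 'shelly@example.invalid', 'Question');
$forged = buildContactHeaders("Shelly\r\nBcc: list@example.invalid",
                              'shelly@example.invalid', 'Question');

echo $normal !== null ? "normal submission accepted\n" : "normal submission rejected\n";
echo $forged === null ? "forged submission rejected\n" : "forged submission ACCEPTED\n";
// Only a non-null result reaches the site owner, e.g.:
// mail('owner@example.invalid', $normal['subject'], $body, $normal['headers']);
```

The body of the message still needs its own handling, but nothing in it can reach the headers once the fields above are checked.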