Posted by Shelly on 01/24/08 04:40
On Jan 23, 11:29 pm, Manuel Lemos <mle...@acm.org> wrote:
> Hello,
>
> on 01/24/2008 12:07 AM Shelly said the following:
>
> > The email is only sent to the site owner, so the spammer has no way of
> > knowing what the email should look like. That tells me that they have
> > to be going through the form. Yet the proper email has an echo of
> > generated security code. The spam email has that field empty. So,
> > that says he can't be going through the form.
>
> > It seems to me that they must:
> > 1 - Somehow diverting a legitimate email so that copy is sent to
> > them.
> > 2 - Using that email copy to create a template and modify the output
> > so that junk is sent.
>
> > I really don't know how they are doing it.
>
> If you are not using a good CAPTCHA, I am not sure what you mean by
> security codes.
>
> Anyway, I suspect that your code has a common vulnerability of contact
> forms which is to not properly encode information that goes to message
> headers. This means that if the abuser inserts a well thought-out character
> sequence, he may make your script compose a message that uses your mail
> server to send spam to anybody in the world.
>
> It is hard to advise without seeing your script. Anyway, I recommend
> using a component that knows how to properly encode or escape malicious
> character sequences to avoid abuses like you're suffering.
>
> I use this MIME message composing and sending class that is well aware
> of all the e-mail standards that are necessary to compose messages
> properly. You may want to use it to avoid the abuses.
>
> http://www.phpclasses.org/mimemessage
>
I use the class htmlMimeMail from http://www.phpguru.org/ by Richard
Heyes. The security code is just a randomly generated string of 6
characters. I am not using a CAPTCHA. I guess I will have to.
Shelly
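As an added example that is not Shelly's script and not code from either library named in the thread, here is a minimal PHP contact-form handler built on the point Manuel makes above: nothing from the form is allowed into a message header unless it is a single line, and the visitor's address is never used as From. All function names and addresses below are assumptions.

```php
<?php
// Added example: a defensive wrapper around PHP's mail() for a contact form.
// Form values may only reach a header if they contain no control characters.

// Return true only if $value is safe in a header: no CR, LF, NUL or other
// control character that could terminate the header and start a new one.
function isSingleHeaderLine(string $value): bool
{
    return preg_match('/[\x00-\x1F\x7F]/', $value) === 0;
}

// Validate the fields a contact form typically exposes.
// Returns an error message, or null when the input is acceptable.
function validateContactInput(array $in): ?string
{
    $name    = $in['name']    ?? '';
    $email   = $in['email']   ?? '';
    $subject = $in['subject'] ?? '';
    if (!isSingleHeaderLine($name) || !isSingleHeaderLine($subject)) {
        return 'name and subject must be a single line of text';
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false
        || !isSingleHeaderLine($email)) {
        return 'invalid e-mail address';
    }
    if (strlen($name) > 100 || strlen($subject) > 200) {
        return 'name or subject too long';
    }
    return null;
}

// Build the header block. From is a fixed address on the site's own domain;
// the visitor's (already validated) address is only used for Reply-To.
function buildContactHeaders(array $in, string $siteFrom): string
{
    return "From: {$siteFrom}\r\n"
         . "Reply-To: {$in['email']}\r\n"
         . "Content-Type: text/plain; charset=UTF-8\r\n";
}

// Usage: reject the request before anything is handed to mail().
$input = $_POST;
if (($err = validateContactInput($input)) !== null) {
    http_response_code(400);
    exit('Rejected: ' . htmlspecialchars($err));
}
$headers = buildContactHeaders($input, 'contact@example.com'); // placeholder
$body    = "Name: {$input['name']}\n\n" . ($input['message'] ?? '');
mail('owner@example.com', $input['subject'], $body, $headers);  // placeholder
```

Logging each rejected submission (without the body) is also worth doing, since a run of rejections is the earliest sign that a form is being probed.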