Posted by Tyrone Slothrop on 01/10/06 16:24
On Tue, 10 Jan 2006 15:24:07 +0800, Dan
<dan@dontspammecauseidontlikit.com> wrote:
>
>
>I had a php script running under Apache web server on a Debian Linux
>box. The script used a form to send me email using the 'mail'
>routine. Somehow a spammer managed to hijack the script to send spam.
>
>My first question is, how did he do it? I've included the
>script below.
>
>My second question is, how do I set up an unhackable form and how do
>I test that it's safe? I don't want to have the email address on the
>web page.
A spammer used a form on one of my client's sites to send the spam by
entering headers into the textarea of the form, including a large
number of BCCs and an HTML-formatted message. I stopped it by
evaluating the text from that field, searching for a Bcc: line and
killing the mail command if positive.
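Checks of the kind the reply describes, written out as an added PHP example (it is not Dan's script or the poster's fix): it rejects any line break in the single-line fields, since a CR/LF lets a submitted value continue into extra headers such as Bcc:, and scans the message body for any header-like line rather than only Bcc:. The field names, sample values and addresses are assumptions for illustration.

```php
<?php
// Added example, not the poster's code: validate contact-form input before
// it reaches mail(). Field names and the recipient address are assumed.

/**
 * Return null when the submission is acceptable, otherwise a reason string;
 * the caller must not call mail() unless the result is null.
 */
function check_contact_form(string $name, string $email, string $subject, string $message): ?string
{
    // 1. Single-line fields must contain no CR or LF: a line break in a value
    //    that lands in a header lets the sender append headers (e.g. Bcc:).
    foreach (['name' => $name, 'email' => $email, 'subject' => $subject] as $field => $value) {
        if (preg_match('/[\r\n]/', $value) === 1) {
            return "line break in $field";
        }
    }

    // 2. The reply address must be one syntactically valid address.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return 'invalid email address';
    }

    // 3. The poster's Bcc: check, generalised: reject a body in which any
    //    line starts like a mail header (Bcc:, Cc:, To:, Content-Type:, ...).
    if (preg_match('/^\s*(bcc|cc|to|from|subject|content-type|mime-version):/im', $message) === 1) {
        return 'header-like line in message body';
    }

    return null;
}

// Constructed sample submissions: the second smuggles a Bcc: into the subject,
// the third into the body.
$ok   = check_contact_form('Alice', 'alice@example.com', 'Hello', "Just saying hi.\nThanks.");
$subj = check_contact_form('Alice', 'alice@example.com', "Hello\r\nBcc: a@example.net", 'Hi');
$body = check_contact_form('Alice', 'alice@example.com', 'Hello', "Hi\nBcc: a@example.net, b@example.net");

foreach (['ok' => $ok, 'subject' => $subj, 'body' => $body] as $case => $result) {
    echo $case, ': ', $result ?? 'accepted', PHP_EOL;
}

if ($ok === null) {
    // Headers are built entirely server-side; no user field becomes a header line.
    $headers = "From: webform@example.com\r\nReply-To: alice@example.com\r\n";
    // mail('owner@example.com', 'Hello', "Just saying hi.\nThanks.", $headers);
}
```

Rejected submissions should also be logged with the offending field, so that a burst of refusals shows up as a sign the form is being probed.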