Fix for PHP Mail Form Email Injection Hijack

Sep 13, 2005 | Website Development

Spam is one thing, but hijacking form mail scripts and spoofing other people’s domains and email is downright wrong. We need tough(er) penalties against these guys.

Lately our customers and we ourselves have been receiving hundreds of emails sent from the forms on our sites. All form fields were filled out with email addresses from the domain the form was sent from. After checking the headers it was found that most had a BCC address of .

After a little research, and a heads up by a fellow website designer in our area, it looks like this automated hijack is going to become a very big and widespread problem.

Hijack Overview

The “attacker” sends an automated bot to exploit unchecked fields in contact forms. It works by assuming a field used in an email header (e.g.: “From:” or “Subject:”) is passed unchecked to the mail subsystem. Appending newline characters and more header lines with a BCC list and a spam message body might trick the underlying mail system into relaying spam messages. Currently it seems to be just probing for vulnerable scripts by sending emails via Bcc.

Current List of Bcc Recipients (in alphabetical order):


The Fix?

It seems that checking the fields used directly in email headers for carriage return (\r) and newline (\n) characters, and rejecting the submission when either is found, resolves the problem. Note that every one of your POST-data variables (var1, var2, ...) must be protected:

if (preg_match("/\r/i", $_POST['var1'].$_POST['var2'].$_POST['var3'].$_POST['etc'])) {die("SPAM Injection Error :(");}
if (preg_match("/\n/i", $_POST['var1'].$_POST['var2'].$_POST['var3'].$_POST['etc'])) {die("SPAM Injection Error :(");}
if (preg_match("/Content-Transfer-Encoding/i", $_POST['var1'].$_POST['var2'].$_POST['var3'].$_POST['etc'])) {die("SPAM Injection Error :(");}

For even more protection add:

if (preg_match("/MIME-Version/i", $_POST['var1'].$_POST['var2'].$_POST['var3'].$_POST['etc'])) {die("SPAM Injection Error :(");}
if (preg_match("/Content-Type/i", $_POST['var1'].$_POST['var2'].$_POST['var3'].$_POST['etc'])) {die("SPAM Injection Error :(");}
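Here is an added example, not code from the original post, of a form-mail handler that applies the same idea in one place: every field that ends up in a header is checked for CR/LF and the header keywords above, the visitor's address must pass PHP's FILTER_VALIDATE_EMAIL, and the recipient and From address are fixed on the server side so the visitor's input only ever reaches Reply-To. The addresses (example.com, example.org, example.net), the field names name/email/subject/message, and passing headers to mail() as an array (PHP 7.2 or later) are assumptions for the demo.

```php
<?php
// Added example, not the original post's code: a hardened form-mail
// handler. The example.* addresses and the field names are assumptions.
declare(strict_types=1);

// True if a value could add header lines: a raw CR or LF, or one of the
// header names the post says the bots inject.
function looks_like_header_injection(string $value): bool
{
    return (bool) preg_match(
        '/\r|\n|bcc:|cc:|content-transfer-encoding|mime-version|content-type/i',
        $value
    );
}

// Accept only a single, syntactically valid address with no control
// characters; return null otherwise.
function clean_email(string $value): ?string
{
    $value = trim($value);
    if ($value === '' || looks_like_header_injection($value)) {
        return null;
    }
    $valid = filter_var($value, FILTER_VALIDATE_EMAIL);
    return $valid === false ? null : $valid;
}

// Reduce a header-bound string to printable ASCII.
function printable_ascii(string $value): string
{
    return trim(preg_replace('/[^\x20-\x7E]/', '', $value) ?? '');
}

// Build the mail() arguments from a submission, or return null if any
// header-bound field is unsafe. Recipient and From are fixed here; the
// visitor's address only ever appears in Reply-To.
function build_mail(array $post, string $site_from = 'forms@example.com',
                    string $owner = 'owner@example.com'): ?array
{
    $email   = clean_email((string) ($post['email'] ?? ''));
    $name    = (string) ($post['name'] ?? '');
    $subject = (string) ($post['subject'] ?? '');
    $body    = (string) ($post['message'] ?? '');

    // CR/LF in a header-bound field is always an injection attempt.
    if ($email === null
        || looks_like_header_injection($name)
        || looks_like_header_injection($subject)) {
        return null;
    }

    // Strip address delimiters from the display name as well.
    $name    = str_replace(['"', '<', '>', ',', ';'], '', printable_ascii($name));
    $subject = printable_ascii($subject);

    // The body legitimately contains newlines. It is passed as the message
    // argument, where it cannot start a new header line, so only normalize
    // line endings and wrap long lines.
    $body = str_replace(["\r\n", "\r"], "\n", $body);

    return [
        'to'      => $owner,
        'subject' => $subject === '' ? 'Website contact form' : $subject,
        'message' => wordwrap($body, 70, "\n", true),
        'headers' => [
            'From'     => "Website form <$site_from>",
            'Reply-To' => $name === '' ? $email : "$name <$email>",
        ],
    ];
}

// Constructed sample submissions for the demo (not real traffic).
$clean = [
    'name' => 'Jane Doe', 'email' => 'jane@example.org',
    'subject' => 'Quote request', 'message' => "Hello,\n\nplease call me.\n",
];
$injected = $clean;
$injected['email'] = "jane@example.org\r\nBcc: list@example.net";

$ok  = build_mail($clean);
$bad = build_mail($injected);

echo $ok !== null && $ok['headers']['Reply-To'] === 'Jane Doe <jane@example.org>'
    ? "clean submission accepted\n" : "unexpected: clean submission rejected\n";
echo $bad === null
    ? "injected submission rejected\n" : "unexpected: injection passed\n";

// Only actually send when a valid submission arrived over the web.
if ($ok !== null && PHP_SAPI !== 'cli') {
    mail($ok['to'], $ok['subject'], $ok['message'], $ok['headers']);
}
```

Two design points worth noting. The CR/LF test is applied only to the fields that go into headers (name, email, subject); the message body is handed to mail() as the message argument, where a newline cannot start a new header line, so a textarea that legitimately contains line breaks is not rejected. And because the recipient and From address never come from the form, a bot that fills every field with addresses gets at most a bounce to its own Reply-To, not a relay.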