i just got my site taken down...apparently, someone is using our php mail() function to send out 1,000's of spam emails.

what can i do to prevent this? i'm no schooled programmer...i figured a simple contact form using mail() would be better than displaying all our email addresses where bots could get them. now it seems this method is no good either!!

is there something about this that can address this security issue? i had no idea that someone could do this and still can't say i have a clue as to how they do this!

	$mail_to = $to;
	$mail_subject = $_POST['subject'];
	$emailbody = $_POST['body'];
	// Form fields go straight into the mail headers, unchecked
	mail($mail_to, $mail_subject, $emailbody, 'From: "'. $_POST['from'] . '" <' . $_POST['replyto'] . '>');

    Ask your provider/check the logs to see the destination emails, simply prevent the setting of where the email will be sent (hard code it yourself to where you want it to go) so they can't make any use of it.

      thanks but where the email is going is dependent on another variable which is used to get an email out of the database to mail to.
      so i can't hardcode...it needs to stay dynamic.

        this sounds too simple, but would this work?:

        i have a list of about 50-60 destination emails our web form would go to.
        couldn't i simply run a check that makes sure it is going to one of the valid emails? if not, kill it?

        can someone explain also how this is happening so i can better think to counter it? are they using our form itself to send the mails? how could they send 1,000's if they have to do it one by one with our form?

          Ask your provider for the logs (or if you have access to them, check) and see how/who they are sending emails to.

          It won't be any use to them if they can't send to users they know.

          Alternatively, add a captcha image (google it) to prevent automated means of sending the emails (requires human validation).

            ok, backing up, i guess i should first have asked how they're doing this? it's automated? why isn't there a standard known piece of code that fixes this? i see many different possible fixes, yet i'm a fairly novice programmer. i don't even understand how they're doing this, much less how to get around it!

              Plasma wrote:

              Alternatively, add a captcha image (google it) to prevent automated means of sending the emails (requires human validation).

              so is this a foolproof way of stopping these?
              all spammers use some automated system to do this?

                so if i use a javascript that doesn't allow the form to submit if slashes are in any of the fields...would this help any?

                  No! Check for that in your php script. The reason why is because the spammer can write his own form and connect to your php mail script bypassing your javascript check.
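Putting the two suggestions from this thread together (only send to one of the known destination addresses, and do the checking in the PHP script rather than in JavaScript), here is an added example of what the mail call above could look like with server-side checks. This is not code from the original poster or from the thread; the allow-list entries, the `$to` lookup and the site address are assumptions.

```php
<?php
// Added example, not the poster's script. Two checks are applied before
// mail() is called:
//  1. the destination must be one of the addresses the form is meant to reach;
//  2. nothing that ends up in a mail header may contain a line break, since a
//     line break lets one form submission append extra header lines such as
//     further recipients.

// Constructed allow-list standing in for the 50-60 addresses from the database.
$allowed_recipients = [
    'sales@example.com',
    'support@example.com',
];

// True only if the value contains no carriage return or line feed.
function header_safe(string $value): bool {
    return preg_match('/[\r\n]/', $value) === 0;
}

// A header-safe, syntactically valid e-mail address, or null if rejected.
function clean_address(string $value): ?string {
    $value = trim($value);
    if (!header_safe($value) || filter_var($value, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    return $value;
}

$to = $to ?? '';   // assumed to be looked up from the database, as in the original script
if (!in_array($to, $allowed_recipients, true)) {
    error_log('mail form: destination not on allow-list, from ' . $_SERVER['REMOTE_ADDR']);
    exit('Invalid destination.');
}

$subject = $_POST['subject'] ?? '';
$body    = $_POST['body'] ?? '';
$from    = str_replace('"', '', $_POST['from'] ?? '');
$replyto = clean_address($_POST['replyto'] ?? '');

if (!header_safe($subject) || !header_safe($from) || $replyto === null) {
    error_log('mail form: rejected header content, from ' . $_SERVER['REMOTE_ADDR']);
    exit('Invalid input.');
}

// The site's own address is used as the sender (an assumption); the visitor's
// address goes into Reply-To so replies still reach them.
$headers = "From: \"$from\" <webform@example.com>\r\nReply-To: $replyto";
mail($to, $subject, $body, $headers);
```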

                    ok, well...i've just finished implementing a cgi "nms FormMail" which apparently is secure as is...

                      A very similar thing has happened to me in the last seven days. Some SOB was using my script to harass hundreds of AOL users. I think I've plugged the holes he was relying on, though.

                      http://www.bobulous.org.uk/misc/mailformAbuse.html

                      Let me know if there's anything on the page you think needs to be clearer.
