Anders Brownworth

Technology and Disruption

Interesting Crack Attempt to Relay Spam

I'm seeing an interesting new attack on my website where the attacker is hoping to exploit unchecked fields in a "web to email" form. The attack works by assuming a field used in an email header (such as the "From:" address or the "Subject:") is passed unchecked to the mail subsystem. Appending a newline character and a few more carefully crafted header lines with a BCC list and a spam message body might trick the underlying mail system into relaying spam for the attacker. An initial test sending a BCC copy to has been used on most forms on my site to phish for vulnerable scripts. I had an old perl script which didn't check for new lines in the "email" field which alerted me to the problem and allowed me to quickly fix it. If you run a site, you should check and strip fields for carriage return and newline characters used directly in email headers.

Details of this attack:

This is an attempt to exploit my comments form. There are many hits from a number of different IPs which I assume are other compromised hosts. Form field data is presented between brackets in the example hit below. Notice how the email field contains a newline character and finishes off the email header fields. It even has Multi-Part support. Impressive!

-- snip --

Content-Type: multipart/mixed;
MIME-Version: 1.0
Subject: 40d7e77

This is a multi-part message in MIME format.


Content-Type: text/plain;
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit




This is an attempt to BCC to report a successful breach. Once a vulnerable script is found, the BCC line is filled with 25 or 30 addresses to spam. If the form doesn't set reply-to before the exploited field or the reply-to is a bad address or nobody pays attention to logs, the site owner may never know his site is compromised and enslaved as a spam bot.

Has anyone else seen attacks like this? Looks script-kiddie-ish as most of the phishing hits came within a two second period.

EDIT: I have written a more concise article covering this issue called Form Post Hijacking.

EDIT: A project of mine called can help control form spam through image based verification.

Comments (503)

Anders from RTP

Just got another one trying to report success to

Anders from RTP

And a couple more:

Anders from RTP

Just got one from which is funny because the next hit was to this story.

Anders from RTP

Yet another:

sam radion from UK

Yup just got a load of these through this morning bcc'd to

Forms were ok already, but very annoying

Sam Radion from UK

Actually - had a thought. Could this not be an attempt merely to grab the presumably valid email address that the form is being sent to for spamming purposes?

Anders from RTP

Could be, but as I say, I had a script that was vulnerable and it started to get hits from all sorts of differient IPs with 25-30 bcc'd addresses and "valid" spam. I shut it down in a hurry, but a few got out. I'm still seeing hits to the cgi even now weeks later.

Matthew Laird from Vancouver, Canada

They discovered an old feedback script of mine too and began spamming through it for a few hours until I caught them. I discovered your article by googling the test email address used,

I've sent a message to AOL abuse to hopefully shut this address down, but I'm not holding my breath AOL will care enough. That's the sad part... do I spend the time reporting all these zombie IP addresses, is it even worth it?

Ross Armstrong from UK

Loads today all within a few seconds of each other, bcc'd to, very frustrating

Teli A. from USA

It seems I'm not the only one, received a few from - started yesterday with one of my websites and just received more this scripts are secure, but it's just annoying having to deal with it...

kaphis from poland

Few probes of scanning vulnerabilities in "www to email" script and one with bcc to address. Blocked with adding few lines of php code.

Pavel from San Jose/CA/USA

I received the same attempt on my site.

Olger Smit from Netherlands

Got several too, by (may he grow bald and seriously sunburn his head). Thanks for advising.

jcjaxson from waldwick, nj

i've rec'd some of these with a bcc to the addy mentioned earlier, am a bit confused and would appreciate a bit more clarification.

in the confirm email i rec'd only one of the form fields contained all the "content type" and "mime" info appearing in the article. both the subject line and the email addy to which the form is sent are hard coded in my script. the originating email is pulled from the form and is validated to be a proper email addy.

how would i know if the script is vulnerable or not?


dreamer from Ireland Yeah, roger that.


Susan from Atlanta

Found this site by searching that address is bcc'd on about 25 messages 'from' our domain to our email address that receives the form in question (mine). I'm not a techie at all...any suggestions?

Anders from RTP

What you as a site admin need to do to be 100% safe is strip carriage returns (\r) and liefeed characters (\n) from form fields in your cgi scripts. How to actually do this depends on the language used in your cgi. In the case of perl, you could do it with a regular expression this way:

$field =~ s/\r/ /g;
$field =~ s/\n/ /g;

for each field used in an email.

Some clarification on questions posted: even if your forms are hard-coded to send you the email, you are still possibly vulnerable to this attack. Adding additional header lines, including a BCC: lists is possible whenever an unchecked field is used in the header of an email. Commonly with cgi forms on the Internet, the subject line, which is part of the email headers, comes from a cgi posted variable and hence can be exploited.

As I say, the fix that will work 100% of the time is to kill all \r and \n characters in cgi variables that are used in an email header. Unless you need to preserve formatting in some special cases, you might as well kill them everywhere as a rule of thumb. There is generally no need for them.

Ian from Spain

I've been hit 28 times by bcc's to I'm using php, how would i block this in the headers?


Anders from RTP

I don't know PHP, but PHP has perl-like regular expressions, so with a quick glance at the docs:

A default install of PHP 4.2.0 and later, you could:

$field = preg_replace( "/\n/", " ", $field );
$field = preg_replace( "/\r/", " ", $field );

This is also supported in earlier versions of PHP but you have to compile it in explicitly.

Brian from Dublin

I just got this tip from another forum and wondered what you thought. they went on to say:-
Instead of blocking
IP's, I'm checking the email address the user/bot enters. If the email
address domain matches the website's domain, then the form is not submitted,
i.e., it appears that the bot enters an email address with a random name
followed by the @ symbol, followed by the actual site's domain name.

Anders from RTP

Sure, that might help, but it won't be 100% failsafe. If the exploiter changes his method, he gets arround your solution. Add to that the fact that the field you are testing might be the field the exploiter is using to break your script so you can't assume it will strictly be an email address only.

I don't reccomend blocking IPs either because once a successful breach happens, exploits seem to come from an army of IPs. That's a loosing battle.

Killing the \r and \n characters will be successful 100% of the time.

Brian from Dublin

Thanks Anders for your reply.
I wonder if anybody can clear up then that if I was to remove the \r \n from the following (php) snip would this be sufficient or do I possibly need to write up another bit of scrip to run when the form is submitted?
$message = $_POST['Name']. ' is requesting some information.' . "\r\n";
$message .= ' ' . "\r\n";

Thanks again for this great help

Chris from MI

I have a site where this has been attempted. The emails sent from the forms are HTML emails, and the To, From, and Subject lines are NOT configurable by the end user...the only things the user provides is content for the body of the email (this content is then placed into an HTML template, the template assigned to the BODY, and then sent). Is this "configuration" still exploitable? Thanks for any and all help! :-)


Anders from RTP

No, you should be fine. Only fields from a form that are used in the headers of an email (like subject, reply-to, to and from) are possibly exploitable.

Christoph from Germany

I have a site where this has happened, is bcc'd. I think I don't really get how this exploit is meant to work... Come here by googleing for, impressive number of hits there...

Kasimir from Europe

Another here. No use blocking IP address, as it's an anonymous proxy.

James G from UK

We are noticing crawls for _all_ forms on sites, which then suffer the MIME injections, and it's getting worse.

Damin from Vancouver, Canada

I received the same attack with a on my contact form AND my post comments. Fortunately I watch my logs like a hawk. I've locked down my posted variable fields with partial string matches so if they try to use me as a spam relay all it won't send at all. The originating IP belongs to a university in Turkey.

Danny from s.e. Kentucky

This is to inform you that you are aiding in the spammers efforts.
Just as you noticed when you did a search engine check , your site was listed , just as when I did the search , I was led here. As a suggestion , It would be advisable to place the e-mail addressess as images so the search engines would quit indexing ( close to 5,000 ) articles relating , and aiding in the users spam. Therefore , still keeping people notified. Just a thought.
cheers !

Mackan from Sweden

If you use PHP:

Run function mysql_real_escape_string() on your POST-data. This function will replace the following characters: \x00, \n, \r, \, ', " and \x1a. For more information read the manual:

Steve from NJ, USA

Hey, I just saw this same attempt on one of my scripts, and after googling for the bcc address (, I found this site. Thanks for your explanation; it really helped clear things up.

In my script, I accept "Name, Email, Subject, and Message" fields, but actually all those are combined into the $message string, which is then passed to my script. My from, to, and subject parameters are all hardcoded in my script, so all guest emails are from a specific email address, sent to a specific email address, and have the subject "Guest mail from <website>". The message body then contains all the "From, Email, Subject, etc." filled out by the user. I believe this setup is immune to the attack described, so hopefully it'll give some of the victims of this attack ideas for combating it. Cheers.

Brian from Ireland

I?m most interested in your reply Steve. I?m quite new to PHP but what you described seem to be the way I have my form setup, for example:

$from = 'IMT<>' . "\r\n";
$subject = 'Message from your Web Site' . "\r\n";
$headers = "To: IMT <> \r\n";
$headers .= "from: $from\n";

$message = $_POST['Name']. ' is requesting some information.' . "\r\n";
$message .= ' ' . "\r\n";
$message .= 'The Subject is: ' .$_POST['Subject']. "\r\n";
$message .= ' ' . "\r\n";
$message .= 'They wrote: ' ."$messagedetails". "\r\n";
$message .= '' . "\r\n";
$message .= 'You can email them back at: ' .$_POST['Email']. "\r\n";
$message .= 'This email has been automatically generated. ' . "\r\n";

I?d be interested to hear a reply. Also if this is the case can we safely ignore any new emails that come in.

Vitor Pires from Portugal

Why don't you just check the email field with some simple regular expression check?
Something like:
I don't know if it's enough but it seems to me it's very light and at least excludes those attacks. :)

No More HGH & Hoodia from O&A

This is the spammer or spam partner:

Keep sending those reports to AOL. The BCC'd list always seems to contain the spammers verification account. The initial test messages reveal who the spammer is. As the spam run ensues, check the BCC list for that "test account". All the other headers appeared to be forged.

They are using hacked computers to relay through exploitable web forms, which conceals the true orgin and makes it appear as if your site is responsible for the spam. If you let the spam escape your network, you may be held responsible for the spam. If the spam makes it through your organization, there is a good chance you'll be BlackListed by the ISP at the bcc'd list.

I'd suggest converting your web form program into a spam trap. Force send any mail submitted to it, to a spam-trap account. Collect as much data as you can, in particular, the domain being advertised in the spam and the spammers verification, email account, including the where the spammer connected from (the other hacked computer) and share it with AOL. They may not respond to your requests, but they do investigate these reports.

Nick from

Just had bcc on my php contact form, no idea what hes trying to achieve or how i can stop this happening...

Flo from Germany

I also recieve attacks by as bcc - is it possible that a spammer has a chance to use an aol-acocount to verify possible relay-servers for more than 4 weeks without any actions by aol??? Even if the client is hacked, the verifying mail-address could be shut down or do they keep the address up and running to get the spammer somehow??? We will probably get no answer to this questions - well then good luck fighting these bastards and thanks for the good advices...

Björn from Sweden

We've also been getting BCC: attempts on our site, about once a month. I say *attempts*, because the moron doesn't seem to realize that our scripts aren't used to send mails in the first place. :)

MIC from Czech Republic

Also on BCCs. Our site is written completely in ASPX and the bot overwrites the VIEWSTATE field as well, causing the web application to report an error, which is how I identified the problem in the first place. Thank you folks for all the info, I was wondering for some time what was going on - suspecting someone is trying to send spams using our web application, but I had no idea about how it was intended to work or whether he succeded. As now I know what's goinng on and what to check, I am happy to sleep well again :-).
Thank you all!

Graeme from Dunedin, New Zealand

I have just had "" attempt to hijack my web-to-email script. Problem for them is it is hardcoded to send only to me... anyway the IP address is also sent to me and is (apparently - I've emailed complaints to as well as, although I suspect the AOL account won't be legitimate as such anyway.

Bruce from USA just struck here. They look for, but I don't use it. I just send them an email telling them to f*** off. Idiots.

Marve from Czech rep.

Well, I got regular attempts on my e-mail scripts.
The IP of the sender was
That's annoying... :(

There's a very nice info-page about that attack:

erkje from Urk, Holland is also spamming in the shoutbox on our site, trying to send e-mails I think. Here's an example of the message Content-Type: multipart/mixed; boundary="===============1153501684==" MIME-Version: 1.0 Subject: b2c188b8 To: bcc: From: This is a multi-part mess...

the text entered is chopped by200 chars (if I remember it right...). he used this ip: this morning 6 attempts within the same minute... maybe automated?

Interesting to see so many people around the world having the same inconvenience with this same person...
I thought this guy was just a kid trying to hack the local christian website :P

this shoutbox script isn't for emailing at all so he won't find a at my site either ;)

Shaun from Sydney, Australia

Another here.

They hit us a few weeks ago, my particular script (a custom one) was vulnerable but I picked up on it in 5 minutes and had the script fixed shortly after.

Quite a few attempts overnight as well, but this time the script wasn't vulnerable :-)

They've tried from Belgium, Jordan and Mexico so far.

M from Finland

I had similiar hits today. Three mails bcc:d to Luckily the form and php script were old and obsolete so I removed them instantly. It is very bizarre that AOL has not reacted in anyway to shut down that email account...

A from Germany

Same problem here from Germany. I informed AOL about bergkoch8, hope that they will remove it.

Mexoi from Holland

Bergkoch8 tried it on our site too (Dutch .com website). Fortunately the script doesn't mail the form, so no harm done.

Interesting though, to read about it on this website.

Graeme Leggett from Norwich, UK

Had the same pattern here, BCC bergkoch8@.... The website with the form is operated for us by another. I cut, edited then pasted the above into the to line and hit "submit". The system threw up a warning about newlines not beiing allowed in the 'to field', so ours checks out clean.

Andre F. from Staten Island, NY, USA

found this site with a google of anyway the attack was on a guestbook of a site i had coded, the inputs just gointo a database but its really annoying.

Sarah from Austin, USA

Same here and definitely annoying. ( I disabled my form and changed the email addy to a graphic. What a creepy little person.

Mathieu Jobin from Vancouver

got the same attempt on website (
he use my login form and comments form.
he tried for every fields, subject, email, fullname, comments, login, password, etc.

looks like he did not acheive what he wanted.
weird he use the same address

I was thinking reporting it to
but i don't know... how does he expect websites to send email like that ?

I receive tons of spam from [random letters]@[]
maybe tons of site are vulnerable to this problem,... a fix should be issued, maybe it would decrease the amount of spam dramastically.


same email,

Duke from Amsterdam

Just append this code to the processing of the form:


then you will find this address is sending the form:
then use the IP deny manager,
and strip \n from you form input's of course...

Ian from Spain

I've been hit again and sorry for being an idiot but I have no idea what to do with my send mail php doe, this is what I use what can I add / change to prevent this again.

$to = ';
$subject = $_POST['subject'];
$message = $_POST['message'];
$from = $_POST['from'];
$from_check = $_POST['from_check'];
$full_name = $_POST['full_name'];
$tel = $_POST['tel'];

$headers = "From: ". $_POST['from'] ."\r\n";
$headers .= "Reply-To: ". $_POST['from'] ."\r\n";

$message = "\nInformation Request: ".$message;
$message .= "\nName: ".$full_name;
$message .= "\nTel Number: ".$tel;
$message .= "\nEmail address 2 (could be different): ".$from_check;

if (!preg_match("/\w+([-+.]\w+)*@\w+([-.]\w+)*\.\w+([-.]\w+)*/", $from)) {

echo "<h4>Sorry info here</h4>";
echo "<h4><a href='javascript:history.back(1);'>Click here to return</a></h4>";

elseif ($from_check <> $from) {
echo "<h4>Info here.</h4>";
echo "<h4><a href='javascript:history.back(1);'>Click here to return</a></h4>";
elseif(mail($to,$subject,$headers,$message)) {
echo "<h4>$full_name</h4>";
echo "<h4>Your email has been sent, we will reply as soon as possible.</h4>";
} else {
echo "<h4>Cannot send email</h4>";

sean from cardiff, uk

just had emails.. my feedback form has been used to send emails with bergcoch in BCC field. I saw in some of the emails i received that he/she has managed to somehow get test email addresses to apppear in the to: field.. so i have taken site down while I fix it.

Paul Baker from Maidenhead, Berkshire, UK

To the people wondering why (s)he is still using the same email address, don't forget that the attempted hacks are automated - just seen a site that got 15 test emails from a form sent within a minute. So (s)he probably wrote the script months ago, and zombie PCs are picking it up and running it still. The email address may have been active once but I doubt it is now.

art101 from California

Greetings to all and thanks for the good comments and fix suggestions on this page. I found this page in a Google search for the phrase ' spam'.

We saw the first two attempts to compromise our PHP web-to-email contact form within one minute on 28 August 2005 at 3:39 local time. Each was sent (supposedly) from nonexistent addresses in our domain (random characters _at_ our Both attempted to Bcc Based on the IP addresses, they both appear to have originated on servers in Australia. I don't think the attack was successful, but I'll play it safe (see below).

I'm a designer, not a techie. I'm not familiar enough with PHP to go fiddling with the script on my site. My tech guru doesn't work on Sunday (unlike yours truly who works all the time and never has a life). Although I don't see anything particularly scary in my logs or bandwidth usage, I will shut down our contact form until he has a moment to look things over on Monday.

I will also post a brief explanation of why I shut down our form and link to this page from our contact page. I'm ticked off enough that I will also suggest that anyone who has experienced a similar attack should contact the good people at AOL - since they surely don't want their good name sullied by association with this jerk (or jerks).

I'm just paranoid enough these days that I don't even want to post my domain name here... but if you'd like to stop by, add a .com to my name in this post. I'm paranoid because my domain was joe-jobbed a while back by the notorious spammer Eddy Marin (see his extensive profile at the Spamhaus ROKSO) - which cost me tens of thousands of dollars and three weeks of my life. You can read all about that by following the link in the anti-spam area at the bottom of our home page.

If my tech guy can offer anything useful to this page, I'll report back ASAP. Thanks again to all of you for fighting to take back the net from the tiny minority of thugs who work to ruin it for the rest of humankind.

best - art101

art101 from California

That's an important point, Paul Baker... (quote: "So (s)he probably wrote the script months ago, and zombie PCs are picking it up and running it still."

This still leaves me wondering if AOL plans to take any action. The owner(s) and author(s) of this global assault obviously had to pay for their account via a credit card tied to a real bank account somewhere in meatspace or cyberspace. If AOL is serious about protecting the 'net from this sort of attack, it should be fairly simple for AOL to follow the money.

My earnest and polite phone call to AOL Security this afternoon (toll free from the US: 888 265-3733) pretty much went nowhere. After enduring endless hold times, shuffled from one perky, useless 'consultant' to another, a perky 'consultant' who could barely speak my language told me to send all complaints to She assured me that the account would be carefully examined and that "action would be taken" if AOL decided that action was required. Right. I felt so much better after that call. Another hour of my life... gone forever. My opinion of AOL's commitment to protecting the 'net from this sort of abuse soared. Not.

After putting the phone down in disgust, I wondered: How many people on this planet have been damaged by this particular assault? How many hours of global bandwidth and time have been stolen? Who barged in to our homes and businesses - like scumbag home invasion gangs - in an attempt to splatter crap all over us that no one in their right minds would ever buy?

The Internet is arguably the most important advance in human communication since the invention of the printing press - way back in the 1400s (western calendar). Who are the few hundred jerks who work so hard to turn the 'net into a giant, pervasive, dangerous strip mall from hell? And exactly which mainstream corporations tacitly help them do so? See:

By the way, Paul... I have relatives in Maidenhead. I hate to go off-topic here, but wouldn't it be a hoot if you knew them? Talk about six degrees of separation... more like two. They live in Bray, actually, just a stone's throw from the river. Feel free to drop me a line at my current throw-away Yahoo address... unitygain2001 (at yahoo dot you know what). Needless to say, I'll do whatever I can to make sure that any jerkoff spam harvester who spams that address is stopped. I will also pray that they die a slow, painful death, all alone.

cheers - art101

jeanmarc from Belgium

Well i see that i'am not the only one to get attack by ;)
I think a stripslash is enough to be protected in php, can someone post a "full protection" for php to email form?

Ian from Spain

This is what you need to do in PHP form:

Make sure you end your headers with \r\n\r\n.


$headers .= "From: " . $from . "\r\n";


$headers .= "From: " . $from . "\r\n\r\n";

It is always best to filter mail form inputs

// Strip \r and \n from the email address

$_POST['email'] = preg_replace("\r", "", $_POST['email']);
$_POST['email'] = preg_replace("\n", "", $_POST['email']);

// Remove injected headers

$find = array("/bcc\:/i","/Content\-Type\:/i","/cc\:/i","/to\:/i");

$_POST['email'] = preg_replace($find, "", $_POST['email']);
$comments = preg_replace($find, "", comments);

Ian from Australia
My latest news post suggests my solution. Basically for all variables use $name=stripslashes($_POST['name']);

bucky from us

try this in PHP:
function clean_variables( &$value )
} else {
$value = str_replace(array("\r","\n","Content-Type:"),"",$value);

Karl from New Zealand

Ugh, just had this same thing happen to me. I don't want to wind up on a black-list of spammers!

Tony from New York

I have also been ?visited? by this spam-bot. We actually saw two attempts on different domains in the past three days. At first I blew it off as it really does look very ?script kiddish? after the second attempt (yesterday) I took notice. The information here was very helpful in figuring out what the bot was trying to do and after a few tests of my own I came to the conclusion that my ASP based forms and CDOSYS are not vulnerable to this attack.

One thing I do think is that the BCC email address ( is not monitored by the account owner. It is probably owned by some poor guy who compromised his account and he doesn?t even know that the email address exists.

As to the IP address question. I chased down one of the IPs to a company in Montana. I spoke with the owner of the company who informed me that his SQL server machine had recently been hacked and that he had been attempting to repair it for the last few days. This reinforces the idea that this script is running on compromised servers without the owner even knowing. It also explains why there was no browser information in our ?message debug? information. (A part of our script that grabs IP, Browser type, and cookies and adds them to the message to help us to debug user issues)

I decided to call AOL and report the screen name to the abuse department. Imagine my surprise when the woman on the other end told me that there was nothing they could do unless I filed a report with the police. Basically she said that they were prohibited from looking at the customers records unless the police subpoenaed them to do so.

After some prodding she did give me an email address for reporting Terms Of Service violations. She said to forward the original email (don?t copy and paste it) to Swell, a lot of f?ing good that is going to do.

I am going to follow-up with them again today. I am also going to write an email to the address she gave me and reference this site. I would urge everyone here that has had this problem to do the same.

Peter from Canada

I've had the same thing ... their IP was

Ian from Spain

OK - I've managed to tie down any field you want for any forbidden character, the code is below:

If anyone can find faults with it (I've tested and seems fine) please post back.

$to = '';
$message = $_POST['message'];
$full_name = $_POST['full_name'];
$no_in_party = $_POST['no_in_party'];
$mail_list = $_POST['mail_list'];
$welcome_pack = $_POST['welcome_pack'];
$from_check = $_POST['from_check'];
$from = $_POST['from'];
$tel = $_POST['tel'];
$bcc = $_POST['bcc'];
$cc = $_POST['cc'];
function clean_from( &$from )
} else {
$value = str_replace(array("\r","\n","Content-Type:"),"",$from);
function clean_from_check( &$from_check )
} else {
$value = str_replace(array("\r","\n","Content-Type:"),"",$from_check);
$headers = "From: ". $_POST['from'] ."\r\n\r\n";
$message = "Additional Requests: ".$message;
$message .= "\nName: ".$full_name;
$message .= "\n\nNo in party: ".$no_in_party;
$message .= "\nMailing List: ".$mail_list;
$message .= "\nWelcome Pack: ".$welcome_pack;
$message .= "\nTel: ".$tel;
$message .= "\nEmail: ".$from;
$message .= "\nEmail check (different?): ".$from_check;

function validate_from_field($s) {
$forbidden = array('%', ',', ';', 'bcc');
foreach ($forbidden as $f)
if (strpos($s, $f) !== false) return false;
return true;

function validate_message($t) {
$forbidden = array('%');
foreach ($forbidden as $n)
if (strpos($t, $n) !== false) return false;
return true;

if (!validate_from_field($_POST['from'])) {
echo "<h4>Sorry you have entered an invalid email address, please check and try again</h4>";
echo "<a href='javascript:history.back(1);'>Click here to return</a>";
echo "<h4></h4>";
echo "<h4>If you are having problems with this form please email </h4>";

elseif (!validate_from_field($_POST['from_check'])) {
echo 'Validation failed'; // Crash and burn
elseif (!validate_message($_POST['message'])) {
echo '% not allowed Validation failed'; // Crash and burn

elseif (!preg_match("/\w+([-+.]\w+)*@\w+([-.]\w+)*\.\w+([-.]\w+)*/", $from)) {
echo "<h4>Sorry you have entered an invalid email address, please check and try again</h4>";
elseif ($full_name == "") {
echo "<h4>Sorry you have not entered your name</h4>";
elseif ($from_check <> $from) {
echo "<h4>Please verify your email address, they are different.</h4>";
elseif ($bcc != ''){
echo "System Error";
elseif ($cc != ''){
echo "System error";
echo "<h4>$full_name</h4>";
echo "<h4>Your reservation request has been sent, we will confirm back to you as soon as possible.</h4>";
else {
echo "<h4>Sorry we cannot send your email please try again or send an email to </h4>";
echo "<a href='javascript:history.back(1);'>Click here to return</a>";

Mark from The Netherlands

We are visited by
I just filed a complaint with aol as Peter suggested

O&A from USA

Please post the URL in the spam and the product being advertised. I've been following this spammer for a while and am curious what you guys are seeing.

Many of the domains being advertised in the spam have been listed here.

onno from Rotterdam / NL

Here a fingerprint of the hack:
Watch the bcc part!

Content-Type: multipart/mixed; boundary="===============0330895761=="
MIME-Version: 1.0
Subject: 201de07b

Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit


Rahul from New York

from my contact page of the website, every day morning i am receiving tons of spam mails BCCd to I see that you all having a discussion about it here. what is this and who is doing this. What is that i have to do to eliminate this problem?...Thanks....

bed from France

I had similiar problem with mails bcc to and

Joe from New York

If the forms that are use are only coded using HTML and do not use PHP, is there a vulnerability to this?

O&A from USA

Too many spammertised domains to list here, but here's a short history of the spammer. Listed is the dates the spam runs went out and a short description of the spam being advertised. Nov. 2004 - Mar. 11, 2005 ( account closed )
securities fraud (CSDP.PK), mortage, car warrenties, HGH Mar. 18 - Mar. 20 ( account closed )
Human Growth Hormone (HGH) Mar. 21 ( account investigated ... closed?)
HGH Mar. 22 - Jun. 9, 2005
HGH Mar. 23 - Mar. 30, 2005
HGH, mortage spam Jun. 2 - Jun. 6, 2005
Test messages ... no spam, but testing of spam to a single email address Jun. 25 - Jun. 30, 2005
Hoodia Weight Loss drug Jun. 30 - July 7, 2005
Hoodia Weight Loss drug Jun. 30 - July 7, 2005
Hoodia Weight Loss drug July 5, 2005
Hoodia Weight Loss drug July 7 - July 9, 2005
Hoodia Weight Loss, HGH July 17 - July 19, 2005
HGH July 7 - Sept 1, 2005
HGH, Hoodia Weight Loss, Securities fraud (GTRD.PK) spam started 8/26/2005 - 9/1/2005)

Martin from Germany

I got the same Problem here. 20 mails in the last few days from my own contact page (bcc: or

Does anybody know a good formmailer to avoid this problem?

Joel from UK

A new one this morning:

Nothing in Google for this one as yet, so recording here.

note the spammer has changed it from the more ubiquitous

I'd like to see this fellow strung up. I will be adding him to my black magic scorpian bottle next time I bury one in the garden.

Tara Michelle from NJ, USA

This is not just happening with PHP, but also with Coldfusion. I am a webmaster and many of my forms are being attacked. Don't know what to do.

VB from Detroit, MI, USA

It is very annoying, we have logged many attempts by this person.
originated from or

had to block their network segment

Donna from FL, USA

I just had this happen to me today and I googled the bcc address that was included of "" and found this site. Thanks for all the information.

Ryan from Corvallis, OR, USA

I don't want to compromise anyone else's site by having someone post something here to help out a hacker, but I think maybe my site is fixed -- is there any way to check it to make sure?

Nick from UK

Yep, I've had two attacks on our site in the last couple of days now (the e-mail addy. Like others, I've e-mailed, in the offchance that they actually care and will do something. In any case, this is a short-term fix.

I don't believe that we've been suffering with acting as a spam-relay, the nasty part is that if we received the e-mail then it's a reasonable indication that the attack failed, I pity all the other admins that *didn't* receive such mail alerting them to a problem.

Gerard from Castricum, netherlands

Same 'attach' to me from Interesting to see that the person or robot first visited som eregular pages of our site and then entered 6 entries within a few seconds in our guestbook. Ans then it visited again a page of our site. all from same public proxy ip

Diwic from Sweden

Another thing one could do would be to make sure that there is only @ in the from-email field, and remove all other @:s. That would effectively block the spam attempt...

Uwe from Germany

Seems like they're very active, again. Found this site via googling "". Luckily I was sitting at my computer yesterday around 21:50 when the first attempts dropped in at my EMail account. Took the formmail script off immediately and then searched every POST variable in PHP with the following code:

if (eregi("\r",$MailFrom) || eregi("\n",$MailFrom) || eregi("Content-Type:",$MailFrom)){
die("SPAM Injection Error :(");

Now I also added hostname logging as suggested earlier in this thread..

Mark from Canada

There is one thing that would stop all bots attempting to abuse the contact us page trying these scripts.

Add an image verification code to your form. The bots dont get a chance this way.
And if you want to go a step further, add a function to parse the arguments before calling the php mail function. If you detect foul play, ban the ip automatically just have code to update your .htaccess with the banned ip. That should take care of the rest. (You could also add a timer say a couple of months for the banned ip to be released since these are zombie pcs)

The thing is if you dont ban them, the spammers get chances to update their scripts. Sooner or later they figure our another weakness.

If you get some public image verification code its good idea to customize it as the spammers try to find weaknesses in common functions so they have max effect.

mika from germany / magdeburg

Thank you Ian from spain for the script! I think it is a very good idea to double the email field and compare the strings. Hope the robot won't get it. I named the second field "clicker2" so there's no "from" at first sight if the HUMAN programming this code is able to look at the php data somehow.

Many thanks mika.

stu from new zealand

Also have had visiting our subscribe form. The bot, or person, tries each input field, but I truncate all fields apart from a comments field at about 50 characters which I hope stops it in its tracks.
I'm also going to add a test for the string "BCC:" and not allow any form processing if this occurs. A blunt, but quick fix I think

One way I'm using, to test if my form fields are susceptible, is to take the text of the attempt, change the bcc address to one of my own, and see what comes to that address.

Rob from England

Just had the same problem here I googled the email address that came through in the attack. My site traces the ip address of such attempts and it appears to be a Lithuanian dialup ISP it originated from

Mark from England

Just had an attempt this morning from and as many of you people here followed up a search through google. Sounds like your all doing as much as possible, but is there a way of blocking the ip address at all? My site is a big message board and all the failed attempts show up as entries - annoying and not pretty!

Lydia from

I have had the same problem, all my forms have
$name = htmlentities($name, ENT_QUOTES);
for all form data which seems to have stopped the attack as their quotes were disabled, it doesn't affect how things show up in messages so you could use it as an easy measure although it may not be totally fool proof.

Alan from Todos Santos, Mexico

Getting hit here as well over the past month on multiple sites.

I'm using HTML forms that call an ASP page using the CDONTS to mail. No PHP used here.

The script being used seems to bypass the form page and go directly for the "post" page since I'm seeing the number of characters inserted in some fields far in excess of the "maxsize" values I set for them in the form page.

Isn't it just as effective to use a simple referrer check n the form processor to ensure the request originated from the form page on our domain and not somewhere else?

Brum from Germany

Graah! Added a php-email form yesterday with a code modified from this page: (first one that comes from a 'php email form' google search) and today mr had made a visit. Í think that the extra data injected to 'your email'-field worked :-( Corrected this now with all the data going to message field and from & subject -fields are fixed strings that have nothing to do with postdata. Well, hopefully that jrubin-address wasn't working anymore and I haven't been the source of tons of spam. Still a nasty thing, especially for us inexperienced coders looking for code snippets from net.

Al from New Zealand

I just got spammed with a bcc to:
I'll report it to AOL, fwiw.

Greg from AZ, USA

I received the contents of a form with the BCC of I checked my logs and the IP address was within Greenville Public Schools. I sent the details to the Webmaster of their site.

Jacob from SLC, UT

I am a web developer and I am currently working for a company calle WI Works, Inc. We have over 300 clients and have a portfolio that contains most of the urls to our clients websites almost all of these sites contact forms are being spamed with what was explained above. If anyone comes up with a solution to this prob. then please contact me at . Our clients are starting to get pretty anoyed and we do need to resolve this prob. A.S.A.P . I am sure we will be able to put some money into this if needed.

Thank you,

WI Works, Inc. - Web Development Engineer

Raphael from Luceren (Switzerland)

Hi there
Just got the same problems on my Page ( ).
They were not able to send mails (because my script doesne't send any mails ;)) but deleting the "bad" entries is annoying ... I modified the script so it doesen't show the "bad" entries but logs them.
I think that's the best idea ...

Bob from UK

At the risk of missing the point completely, is there a way to immunise my contact forms against this spam without removing the message's own line breaks/carriage returns?
Having them 'cleaned out' before it's sent makes for a less readable message at this end.

Niek from The Netherlands

Another attack to some forms on our site. The BCC was sent to

David from Germany

I am totally confused by all of this. I Googled the address: and found this site. I am not a programmer, so I don't know exactly what is happening here. If I get blank emails from my own forms (from my site to my site), does that mean that the spammer was successful and my site is comprimised or does that mean that he failed and my scripts are okay?

Mikkel from Denmark

Quote:"I just got spammed with a bcc to:
I'll report it to AOL, fwiw."

The same happened on my site twice in two days... really annoying!!!

Anna from England

We've just received the same from and have reported them to TOSREPORTS @ and the ISP, although I guess from scanning the posts above that the source PC was some other unsuspecting victim.

I'm 99% certain that and are one and the same as we had an identical attempt about 5 weeks ago from the latter. We reported them then to AOL and the ISP - who were really prompt and helpful "We have informed the owner that we are
aware of this activity and that it should cease immediately", and hadn't had this problem again until today.
Thankfully our web app catches the attempts but it's really irritating. I guess we're eventually going to have to go down the random-letters-in-jpg route.

Meanwhile I believe in promptly reporting them. Even if the source PC is a victim, the owner really needs to be told!

Joern from Essen, germany


while our website is online for testing, we have found following in our mailbox. All form-fields were filled with urfdpps@ru*.de .

Content-Type: multipart/mixed; boundary=\"===============0578799144==\"
MIME-Version: 1.0
Subject: 831ab45a
To: urfdpps@ru*.de
From: urfdpps@ru*.de

This is a multi-part message in MIME format.

Content-Type: text/plain; charset=\"us-ascii\"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit



Niki from UK

We've had this exact problem over the weekend. We have two .asp forms that send mail to use using CDONTS. I don't know whether this knobcheese has succeeded in relaying mail through us, but I want to make sure he can't. Any idea on what to put into asp scripts to block this please? (am I the only person in the world using ASP?!?)

Eric from USA is still up - AOL clearly has no interest in stopping these people if this was first reported to them in July.

Marianne from Las Vegas, NV, USA

I am getting tons of these sent to me using my various contact forms on my sites. I wonder if they have been successful in using it to send spam. It is an old perl script. How can I check if it has been successful? They have looked pretty much like this and thank God I found your article because I was quite clueless and thought it would stop. These are my client's contact forms and it is getting really annoying for them and myself. Any help would be glorious.

This message was sent from
------------------------- COMMENTS -------------------------
Content-Type: multipart/mixed; boundary=\"===============1255325315==\"
MIME-Version: 1.0
Subject: 2c1b597b

This is a multi-part message in MIME format.

Content-Type: text/plain; charset=\"us-ascii\"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit


Eric from USA

Niki, I'm using CDONTS too. Just create a regular expression object to strip all of the unwanted characters from your form fields before they're passed to the headers. You may want to experiment with the characters you allow, depending on the function of the form field.

Something like:

<%Dim sc
Set sc = New RegExp
sc.Global = true
sc.Pattern = "[^.,:@0-9a-z A-Z]"%>

<%dim vartext
vartext = sc.Replace(request.form("textfield"), "" %>

You'd then use the vartext variable instead of a direct form request in the CDO object.

Anders from RTP

The only way to tell if your site has been commandeered to send spam is to check your mailserver logs. If you see suspicious looking emails being sent by your webserver, then chances are you were sucessfully targeted. Patching the vulnerability is easy enough for a technical person, so if you're not technical, contact the people that do your web hosting and have them fix or upgrade your script. If you don't know where your mail logs are, your website hosting company can help you with that as well.

Anthony Cartmell from UK for me too!

Joachim from Bremen, Germany

I'm a PHP minimalist and the following seems to prevent from getting any more of these mails:

|| eregi("\n",$_POST["email"])
|| eregi("",$_POST["email"])
|| eregi("",$_POST["message"])
|| eregi("boundary=",$_POST["message"])

art101 from California

We recently swapped some email with the founder of ( about this issue. While somewhat limited in functionality, the most recent versions of his generic feedback form (PHP 2.04 or Perl 2.2.1) appear to be currently immune from this sort of attack. Webmasters who simply need a basic feedback or contact form on their site(s) might consider checking out his Feedback wizard. The scripts are good and the interfaces for downloading them are seamless (and free).

I tried once again to reach AOL Security and AOL Legal... anyone at AOL who could knowledgeably address this issue. AOL seems uninterested in protecting the broader Internet community from this sort of assault. AOL's corporate spin seems to be, "We just want your money, so f*ck you if you aren't an AOL customer." I will encourage our clients to avoid giving AOL any money or trust.

I uploaded a copy of an open letter to AOL at the Contact page of our site today ( and sent a copy to and I encourage readers of this forum to stop by, read the letter, and pass it along.

Martin from UK

Does anyone know if there are any issues regarding the latest version (1.92) of Matt's Perl FormMail script with respect to this business? From what I can see it's been fixed to remove linebreaks so the form can't be used for spam. But I still get these "reconnaissance emails" which are annoying, sent to randomchars@mydomain with all the fields filled out with the same randomchars. My ISP says to stop receiving these I should remove my catch-all email addresses and just have a list of specific addresses @mydomain to use. Is there not also an option to add a few lines to the FormMail script to prevent a BCC line being used?

Kris from Denmark

I do also have problems with a bcc to: The spammer uses my email-form at my homepage. Quite frustrating..

kilbot from Melbourne, Australia

I just started getting some through today.. seems like this is getting wide spread. Seems like somebody doesn't like .

memex from Hungary

Hi guys, my forms also got hacked in the same way. Just got 23 emails in which the bcc field contains the same address.

Joachim from Germany: thanks for this short code, i will try it out myself.

Jon Freeman from Seattle, WA hit here, or tried to at least. ColdFusion MX 6.1 in use with CFMAIL tag for delivery. Some sort of message was burped out oddly back to me as the form recipient, with a to/from that didn't match, but it never made it outside my network.

About 10 attempts to send mail out - appears to be automated. Checking the logs things seem to be fine.

Haze from Spain

Hi. Same here but we are using ASP and J-mail. Anyone who know the script for that? We have 3 websites in different countries attacked so its for sure a robot following our links between the websites. Regards Haze

Lightbox from Dublin Ireland

to stop the annoying mails coming through we have simply put an if statement into the form to stop this type of mail coming through:
They always use bcc to send the mail so now we just block any mail with bcc

<% if (CGI.getValue("bcc").length()>0) { %>
// This is SPAM
// So dont sent any emails!

<% } else { %>

Martin Smith from London, UK

Alan from Todos Santos, Mexico


Isn't it just as effective to use a simple referrer check n the form processor to ensure the request originated from the form page on our domain and not somewhere else?

Unfortunately some people use things like Norton Personal Firewall which block out the referer for privacy reasons!

Randy from Europe

I'm not sure how secure this is, but this fixed the problem for me. It includes the \r\n fixes and removes bcc:, cc:, to:, and content-type from the variables used by the contact form originally createdd by rapid weaver:

$email = $_POST["email"];
$_POST['email'] = preg_replace("/\r/", "", $_POST['email']);
$_POST['email'] = preg_replace("/\n/", "", $_POST['email']);
$comments = $_POST["comments"];
$name = $_POST["name"];
$_POST['name'] = preg_replace("/\r/", "", $_POST['name']);
$_POST['name'] = preg_replace("/\n/", "", $_POST['name']);
$subject = $_POST["subject"];
$_POST['subject'] = preg_replace("/\r/", "", $_POST['subject']);
$_POST['subject'] = preg_replace("/\n/", "", $_POST['subject']);
$find = array("/bcc\:/i","/Content\-Type\:/i","/cc\:/i","/to\:/i");
$email = preg_replace($find, "", $email);
$comments = preg_replace($find, "", $comments);
$name = preg_replace($find, "", $name);
$subject = preg_replace($find, "", $subject);
$msg = "Name: " . $name . "\r\n\r\n" . "Email: " . $email . "\r\n\r\n" . "Subject: " . $subject . "\r\n\r\n" . "Comments: " . "\r\n\r\n" . $comments;
$headers .= "From: " . $name . " <" . $email . ">" . "\r\n\r\n";

by the way some slashes are missing in the preg_replace examples in previous posts on this site, so i added them here.

Oz from Australia

These guys are a pain.
I'm not sure if this is the right approach, someone correct me if I'm wrong.
I had the luxury of being able to fix the code then change the url of the PHP script and changed all the pages that call it to refer new url. This was a quick fix to stop our site being used as a spam proxy.
I then modified the original php that had been spam scammed and hard coded the to,from and message content. It now sends all spammed email back to along with a nice "friendly" message. I just figure if we all did this it would make it a bit harder for these guys/girls. What do you think ?

Jen from Chicago, IL, USA

I use formmail.php ... can anyone tell me exactly what to change?

Randy from Europe

Oz: careful with that approach... if everyone did this you'd basically be building a ddos infrastructure for the attacker. he could then easily ddos aol.

also: you're making yourself vulnerable. with a relatively small http request the attacker can trigger an email which uses up more system and network resources on your side. he could dos your system, make your server use up all its bandwidth, he could possibly make you exceed your traffic limit if you have one and then you'll either be offline or you'll have to pay extra.

i don't think he actually reads any mail to, he probably has some script collecting the emails to fill a database with vulnerable ip addresses or so. would be kinda cool to know his script and exploit it with a "broken" email to this aol address though ;) you're better off looking for more vulnerable scripts on your servers and fixing them before someone else finds them though.

Oz from Australia

Thanks Randy.
Yes your right.I'll scrap it and just make sure the scripts are secure. It just p'd me off and I wanted them to know ir.

Ron C. de Weijze from Amsterdam

Hi, just sent the following mail to aol.

From: Ron de Weijze []
Sent: 07 September 2005 04:14
To: ''
Subject: spammer from aol is bothering the rest of the world.
Importance: High


This spammer is using an aol account and is responding to any internet form with nonsense letters.
Please search the net for (which he uses in the bcc field).
This forum is discussing his annoyances.


Thank you,

Ron C. de Weijze
M2M Matter to Man BV

Barta Csaba from Oradea/Bihor/Romania

Hy, thanks for the info, im a php+mysql programer and 7 of my sites got this "attack", none of my scripts are vulnerabil for this attack since i use htmlspecialchars and addslashes but im still heppy for knowing what is this "mail rubish" that i get :) oh and hears on of the script kiddies:

Chris from UK

Jsut htought I'd add support. was at my form yesterday. I'm not much of a PHP guy, so I've implemented a version of the fix off of Anders' other page.

What's stopping AOL from handling this? Laws in whatever country the spammer is doing it from?

Chris from UK

I just realised that the guy did NOT get access to mine. The bcc statement is in the BODY, not the header. That means my script is safe correct? Or does that just mean that it's masked in the header? This shows up in my message (Body):

Content-Type: multipart/mixed; boundary="===============0405870795=="
MIME-Version: 1.0
Subject: ebaa588e

This is a multi-part message in MIME format.

Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit


It looks to me like the spambot tried to inject the Telephone field? Am I right here?

markus from innsbruck, austria

filtering out all requests containing "bcc:" in the text seems to be a goog idea!

btw, here a few IP addresses that are used for this annoying contact form spamming approach:
always with bcc:

best regards,

Marin Saylis from North Yorkshire / England < another IP address, was exploiting my website contact form. Added the above mentioned filters, hoping nothing will get through to the bastards! ;)

MrKicks from Los Angeles

I too have attempts with a bcc of . We use a HTML forms that post to .Net that sends the data through SQL to our Email's com. There is no chance that this could be used for spamming but it is interesting to see the attempts.

I also sent this address onto AOL with an explination and a link to this site.

art101 from California

AOL continues to splatter "Want a better Internet?" TV ads all over the public airwaves here in the USA.

Calls and emails to AOL regarding the spam injection issue documented on this site are ignored. AOL is clearly more interested in marketing its crap to gullible new users than in serving a broader global community.

Greed and shortsighted profit... that's what AOL is all about. Shame on AOL. Shame.

thomas from Germany

I have been attacked by bergkoch8 several times. I fixed the contact form (ASP) but s.o. or stays trying. Tonight (REMOTE HOST: tried to crack it once more.

Tiigeress from Chicago

I recieved some attempts from this sick individual today as well. They didn't work but I saw someone a few posts back ask for a form handler that protects against this... best i have found is called Forms To Go, found at bebosoft (dot com)

may barbarians invade his personal space.

Anony from

According to

Please report these attempts to ""

With enough complains we can hopefully close their account

KLemmkeil from Germany

I´ve been attacked 4 times over the last few weeks by this sick individual too. Changed all scripts to stop this annoying stuff. If i ever get my hands on whoever that may be... Help him god.

jcjaxson from waldwick, nj

I'm using an ASP-based script (no "Niki from U.K." - you are not the only one using ASP) that does not interface w/CDONTS.

I'm not sure if this has been discussed, but what we've uncovered in our investigation is that jrubin3456 is modifying all fields ... including hidden fields and radio buttons ... into text fields, that he then fills with his code.

We've taken an approach where, once we detect the attempted attack, we stop the email from being sent. We then capture the IP address from which the attempt has been made. (The most recent attack this morning came from

Rather than dealing w/AOL, I've traced the IP Address back to the Administrator of that particular block of addresses and notified them of the attempt. I am also pursuing an approach through a blacklist organization to see what might be done through them.

comments, anyone?

Arthur from Virginia, USA

Good article and comments.

Looking at my logs, I noticed that the requests from the bots don't contain the HTTP_USER_AGENT field, and the HTTP_REFERER field is set to my home page, not to the address of my contact form.

So I added the following to my php script:
$valid_user_agent = isset($_SERVER["HTTP_USER_AGENT"]) && $_SERVER["HTTP_USER_AGENT"] != "";
$valid_referrer = isset($_SERVER["HTTP_REFERER"]) && $_SERVER["HTTP_REFERER"] == "http://{$_SERVER["HTTP_HOST"]}/contact.php";

if ( $valid_user_agent && $valid_referrer ) {
// send email
} else {
// spambot

Kevin from USA

Wow. Seems pretty common. I don't PHP at all, but I am guessing that a simple ASP replace function would take care of the hook. Almost seems like a SQL Injection Attack

Haze from Spain

Seems to me that some of you have ASP script that works, anyone who can show us how to do? I received over 100 emails from my forms today so he send more and more. Please HELP!
Regards Haze

GoGo from Netherlands

Got several too, by
Thanks for advising.

Tiigeress from Chicago

This is kind of interesting... after a failed attempt to hijack a testimonials section of my site, a few days later i get 4 new posts waiting for approval from i assume the same person with different attempts. A lot of them are advertising a URL - but there was one URL that stuck out at me as odd, it was the only one in a long list of strange characters. doing a few babelfish translations from chinese to english it appears that this is a company that makes or hosts advertising software or maybe the script that is taking over all of our sites. if this is the company this person is with, maybe it is worth further investigation. From what i gather, they call it "the hurricane"

here's a babelfish translation (i know it sucks) of part of the page...
"1st, enters the national large-scale information port, has your advertisement 2, enters each kind of type message center, has your advertisement 3, enters each kind of forum, turns on the mailbox........ to let your advertisement there is no place not in, lets your advertisement seize every opportunity"

here's another translation from the side menu:
"This website software face interlocks the net honestly to draft the business agent, the proxy condition extremely superiorly, enables you to become interlocks the net well-known group to send the software supplier and the group sends the service provider, and specially makes for the proxy has custom-made software, including business agent's individual copyright information, the contact method and so on other contents, our service and your inevitable success close is connected, welcome to relate, deigned to inquire! ! !"

what do you all make of this?

Tiigeress from Chicago

oh, more on that URL i just posted - the exact URL in the code was:

Joachim from Australia

I guess another way to prevent this is to check all the header-fields that are sent from the HTML Form. Do a regular expression, or a string search from either \r or \n and remove EVERYTHING, including \r and \n after it in the header field. This is acceptable because there are not supposed to be a line feed in any of these fields anyways.

Jordie from Australia

I got hits this afternoon from, I found this site through Google. I guess the best I can do at the moment is set up a Thunderbird filter and see if I can dig up a bit more on Mr.

I did something really stupid though... I sent an e-mail to the address, asking if he sent them or if he was receiving them too. Oh well.

Mike from USA

I got these emails from the mail address. I use ASP and told my provider about what was going on. I wonder if AOL was told that the bastard was using their system to pass kiddie porn would they react more diligently? I know it would be lieing, but if it got the guy shut down it would be good for the people he is exploiting.

Matthias from Germany

This is all very interesting. I have kept getting strange emails from our newsletter registration form since a couple of weeks ago and I first didn't know what was going on. Then I finally decided to trap the IP, which was If you enter "" on Google, you get very many results, it seems to be a proxy server in Poland. I also found out that "" appears in the BCC line of one of the emails.

So far he doesn't seem to have succeeded because almost eveything in my call to mail() is hardcoded. However, he won't stop trying.

David from Birmingham, UK

Just a thought for an easy fix. Rather than removing line breaks and characters to disable the hack, is it not easier to check for the term "bcc:" within the submitted fields and simply not run the script if it finds it?

Matthias from Germany

This morning I got another 18 attempts using the following IPs: ( ( ( ( ( (unknown) (unknown) ( ( (unknown) (master.worldnet.local) ( ( ( ( ( ( (

I found out that my script seems to be more vulnerable than I thought, but I fixed it so it should not be exploitable any more. I don't know why but the offender did not seem to try filling in any fields of my form, so I wonder what the purpose of this attack was.

Matthias from Germany

I have been hit by again. He was using the same IP three times within a couple of seconds, and he did not seem to be using a proxy server.

I reported to the ISP that corresponds with the hostname that I was able to resolve and asked them to reveal the offender's identity. I also wrote an email to, which seems to be the new address for complaints of this kind.

Well, let's see if I get any response...

Jon from UK

Thanks for the info here. I've been monitoring these attempts on a few domains over the last few weeks and have stopped them each time I find an e-mail gets through. I've sent a complaint to AOL at their TOSspam address.

Dan from UK

After watching them mess with my forms for the past couple of weeks they succeeded in sending out some spam last night. Deleted the script, patched it up then reupped it. Seems to have worked for now.

Interestingly a different ip from the bots is now rescanning the site and grabbing the new contact form after the last dozen bot attempts got 404 or 403 errors:

Rob Barkas from Haverhill MA USA

Received 15 of these this morning with the bcc being If AOL is getting so many complaints why is this account still open. I did report it to hopefully something will be done. I will now have to validate my PHP form due to this.

thomas from Germany


For ASP scripting with JMail try this code to replace linefeeds and carriage returns
Set RegularExpressionObject = New RegExp
With RegularExpressionObject
.Pattern = "[\r\n]"
.IgnoreCase = True
.Global = True
End With

name=RegularExpressionObject.Replace(name, " ")
email=RegularExpressionObject.Replace(email, " ")
subject=RegularExpressionObject.Replace(subject, " ")
message=RegularExpressionObject.Replace(message, " ")

Set RegularExpressionObject = nothing

You have to use your form variables for name, email etc.

to kill all mails containing "bcc" try this:
Dim found = false
Set RegularExpressionObject = New RegExp
With RegularExpressionObject
.Pattern = "/bcc/"
.IgnoreCase = True
.Global = True
End With

found = ( RegularExpressionObject.Test(name) or RegularExpressionObject.Test(email) or RegularExpressionObject.Test(subject) or RegularExpressionObject.Test(message))

Set RegularExpressionObject = nothing

If found Then

June Barkas from Haverhill, MA

It is king of obvious that AOL is not taking this problem very seriously as some of these accounts including are still open as my husband received some of them in his business web site. AOL obviously doesn't care about the internet community at all as this web site was first posted on July 8, 2005 and it is now September 10, 2005 and it doesn't seem that alot has been done. If anyone knows the code for elimating bcc mail using PHP I would appreciate it.

Anders from RTP

Eliminating BCC: is a little more complicated than it sounds. For example, my posting this comment would trigger your BCC block because BCC: is in the body of this message. A BCC block still won't block additional TO: lines either. Take these points into consideration if you choose to block BCC. Killing \r and \n characters eliminates all possible permutations of this attack.

June Barkas from Haverhill MA

Thanks for the quick response. If I take out the /n can I uses spaces in between as all of the information would be clumped together?

Anders from RTP

Yes, replacing \r and \n characters with a space is a good idea. My origional example does this.

Matthias from Germany

I just got another 3 hits from I simply send them to AOL as an attachment and I will keep doing so. If you do that as well, then AOL might finally learn what it is like to get trash all day.

Someone suggested that might already have been deactivated and that scripts on PCs keep using it, without the knowledge of their owners. But if this is not the case, then I wonder if it would help to mailbomb and all the other addresses he's using. If this does not help, then one should maybe simply mailbomb, making them aware of the problem by choosing an appropriate message body.

Anders from RTP

I wouldn't suggest mailbombing AOL. They have computers reading those messages before humans do so I'm sure they will just blacklist your IP and be done with you. Even though mail to these AOL addresses is not bounced back, we don't know if AOL hasn't already suspended the accounts and is just sending our emails to the bit bucket. The best strategy is for each of us to submit a rational complaint to AOL, hope they work on it and make sure we are not vulnerable to this attack.

Tiigeress from Chicago

Another thought... we could just block all of AOL from our sites - if enough sites do this people with AOL accounts will start complaining that they cant go anywhere on the net. maybe they would take us seriously then :)

I know it isnt a very practical solution, but this stuff is driving me crazy.

Has anyone looked at the site I mentioned a few posts back? I really think those people are the ones behind it all.

Klemmkeil from Germany

This annoying bastard is hitting my sites daily meanwhile.
Today, I got a returned mail by AOL stating that the Mailbox is full :-)
I keep fixing my scripts, but he seems to find a way every time. I am stripping all \r and \n, but one or two attemps went through anyway. When I try myself, no mails are sent at all.
I am getting really annoyed!

Matthias from Germany

I can assure you that is still an active account. I have just sent him an email, and it did not get bounced - neither did the other 5.000 or so... ;-)

Simon from UK

We've been seeing regular attacks of the same nature as discussed here on our web to lead form for a number of weeks. I've a feeling a few early attacks may have got through, but have tightened the backend up a lot since.

Today however we've seen over 30 attempts 2 or 3 an hour almost at random it seems. All failed.

At the suggestion of someone else I've initiated a log of the requesting IP - which in this instance was

The source IP was:
The hostname was:

Has anyone else had an attack launched from here?

I've reported it to the named contact in the domain registration records - what good it will do I have no idea. This time the BCC address was

We changed our web to lead so that it always has a fixed (hard coded) from and to address - and now is only informational to us, rather than also copying the original sender on the message. So far this seems to be holding... We copy all the email address info into the message body for later examination.

In the near future rather than email us from the form it will post directly to our eCRM system as a potential lead, which will cut out any chance of it's use as spam, but I guess will open other possibilities....

It's good to see others are having the same problem, and share ideas.

Matthias from Germany

Now look what I just found in my inbox:

----- The following addresses had permanent fatal errors -----

----- Transcript of session follows -----
... while talking to
>>> RCPT To:<>
<<< 552 jrubin3456 MAILBOX FULL
554 <>... Service unavailable

:-D :-D :-D

Russ from Los Angeles CA, USA

I have been dealing with last night and this morning. It doesn't look like any of his 150 attempts went through, but he sure tried. I Googled his email address and found this page. Thanks for the info. I fixed some of my code, but with the information above I can now totally protect my site against these punks.

Jason from Tyson's

To report this guy to AOL call 888-665-3733. He also tried to crack my php contact form.

Greg from Canada

I got plenty of %#*! spam from, trying to use my website forms.
I coded the PHP on my site 5 years ago, and I have long forgotten my code... Could anyone who came up with some nice working code against this problem be nice enough to post it for me and remind me where to append the code?
I saw the code with mysql_real_escape_string but I can't seem to figure how to use it from the PHP help file. There are too many different solutions in this thread. What's the definitive code people use?

Michael Grimm from Florida

I took out the /n however the data submitted is harder to read as it is all crunched up... Not sure if this is spammer proof yet though.

Matthias from Germany is back again. I got another 3 attacks this morning and forwarded the information to AOL. Looks like the address is really being used by someone, as emails do not get bounced any more.

Oh well, then let's send another couple of thousand messages. If AOL does not react soon, then I might also send the information more than once next time...

Matthias from Germany

Ok, here we go again! :-D

----- The following addresses had permanent fatal errors -----

----- Transcript of session follows -----
... while talking to
>>> RCPT To:<>
<<< 552 jrubin3456 MAILBOX FULL
554 <>... Service unavailable

Dean from Melbourne Australia

I've had about 120 attacks (with as the BCC) across 8 different websites that I host, and which all had running my own custom php script.

However, as Pair Networks ( is my web host, they have their own custom script available -- they advised me to either use this script or find a more secure PHP option.

I settled on Tectile's PHP form mail variant -- free to use -- at

This includes two very helpful security features -- you can specify the target email for the form in a config file, and you can "mangle" your form's hidden fields so the recipient email is not in a valid email format for any trawling spam bots.

As soon as I implemented this solution today, I noticed 48 attempted attacks fail! (The Tectile program can email you at a separate address to advise you of when a user "fails" the form, although you can turn this off).

And I tried adding linefeeds and extra bcc addresses into my own forms, which immediately failed and stopped the form from working.

Thought I'd let you know how I solved it.

Chris from's email showed up in my LAST SEARCH query.. Along with a limited amount of garble:
1.0 7bit 90f81d6f ===============1599482751== akytvbu bcc boundary= charset content-transfer-encoding content-type format. from message mime mime-version multi-part multipart/mixed subject text/plain us-ascii -===============1599482751

Lin from Uk appears to be at his tricks of hacking my site. He is a menace, what can be done about this? I am no techie and would appreciate some advice?

Matthias from Germany

Ok, enough is enough. I got hit by again and AOL does not seem to care a fig. This time I'll mailbomb them, too.

June Barkas from Haverhill MA

What I still don't understand about this whole situation is that most of us have contacted AOL regarding this and they have done nothing. They claim that they have an anti-spam policy? They certainly don't enforce it do they. When I receive any type of spam from hotmail or yahoo within a day or two the account is closed. I don't understand what is taking so long for them to do anything? If you search out any of these email addresses you come up with tons of guestbooks that have been signed by them. What is wrong with AOL? If they email addresses indeed did get hijacked then the accounts should be closed immediately if not sooner. Still don't understand their policy.

Matthias from Germany


----- The following addresses had permanent fatal errors -----

----- Transcript of session follows -----
... while talking to
>>> RCPT To:<>
<<< 552 tosgeneral MAILBOX FULL
554 <>... Service unavailable

I am surprised to learn that the postmaster has a limited account - maybe he should buy an upgrade to be able to receive more emails... ;-)

June Barkas from Haverhill MA

Yesterday I removed all of the \n in all of the fields and today got slammed again 16 times with a bcc of including the Mime message. Any suggestions?

nic from virginia

Try using a more secure form like this one below (see web address) i was getting spammed just like most of you mention above so i changed my form to a new one where user has to look at image and type in letters from it as well as some more security checks and feature.. it's a good form. to use

Uli from Berlin

I had the same attempt on one of my administrated websites. He used the adress: and was trying to attept a hack on the 06th Sept.2005 at 02:08am MEZ with the ip:

Eduard from Amsterdam

I found Arthur's comments (#134) to be useful, also I think Anders' comments at the top are relevant in explaining the mechanism allowing for the hack.

I'm using Richard Heyes' php formmail script and interestingly enough, the version I was using was already set up to add a lot of /r/n's but it was still hackable. I updated it to his latest one and will see if this helps. I also used the referer and user_agent filtering.

Matthias from Germany

AOL anti-spam policy? Don't make me laugh! Rumor has it that they even sell the data of their customers, so signing up with AOL is the best way to get spam.

I was hit by again, and I forwarded the information to AOL as before. The email did not get bounced, so someone must be reading this stuff.

My script should be secure, but it's still annoying to get these tests all the time. Well, I am mailbombing again...

Dami from Germany

I have the same problem, which is costing me lots of money as mails get forwarded to my phone.

As AOL seems to sleep, has anyone contacted CERT or government authorities yet? I'd also be happy to supply IP addresses...

Anders from RTP

Matthias: please don't mailbomb.

Dami: CERT is a good idea. I haven't contacted them, but we should first check to see if an advisory is out. This has been going on for a long time so someone may have already submitted something.

Another clarification, with the \r and \n replacement fix, you will still get the test emails which is quite annoying. Some additional checks (such as the BCC: suggestion from earlier) can be used to stop you from seeing the probe emails as well but you have to be carefull as I mention in comment #152.

Matthias from Germany

Why should I not mailbomb AOL does not seem to be able to close the account, and I am really fed up with that guy.

Anders from RTP

Matthias: This guy is frustrating I know, but script around it for now. Check on CERT and see if they know about this problem yet. Submit if they don't know yet. I have a feeling AOL will listen to CERT.

Matthias from Germany

Well OK, I will cease mailbombing and AOL. But as far as CERT is concerned, I hardly know anything about that organization or it's purpose, so could anyone else do that please?

Decibles from India

I?m a PHP newbie and has been a pain ....its been more that two weeks now and I?m tried of handling spam in my personal mail and all my clients are after me to resolve it as eventually the same PHP script runs on their site too....don?t know if this is a great idea but it just occurred to me that by separating the email "from" field from the rest of the form and collecting this on a separate page and collecting other details on a different page work? And will it stop the spam...? Would really appreciate the feedback

Pieter from Netherlands is attacking formmail here.
If you subscribe him to many boards to spam him, you're only give him new scripts-adresses.

He is using different anonymous proxy servers and sent a bcc to

The last time I had problems with a "bomber", I created an account at the internetcafé on Ebay and in the control-panel (after activation) I changed the free email account. Did some bids on Ebay and 2 weeks later the email adress was out of order. Seems Ebay is working on AOL

Chess from San Diego

I have used Forms To Go and am being hit by jrubin about 5 times a day with 12 emails sent each time.

I use a PHP Script. Is there a simple code that I can include in my script that would kill all bcc emails AND strip the \r and \n strings while at the same time not clump all my information together into an unreadable mess?

This may have been covered befoer, but I am not sure which codes will work best for PHP. Thanks. Let's put an end to this joker!

Luke from QLD Australia

I have found that the dropkick has been using these IP's

I also found that the IP address is changing every hour or so.

Could this be some sort of spyware or trojan program that has infected other computers?

Or maybe there is more than one spammer involved in this crap??

Jo from Hamburg

Many people are asking for the best change to prevent email injection and to get rid of the annoying test emails from the spambots. As Anders suggests, I think also the best way to secure mails is to replace linefeed (\r) and newline (\n) charcters with spaces in all variables intended to be placed in the mail header. This is not necessary for the message body. Some have done this and got ugly formatted emails as a result.

Next is to reject the test emails. This is easy for all fields which will be added to the mail header. If they contain \n or \r you may stop sending the email. How to do this is explained from Uwe in post #81.

After grasping the fields contained in a form the spambot by-passes the form and sends his request directly to the script. In his repeated tries he fills his malicious email in one form field after the other, so not always the email field contains the garbage. As the message content may contain any text it is site dependant if you are able to define expressions which are not allowed in the content. The same is for all other fields too. You have to decide individually what content is wrong and define similiar expressions as in post #81. As more expressions you find as less spamtest mails you will receive.

The current spambot also can be recognized by the missing HTTP_USER_AGENT and incomplete HTTP_REFERER fields. But this is not unique. As posted earlier some firewalls delete the HTTP_USER_AGENT and if someone has bookmarked your site no HTTP_REFERER is set. Also future spambots will probably do it better.

And don't blame AOL for the outrage of the spammers. They can not do very much. The probing mails as well as the spamming mails are not sent from AOL but from a lot of pc's which are hijacked by a trojan virus. It will not reduce any of these annoying test mails with bcc to or if the AOL account is closed. The only thing AOL can contribute, is to prevent anyone to download the mails from that accounts, so the spammers do not get new addresses of cracked web sites.

Barbara from UK

I have tried some of the fixes suggested for my html/php forms and would like some help for an error I am seeing in the POSTed email.
Where I test for \n, this is being replaced by \\r. I know this is not a problem, just wondering why this is happening when I would expect " ".
Dear Mr.AOL appears to being a little blocked by what I have done and is now spamming me with empty response forms.

With everything else that I am testing for, how do I add in a NULL test. Not all fields are required so I only need to test if all fields are NULL.

Or, has my form been hijacked completely and I am only getting the NULL part sent through while the script does its evil work on my server?

Chess from San Diego

I read post #81 and have copied the script. Is this something that I paste into my php script. And if so, where do I paste it? Apologies for being such a newbie at this.

In my script he only fields that get called into the header are the name and email. So, I just strip the \n and \r drom those fileds? How do I add a space so that the fields don't run together in the email that I get sent?

Thanks for any straight forward answers.

Optima from Malaysia

We using ASP form and got the spam attack as well, any way to cure it or fix it?

Matthias from Germany

Looks like the attacks are getting less. While used to send 3 emails in each attack, he has only send a single one this morning. I hope he did not get disturbed by my script detecting the hack and sending him more than just one email to :-D

I know that AOL is not responsible for the spammer trying to hijack our forms, but preventing anyone from downloading the information gathered in these accounts will make the spammer's life much harder, and this is the goal of closing them.

Besides, these accounts are the only chance to identify the offender, as the logged IPs only tell us whose PC was abused for the attack. However, AOL seems to protect this guy.

Carl Colijn from Netherlands

I use ASP and CDONTS on my website, and I did a check whether the script was vulnerable. The value of the "To" field is hardcoded in the script, but the "Sender'", "From" and "Subject" header fields are not. For testing purposes I set these fields to "Request.Form("email") + vbNewLine + "Bcc: spam@ (etc.; our company web address)"; and the results were this:
- Setting "Sender" triggered an error while sending the mail
- "From" and "Subject" seemed to get their newlines stripped already by CDONTS (replaced by spaces).

The mail got through to our inbox (when I removed the "Sender" test), and the mail's source revealed no extra header lines with the BCC field; the BCC line was merged in the To, From and Subject line.

Our server is using IIS 6.0.

Just to be on the safe side, I still patched our script ;) I used the following code in the new email script:
Function SecureHeaderField(sFieldValue)
SecureHeaderField = Replace(Replace(sFieldValue, Chr(10), " "), Chr(13), " ")
End Function
You use this function i.e. like this:
oMail.From = SecureHeaderField(Request.Form("email"))

I invite anyone that wants to give this script a test (including mr. jrubin3546 et al. :) ) at our web form: (the page is in Dutch, but the form is easy enough to understand).

Hope this helps anyone.

Cosmo from UK

I'm trying a different approach. Using PHP.
1. Clean all $_POST fields
2. use regex to check all named fields for presence of an email address in the text; count the hits.
3. reject any input that contains more than one email address anywhere
4. validate that one email address as the 'from' adddress (the regex excludes /n and /r as a matter of course)
5. 'to' address is hard-coded.

This way, you don't lose formatting on the message body. You don't allow bcc or other addresses anywhere - just the sender's address.


Matthias from Germany

Looks like I spoke too soon. I got another couple of hits from I called AOL Germany and asked them what they could do about that guy. They told me that I would have to report to the police. AOL really sucks... It seems to be the provider of choice for hackers.

Well, I am now going to incorporate the code from Uwe in post #81 into my script.

Greg from

i don't use a bcc in my post variables, would this kill it if i put it up top?

if(isset($_POST['bcc'])){ exit; }

is it possible to check for the presence of variables outside of the few i use that aren't mine and if found exit?

Greg from

wold be nice to have a script that checks for the variables you expect and if others are found, it will kill the form

Ian from Australia

Yep, I had three different servers I run have this hack today, all from

Given I don't know a single techo person who actually uses AOL, I think (as well as putting in the sugestions above) I'll do a search for '' in every field. If it exists, die() will be called...

June from Haverhill MA

Hi Nic, I like the idea of having a box to type in the letters and numbers to verify. What are those called and where do you get them from. Call me stupid, as I have seen them around every where but don't know where to get them from.

Michael from Atlanta

It started about two weeks ago for me. My site was hacked into by I now need to pull my site off line. How can we trace this culprit down and prosecute!

Ben from Bristol, TN, USA

I have been severely affected by this problem. I maintain abouut 25 websites and about 50% of them have been hit by 20+ e-mails and the frequency is increasing. They aren't "working" in terms of relaying, but it's still consuming time and my customers are asking questions.

I'm afraid this could be the beginning of a significant change to web development. We have made the decision to begin utlizing a low-level "turing" test on all our forms to verify the form submitter is indeed a human being. I realize we could implement steps server-side to prevent these automated contacts, but I also realize that this problem will only continue to evolve as enough insecure forms and servers exist to be exploited in the future in new ways.

We are going to start with a simple question, such as "What is the third letter of the alphabet?" but we dread moving towards CAPTCHA ( techniques because they are inaccessible to those with vision impairments or browsers not displaying images.

It may be that we will have to continue to devise ways to trick computers until that inevitable moment when it's impossible to differentiate and we'll have to resort to fighting the losing battle of IP bans, e-mail bans, and string recongnition deflections.

jrubin_victim from USA

To Jrubin - congratulations - it takes alot to piss me off - with over 300 attempts this morning - I hope someone hacks the $#!^ out of you.

Kirk from Carlisle, PA

A HTML/PHP contact form on my web site was compromised this morning by Over 300 attempts corroded my inbox. What an annoyance! Is there anyway to tell if this person was successful in sending spam or attaining there goal?

Jo from Hamburg

Hi Matthias,
I don't believe any mailbombing is a good idea. I think this helps primarily the spammers because all mails to that AOL addresses may be evidence if this guys get caught. And if the mail accounts are full the evidence is lost. Therefore it is important that the spammers can not download their mails.

A way to force AOL to give a statement about what they have done with these accounts may be to inform computer magazines (like c't in Germany) about that spam campaign (with evidence of received hacking attemtps, discussion forums at the web, persons who get infitrated by the trojan virus as described from Tony in post #62 and that AOL gives only general statements). In their issue 5/2004 c't had a report how they revealed the cooperation of a hacker group with spammers. Last I've heard was that the three leading guys from U.S. and UK were brought to court.

Terry from MN

If you're using a formmail script rename the script to something other than formmail. The bot searchs for formmail file handles.

Matthias from Germany

These attacks seems to follow a certain pattern: I always get 3 Emails per attempt, one without any spam injection and 2 with spam injection. Having included the code by Uwe in post #81, I seem to have got rid of the spam injection probes at least. However, I still get the other one.

As Jo from Hamburg has suggested, I have just sent an email to the editor of the c't magazine, asking him to search for on Google and to check out this discussion (I included a link to this page).

Maybe they will investigate the issue and publish an article, forcing AOL to take action in order not to lose their reputation (which won't change the fact that I have never held AOL in high esteem anyway).

Sergio from Barcelona, Spain

Another victim of jrubin and bergkoch8 here. Fixing my PHP scripts right now. Thanks for this site!

June from Haverhill, MA

Not sure if this is working, but today I didn't receive any bogus emails. If someone can take a look at this code and give some feedback, I would appreciate it.

if ($Submit) //if Submit is hit
if ($to == "" && $subject == "Inquiry for Function" ) {
mail($to, $subject, $from, $body);
echo "<meta http-equiv=\"Refresh\" content=\"0;URL= \">";}
else {
print "Sorry! Wrong information, cannot send form";

} }?>

Nick from UK

Each time I've been hit it uses my own domain in the fields, e.g:


Could a script be used to block any e-mail addresses that include one's own domain -

Tommy from Germany

A friend contacted me a couple of days ago with the plea for help for he was getting strange emails sent through the contact formular on his website. Turned out to be the problem described here and was fixed fast. But by carefully scrutinizing the access statistics another problem popped up - some of the attackers have supplied a correct referrer (ie, if the URL of your contact formular is", the attackers often supplied "" as a referrer). Now, since the site is entirely realized with PHP, there is NO SUCH document, so the referrer is obiously as fake as a 3-dollar bill).

Looks like some malignant software writer is trying to get smarter.


If the $from variable in post #208 is from a input field of the form this code is unsecure. You have to apply a substitution as Anders has described in his article to disable email injections.

If you want to ignore such attemps apply a check similiar to post #81 from Uwe. But this does not ignore all attempts. Although they are harmless and only fill your mailbox.

Linda from Virginia Beach, VA

I got 273 of these emails this morning. I think I've fixed my form & don't want to help spammers by posting how they are doing this, but I'm not really sure I understand how this is being done. I'd really like to test my form to make sure it is fixed. Can you give some tests or suggestions to make sure it is fixed?

Jay from London, UK

I'm really stuck!
Whatever i try, i just can not stop these emails incoming.
The other day i had about 60! :(
Is there anyone with a fool proof bit of code?

June from Haverhill, MA

The form variable on post#208 is not from an input field. It is a variable that is desinated $to= '' and $subject=Inquiry for Function'. They are preset and not from input fields that is why I was curious if this would work.

Pete from UK

I had someone try to use my contact form too. BCC'd to another AOL address:

I've put some code in now to stop it happening - however it still sends the email to me, so I can see who is trying what.

I've hardcoded the to, from and subject into the mail() command now, and I check all the other fields for the @ symbol and replace any found with another character. Should stop it happening.

Tiigeress from Chicago

Carl, #193 posted a way to test: Request.Form("email") + vbNewLine + "Bcc:";

in your browser's URL bar, type in the url like so:"email") + vbNewLine + "Bcc:";

at least I think this is how it is supposed to work, i tried it on my form and it sent to my spambot error page <3 if this is not how it goes, I too am looking for a test script. thanks all. :)

arctangent from Seattle

We had posts appearing in numerous forms - mail, guestbooks, etc. - on our system, which serves many hosted domains. We hit on a similar solution, modified for our multi-site environment; thanks to Anders and to all who posted for the confirmation.


RE occasional coders: I've noticed many people in this forum typing /n /r when they mean \n \r. It's the \ backslash (escape) one must use to trap newlines and returns. With / you'll be debugging your code forever.

Haze from Spain

Hi again. ASP/JMAIL. A Swedish girl told me to move the JMail.Subject and JMail.Body to the top, right below "Set JMail = Server.CreateObject("JMail.SMTPMail")" and have all the others below, JMail.AddRecipient and JMail.AddRecipientBCC etc. She says that my info will write over the info put in by the spam robot. I'm not sure if it works but have not received any spammail since then, Friday last week..


just an update, this was useless - if(isset($_POST['bcc'])){ exit; }

greg from

check this out!

if ( eregi( "MIME-Version: ", $_POST['field1'].$_POST['feild2'].$_POST['etc'] ) ) { die( 'Get out, spammer.' ); }

from -

Alex from Santa Clarita

A good primer on how these header injection attempt :


i have 2 commands at the top of my scrip tand it's workign "so far"

"MIME-Version" and "Content-Type"

check all fields for that

and if it starts up again, make sure you are bcc'ing yourself so you know what to ban.

hopefully no one is getting their domain banned on account of this jerk-off

FoTo50 from Austria

Syncronising O&A's list, mine and the rest of this age I have following list of email adresses as Bcc rcpt (in alphabetical order):

Once again I would like to understrike, that it is NOT ENOUGH to validate the form field values via Javascript (e.g. like <form .... onSubmit='return validateForm()'>) since this Worm (or whatever we call it) does not submit manually the form but tries to send POST-Data directly to the executing script (<form action='....'>).

jcjaxson from waldwick wrote, that it will try to exploit all fields including hidden or radio fields. I could not see that, but definately had attacks for each text field (input type='text'>, <input type='password'> and <textarea>). So if e.g. your form is a newsletter subscription (very attractive for those hackers) has only 2 fields (name,email) you will get "only" twice a attack email. If you have a complete feedback form with 6 fields (name,street,postalcode,city,country,comment) you'll get 6 times a try to see if your form is "unclean".

For all those using PHP (and I thing they're quite a lot) I have a function public that I use to validate my forms and hope it can be helpful for one or the other. You can find it at (use it at your own risk) ;o)

PS.: Thanks to Anders for this rich info pool!

greg from

jrubin is obviuosly reading this thread ... know the server referer variable is using the applicable domains name.

Greg from

here is my latest, i think it's working now.
note: as stated above ... miss 1 variable and he will get through.

he can only go so far before his emails will be malformed and worthless

if ( eregi( "Content-Transfer-Encoding", $_POST['var1'].$_POST['var2'].$_POST['var3'].$_POST['etc'] ) ) { exit; }

if ( eregi( "MIME-Version", $_POST['var1'].$_POST['var2'].$_POST['var3'].$_POST['etc'] ) ) { exit; }

if ( eregi( "Content-Type", $_POST['var1'].$_POST['var2'].$_POST['var3'].$_POST['etc'] ) ) { exit; }

MG from Bribane QLD Australia

253 emails from

Matthias from Germany

FoTo50 from Austria finally explains why I am always getting 3 hits: I got 3 fields in my form, 2 text fields and one submit button. The latter does not transmit any string, therefore it is not causing any spam injection.

Phil from Davie / Florida / USA

I've been getting hit by probes under the variation in connection with spam relaying. I think I've plugged all the possible leaks and the relaying has stopped. I'll try to report more details once I have documented the details. Phil

Barbara from uk

This is for all those who want to get the attention of AOL. Ever read the 'review this site' posts on Usually reserved for very good sites and for scams.
Now, if everyone who is getting no response from aol about blocking the email addresses was to put a review about aol and how they allow spammers to carry on.....
After reading how aol was the first site to be attractive to phishing - getting unsuspecting aol members to part with user profiles so that they could use valid email addresses for their spoofs - I think that aol needs some encouragement to sort this out. Even if it means asking a genuine aol client to change their email address so that the hacke/phisherr can no longer use it.

Mike from UK

If you want a simple contact form, this code should be fine. It is simple enough to expand the fields. I didn't write it, this site did basically, make note of its use of the "stripslashes" to clean up the output.
Just copy/paste this code to a page and call it something like contact.php (no other processor scripts required)

If anyone can see a flaw in this, I'd be happy to know about it :)

$your_email = "";
$subject = "Contact Form Submission (";
$empty_fields_message = "<p>Please go back and complete all the fields in the form.</p>";
$thankyou_message = "<p>Thankyou. Your message has been sent.</p>";

$name = stripslashes($_POST['txtName']);
$email = stripslashes($_POST['txtEmail']);
$message = stripslashes($_POST['txtMessage']);

if (!isset($_POST['txtName'])) {

<form method="post" action="<?php echo $_SERVER['REQUEST_URI']; ?>">

<p><label for="txtName">Name:</label><br />
<input type="text" title="Enter your name" name="txtName" /></p>

<p><label for="txtEmail">Email:</label><br />
<input type="text" title="Enter your email address" name="txtEmail" /></p>

<p><label for="txtMessage">Your message:</label><br />
<textarea title="Enter your message" name="txtMessage"></textarea></p>

<p><label title="Send your message">
<input type="submit" value="Send" /></label></p>




elseif (empty($name) || empty($email) || empty($message)) {
echo $empty_fields_message;

else {
$referer = $_SERVER['HTTP_REFERER'];
$this_url = "http://".$_SERVER['HTTP_HOST'].$_SERVER["REQUEST_URI"];
if ($referer != $this_url) {
echo "Haven't you got anything better to do?";

// The URLs matched so send the email
mail($your_email, $subject, $message, "From: $name <$email>");

// Display the thankyou message
echo $thankyou_message;

Greg from Canada

I second Chess #190 's question, which didn't get a reply... How do you get to use the script in #81 ???

The best way to counter these attacks is to help guys like us fix our code.

Karl Groves from MD, USA

I am also getting hit with the same 'test' messages.
Rule #1 - Validate the form server-side, not client side.
Rule #2 - Somehow the spammer is setting the 'from' field to be from your domain. So, if you get an e-mail from, then you know it is bogus. Add code to your validation to check and make sure that it is NOT coming from a bogus address on your domain.

In my case, it was easy, as there is only one valid e-mail at my domain. A simple snippet does the trick:

// note that '$flizzum_flazzum' is my form's e-mail field - a workaround due to other spammer's attempts to read common field names

if (preg_match("/$your_domain/i", "$flizzum_flazzum")) {
$bogus_warn = "true";

As you can probably assume, if the $bogus_warn variable is true the form fails to send and the user has to fix the error or bugger off.

Greg from Canada

Ok Chess I have added the code in #81 to everyone of my php file containing the function MAIL, and I put this code just before the line containing this function. So far I haven't received any more spam (it's been about 2 hours) and I still receive the forms submitted on my site.
Hope that helps.

Simon from UK

As others had done, I decided to report the jrubin email to AOL just in case they didn't already know. AOL: tough on spam, tough on the spammers. Yeah right... This is the very poor response I received. Apparently they only help if you are an AOL member. All I wanted to hear was that they were investigating... Perhaps others can do the same, and they will block/trace this email account?
Dear Sir/Madam,

Thank you for your recent inquiry. We are always more than happy to help you with any questions you may have about the AOL service.

Please be informed that your screen name is not associated with AOL UK account and that we are unable to focus on the same.Please note that we can only provide assistance to UK members, if your account was registered in another country please contact the relevant country using the information below:

---list of AOL website followed...

I thank you in advance for your patience with this matter.

We sincerely apologise for the inconvenience that has caused to you.

If you need further assistance please do not hesitate to contact the Member Service Area of that particular country.

Kind Regards,

AOL UK Member Services.

Andy from Manchester, UK

how about this...
(feel free to ammend if there's a hole)

// Sputnik Internet's spam stopping script.
// If you have any text fields that should allow /r or /n,
// add them in the 2nd line separated by ||, as so:
// if ($postvar_name == "comments" || $postvar_name == "questions") {}

foreach ($HTTP_POST_VARS as $postvar_name => $postvar_value) {
if ($postvar_name == "comments" || $postvar_name == "questions") {}
else {
if (eregi("\r",$postvar_value) || eregi("\n",$postvar_value)){

Ben from UK

On sites that I build (php), I have a custom error handler class that emails me whenever an error occurs on a site. recently I have been getting hundreds of errors where there are undefined variables being submitted to my form. For instance, on a send to a friend page, I save the previous page url as a session variable - this hack attempt isn't able to set the session variable that is included in my message body, which got me to thinking of a way around the problem.

Maybe implement a check to see if a session variable is set once a form is submitted. If it isn't it fails to process, if it is, send the email. In order for this to work, you'd need to set a session var when the form is first displayed.


Linda from Virginia Beach, VA

Thanks to everyone who posted possible solutions using a combination of the code from posts 81, 233, and others, I now think I finally have a form that will foil any further attempts by and his buddies and keep my email box from even knowing he exists.

By the way, I didn't notice anyone mention this, but when I tested my form originally for the vulnerabilities, one way I tested was by simply using a semicolon in the email address form field to put another address (for example;; and it emailed the form to all the addresses I put in, so I added an additional error check for semicolons.

Shaun from Bolton

This is what I am using now after 400+ email from

if (isset($_POST['Submit']))
$find = array("/bcc\:/i",

$_POST['name'] = preg_replace("/\\\\r/", "", $_POST['name']);
$_POST['name'] = preg_replace("/\\\\n/", "", $_POST['name']);
$_POST['name'] = preg_replace($find, "", $_POST['name']);
$name = $_POST['name'];

// other fields
// check all data is imputted
//send mail

It creates an array containing BCC CC etc and checks the posted data if anything is found remove the inforamtion, then it checks to see if and \r or \n occur in the field if so remove them as well. Also escape the from email address as above and add \r\n\r\n to the end to stop any extra headers being added. eg.

$from = "From:$email\r\n\r\n";

Hope this helps. Please post any suggestions to improve this code


Greg from Canada

My code didn't work... I got 50+ e-mails this morning!!!!

Shaun where do you place your code. Is this in the form to which the information is submitted after the user hit "submit" (I assume so)?

Greg from Canada

Also, shaun, I'm not clear about what I need to replace in your code to adapt it to my form. Any variable name that should go in?


Shail from India

Oscommerce have this problem too..There is a contribution which fixes this. Go to following links to get instructions.



Shaun from

The way I use this code is:


if (isset($_POST['submit'])) //user presses send

$find = array("/bcc\:/i",
); //set up array to find information that should not be there. You can add other things here but cc and bcc are the most important to stop the spammer sending out email from your address

if ($_POST['name'] == NULL) {$name = false; $message_e .= 'please enter your name<br>';}
$_POST['name'] = preg_replace("/\\\\r/", "", $_POST['name']);
$_POST['name'] = preg_replace("/\\\\n/", "", $_POST['name']);
$_POST['name'] = preg_replace($find, "", $_POST['name']);
$name = $_POST['name'];
//you need to change the $_POST['name'] to $_POST['your_variable']
You will need to do this for all the variables that are posted to the script that sends out the email

if ($_POST['email'] == NULL) {$their_email = false; $message_e .= 'please enter your email address<br>';}
$_POST['email?] = preg_replace("/\\\\r/", "", $_POST['email?]);
$_POST['email?] = preg_replace("/\\\\n/", "", $_POST['email?]);
$_POST['email?] = preg_replace($find, "", $_POST['email?]);
$their_email = $_POST['email?];

If ($name && $email) //if the name and email field are fill in send email else return to form and display $message_e
$from = "From:$their_email\r\n\r\n";
$body = "Enquiry From: $name \r\n message: $enquiry \r\n how did you hear about us: $about";
mail('', $subject, $body, $from);
//if mail has been sent redirect to thank you page

<Html Display the from html >

Hope that helps

Brad from Winnipeg, Manitoba, Canada

Two of our sites were attempted to be hit. We received over 200 hits on one site in less than 20 minutes.

It seems the only place the script can inject extra email addresses is into the to/from/subject lines. I have gone back to the code on the sites and removed ANY access to these fields. Instead I place the users email address into the body of the email instead. The ?to? goes to our company, the ?from? is a fake email address (ie. and the ?subject? is User inquiry - All information entered by the user goes into the body of the email.

Additionally before submitting the email address is run through a regular expression to ensure that it is formatted correctly. For those interested in the expression: (all on one line with NO SPACES)
"^(([A-Za-z0-9]+_+) |([A-Za-z0-9]+\-+) |([A-Za-z0-9]+\.+) |([A-Za-z0-9]+\++))*[A-Za-z0-9]+@((\w+\-+) |(\w+\.))*\w{1,63}\.[a-zA-Z]{2,6}$"

Unfortunately AOL isn?t going to be able to do that much about the spamming other than close the email account. Anyone can create an email account at there web site for free by giving fake sign-up information. I have a hotmail, yahoo, gmail and local ISP email accounts. The hotmail, yahoo and gmail accounts don?t have my real contact information. The spammer can easily create these accounts; add it into their script and the get spam access for about a month until the email account is closed. They then can create new accounts (with new fake info) and start all over again. Don?t get me wrong, I still don?t like AOL, but with the number of different companies offering free email accounts they aren?t the only company out there with this problem.

Greg from Canada

THANKS Shaun I'm going to try that

Renzo from Peru

Hello, I have this problem too from : (


OK, folks forget all the coding. I changed the formmail.php file to something else (i.e.bigdog.php) and no more spam!!!!

Changing the file name took me 3 seconds. A heck of lot easier than troubleshooting new code.

Jed from Portland Or USA

I am curious. Most of the code solutions posted above remove the malicious content from posted information but still allow the email script to run and send the email. If the submitted form contains the characteristics of spam injection (bcc:, to:, /r, /n, etc.) why not kill the script (i.e. with an if statement that searches for these characteristics and if found the script dies with a spam alert message). Is there a reason I should not take this approach?

Karl from San Diego, CA

Jed, I am doing this but instead of killing the script it sends an email to me (I may change that when I get tired of looking at them). Several of the fields from our form return fixed values. "YES", for instance. The field names from the form all start with a code that tells the cgi script what to expect in the field. For instance, a field name that starts with "A_" should only have "YES" or "NO" values. The script checks the following:
1. All field names start with a valid code.
2. All field values are valid for their field name's code.
3. Only certain characters are allowed in text fields.
4. No \n or \r are allowed in fields that feed into mail headers.
5. Email addresses entered are valid and contain only one '@'.
Responses that pass all the tests are mailed to the desired person. Any violations of the above tests result in an email to me, containing the environment as well as the entire buffer that was passed to the script.
This way I can tell what IP its coming from and what they're trying to do.

Chess from San Diego

For those of us who are form creation challenged - Can somebody post a simple code for php that kills the sending of the bogus emails if there is a bcc attempt. AND can you tell us where in our current script to paste the code?

Am I off base here, or will thwarting any bcc attempt and then generating the error page simply put an end to this mayhem?


Chess from San Diego

Also, I had changed the names of my .php scripts to inocuous names a while back, it doesn't make any difference if they are called formmail.php or haveaniceday.php. The robot seems to be looking inside the source code and not at the name of the php file.

June from Haverhill, MA

The code I posted yesterday in posts #208 and #214 for PHP seems to be helping. I haven't received any malicious emails, but I am keeping my fingers crossed. I will keep everyone posted, as to if it is really working.

Matthew Pennell from Peterborough, UK


I've been getting loads of these through recently (same addresses as everyone else). My PHP mail function now looks like this:

function safeEscapeString($string) {
if (stristr($string,"Bcc")) {
die("F*ck off spamming c*nt...");
} else {
$temp = preg_replace("\r", "", $string);
$temp = preg_replace("\n", "", $temp);
return mysql_escape_string($temp);

Hope that helps. :)

Lin from UK

Have reported to Catherine Fitzpatrick at aol - who is security and very intersted ot get this orted. Send your complains with evidence to FAO: Catherine.
Good Luck y'all My Wemaste is hot onto him!

Chess from San Diego


Thanks. Now, where do I paste that into my php script?

Also, I tried pasting the folowing script and now only got one Spam email rather than the 12 that I normally got.

if (isset($_POST['submit'])) //user presses send

$find = array("/bcc\:/i",
// other fields
// check all data is imputted
//send mail

Greg from Canada


I have inserted your code in mine and although it blocks the spam it has also the unintended result of replacing all my fields with empty fields... So I get mostly blank emails from users now.
I'm looking into it but do you have a clue? Did you get properly filled emails on your end by using this code? I guess it has something to do with the line $temp = preg_replace("","",$string);

Greg from Canada

I meant the line $temp = preg_replace("\r", "", $string);

Preg-replace doesn't seem to do its job properly

Greg from

Have been trying to fix this for an hour now and all I get with preg_replace are blank variables.
I removed the 2 lines with this function, the rest works fine.
I'm wondering if there could be something blocking the use of this function, or do I need to add slashes somewhere, or what.

LP from UK


I've been all the way through the thread and have not seen a PHP form like the one at The Site Wizard which is getting spam on sites I work on.

The code is as follows

$name = $_POST['name'] ;
$email = $_POST['email'] ;
$comments = $_POST['comments'] ;
$http_referrer = getenv( "HTTP_REFERER" );

if (!isset($_POST['email'])) {
header( "Location: $formurl" );
exit ;
if (empty($name) || empty($email) || empty($comments)) {
header( "Location: $errorurl" );
exit ;
$name = strtok( $name, "\r\n" );
$email = strtok( $email, "\r\n" );
if (get_magic_quotes_gpc()) {
$comments = stripslashes( $comments );

$messageproper =

"This message was sent from:\n" .
"$http_referrer\n" .
"------------------------- COMMENTS -------------------------\n\n" .
$comments .
"\n\n------------------------------------------------------------\n" ;

mail($mailto, $subject, $messageproper, "From: \"$name\" <$email>\r\nReply-To: \"$name\" <$email>\r\nX-Mailer: chfeedback.php 2.04" );
header( "Location: $thankyouurl" );
exit ;


ANy thoughts on how to secure this?


unknown from USA

I've been getting spammed by "" for over a month now. Over 100 emails/day (which is actually 200 with the auto-reply that comes back to me because of my catch-all). Anyway, I think I have a simple solution.

Just like ticketmaster does, you can create a distorted text image. Then place a text field asking them to enter the word. Pick 1 word and have your PHP form validate that 1 word. Unless there's something I'm missing...would this spam program bypass the validation? If so, then I'm totally wrong. I will write back and let you know if this works.

THIS IS A TOTAL LOSER!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Chess from San Diego

Well, I tried the following script and I just received yet aqnother 12 spams from this a**hole.

The script that doesn't seem to work is:

if (isset($_POST['submit'])) //user presses send

$find = array("/bcc\:/i",
// other fields
// check all data is imputted
//send mail

I am dying for a simple and elegant solutin for php systems.

Thomas from Minneapolis

I appreciate all the work being done here. Can't wait until we find a solution!

lozeone from nj

Removing all the invalid data from the string dosen't stop the mail from being sent, it just prevents your server from sending out spam, right?

What about (along with removing the \r\n etc.) you check if the message field, name field and email field all equal the same string and if so, dont allow the contact email to be sent. Assuming that all fields would be the same, wich appears to be the case with mine.

Im not a programmign master, so i ask... Does anyone think this is a good idea?

abby from usa

the or other similar addresses don't belong to the spammer. They were probably in someone's address book that got infected with whatever worm is associated with this bot. So yelling at AOL is exactly what the malevolent monster wants you to do. I've been hit several times over the past few days too. We're working on a fix that will still allow my business to function. Perhaps if there was a bit less anonymity on the Internet this garbage would be less prolific.

K from USA

I posted above about the distorted image text validation has been several hours and still no spam. I would normally get at least 10 by now. A very easy solution...just require a word to be validated...anything at all. This program keeps sending the same thing throughout the form. I don't think it can get passed typing in a word that it does not know. Just a thought....

Matthijs from netherlands

It seems there's a huge need for someone to write a good summery of what has been suggested here, and try to summerise the different possible solutions for this problem.
I think anders explained the problem well in his article formPostHijacking on this site. However, a summery of what ways are there to prevent this from happening would be nice. If I would grasp the issue a little better I would want to do it, however that's not the case unfortunately. Who steps forward?

Thomas from Abq NM

I've spent a lot of time trying to find a solution and I have to say this site has been extremely helpful. I've put together a "secure" contact form (based on information here and from and will post the php page in it's entirety - it may be overkill in some areas but oh well. If anyone has input on how/if this could be improved please let us all know. Note that this page doesn't attempt to clean/reformat the data. It simply attempts to detect potential email injection techniques and throws a message if one's found - no need to format the data and send the email if it's a spammer! (I hope the formatting doesn't get borked)...


function diescript( $errmsg, $user, $domain ) {
// set up message to display if user doesn't fill out the form right or if injection exploit detected
$errormsg = "Sorry. You have entered invalid contact information, please check your input and try again. ";
$errormsg .= "<a href='javascript:history.back(1);'>Click here to go back</a>.<br /><br />";
$errormsg .= "If you continue having problems, use your email program and email me at: " . $user . "@" . $domain . " Thank you.<br /><br />\n";
echo $errormsg . $errmsg . "</body></html>";

if ( isset( $_POST['submit'] ) ) { // user pressed submit button
// who are we sending the email to
$user = "you"; // change this to your username
$domain = ""; //change this to your domain name

// set up array to find information that should not be there - using 3 different arrays for different form fields
$findfrom = array( "/bcc\:/i", "/Content\-Type\:/i", "/cc\:/i", "/to\:/i", "/", "/boundary=/i", "/\r/", "/\n/", "/%/", "/;/", "/,/" );
$findhead = array( "/bcc\:/i", "/Content\-Type\:/i", "/cc\:/i", "/to\:/i", "/", "/boundary=/i", "/\r/", "/\n/", "/%/");
$findbody = array( "/bcc\:/i", "/Content\-Type\:/i", "/cc\:/i", "/to\:/i", "/", "/boundary=/i" );

$email = $_POST["email"];
$name = $_POST["name"];
$address = $_POST["address"];
$city = $_POST["city"];
$state = $_POST["state"];
$zip = $_POST["zip"];
$phone = $_POST["phone"];
$comments = $_POST["comments"];
$subject = "Website Contact"; // change this to whatever you want to show in the subject line

// check from email against $findfrom array
foreach ( $findfrom as $n ) {
// checking email field
if ( preg_match( $n, $email ) ) {
$error = "Detected Potential Spam Attempt in Email: ".$n."<br />\n";
diescript( $error, $user, $domain );

// check head email items against $findhead array
foreach ($findhead as $n) {
// checking name field
if ( preg_match( $n, $name ) || preg_match( $n, $address ) || preg_match( $n, $city ) || preg_match( $n, $state ) || preg_match( $n, $zip ) || preg_match( $n, $phone ) ) {
$error = "Detected Potential Spam Attempt: ".$n."<br />\n";
diescript( $error, $user, $domain );

// check body email items against $findbody array
foreach ( $findbody as $n ) {
// checking comments field
$comments = str_replace( "%"," percent", $comments ); // convert % sign to percent text
if ( preg_match( $n, $comments ) ) {
$error = "Detected Potential Spam Attempt in Comments: ".$n."<br />\n";
diescript( $error, $user, $domain );

$emailmsg = "Name: " . $name . "\r\n\r\n" . "Subject: " . $subject . "\r\n\r\n" . "Email: " . $email . "\r\n\r\n" . "Address: " . $address . "\r\n\r\n" . "City: " . $city . "\r\n\r\n" . "State: " . $state . "\r\n\r\n" . "Zip: " . $zip . "\r\n\r\n" . "Phone: " . $phone . "\r\n\r\n" . "Comments: " . "\r\n\r\n" . $comments;
$headers = "From: ".$email;
mail( $user . "@" . $domain, $subject, $emailmsg, $headers);
$successmsg = "Thank you for submitting your contact information.<br /><br /><a href='javascript:history.back(1);'>Click here to go back.</a>"; // change link to whatever you want
echo $successmsg;

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
<html xmlns="" xml:lang="en" >
<meta http-equiv="content-type" content="text/html; charset=iso-8859-1" />
<meta name="keywords" content="" />
<meta name="description" content="" />
<meta name="robots" content="all" />
<title>Your Site</title>

} else {

<form id="contact" method="post" action="<?php $_SERVER['PHP_SELF'] ?>">
<table width="100%" border="0" cellspacing="0" cellpadding="0">
<tr><td>Name:</td><td colspan="2">Address:</td></tr>
<tr><td><input type="text" name="name" size="30"></td><td colspan="2"><input type="text" name="address" size="35"></td></tr>
<tr><td>City:</td><td>State:</td><td>Zip Code:</td></tr>
<tr><td><input type="text" name="city" size="30"></td><td><input type="text" name="state" size="5"></td><td><input type="text" name="zip" size="10"></td></tr>
<tr><td>E-mail (required):</td><td colspan="2">Phone:</td></tr>
<tr><td><input type="text" name="email" size="30"></td><td colspan="2"><input type="text" name="phone" size="25"></td></tr>
<tr><td colspan="3">Questions / Comments:</td></tr>
<tr><td colspan="3"><textarea name="comments" cols="55" rows="3"></textarea></td></tr>
<tr><td colspan="3" style="padding-left: 2px;"><br /><input type="submit" name="submit" value="Submit Form"></td></tr>

?> </body> </html>

zoob from boulder

This is spreading like a bad rash across internet forums. I thought it was a person but now I see it's a bot. People are going ga ga writing huge scripts. This is going to be HUGE seeing as most forms are not secure. We didn't know there was gaping hole in the email's header injection method. Here, our sites can be shut down because the spamming is coming from our site. I'll try a few codes that I can understand what they're doing...but this is sad. Once the word gets out, copycats are going to hijack servers all over the globe.

shaun from bolton

If you want to script to die if there are signs of spam, use the count parameter for preg_replace

$count = 0; //set count to zero

$_POST['name'] = preg_replace("/\\\\r/", "", $_POST['name'], $count); // add count to all fields that you wih to check

if ($count == 0)
//send mail
echo "bye bye spammer";

check #243 for rest of code

Rex from Antwerp, Belgium

Interestingly, all suggestions here lead to checking every single input field in PHP forms.

As every PHP mail is sent out as mail($to, $subject, $body, $headers) why not check those 4 variables for the existence of Content-Type?

(yes, I know this will not work if you intend your mail to be send as HTML)

Barbara from UK

To those who are thinking that the 'fixed' code is broken because they are getting blank responses I can only say - do nothing, for now. Except maybe remove your form from your site.
When I check my form, and the amended script, it all works fine and emails me the test content. The empty mails that I am receiving can only be coming from a script.
Something is queueing mail on my mail server which its security is blocking.
Matching the time of getting these empty response forms I am seeing peaks on incoming and outgoing bandwidth on my server. As I write I am waiting to hear from support on what is actually happening on the server.

To those who feel that they are safe if they check the input fields used for the mail headers, think again. One hacked email I received contained the bcc in the message content.

If you get any strange email from your form, do not rely on the visible message. Look at the message source to ensure that there is nothing unusual. Keep all such unusual emails in a folder so that you are able to present it as evidence to the police. If you have not yet reported this to the police, do so today and send through as much supporting info as you can including emails and server logs.

So, my warning to all of you is that the fixes that have been given here have been got around by the hacker, if you are seeing blank response emails.

Anybody got another idea?

BTW I see that alexa have stopped anybody from adding any reviews to the site. That's a shame because I have got a lot I would like to say, most of which has been said by others here, too. No worry, I am sure that Google will be kind and index all these comments.

Foddski from UK

I have managed to stop the spamming using the tools above, but I wanted to get rid of the 'testing' emails. The easiest was was to block the domain name the form was on, as the spammers generate a random email from that domain to test for the loophole. here it is, hope it helps (nb no need for the other methods as this stops them all)
if (eregi("",$from)){die("SPAM Begone");}

Carl Colijn from Netherlands

Tiigeress #216 and Linda:
The way I tested my ASP script was not via the browser, but by altering the script itself to fake corrupt input. Let's assume the line of script that sets the "From" address reads i.e.:
___ oMail.From = Request.Form("email")
The part
___ Request.Form("email")
codes for "get the value that is in the field called 'email' from the form, and use it as the 'From' address in the email". Now, when a spammer tries to crack your mail form, it will not use your form, but it will send field values directly to your mail script. And the value in the fields will not contain a single line with an email address on it, but it will (might) contain the email address, followed by a line separator, and then the text "Bcc: <another email address>".

If you want to simulate a crack attempt, you cannot do it via the form itself (it doesn't allow for more than one line of input), but you can alter your mailing script instead. What I did was change the above example line to read:
___ oMail.From = Request.Form("email") + vbNewLine + "Bcc:"
What this codes for is: "get the value that is in the field called 'email' from the form, add a line separator to it, then add the faked 'bcc:' to it, and use that as the 'From' address in the email". A note: don't forget to remove the extra code once you're done testing :)

So, Tiigeress and Linda: typing something in your URL address bar won't test your script.

I will follow this post with a post that explains the technical details, because a lot of people are quite confused (I would be too if I weren't a web programmer :) ).

Kirk from Carlisle, PA

Received an interesting attempt today from IP = University of Wisconsin

More interestingly somehow they managed to change my submission ID... I have programmed my script to count each submission (i.e. submission ID) and today it was reset to one. Hmmm?

Foddski I tried adding if (eregi("",$from)){die("SPAM Begone");} however, just received more attempts - where and how to place this?

Barbara from UK

Foddski - I do not recommend getting rid of the test emails - at least they tell you if anyone is trying to get through - if you are receiving the test email then assume that you are being hacked. The test emails I have received today are blank so your idea of testing on domain is of no value.

A comment made above - sorry, read too quickly to recall name, mentioned not getting any more problems after changing the name of the page containing the form. This is a good solution. The script has the page url in its dirty little paws and is going out to POST itself direct to your mail url without GETting the page containing the form.

However, this is not a long term solution because soon enough the script robot will find the new name and start to POST to it. Nevertheless, this is the solution that I am now trying - I will check my logs again in an hour to see how successful it has been.

After seeing how this script came back in a new form after a couple of days, I suspect that the only solution for forms that have been hacked is to remove them from your site until you are happy that they are not vulnerable. Missing out on a few emailed customer forms is nothing compared with the cost to your internet business if your IP address has been used by a spammer.
Add a note to apologise that the form is temporarily unavailable and ask customers to phone you - and display your freefone number so that it does not cost them anything.

You never know, you may just get more queries this way.

Chess from San Diego

Something very frightening happened to me this morning. I received a dozen emails from a php form that I took down several weeks ago. I had a php script that would send an email to me with the subject "Call Request." I changed that to "Call Me" about 2 weeks ago and have ever since gotten the spams with the subject "Call Me" However, today I get a dozen blank emails with the OLD subject line. This tells me that the hacker has copied my old script to their computer and is now generating spam from my old script, which was removed from the internet.

If this is true, then any fix I make to my current script is useless, since the hacker might be working off of a vulnurable script that they have placed on their own server.

jcjaxson from waldwick

for what it's worth, my approach seems to be working at this point.

background for those who haven't seen my messages earlier in the thread - i'm using aspmail, coded w/vbscript.

we're not worrying about linefeed or return characters. we're simply counting the number of email addresses being submitted on the form itself plus looking for any occurrence of "bcc:". i know how many potential email addresses are expected within the input. if the number exceeds that, and if there is a "bcc:" in the input, i'm doing two things:

1) i stop the standard email from being sent from the website to my client's inbox, and
2) i send an email to my own inbox with the subject "Hijack attempt from ''" (i manage over 150 websites). this email contains all the form fields plus an identification of the ip address from which the attack has come.

after using whois to determine the range of ip addresses from which the attack came, we then block that range from the web server. to date, all of the attacks have originated outside the U.S., so i'm not concerned at this point about causing traffic reduction issues for any of my clients since none of them do business outside north america.

it's simple and seems to be working. since we implemented this approach last week, i've received approximately 600 "hijack attempt on" emails, and we've blocked about 30 ip address ranges.

the only downside is that it's taken about 5-10 minutes per new ip address to look it up and add it to the blocklist. but it's working well. my client's have been very happy that they've not been getting these emails (before then, i would tell them to just ignore them, explaining that we had protected their site from being exploited). in fact, they are so happy i may wind up being able to bump their hosting fees by a buck or two to cover the cost of this protection, which they will willingly pay not to see jrubin's name again!


jcjaxson from waldwick, nj

new development ...

shortly after my last post, i received another hack notification ... the originating ip address is assigned to - AOL!!!!!!

this is definitely a new development since all of the other ip addresses to date originated from asia or europe. it puts me in a quandry since i really can't block a range of aol ip addresses without potentially affecting my ecommerce clients!

i've notified CERT and am awaiting a reply from them to find out if this falls within their jurisdiction. and while i haven't as of yet contacted aol, i am now going to do so since the attack has originated from one of their ip addresses ... and doesn't just involve an aol addy.

i'll let you all know if i get anywhere.

Kirk from Carlisle, PA

After adding the code:

if (eregi("",$from)){die("SPAM Begone");}

Instead of receiving 10 messages in any given attempt - I now receive 2 blank attempts ... perhaps we can figure out how the attack works ... for instance:

1) 1st attempt fills in all available fields with masked email address (ie. bdofkg at yourdomain dot com)

2) then it tries to inject the exploit for each field it was successful in entering a masked e-mail address

Here's what I noticed ... injection attempts on fields assigned to add info to headers such as $User-Name and $Email ... display injection first, then the formatted message, and the masked e-mail address in the To field in the actual message header. Does this mean success?

All other attempts show injection as part of my formatted message without the additional e-mail in the To field.

Thought once -- what if the hijacked addresses (such as jrubin) are not even significant. What if the script is running through steps if first steps succeeds goto next step. Once the script realizes that it can exploit a web form couldn't it be programmed to pull e-mail addresses from a database, inject multi-part message, change all header info and spam away?


Kirk from Carlisle, PA
if (eregi("",$from)){die("SPAM Begone");} where is the domain your form is on and where $from is the value of the senders email.
Barbara, are you sure your blanks aren't caused by the preg_replace or mysql_real_escape_string blanking that field, coz thats what it did to mine, which was innefective as the email got through albeit with a blank field, but I do still have the email validator in and also stripslashes to get rid of \n\r etc.

lozeone from nj

Heres another idea I had. some one let me know if this sounds like it could work...

in your form make a hidden field.
in the email script, do not let the email be sent if this hidden field isnt equal to a certain vaule that you pick.
using javascript, onSubmit, or onClick of the button that submits the form, set the value of this hidden field to what it needs to be intordre to sucessfully send mail.

I think this should work for 2 reasons:
1 i belive we determined that the bots are just sending raw post data, so this value will never be set
2. since its chanaging all the fields to the value of the hiddenfield will be incorect when attempting to send email.

Haze from Spain

These are the small changes we did in our ASP/Jmail script.
Simply changed place on the subject and body and moved them to the top instead.
No spam-emails so far (1 week) from the sites we did this changes on.
From normal..:
Set JMail = Server.CreateObject("JMail.SMTPMail")
JMail.ServerAddress = ""
JMail.AddRecipient ""
JMail.AddRecipient ""
JMail.AddRecipientBCC ""
JMail.Sender = ""
JMail.Subject = "The subject"
JMail.Body = register
Set JMail= Nothing

Set JMail = Server.CreateObject("JMail.SMTPMail")
JMail.Subject = "The subject"
JMail.Body = register
JMail.ServerAddress = ""
JMail.AddRecipient ""
JMail.AddRecipient ""
JMail.AddRecipientBCC ""
JMail.Sender = ""
Set JMail= Nothing
Regards haze

eric from atlanta, GA

This is all very interesting but has anyone got suggestions for replacing a vulnerable cgi script for a non-programmer? I've been using junk.cgi for a couple years and have it on a dozen different locations. I could probably figure out how to switch all of them out to a php form page but that will require a lot more work than if I can just find a secure cgi script to replace my existing one. I don't mind paying a modest fee for a decent script but I'm not a developer so most of what I'm reading here is over my head.

zoob from boulder

I did just that (hidden form field) and haven't had any spam for 2 days and counting...

Kirk from Carlisle, PA

The hidden form field sounds very interesting ... can someone provide instructions on how to implement the hidden form field?

Is this attack bypassing the actual HTML web form and communicating directly with the form processor? ... if so would it not bypass any javascript validation methods?

Chess from San Diego


I am not sure that the bot is even going through the originating form. I think that it is hacking directly into the script. So, if I unbderstand you correctly, addeding anything in the originating form won't make a difference.

Flip from Rotterdam/Holland

Can you post your formdata in here to see how you,ve done this with the hidden formfield.
You ,ll make me very happy, i am no techi

Matthew from MI

Havn't tried the hidden form field but I added the following to my PHP script to stop the "Test" emails:

//Prevents Test Emails From Being Sent
if (eregi ("@", $_POST['Fax'])) {die("SPAM Injection Error - <h2>Please Go Back and fill out the form properly.</h2>");}

Note that the "Fax" field was used as it souldn't contain a "@".

Barbara from UK

Chess- having the bot use an old script may be more down to search engines holding the old version in their cache than anything more sinister. What better way to find forms than to search using a search engine - specially one that keeps old caches for months.
There is also the WayBackMachine which faithfully holds on to your old code forever.

Kirk - I do not think that the blanks are down to my scripts checking fields. So far it has been established that only one field is infected with extra code by the hacker. Checks would then either cause my script to stop processing or clean the field. I will double check my code but I did not understand that there was anything there that would turn all fields into NULL fields.
At the end of the day, changing the file name appears to do just as well, judging from the number of POSTs to the old page that my logs are showing. Instant goodbye to the emails.

Lydia from

I think they are using external forms so I am going to try checking that the referer is from my site.

pa from Sweden

Hi there ! How about this code ?
I can't test it, but I think it should work.
(Im bored, sitting at my brothers job, waiting... drinking my xx can of beer for the evening here, so please dont get angry if it does not. :))


// Check the variable $message for spambot generated code...
if ( ( eregi( "(Content-Type)|(MIME-Version)|(Content-Disposition)|(%0A)|(0x0A)|(0x0D)|(%0D)", $_POST['message'] ) ) )
die( "Hello little spamboy. Your IP and Street adress (Oh yes it is) has been logged). Soon your mummmy will know you've been a bad boy..." );

// Let's do a rudimentary email validation
if ( ! eregi( "^[_\.0-9a-z-]+@([0-9a-z][0-9a-z-]+\.)+[a-z]{2,3}$", $_POST['email'] ) )
die( "Oiiink!! Something is wrong with your email address. Please go back and check... <- back" );

// Check the variables $name , $subject and $amail for spambot generated code
if ( ! ( eregi( "(Content-Type)|(MIME-Version)|(Content-Disposition)|(\n)|(%0A)|(0x0A)|(\r)|(0x0D)|(%0D)", $_POST['name'].$_POST['subject'].$_POST['email'] ) ) )

// Yipiie, no spam detected, it seems like it's a real person sending us a message. Let's send the mail...
mail(, $_POST['subject'], $_POST['message'], "From: $_POST['email']\n" );



Change the variables and parameters to suit your needs.

A little tricky to write code in this tiny textbox : )
Hope it helps anyway. Peace !

I apologize in advance for any mistake I may have made. *burp*

Dave from In Orlando

Here's a site you might want to take a look at for some more info and a few tips on the problem.......

Elena from cupertino, CA USA

Hi folks,

I wonder when they will stop? I'd like to see all emails, so I modified all my scripts to send email only to me if they contain any injected "bcc:", so nobody else in my company is annoyed. Now I'm seeing a "new round" of emails with "Bcc:".

Regards, Elena

Tom from Boston, MA

I've been seeing similar attacks for a few weeks now. Has anyone else seen that right after the first entry with the mal-formed subject, there's often a second one that only has a single random address in the subject?

Also, I've been in touch with the MA attorny general's office about this, and they seem at least a little interested in digging in further. If people are interested, I'll post as that develops.

And thanks for all the info here--it really helped me figure out what was going on quickly!


Chess from San Diego


Where do you paste the code that you provided. I am trying it just after the <?PHP

I have had no luck in stopping the test emails. I've changed the name of the php file numerous times and I have added a hidden field with a specific parameter. I am hoping that Mathew's code works and that this freak gest his just desserts.

B from Germany

Hmm, Mr. here also coming from, a change from jrubin. I've been getting over 160 of these in the last 3 days...

Lately I've also gotten some mails that are completely empty, every field is blank. These are also script-created (ie don't come from my actual form) and different from the others in that theres always a single email when usually with jrubin there used to be one for each form field. These mails come from different locations (according to ip) like 'HOLIDAY INN SELECT AIRPORT SOUTH' or 'LodgeNet Entertainment Company' or 'XO Communications '. I wonder if this is related?

Matt Bradley from UK

How about this:

This should cause the form to throw a 404 if anybody sends any bcc: headers *anywhere* in the POST data

$sploited = 0;
foreach($_POST as $key=>$value){
if(preg_match("!bcc:.+@!" , $value , $sploit_matches)){
$sploited = 1;

// If the form has been exploited, return a 404

header("HTTP/1.0 404 Not Found");
echo "<h1>404 - Not Found</h1>";




Martijn from holland

Inspired by oryan's post on i've written a little script to prevent spambot attacks on my contactforms.

Place this code just before you start doing something with your formdata.

< ?
foreach ( $_POST as $key => $value ) {
$postVars .= $value;

if(eregi("MIME-Version:",$postVars)) {
die('Your message containts the words
"MIME-Version:" this is considerd as spam!');


Barbara from uk

Javascript checks - no use at all on the form as the form is never processed by the bots. The attack from the bot starts with a POST to wherever your form POSTs to.

Thomas - many thanks for your code. As a non php coder who is using a php script, yours was the first bit of code that I could follow and understand the purpose and order of the checks. What concerns me is that the url you refer has taken down its text, so I am assuming there may be a loophole somewhere in the theory.

My big concern now is that all these checks are assuming ASCII characters. What effect would the checks have against the hacking script have if they are using unicode entities, for example?

Now, another sticky point. Does an ISP have a duty of care if one of its email addresses is being used for illegal purposes. I use AOL as an example here, but this comment applies just as well to any other ISP. There have been multiple posts here about AOL email addresses appearing in the hacked emails. People here are saying that they have tried to report these email addresses but have had little joy in getting them blocked which is resulting in more and more people being subjected to an attack which is bcc:ed to the same email address. Comments made here indicate that these email accounts are both becoming over quota and being emptied to receive more input.

I am guessing here, but I think that anyone who can write a scrip to fool a form is equally likely to be using a script to harvest the emails received by the AOL email address.

I would like to see web businesses being able to claim damages against any ISP who has allowed these email addresses to remain open and used in this way. Including covering any expenses incurred by an IP address (and one IP address can cover thousands of doamins) which suffers because the IP has been associated with spam. Note: you only need to be hosted on the same IP address for this to happen to you.
The other day I sent through an email from one of my domain email addresses - only set up a few weeks ago - and hotmail dumped it into the bulk folder with all the rest of the spam.
If spam filters blocked all the emails you send to clients because your IP address has been associated with spam, how much damages would you be looking at and how much would you want to recover from someone who has not shown due care?

There is too much being done to protect the spammers. Meanwhile, people are now dead because someone was fooled by spammers into buying conterfiet prescription drugs at a cheap price - even warehouses, pharmacies and hospitals are carrying the conterfiets becasue someone in the supply chain wanted to save some money.

Everyone on this blog is doing their part in trying to stop this spammer. Every day we do not get the support from the ISPs, someone somewhere is being hurt by this. Spam kills. I repeat my earlier request for everyone who has been affected by this to report it to their local police - they all have a computer fraud department with specialists who are far better equipped at finding this spammer than we could ever be.

Sorry, once I get going it is hard to get me off my soapbox.

Kirk from Carlisle, PA

OMG ... I'm getting all sorts of attacks now... some with BCC ... over 50 came in just last night ... four of those were stragglers, they each came at a seperate time and IP they were also blank.

Poor Anders sacrificing his blog to a community of victims. Thanks Anders for letting us fill your blog with our questions and complaints about these attacks.

Anyhow, i need a fix ... I'm losing my patience. I'm using an HTML form which posts to a PHP form processor. I know little PHP. I would require express instructions on where to place code.

Any help would be appreciated.

Foddski from UK

I have implemented a few of the above ideas and my own, including the hidden field, email checker and stripslashes and have had no subsequent attacks. As a few people have asked for help implementing the form, here is a short one in it's entirety. Hope it helps.
//Simple email form from
$mydomain = ""; //Change the value of $domain to the domain
//the form will live on e.g
$to = ""; //insert an email address eg

if ($_POST)//Detects a posting
if (!isset($checker)){die("Please contact us via the form");}
$title="Mail Sent";//if posted then this bit displayed and email activated
$announce="Email SENT, Please send another or continue to browse this site<br/>";
$from = stripslashes($_POST['from']); //senders email
if (eregi($mydomain,$from)){die("We do not accept Emails from this Domain");}//Put your domain name here
$subject = stripslashes($_POST['subject']); //email subject
if (eregi("bcc:",$subject) || eregi("To:",$subject) || eregi("Content-Type:",$subject)){die("Invalid Text in Subject Line please click 'back' and try again"); }
$message = $_POST['message']; //text content
$name = stripslashes($_POST['person']); //senders name
if(preg_match("/^([a-zA-Z0-9])+([a-zA-Z0-9\._-])*@([a-zA-Z0-9_-])+([a-zA-Z0-9\._-]+)+$/" , $from)){
list($username,$domain)=split('@',$from); $ip = gethostbyname($domain);
if ($ip!=$domain) {
$headers = "From: $name<$from>";
$message .= "\n\nThis Email was generated by an 'Encrypted Submission Form' from website www.$domain \nThe sender of this email does NOT know your email address. \nResponding to this email will give your details to that person \nThe Email address supplied was $from and the IP was $ip";
mail($to, $subject, $message, $headers); //mail sender
$announce.= ("<br/>IP address ".$ip."<br/>");
$announce.= ("<br/>Valid email address ".$from."<br/>");
} else {
$announce=("Email FAILED<br/>We had trouble resolving your email domain, ".$domain."<br/>Please click 'back' to try again or use your normal email software<br/> and send to $to");
} else {
$announce=("Email FAILED<br/>We had trouble resolving your email address, ".$from."<br/>Please click 'back' to try again or use your normal email software<br/> and send to $to");
} else {
$title="New Mail"; //if no posting then this bit is displayed
$announce="Please Enter Your Message! and click 'Send Email' when ready.";
<style type="text/css">
.hide { display: none;}
<p align="center"><?php echo($announce)?>
<form action="<? $_SERVER['PHP_SELF'] ?>" method="POST" enctype="multipart/form-data" name="">
<table border="0" cellpadding="0" align="center">
<td align="right"> <div align="left">To:</div></td>
<td colspan="2">
<? echo $mydomain; ?> </td>
<td align="right"> <div align="left">Name: </div></td>
<td colspan="2">
<input type="text" name="person" value="" size="30" />
<td align="right"> <div align="left">Email Address:</div></td>
<td colspan="2">
<input type="text" name="from" value="" size="30" />
<td align="right"> <div align="left">Subject:</div></td>
<td colspan="2">
<input type="text" name="subject" value="" size="50" />
<td align="right" valign="top"> <div align="left"><br>
<td colspan="2" valign="top">
<textarea cols="40" rows="3" name="message"></textarea>
<td valign="top" align="right"><input name="checker" type="hidden" id="checker" value="Richinternet">
<td align="left" valign="bottom">
<input type="submit" value="Send Email" name="submit" />
<a href="" target="_blank" class="hide" title="Web submission form from">Web submission form </a></h6> </td>
<td align="right" valign="bottom"><h6></h6></td>
</form> [/code]

Darrel from Chicago, IL

Obviously, these attacks are executed by comprimised bots. In some cases these IP addresses appear to be owned by large companies, as B from Germany (post #296) pointed out.I would think that the owners of the IP addresses would want to know that their equipment was being used improperly and I would expect they would do something about it.

I have been logging all of the IPs and resolved host names from the attacks and each time I receive a test email, I forward it to abuse@<hostname> in hopes that they can cut it off at the source.

O&A from USA was being used to tout a penny stock TOTB.OB. Spam touting stock was distributed Friday/Saturday. Nice pump and dumper is now being used. All eyes on

Looks like "they" are building a new list of sites to drain their sewer into.

jcjaxson from waldwick, nj

regarding my earlier posts #277 & 278 ...

i received a reply from CERT. here it is ...

Hi Jeff,

Thanks for reporting this issue to the CERT/CC. We do not have the capacity to handle this type of incident report. However, we will log the underlying and vulnerability in ASPMail. Does ASPMail have any functionality to prevent such messages from passing through? If so, does it work correctly?

We are tracking this issue as VU#600182. Please include that tracking number in the subject line of all future email regarding this issue.

We'll be in touch when we have any new nformation regarding this issue.


[Jeffrey S. Gennari | CERT/CC | 1.412.268.7090 |]
here was my response ...

Thanks for the response. Actually, there is no inherent vulnerability in ASPMail ... The vulnerability lies in how people code their mail scripts, whether it is cgi, html or whatever flavor of server side programming they use (ASP, PHP, etc).

The vulnerability arises within the form that calls the mail script - if the entries on the form are not validated, and illegal characters are not removed, a hacker has the ability to send email headers to the mail script enabling him to effectively use that script as a relay device.

For the sake of clarity, I believe you should amend your incident report to reflect that this is not an inherent issue with ASPMail since it would not only create an undeserved negative for the program ... It would also give someone a false sense of ease if they were using cgi or PHP. The issue is with the quality of the code.

Thanks again for the response! I am very appreciative that you got back to me!

i'm not sure what if anything my reporting this to CERT might have - or if any of you were to follow up w/a reference to the incident report. i at least wanted to let you all know what my experience was.

and i've yet to hear back from AOL regarding my report to them yesterday ... and i'm now outside the "we'll get back to you within 24 hours" window. interesting, especially since i wasn't reporting the email address of the abuser the way others of you in the thread have - my report was of the fact that the attack actually came from an ip address assigned to AOL!!!


Scott from St. Louis

This page helped tremendously. Take a look at the email it sends. I just check one of the fields to see if it contains the domain that it's being sent from. For example, my form has a phone # field. If the phone number field has my domain name ( then I don't send the email.

I just put it in place, I'll let you know if that helps.

zoob from boulder

Until we determine just how this thing works, these are good but probably guesses.
I think it's been established it tries all fields then is reviewed with a confirmation email to the spammer. He reviews them and see which ones completely worked. I also think it's been established that it spoofs the HTTP_REFERER which is why it uses your domain in it's attempt so that's out.
I'll post the hidden form field below but I think this is more of a bandaid until we established just how this thing works.
It's slightly interesting to me...but lame and time-consuming as it's interrupted my video editing.

Hidden Form Field for PHP mailers:

In your form, add this hidden field anywhere:
<input type="hidden" name="status" value="active">

You can change the name and/or value daily if you're having severe problems. If so, you'll have to change the code in your mailer below, too, of course.

In your PHP mail script, check for your posted name and value before sending any mail.

$status = $_POST["status"];
//your usual code
if ($status == 'active')

Ending this post, I enjoy receiving formatted emails so have added a stripslashes snip. This may actually be the reason they've given up on me and not the simple hidden form field but I can't tell as it's only been 3 days of no spam. Regardless, the hidden form field will, like I mentioned, put a bandaid on this HUGE worldwide mess until a method has been figured out.

Isn't the internet fun? Ugh...

Puuf from Missoula, MT, USA

Hello everybody,

Thanks for information displayed here and in the article. It was really helpfull.

I am constinuously hit by email injection, and while I know that my script is safe I want to stop the test emails.

After reviewing the attacks I saw that a fake email address was provided for each field of the contact form. Do you think that if one stops sending email that contains the character "@" or anything that is an email for fields like "name", "city"... that will solve the problem?

Thanks for your answers.

Eric from atlanta, GA

For anyone else interested in a cgi solution, I found this one that looks good:

June from Haverhill, Ma

I am curious if any knows the answer to this? If the injection happens anywhere besides the headers such as Name, Address, City etc...Does the spam still go or does it only go if it is injected into the headers To:, From:, Subject: etc...

Kirk from Carlisle, PA

Pulled this script from as mentioned by Dave Post#292

if (preg_match(' /[\r\n,;\'"]/ ', $_POST['email'])) {
exit('Invalid email address');
else {
//code to send the mail

Where do I post this code? Every line of my form processor begins with $ and ends with ;

Juan from buenos aires, argentina

I suffered the same attack, made some modifications, but my concern is how that affects mi domain now.

Does that means spammers might be sending email using my domain?

My hosting support doesn't help me at all. Moving to another hosting company can help? I mean is my domain compromissed or the server where my site is?
How can I mantain my email accounts out of danger and not be blacklisted?

Jo from Sydney, Australia

I am seeing a new spam email after all those jrubin ones: bcc: is new. (Oh, just saw another post with the same address. Oh well)

What I do is check all form fields for a content-type multipart/mixed, which immediately gets the spam flag set:
if (preg_match('/Content-Type/i', $all_mail_fields)) { $spamflag = 'on'; #log spam info or simply drop} else { #send email }

I then can either sanitize the whole email and still send it to me, or simply drop it. Works very well, however, the probes still haven't stopped yet, after a week of bombardment of about 80 mails per day the stupid bot is still probing.

The more form fields you have the more emails you'll get! So one way to reduce the spam is simply to shorten your forms... but definitely keep them secure with all those methods described above!

Have you guys found that the (spoofed?) IP address the bot uses in each attack is really totally random or could that be from websites which showed a vulnerability. The reason I'm asking is that I looked at a few of these sites and found feedback forms on all of them. Coincidence? Because it would be rather scary if the emails are only the visible part of something far more serious, a possible execution of arbitrary code on vulnerable servers....

Just wondering.

Barbara from uk

I have given up on my form for the time being.
I have replaced the mail code in the php code with a simple text link back to my form page. The bot is enjoying hitting this page - from around midnight to 2pm UK time - and then nothing until the next day.

My form page now POSTs to a php script which just tells any real visitors that the form is not working and directing them back to the page with the physical contact info on it. Long live the phone.

Here is an idea for those who really want to keep their customers contacting them - set up a Yahoo instant messenger account. Its free and now has a voice option. It also has on option to permanently block anyone who spams you. Do a search for other options too. Skype is only voice and again it is free. I am sure that there are many more options out there too. Happy hunting.

Who needs forms?

lozeone from NJ

I have tried my hidden field suggestion, (post #281) and it seems to be stopping them, I have it sending me an email notice when the values don't match up and it appears to be catching them.

Here is what I did.

I have a hidden field in my html form named "spamcheck"

on the php script which processes the form I check if $_post['spamcheck'] is equal to a hardcoded value in the processing script (something hard to guess like a password).

since the bot is submitting all the post vars as something like, $_post['spamcheck'] wont equal the hardcoded value any longer.
and if thats the case, I don't let the form email go out, and I email myself a notice that this was detected.

The Javascript bit may not be necessary, but the reason I suggested it is so on the main form the value of the hidden field isn't visible in the value="" attribute if you simply view the source.
so on click of the submit button this value is set with javascript.
You could use some sort of encryption algorithm in the javascript so the value isn't legible there. (Although someone determined could possibly figure it out)
But since its not set until a human clicks submit, sending post vars to the processing script wont send anything.

this entire technique my be unnecessary, or not fool proof, (as im not a solid programmer, I just learn as I go) but this seems to be working, and makes sense to me.

zoob from boulder

To Juan:

"Does that means spammers might be sending email using my domain?"

Yes, exactly...probably porn or something weird that can't be sent legitimately. If left unchecked, don't be surprised if your host contacts you with a termination of account for "sending bulk emails". Everybody is at risk.

"Moving to another hosting company can help?"

No. This is a brand new exploit which most haven't even heard about yet....especially hosting companies. I contacted mine, for example, and they told me my code I had written was all wrong. Nuff said...

You'll just have to try some codes here and other forums. Sooner or later, someone will figure out what it's doing which actually should be done first to better understand this whole mess.

O&A from USA

Correction: make that TOTG.OB (not totB.ob as mentioned earlier)

See also:

The sightings show what they are pushing through broken web forms, as reported by individuals that caught the spam on the other end.

Juan from bs as, argentine

Are sites that make "blacklists" aware of this? We are in great danger!

Greg from Canada

This thing is starting to look and feel like the War of the Worlds. Can we beat the damned thing?

Ok, seriously, others have helped me so here is my time to help.

For those of you using PHP, here is my code (taken and adapted from others). Just place it AT THE TOP of all the pages that process all your forms (the pages to which your HTML pages post the user-collected information). You need to personalize your code by changing variable1, variable2 etc... with the names of each of the field variables in your form. You'll find those in the feeding HTML pages. All the variables sent to your form must be processed, so add a line like "$variable1 = BlockSpamFunction($variable1);" for each one of your variable (without the quotes).
So it goes like this:

function BlockSpamFunction($string) {
if (stristr($string,"Bcc")) {
die("Spam alert");
} else {
return mysql_real_escape_string($string);

$variable1 = BlockSpamFunction($variable1);
$variable2 = BlockSpamFunction($variable2);
$variable3 = BlockSpamFunction($variable3);

Important: This code has to come BEFORE the "mail" function that e-mails you the data.

By adding this to my site, I stopped receiving 60 or so e-mails with the hijacked fields. I still receive a few e-mails that contains either empty fields or fields all with a bogus e-mail address containing my site address. My best guess is that those are failed attempts to hijack my form, but as they fail the bot can't send any e-mail using my site. It just checks for vulnerability several times a day.

Interestingly, I've got many forms on my website, but only the two containing the word "contact" are targeted. I found this weird. The other ones send e-mails too, though.

Ok let's organize the resistance. We'll beat this thing, if our immune system doesn't kill it before that.

Barbara from uk

Hi folks
I just want to say a big thank you to everyone who is working away here and there to stop this spammer.
Either my ISP has surpassed itself (highly unlikely from past performance) or this join effort is killing off the spammer. In 3 days my 2 email accounts which are usually almost all spam have not received a single message. :D

Anybody else noticing a drop in the amount of spam?

My thoughts on hidden fields: the spammer has read the url containing the form - this is showing as the referrer url in the POST call, the field names and the url to which the form is POSTed.
It will only be a matter of time before the bot calls on your form again to find the hidden field and its content and add that too to its database.

The only secure idea is the text image which needs to be typed into a field. The text does not need to be hard to read. I can also see no reason why you should not include the characters that make up the word (separated by spaces or &) in the ALT attribute so that the browser reader software can enable the hard of sight to complete the form without any trouble.

Use javascript to rotate the image - not a problem if javascript is disabled. This then just leaves you to check an OR on a few variables in your form.

Another observation:

From looking at my logs there are at least 2 bot (or 2 databases) involved. The form which was hacked is on my home page. The referre url is shown as either http://www.domain.tld/ or http://www.domain.tld/index.html

Has anybody got any offerings to explain what the hacker is trying to achieve with the NULL emails?

Peter C from Loughborough, UK

I've been getting this on my website's contact page. The pattern tends to be four messages at a time, each with code injected into different parts of the message (message body, 'from' email address, 'from' email name), as well as individual 'empty' emails (ie. no message) at various times.

I've dealt with it by checking for the various common factors: if there is no message, or if the email or name contains line breaks, or if there is suspicious content in the message body (my domain name, or 'Content-type' etc.), then I get an email alert, and the actual message details and content are logged in a text file which I can review to check that my script isn't rejecting innocent messages.

I've been getting this for quite some time, before the sudden sickening realisation that this could be a spam relay attempt. I don't have access to mailserver logs on my hosting account, but I'm pretty sure I'd know if my account was being used as a spam relay (sudden termination of account, or a thousand angry spamees beating at my website's front door). I have yet to see any mention, in this discussion or on other pages which deal with this 'attack', of anyone who has actually had their mail account hijacked for spamming, yet this person has been doing what s/he has been doing for at least a couple of months now, long enough for plenty of people to get wise to the 'attack' and find ways of preventing it.


1) Maybe we should be grateful that this security vulnerability in our scripts is being highlighted - rather by someone who seemingly has yet to exploit it for relaying spam than by an aggressive spammer/spammers

2) Maybe it has nothing to do with mass email relay at all, maybe it's a mailbombing campaign against the various (single) email addresses appearing in the bcc: field in the headers - getting a thousand mail servers to repeatedly email poor old jrubin3456 and his friends, who may be innocent parties in all this? I did, at one point, get bcc'ed mail returned by AOL because jrubin3456's mailbox was full (that was the point at which I took notice....)

Incidentally, a new email address appeared the other day (so my script-generated text file tells me) -

Any thoughts on this?

Bendy from UK

Hi all, I am also getting these random bot test messages to the account I forward my form-email to.

As I don't run my own server, I cannot see what else is happening on the server as it only hosts my files (i.e. is any spam being sent using my script? dunno?)

I use asp and CDONTS I believe. (Though I am not really very technical)

Here is my asp (which is driven by a html form)

DIM strEmail, strName, strSurname, strSubject, strComments, mail, reply, objMail
strEmail = request.form("Email")
strName = request.form("FirstName")
strSurname = request.form("LastName")
strSubject = request.form("Subject")
strComments = request.form("Comments")

mail = ""
reply = request.form("Email")
Set objMail = Server.CreateObject("CDONTS.NewMail")
objMail.From = reply
objMail.Subject = "Email from website:" & strSubject
objMail.To = mail
objMail.Body = "Email: " & strEmail & vbCrLf & _
"Name: " & strName & " " & strSurname & vbCrLf & _
"Comments: " & vbCrLf & strComments

Set objMail = nothing
strName = request.form("FirstName")
Response.Write strName
<P>Thank you for emailing me.</P>
<a href=""><<<b> Return</b></a>

Do you think I am vulnerable to being relayed?
Is there a lot of spam going out that I don't see? How could I tell?

Many thanks if you can help.

Darrel from Chicago, IL

I notified most of the IP owners I could find, as noted in post #302, and I received my first personal response.

thanks a lot for the information. We have informed our customer to take
of the problem. If you have trouble with one of our servers
don't hesitate to contact us again.

Sorry for the problems.

Best regards

Arno Pirner

Hetzner Online AG

Kirk from Carlisle, PA

I managed to break my form processor ... {*sweet silence*} ... and am not too quickly going to fix it ... take that you evil little spammer dweeb.

K from USA

It's been 4 days now after I started requiring any using my form to type in a new field that requires a word to be validated on my PHP form. Still no Spam!

This is probably the easiest solution!

Just require 1 new field on your php form to be validated. Create an image of a word (it does not need to be distorted, but I did just in case it could read the image somehow). Put the image of the word in your form and require it to be validated.
Make sure you have your form validate every way it could be spelled just in case. If they enter the word incorrectly, have the form dump out to an error page telling them just to email you.

It really does work, and took me all of 5 minutes to do. I saw someone above said they tried this too and it works. This spam program cannot type in this word because it has no idea what it is. I do not even think you need to rotate it. I just have 1 word and has worked so far for 4 days staright.

Give it a try!

Anders from RTP

Everyone, we're pushing over 300 posts here. For the sake of our new readers, I respectfully ask that you post only if you have something to report that moves the cause forward. I realize many people are frustrated by these attacks but I don't want to have to ask my moderators to start denying posts on the merits of content. Thanks to all who have contributed and made this a much more valuable resource. I could never have guessed the level of interest in the community and am in your debt for all the help that has been published on this page.

Thank you.

Michel from Holland

I guess i blocked the emailinjection. I blocked the bbc and so on. I coded the pages of my clients in a way that when someone fills in the same data in all fields, the mail will be forwarded to me. Now i'm wondering, how long will i still receive the mails. Does it stop or does it continue. Does the sender see that the mailform is protected?

Thanks to everybody for sharing the solutions.

Kind regards

Nigel from

Hi, just read your article on stripping headers. It was very helpful, but (being unfamiliar with preg & regex) it took me some time to spot the error in your code (as it appears on that page), which is missing the forward slashes in the pattern strings. It could also be simplified to the following:

$_POST['email'] = preg_replace(array("/\r/","/\n/"), "", $_POST['email']);

Barbara from uk

Bendy - whoever your hosts are, they should be able to supply you with all the info that you need about the server logs. They are only saving themselves a little bit of work by not making them available to you in the first place.

The real indicator of whether or not anything is happening is peaks on bandwidth. Again, your host should have all the information needed.

The more I read on this, the more I realise that there is not a simple answer. The best bit of advice I have heard so far is that any input on a form must be taken to be an attempt to hack into the server or do something malicious. For this reason, anything a visitor to you site does to interact with your site must be treated with maximum suspicion and coded for accordingly.

Perhaps we could have foreseen all this happening with the attempts to get in through php coded forums. Then, they found a much weaker target.

Maybe now the scripting tutorials and books will be rewritten. The info we are all starting to use is available already - just not emphasised as important.

Nigel from Switzerland

Sorry, I must seem terribly rude. I also wanted to thank you for your article and the resources. I hope my little edit suggestion helps you.

zoob from boulder

I think it's been determined that you must check every field. A lot of people don't want to use the image method of have the user type a password of sorts. I think higher up, it was mentioned that the preg_replace or match isn't always effective. As I mentioned, the hidden field in the form is just a temporary patch and not permanent.

I found this which the user is claiming success and checks all fields...



Chuck from Chicago

I used Martijn's suggestion and it seems to be working well.
foreach ( $_POST as $key => $value ) {
$postVars .= $value;

if(eregi("MIME-Version:",$postVars)) {
mail("", "Form Hijack Attempt", "A spam relay was attempted from the Web site and was blocked.", "From:SpamMonitor");
mail script here

If the message contains the string"mime-version:", it never runs the mail script. I just sends me one letting me know that an attempt to spam was made. Of course, I'll be taking that out very soon as getting 20 of these is just as annoying :). Just making sure it keeps working for a day or two.

June from Haverhill

Just to let everyone know I have been bombed again the last two days from I tried to send an email to tell the person that they have been reported and to stay away from my site and this is what happened.


Your e-mail is being returned to you because there was a problem with its
delivery. The address which was undeliverable is listed in the section
labeled: "----- The following addresses had permanent fatal errors -----".

The reason your mail is being returned to you is listed in the section
labeled: "----- Transcript of Session Follows -----".

The line beginning with "<<<" describes the specific reason your e-mail could
not be delivered. The next line contains a second error message which is a
general translation for other e-mail servers.

Please direct further questions regarding this message to your e-mail

--AOL Postmaster

----- The following addresses had permanent fatal errors -----

----- Transcript of session follows -----
... while talking to
>>> RCPT To:<>
550 <>... User unknown

So even though the bot is still going around is now a closed account.

Just wanted to let everyone know.

Carl Colijn from Netherlands

Hi all, to come back on my post #273, I have written some texts and a test form to hopefully help some of you out.
Since a lot of people here are a bit unsure about what is going on and about whether the modifications they made to their script are good enough, I have added some pages to my site. The first is a form which you can use to test your own web form to check whether it's (still) vulnerable, the other is a more detailed technical explanation of what is going on.

The form test page can be found at:
and the explanation can be found at:

If you have any suggestions about the testing form, you can contact me at carl_colijn - at - hotmail - dot - com.

Hope this helps anyone!

digs from nyc

fake namebot with mysite entered in join email field
with an attempted messsage send and "" as bcc again.

Eva from Sweden

Hi everyone!
I have a contact form on my site which is coded in ASP and to avoid the test mails from the spammer, I check the data for identical input in the fields and for the words: Bcc: and Cc:
If any of it is found I do a redirect to another page where I explain why these words are banned and ask my visitors to either avoid those words or contact my by phone.

MrKicks from Los Angeles

This mornings is from
I did a quick search and it looks like several sites post to their site directly from the form that was targeted. Poorguys!

MrKicks from Los Angeles

A quick question...
Are all of the forms that have been violated named 'contact' ?
If so an immediate fix would be to rename the form to something more obscure.

Liam from Boston

My website is getting attacked by someone with the following address:

The form on my website has all fields filled in with fake email address as well as the following.

Business Name:
Best way to contact
Content-Type: multipart/mixed; boundary="===============0524391374=="
MIME-Version: 1.0
Subject: 3b248386

This is a multi-part message in MIME format.

Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit


What is this person trying to do? Is it harmfull or just anoying?

Thanks for your help

Alex from Cairns, QLD, Australia

I've just had 3 websites on my webserver attacked, would it be possible just to insert code to say if 'MIME-Version:' get typed into any field then don't send the email? I can't see that anyone has mensioned it in this forum so that makes me wonder if it would work or not?? i was thinking something like

if $message <> '*MIME-Version:*'
// then redirect to some other page

(i'm new to php, could someone let me know if this would work?)



For Exp. We have a Form with Fields :

Name :
Adress :
Telephone :

After We get these results like :


We generate a string of the whole fields together.

<% FormString=name+adress+telephone %>

We query the string with the critical content :


if InStr(FormString, "MIME-Version:") = 0 or InStr(test, "@") < 3 then

CDONTS or CDOSYS Component comes here

else ' leave it after the component codes.
end if


This is a simple solution to stop receiving this Form Mail Spammer.

Webby from

I got one of these last night with a BBC to
I just happened to be online at that time and checked my who's on log and recorded the following IP
That traces to the following....

Final results obtained from
% This is the RIPE Whois query server #2.
% The objects are in RPSL format.
% Note: the default output of the RIPE Whois server
% is changed. Your tools may need to be adjusted. See
% for more details.
% Rights restricted by copyright.
% See

% Note: This output has been filtered.
% To receive output for a database update, use the "-B" flag

% Information related to ' -'

inetnum: -
netname: FR-CEGETEL-20010925
descr: CEGETEL Entreprises
descr: Provider Local Internet Registry
country: FR
admin-c: AG1801-RIPE
admin-c: NST1-RIPE
tech-c: NST1-RIPE
source: RIPE # Filtered

organisation: ORG-CE1-RIPE
org-name: CEGETEL Entreprises
org-type: LIR
address: Tour Cedre
7 allee d'Arche
address: 92667
address: Courbevoie Cedex
address: France
phone: +33 1 55 23 99 24
fax-no: +33 1 71 77 18 91
admin-c: AG1801-RIPE
admin-c: SE1669-RIPE
admin-c: NST1-RIPE
admin-c: GJ477-RIPE
admin-c: PS9706-RIPE
admin-c: OL811-RIPE
admin-c: OM520-RIPE
admin-c: BB1276-RIPE
admin-c: PR2742-RIPE
admin-c: BP1450-RIPE
mnt-ref: RIPE-NCC-HM-MNT
source: RIPE # Filtered

role: Network Support Team
address: Cegetel SAS - Direction Reseaux
address: 7 Allee de l'Arche
address: 92677 Courbevoie Cedex
phone: +33 1 71070707
admin-c: NST1-RIPE
tech-c: SP4332-RIPE
tech-c: JS25366-RIPE
tech-c: SD6299-RIPE
tech-c: PR2742-RIPE
tech-c: GJ477-RIPE
nic-hdl: NST1-RIPE
source: RIPE # Filtered

person: Alain GADEK
address: Tour Cedre
address: 7, allee de l'arche
address: 92677 Courbevoie Cedex
phone: +33 1 55 68 14 60
nic-hdl: AG1801-RIPE
source: RIPE # Filtered

% Information related to ''

descr: CEGETEL E. CIDR Block 3
origin: AS8228
source: RIPE # Filtered

Chess from San Diego

Thought you all might like to know that 'Forms To Go' just released an update the looks like it will address the problems of the sort that we have all been having. You can find it at:


Bill W from Indiana USA

I have several of my sites that use a webform and it is maddening when you get someone doing this and paying customers calling to ask why they're getting e-mails that don't make sense. It really made me unhappy.
Aftre trying to think of really elegant solutions, I finally settled on loking at all of the incoming data for elements that would be a signature of this injection attack (%0A is the LF character [I think] and MIME and BCC are also used in the injection attempts) . As the script iterates through the field, it runs the following code (in PERL):

if ($content =~ /\n|\r|\%0A|MIME|BCC\:|bcc\:/)

I have a counter which prevents execution of the sendmail code if the counter is a non-zero value and outputs a brief html page advising that illegal content has been entered. If the counter is 0, I execute the sendmail.

I have used the actual input strings from this attack and it seems to work. I am going to roll it out on all of my sites and see if the probes stop (I should never see them if sendmail doesnt run).

I used a lot of diagnostic code to get an idea of what was happening with the e-mail forms and what the input looked like.

O&A from USA new arrival.

Content-Type: multipart/mixed; boundary="===============XXX=="
MIME-Version: 1.0
Subject: test 9997

This is a multi-part message in MIME format.

Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

Content-Type: text/html; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit


Alex from Cairns, QLD, Australia

Here is the PHP code to block these email attacker guys!


$strmsg = 'name: ' & $name &' <br>
email: ' & $email & ' <br>
etc etc etc ';

$text = $strmsg;
// The word we want to replace
$oldWord = "MIME-Version:";
// The new word we want in place of the old one
$newWord = " ";
// Run through the text and replaces all occurrences of $oldText
$text = str_replace($oldWord , $newWord , $text);
//If text has not been changed
if ($text == $strmsg)
//send email
//redirect to error page


This is really simple to use and easy to install, i havn't tested it online yet but i'm sure it will work :D

Dan M from Boston MA

I came back from July 4th weekend to find 100's of bounced
emails (imagine how many went thru) from this guy exploiting
one of our formmail scripts. I rewrote the script so he couldnt use it to send bcc mails. But, it looks like he managed to find another way around the checks I put in (I had never written in perl before this) so its back to making more script mods. Im dumping all the variables to a file and I dont even see how he's doing it this time...

Uwe Alex from Germany

my form2mail-script is now attacked for several weeks. i replace all "\r" and "\n" and ":" in the values to other symbols to look the script. i saw at the log files that this bot screening my webpages and sending the attack to the form is waiting for the response. so i let him wait a while to slow him down when i see "wrong" falues in the form-fields!

Carl Colijn from Netherlands

As Uwe Alex suggested in post #347, it might be even better to not only block the spam mails from being sent, but to also never return an answer to the spam bot when a spam mail is detected; just wait for, say, 2 minutes before returning anything (is it possible to even just stop returning anything at all?). This way, we will not only stop the spam relays, but make the process of finding vulnerable forms even more unattrractive for the spammers.

A from TX

Until (he also uses jrubin3456) stops his antics, I'm signing him up for every spammer, junk mailer, and required form I come across.

Ineffectual and adolescent, I know. But it makes me feel better.

O&A from USA

The attacks are coming through open proxy servers. Grab the IP from your access logs and google it, with the word "proxy"

for instance:

I haven't found a single entry not listed as an open proxy server.

Pieter from Netherlands

An attack from Canada yesterday ( with a bcc to

This made /me feel better:

- block
- block all AOL MX netblocks
- block some more netblocks such as
- putting a sleep of 4 minutes in my scripts
- insult them after those 4 minutes

C Knight from London, UK

Have had users complaining about email injection in relation to 'Jack's Formmail' (DT Formmail 5.0) PHP script. Like Foddski & Stu from New Zealand, it's worth adding extra checks.

This is what I've implemented for Jack's Formmail, but it should help with other PHP mailers too:

Most of the probing of the form I've been seeing bcc: themselves to jrubin3546 or The following patch should block what I've seen:

// the recipient should be defined by this script, but spambots can still
// send values that attempt to insinuate themselves into the header.
// In the best case this results in spam to the named recipient only.
// We'll try to exclude this based on various characteristics.
function check_exploit($postvars) {
if (!strcmp($postvars["first"], $postvars["email"]) && strpos($postvars["email"],'@'))
print_error("First name should not be email.");
while (list($key, $val) = each($postvars)) {
if (eregi('^(bcc$|content-type|mime-version|--)',$key))
print_error("Field names indicate exploit.");
if (preg_match('/[\n\r]+(bcc:|to:|cc:|content-type|mime-version|--)/i',$val))
print_error("Field value indicates exploit.");
if ((!strcmp ($key, "Submit") || !strcmp ($key, "reset")) && strpos($val,'@'))
print_error("Button has odd value.");

// put the following line early in the script :

I think it will work; $email already cannot contain whitespace the way the script is at the moment, but it's possible the [\n\r] check is too strict and it should work on any whitespace.

See also

Uwe Alex from Germany

Hello C Knight,
i'm not fitt with php but you dont need to look for bcc: and so on, then you have to look for Bcc: and BCc: and BCC: and so on. Just look for : . The : must not bee in name not in email .

Barbara from uk

This may be an answer for all those who have been asking what this is all about. It may also give us the source of all our grief.

Sorry that this post is so long. It probably does not contain anything that you all have observed too at some time or other.

Today, after complaining to a free email service about spam I was receiving, that email address sent itself an email. Coincidence? This is not an address which has previously been spoofed for sending spam. Previously I have had one email address on my server send to another email address on my server - not valid email addresses mind - an email, but this is the first time I have seen an email address send itself an email (other than our friendly hacker).

There is one common factor to all these emails and that is the address:
PO Box 1259 , Seattle , WA 98101 - USA

This address is used on the whois data for multiple websites, alll of which contain the same content. All offering a little program that you can run on your own computer that will search out the internet for valid email addresses that you can send your message to. As it runs on your own computer, acting as a server, your ISP details are not included within the email headers.( It is a while since I last looked at one of the sites, so details may be a little short on the finer detail.)

The HSPs would be doing us all a favour if they cancelled the registration of every domain that has this address as part of their whois data.

OK, so maybe I am a sad soul for trying to trace the source of spam. But, when they spoof my domains, my email addresses and try to hack my website, I start to take this all personally.

It does not matter how much the spammers try to hide, they are traceable. If you receive emails like those below, forward them with headers to the computer fraud section of your local police. The more evidence they have, the easier it becomes to trace the spammers and the easier to convict.

Today they are claiming to be S P A M I S - identified by name if you do a search , to quote
- [ Public Service Announcement Brought To You By S P A M I S ]
- [ Strategic Partnership Against Microsoft Illegal Spam ]

----- ---- --- -- - -


Thanks to Individual and Server Contributions, S P A M I S is Now
"FULLY READY" to Begin Increasing Microsoft Public Service
Announcement Emails to 20 Times the Amount of Internet Email
Users by 25 Times the Current Sending Rate & Speed When a
Certain Activity Transpires to "ANY" Past, Present or Future
S P A M I S Member(s) and/or "ANY" S P A M I S Affiliate(s).

[ S P A M I S / PO Box 1259 , Seattle , WA 98101 - USA ]

Earlier emails have contained this text, to quote
Content-Type: multipart/alternative;
X-UIDL: *<C!!UT%"!bab!!O;&"!

Content-Type: text/plain;
Content-Transfer-Encoding: quoted-printable

CHARITY CONTACT: your web site to 6,500,000+ opt-in email addresses for free...

please note that the above emailing is only free if you
are a non-profit organization and/or charity and registered
as one in your specific region and/or country of origin.

at our web site above, simply contact us by mail at the
address supplied on our web site with full details relating
to your non-profit organization, and paperwork indicating
proof of your status as a non-profit organization and/or
charity for full details on how to receive your free opt-in

the primary purpose of this email is sent to gain attention
to non-profit organizations looking for immediate exposure
via opt-in email to assist in worldwide causes. this is not
a commercial email and we make absolutely no commercial profit
on this beneficial service.

countless non-profit organizations worldwide have already
taken advantage of our free emailings and we look forward
to benefiting many more in the future for years to come.

if you have received this email in accident and/or are not a
non-profit organization interested in our non-commercial,
non-profit email notifications that benefit various causes:

please immediately unsubscribe at:

this email originates from:
newport corporation, po box 1259, seattle, wa 98111, usa
contact us by phone or fax anytime at: (206)260-2409

our corporation has operated for over ten years and in this
time period have provided countless non-profit charities
and non-profit organizations in dire need of resources and
financial support.

for 2005, the owner of newport corporation, as well as newport
corporation the company has donated to the following charities
for the following causes listed:

adventist development & relief agency intl: basic education
child help usa: treatment and prevention of child abuse
direct relief international: health care in developing countries doctors without borders: vaccinations for fifty infected people episcopal relief and development: iraqi conflict international medical corps: chad and sudan crisis mercy corps: child survival operation usa: asia tsunami relief fund salvation army northwest division: food security and hunger washington state red cross chapter: general local relief -------------------------------------------- note: please note that this is a non-commercial email and thus is not to be considered commercial email or restricted by any government commercial email regulations of any kind in regards to the commercial offering of any product, service, or offer of any kind for sale, lease, trade or for any other commercial nature cause of any kind. ----19811359133308183-- >>

O&A from USA -- another one.

For about the past week or so, I've observed abuse, but no spam attempts to relay through forms. Saturday morning, they began spamming, again, with penny stock "TOTG.OB" to hundreds of AOL addresses from the following "proxy servers".

Consider reporting abuse to AOL and notifying the source (proxy server provider) and request the originating IP address. With any luck a white hat provider might reveal the who is relaying through their proxy server. Never hurts to ask.

Juan from Argentina

Does anybody have a php form code that actually works without being spammed we can test in our websites? (If have a captacha still better)
I tried several modifications on my own and still get empty fields coming from my forms what tells me something is not ok...

Spam Links from here

I have added some of the links mentioned in these comments to a page about web application spam relay vulnerabilities at <>. You can see from this page that this class of vulnerability is nothing new: Ulf Härnhammar has been going on about this issue since at least the end of 2002!

Dan from

Form2Email is now secure against these attacks, I've been using it for a couple of weeks now and none has got through.

jcjaxson from waldwick, nj

The attacks seem to have abated. I have not received any notification of a hack attempt since last Friday the 23rd. Is anyone else trying to track attempts (rather than simply stopping them from generating an email)? If so, can you confirm from your end that you've also seen a decline?

O&A from USA

I haven't seen anything either since they launched their penny stock spam. The site linked below ran a story about the form spammer. I'm 100% certain it was the same spammer that's been tinkering with everyones forms in the past couple months.

Before they started hacking the PHP and ASP forms, they hit our site for a week or two, left and came back a few weeks later. The spam runs usually started around the end of the month and lasted through the first week of the month (around the time most people get paid).

They'll be back.

rn from Jerusalem, Israel just tried my site. He mailed several mails from the same IP:

I will write to AOL, hope it makes a difference.

The way I check it:
if (eregi("\r",$from) || eregi("\n",$from))
//something is wrong with the emal, do something

MrKicks from Los Angeles just tried one of my domains.

FoTo50 from Austria

For those having lots of clients on their server and even more forms that are maintained by a different person, there's still also the possibility to block at least those known email addresses server wide (assuming you have root access to the server).
Unfortunately I have no experience with Win-Servers, but e.g. on Linux with Postfix you could add lines to /etc/postfix/transport like: error:no mails for will be delivered error:no mails for will be delivered

... and of course do a postmap /etc/postfix/transport after the changes.

Of course I know this is not really a satisfying solution since there turn up always more different email addresses but it will block emails to at least those known ones and is a fast way to block them if you dont have the possibility/time to look after each clients form.

My PHP spamcheck function at is not updated frequently but from time to time (like now) with the known email addresses that are used for this exploit. I hope this can help.

Uwe Alex from germany

New Mailadress:
Spider has a timeoutdetection and stopp his several tryals after he detects the trapp
Open proxys are listeted here
AOL dont respond.

Cedric Knight from London, UK

Hi Uwe

I agree that if there is a ':' or a line break in a submitted email address, it can safely be rejected. But my intention was to stop the *site owner* getting *any* failed spam or 'backscatter' from failed attempts to exploit the script.

Sometimes the fake MIME header/email is *not* injected into the 'email' or 'from' fields. Instead it can be injected into 'first' or 'last' fields, presumably targetting some script that includes these somewhere in the subject or from: lines, and even into the 'submit' button field.

Now it may be that *most* scripts don't include them in the header, so can't be exploited for sending spam to arbitrary addresses. But that doesn't stop the spammer from trying out your form in case it is one of those that are vulnerable. The spammer often can't even tell what form you're running, and doesn't really care. So just checking the email field (whether as submitted via HTTP, or as later forwarded on via SMTP) doesn't necessarily stop a useless and incomprehensible email being sent to the site owner. To do that, we have to check *every* input field in the POST or GET, whether on our form it's intended to be a one-line email address, or a text area.

OK, some site owners may not care that they are getting email from failed attempts to probe the form; they may even be interested that someone is trying it. But a lot of form recipients aren't very technical, and it really irritates them to get an urgent application for something that turns out to be garbage.

By the way all the checks in my code were case-insensitive, so that's not a problem. The two lines that may well be redundant were the first two in the loop

if (eregi('^(bcc$|content-type|mime-version|--)',$key))
print_error("Field names indicate exploit.");

Very few scripts are likely to put every field from the form straight into the mail header, and of some old insecure forms may have a bcc field.

Hope that makes sense. Apologies to Anders that this page is getting so long, but his is perhaps the most complete description of the attempted crack on the web!

Uwe Alex from Germany

I replace all \r \n and : in *every* get & put field by other symbols. (only the used should be ok to)

Im planing to change the .htaccess file by my form2mail-script when it see an agressor.

Somthing like

if ... bcc: .. on wrong place... write
"Deny from IPadress" in .htaccess
(attacker often use same open proxy)

Maybe i put some trap-forms sooner in his path to break him down earlier.


We say:"Heiliger Sankt Florian, verschon´ mein Haus, zünd' and´re an!" In English "Holy St Florian, dont burn my House burn the others Houses"
When i kick them from my page they have more time for weaker hp-owner. A real solution would be better. When COLT did start the production of their PEACEMAKER they made the comercial: "God created man, but COLT made them equal" sometimes (well not realy) i wish to have such an equalizer

Pete from UK

My company has had the same problem with one of our customer's PHP form. Here's what we have done to try and stop the problem.

When the form is posted we perform this check :

// Check all the fields for bcc: (Just 2 here to demonstrate)
if (str_contains($name,'bcc:') || str_contains($phonenumber,'bcc:')) {
// Log attack into database and stop dead using exit();
} else {
// Carry on processing the form and send e-mail

Here is the function :

function str_contains($haystack, $needle, $ignoreCase = true) {
if ($ignoreCase) {
$haystack = strtolower($haystack);
$needle = strtolower($needle);
$needlePos = strpos($haystack, $needle);
return ($needlePos === false ? false : ($needlePos+1));

We have also had an attack from the e-mail address It looks like a combination of lower case L's and upper case i's with an O and a zero thrown in for good measure.

Hope this helps someone,


LaPingvino from Nederlando

I got that @%$&$ spammer in my shoutbox... ;) He was thus not able to do any harm...

herbert from old europe

hi there, thanks for the information on sendmail - attacks. got some kind of nervous, didn't get the "how did he", so i parsed the form for sender's mailadress - until now the same as the attacked domain - and got rid of the mails (simply die).
but your solution is better - basic, no workaround.
ps: i want the spammer shot!

Matt from UK

Hi, am i correct to assume that the ASP CDONTS component is not suceptable to this type of attack?

As far as I can see it won't actually relay any mail if the to:,bcc:,from: or subject fields contain the 'Content-Type: multipart/mixed; ' etc text.

As far as i have been able to test, if the cdo object receives this text as an input to the to,from fields etc, it simply causes the script to fall over rather than relay any mail?

Filtering the form inputs is still a good idea to stop the script from crashing.

Mike from US

A client of ours just got hit with this yesterday. I doesn't appear to have worked.

Has anyone, especially those of you who got a run-around by AOL, tried contacting a news group, i.e. ZDNet. I'm sure there are plenty of people who would like to hear about AOL's new "Security" measures.

O&A from USA

Confirming post #364
New address:
Sent from opened proxy server.
Another spam run started
Touting penny stock: UPDA.OB

Matt from UK

New Bcc Confirm address used

zoob from boulder

Obviously AOL doesn't care...He's probably reading this thread right now. I think the email bombing above made it impossible for him to see which attacks were successful.

tor from uk

The attempted spam is unsuccesfull on my site but of course i got annoyed with the multiple emails received.
The following is what i have put in place on my site and no more of those emails have come through;
-I limited the number of characters allowed in certain fields.
-I added one of those images with squigly letters to type into a box.

For those who do not compete the letters correctly they are given an email address to write to.

alan from north carolina

Thanks for the tips. I implemented the cr and new line filtering as well as the detection of bcc etc. However I also renamed the form processing files as well and had only one more visit from the spammer. After receiving 404 error on old file names no more returns. It's still good to add the filtering to prevent further attacks. I also look for null in the reply to box now to block form submit mistakes by visitors.

adrian from wellington new zealand

heh this is not such a clever script - its hitting my login form with an attempt to bcc

Like - dude - my login form doesn't send email *grin*

great forum - sooo much info

O&A from USA

new sighting:

rodney from NC, USA

alan, the 404 stopping the attempts is apparently true. When I implemented my filter, I included two actions if spam was detected. First I send me an email alerting me that a spam attack was attempted, then I serve the attacker with a 404 heading to let him know he got caught/ the attempt failed.

Manuel from TX, USA

Try Forms To Go

it filters our all new line characters from any field value used in the email header (subject, from, etc)

also halts script execution if any "stop words" is found

this had solved all my customers complains

Alex from Venezuela

Two attempts today with

Just added the two lines of Perl code to remove the linefeeds/returns.

BTW, in my opinion not much use presenting a 404 error as a deterrent, spammers don't even look at a screen when sending the spam. It's all automated. They just check if the message gets to the BCC.

Alex from Venezuela

Three more attempts this evening using <> as the BCC address.

FoTo50 from Austria

A new email sighted:

Jens from Hannover / Germany


I had a avisit from, too. What can I do against this? I just wanted to offer a newsletter-subscribe-formular?

What kind of code I have to block?


Kasimir from Europe


you could read the comments on this page, there are many ways to prevent this problem. I know, it is a long list, and it's so much easier not to read them, but hope somebody puts the answer on your plate.

One thing I decided to do is that when my script detects an exploit attempt, it sends as a response 100MB of random characters ;-) Interesting to see what kind of effect, if any, it has.

Anders from RTP

Another from

Dan from

Kasimir, interesting idea......

After a month or two silent, they're at it again with attempts on my site.

O&A from USA

Considering they are using random, hijacked proxy servers to spam through, replying with large data blocks only consumes your bandwidth and does nothing to stop the abuse. If you can afford the bandwidth, you might be able to DoS the proxy server for a few mins, but attempting to work with the open proxy server admins might get you closer to the spammer. Check your logs and run a whois on the connecting abuser ... and other sites can get you in contact with the open proxy admins.

We fixed our script, but renamed it to something else. We converted the abused script into a spam trap to monitor the exploit attempts. Monitoring allows the ability to report the abuse. If you are being targetted, 100s of others are too. Its your voice that helps stop the abuse when reporting.

p.s. confirming #386 sighting

Alex from Venezuela

Send the 100mb response to their BCC address!!

O&A from USA

The largest piece of e-mail that an AOL member can accept from or send to the Internet is 16 megabytes. This includes the message text, headers and the attachment combined.

John S. from Erie, PA, USA

Little punks are trying to get me, too. Although it was a pain to do all this work to prevent a spammer from phishing my web site, I think it is definitely well worth it. I wrote a few PHP scripts that it is well worth it. Before any email is sent out on my web site, my scripts now check the message for "bcc:". If it is found, all of the submitted information is captured into my database and the script that is supposed to run promptly ends. Instead, a different script is called to check the number of times that this IP address has attempted to phish for email addresses. If this number is greater than 2, my .htaccess file is modified (automatically, of course!) to deny the ip address. Also, by doing a whois search ( of their IP addresses, I noticed that most of these idiots are located in the Middle East. C'mon, Dubya, hit the button!

Alex from Venezuela

New email address sighting:

Mike from Tennessee

I've spent weeks on this stuff and the more I read the more I am sure we've been missing something. We go around banning IP addresses to detour this VIRUS? I am coming to the conslustion that that is just what the designers of this VIRUS are trying to do. If he can get us to build walls around ourselves he can effectively distroy our internet community. It is the old divide and conquer thing. I've been banning IP addresses too. That ends today. Let's all find scripts to use that detect and kill the enemy's efforts NOT our businesses one IP at a time being prevented from enjoying our services, ideas and products.

Terry Johnson from Chatham, ON, Canada

I've found the best way to stop them is to redisplay the form with "_at_" subsituted into any email address that isn't where is should be. This blocks all anoying probes from reaching your sales / customer service message queues.

Meanwhile, someone else on the same ISP as me just got their form owned by this spammer :-(

John Panos from Athens, Greece

Most readers here mentioned that a safe procedure is to remove new line and carriage return characters from the form fields.

But what I cannot figure out is that when you pipe in to the mail program you have to introduce new line character (\n).

The line below shows this in Perl.

print MAIL "To: $recipient\n";
print MAIL "Subject: $subject\n";

So what is the benefit of removing these characters form the form fields when you have to re-introduce them?

Jerk from France

same problem : bcc:
the solution :
$sujet = str_replace("\r","",$_POST["sujet"]);
semm not ti work with textarea...

Vamp from Mexico

I got hit also and with your guys help I think I fixed it....can someone confirm

FROM - $headers = "From: $from\r\n";
TO - $headers = "From: $from";

I also left this as this ok?

$headers = "From: $from_adress_mail";
$headers .= "MIME-Version: 1.0\r\n";

$headers .= "Content-Type: multipart/alternative" .
"; boundary = $boundary\r\n";

O&A from USA

Re: #395
"So what is the benefit of removing these characters form the form fields when you have to re-introduce them?"

if the script has detected tainted data, then its probably safe to process no further or perhaps just log the abuse.

foreach $form_field (@form ){
if( &data_tainted($form_field) ) {

more advanced:
If you are careful, redefine the headers so only the spammer's email is listed. They continue to think they are pushing their spam through your site, while you are silently recording all their abuse, which is useful for reporting. Most of their addresses are listed here, so it's easy to identify them and adjust the headers accordingly.

After tainted data has been adjusted, re-introducing a newline shouldn't cause problems.

Vamp from Mexico

I got rid of all \r\n except in this snippet because of the formatting of the mail...can I get advice on this piece of code and what i need to do?
$html_message .= "<body>";

$html_message .= "</body>";
$html_message .= "</html>";
$headers = "From: $from_adress_mail\r\n\r\n";
$headers .= "MIME-Version: 1.0\r\n";
$boundary = uniqid("HTMLDEMO");

$headers .= "Content-Type: multipart/alternative" .
"; boundary = $boundary\r\n\r\n";

$headers .= "This is a MIME encoded message.\r\n\r\n";

//plain text version of message
$headers .= "--$boundary\r\n" .
"Content-Type: text/plain; charset=ISO-8859-1\r\n" .
"Content-Transfer-Encoding: base64\r\n\r\n";
$headers .= chunk_split(base64_encode($html_message));

//HTML version of message
$headers .= "--$boundary\r\n" .
"Content-Type: text/html; charset=ISO-8859-1\r\n" .
"Content-Transfer-Encoding: base64\r\n\r\n";
$headers .= chunk_split(base64_encode($html_message));

//send HTML message
mail($from_adress_mail, "New Member Registration", "", $headers);

Anders from RTP

Seeing more attempts from today.

Jonathan from UK

seeing quite a few like these. Am using secure php me thinks and so hopefully no spam going out.


JayB from UK

Getting probes on two different sites from and
I've mailed AOL with no real result.

One form was compromised and sent spam out. First I knew was when I got a message titled "REMOVE". I got them to forward me the mail they received. Content was:

Current price: .47
Projected Short Term Growth: 1.00+
Rating: 10 out of 10


Universal Property Development & Acquisition Benchmark Coverage To Be Initiated By Investrend Research

NEW YORK--(BUSINESS WIRE)--Nov. 14, 2005--(Investrend Research Syndicate) Universal Property Development & Acquistion Corp. (OTCBB: UPDA - News) has enrolled in the unique shareholder empowerment platform administered by Investrend Communications, Inc., a provider of financial intelligence programs. Benchmark research coverage will be initiated by an Investrend Research analyst to be assigned in the next few days.


HOUSTON--(BUSINESS WIRE)-- Canyon Creek Oil & Gas Inc. (a joint venture of Universal Property Development (OTCBB:UPDA - News) and USProduction & Exploration, LLC., a privately held Company, announced today that during October it sold 170.73 barrels of oil and 988 mcfg from 4 wells located on its Hagler leases. Canyon Creek representatives said they were very pleased with these initial results since they represent only a partial month of production from only 4 of the 12 producers at the Hagler site.

Universal Property Development and Acquisition Corporation focuses on the acquisition and development of proven oil and natural gas reserves and other energy opportunities through the creation of joint ventures with under-funded owners of mineral leases and cutting-edge technologies. Based on all factors involved including current instability and the growing demand of oil and gas as populations rise, and the current price of UPDA being substantially lower than it should be, we believe this stock has EXTREME potential to rise.

Statements contained in this press release that are not based upon current or historical fact are forward-looking in nature. Such forward-looking statements reflect the current views of management with respect to future events and are subject to certain risks, uncertainties, and assumptions. Should one or more of these risks or uncertainties materialize or should underlying assumptions prove incorrect, actual results may vary materially from those described herein as anticipated, believed, estimated, expected, or described pursuant to similar expressions.

42509a7fb0cc3fff120000a442d1c3d3 .

Corker from NY

I've been following this thread for a few months now, being a target (unsuccessful, so far) of this creep. Just a word for my fellow PHP developers: run out to your local bookstore TODAY and pick up a copy of "Essential PHP Security" by Chris Shiflett (pub: O'Reilly). Just released this month and a must-have for PHP devs. And no, I'm not a shill for them. I bought my copy last week, read it straight through (only about 100 pages), but excellent code snippets and examples for how to deal with many common injection attempts and other types of attacks -- this one included.

By the way, the solution I've been using is just stripping out the \r and \n from any fields that will be in an e-mail header, as well as stripping out BCC (case insensitive). I've had the e-mails sent to me (hardcoded my address into the TO field) because I want to see what's going on in the idiot's attempts. Now that I have enough data to be fairly confident of his methods, I'll just be logging the attempts to a data file and exiting the script without mailing when an attack attempt is determined.

Quinti from Spain

my solution in form php:

i had:
if ( (!empty($name)) && (!empty($message)) && (!empty($email)) )
$name = stripslashes($name);
$message = stripslashes($message);
$headers = 'From: '.$email.'';
//This is where the email is sent using your values from above. Be sure to update this if you change any fields in contact.php
mail("$youremail", "$subject","
Name: $name
Email: $email
Phone: $phone
Department: $department
Message: $message


i replace, and solution (muchísimas gracias Ian :)), :


if ( (!empty($name)) && (!empty($message)) && (!empty($email)) )
$name = stripslashes($name);
$message = stripslashes($message);
$headers .= "From: " . $email . "\r\n\r\n";

//This is where the email is sent using your values from above. Be sure to update this if you change any fields in contact.php
mail("$youremail", "$subject","
Name: $name
Email: $email
Phone: $phone
Department: $department
Message: $message

// Strip \r and \n from the email address

$_POST['email'] = preg_replace("\r", "", $_POST['email']);
$_POST['email'] = preg_replace("\n", "", $_POST['email']);

// Remove injected headers

$find = array("/bcc\:/i","/Content\-Type\:/i","/cc\:/i","/to\:/i");

$_POST['email'] = preg_replace($find, "", $_POST['email']);
$message = preg_replace($find, "", message);


thanks all

Josef from UK

After having just been hit by this spam, have spent the entire day investigating and re-coding around this problem. Most useful information found on this site and in all the posts on this page, many thanks.

My problem is that I'd like to test my fixes by reproducing what the spammer does, but I can't work out how they actually do it? I have put in code in my php script to check for and remove \r\n chars and a few other bits and pieces in the 'email' field that previously was used unvalidated in the From: and Reply-To: fields in a fairly standard php mail sending script. Hopefully we should now be ok, but I can't be entirely sure as I can't seem to reproduce what the spammer obviously has been successful in doing?

I appreciate that it would not be a good idea to publish here exactly how to reproduce this, has anyone got any ideas ?

many thanks.

Josef from UK

Update to the above - I've worked it out now, just took a night's sleep and some more reading :-). If anyone wants to know how to reproduce it (and it wasn't difficult) - please post here and I shall make the information available.

thanks again


Robert from London


I have been forced to work on this problem too and would be interested in any ideas that you have formulated. I myself have gone down the route of testing for absolutely everything I can spot in the spam emails, bcc etc. MIME-Type etc, and protecting all variables used in the script. I would be happy to exchange ideas with anyone so as to create a secure script for future use and also for the benefit of others.

all the best


Quinti from spain

problem again :(

my code php is:
if ( (!empty($name)) && (!empty($message)) && (!empty($email)) )
$name = stripslashes($name);
$message = stripslashes($message);
$headers .= "From: " . $email . "\r\n\r\n";

mail("$youremail", "$subject","
Name: $name
Email: $email
Phone: $phone
Department: $department
Message: $message

// Strip \r and \n from the email address

$_POST['email'] = preg_replace("\r", "", $_POST['email']);
$_POST['email'] = preg_replace("\n", "", $_POST['email']);

// Remove injected headers

$find = array("/bcc\:/i","/Content\-Type\:/i","/cc\:/i","/to\:/i");

$_POST['email'] = preg_replace($find, "", $_POST['email']);
$message = preg_replace($find, "", message);


waht i need do now?
thanks very much

Stuart from UK

Two things.

Filtration is fine but consider this, the whole reason these spam attempts are working is because the bot script is able to post data to your sites without using the form on your site.

In PHP a token approach can stop data being posted if it didn't originate from your site.

Set up a hidden field with a token and and write that token to the session. On the page that processes the POST check that the posted token matches the token in the session. If it doesn't match then just bin the data.

$secret = 'ssshhitsasecret';
$token = md5(rand(1, 1000).$secret);
$_SESSION['token'] = $token;

<input type="hidden" name="token" value="<?=$token? >" />

Secondly in my experience most of the junk in these mails is stuck in the email field. If the email validation is done properly then putting any data after the email address will not validate.

Hope this helps.

Quinti from spain

i probe all combinations putting that code in contact.php and in gracias.php...and problem persist...

put me an example please?

i don't know what more do

Quinti from spain

hi, interesting page:


hilary from Ireland

Wow.. I am currently being attacked by and previously jrubin and some other email too... it's driving me mad, today I blocked ips, partial email addresses, and included two functions to kill them... the first should stop them posting to a page and the second to my and others emails... what a pain in the behind! I really hope this code works... thanks for letting us post here, this code and responses are really helpful! :)

Josef from UK

Robert - please email me at josef at justmail dot me dot uk for mutually beneficial exchange of ideas :-)

Stuart - yes you are absolutely correct in that in most cases you can only abuse the script by submitting data to it by a different and modified form hosted elsewhere or without a form altogether. Problem is, I think most people are calling the formmail PHP script from a plain old html form, use no other scripting on their sites and are not PHP programmers. For those your solution (although I'm sure it works) may appear too ambitious.

As well as filtering the incoming data in the email field we also added a filter to check that the form was submitted from the same domain as the script resides on by using the HTTP_REFERER field, however after just now reading up on this in the PHP documentation it happily admits that this is not reliable and can easily be spoofed. Would there another way of adding code within the same script that reliably checks where the data submitted came from?


Dan from

Does anyone have any .htaccess code to block blank user-agents?

Hilary from Ireland

Hi Joseph... would a hidden field work?

justin from Ireland

Looks like they are pushing penny share stock - pump and dump scheme. got one in today that was bcc'ed to hundreds of aol addresses , pushing a "VMT Scientific"

thats interesting - my previous mails didnt have spam content - looked like "testing"...

JayB from UK

More probes, this time responding to Have AOL finally killed off the old addresses?

If it's any help for those using HTML forms and needing a backend to process check out Forms To Go. Can the guys who have been testing check it out also to see if they can get through it?

Quinti, are you sure the spam is still getting through? What you may be receiving is the result of failed attempts. I have two different processors running at the moment. One traps and dumps, the other traps and sends the results so I can track the IPs.

JayB from UK

Justin, if it has content are you sure it's not a successful attempt? Normally the probes contain nothing but characters as far as I can tell.

Whilst I'm here, if you guys are serious about spam can I suggest you go take a look at the Project HoneyPot site and help out there by adding a trap to your sites. These guys are doing their utmost to bring the harvesters down.

Dan from

Ignore code request above, found some RewriteEngine htaccess that works a treat, the spammers now get redirected to a contact form on another spammers site. Hopefully this could create a spammers attacking spammers situation and they'll all implode.

Jeremy from IL

I've just been attacked by this guy:
I run OS commerce and thought that I had fixed the email injection problem.

Lou from Canada

Here is a compiled list of emails from this forum and from probes on my site:

Note that some of the emails are quite similar.

Hope this helps.

Nigel Patience from UK

Been having similar problems - the script was fairly safe before (I think) but have added the strip out on CR & LF as a precaution (can you be too safe? Probably not.)
I had numerous attempts within a short time frame; they had BCCs on them to
Because of the time proximity I think they may be the same person.

I have contacted AOL who were not dismissive and invited me to write to cosnotify at aol dot com which I have done... It will be interesting to see if I get a response.

When it first happened I did write to abuse at, but have yet to hear back from them.

alan from north carolina

I posted with results of cr, lf filters etc back in oct. Noted then that changing form processing file names seemed to stop the bot. Since then the bot has discovered the renamed files. However I also implemented a check for a simple hidden variable constant sent through the posted form and that also stopped the bot since as mentioned elsewhere the bot directly accesses the form processing files. I might try the more elegant session variable approach from Stuart of UK if I still have problems. For now the bot hasn't returned.

Anders from RTP

Killing cr / lf characters stops the attacks from being successful, but doesn't stop the attacks. Now on pages with forms, I have the server pick a random number and throw that into a hidden field and the session. On a form submit, I check to see if the hidden field matches the random number in the session. If so, I continue with the logic, else I stop there. Every page load incurs a new random number, so chances of a bot following through this more sophisticated hoop are slim to none.

Of course we could further obfuscate this by accepting form posts through AJAX, but that's a bit of overkill and may not work on all browsers.

pbhj from Wales, UK

I have also receive attempts to probe my php mailer with a bcc of ... some of the IP's were reported as,,,,


J from finland

hm, didn't know about this one, on monday i recieved a complaint from a security specialist from an internet company telling us that our SMTP is being used. a huge amount of work, i have to check dozens of forms : ( ..spam mail has to be the stupidest way to spend your time working on. i mean.. who's ever bought viagra or penny stock just because they got a mail telling them they should? : )

also, i couldn't get any of the above perl scripts to work as is - i'm pretty confused with all the different versions out there, are there differences in the syntax as well? the current sendmail is using the variables like so:

my $mail_to = "address\";
my $mail_from = "address2\";
my $subject = param('subject');

so what's up with the "$field =~ s/\r/ /g;"? and especially =~ , could not get that one to work?

thanks a bunch if anyones still reading this.

Dan from

Just pointing out to Josef that http_referer checking wont work since when the spammers hit your actual cgi/php script they fake the referer as your homepage. When probing other pages though they don't leave a referer address.

Dan from

In addition to above, you're better off checking the user-agent which will be blank. I now have blank user-agent blocking on my site but the sneaky spammer sent one single request using a Java1.4.2_03 user-agent which got through but then the cgi script stopped the attempt. But after that one altered attempt he/they are back to blank user-agent attempts and 403 pages from my site.

Frank from South Africa

Hello Guys

It seems that I managed to resolve the problem but after a complaint from AOL it's clear that there is still some forms that's not fixed yet.

(Have over 200 sites on the server)

Anyone have perhaps an idea how can I find those still unsecure forms please?

Dan from

Frank, your best bet is to pay close attention to your server logs to see which forms are being hit.

alan from north carolina

You are right Anders, My field checking just blocks the sending of the email from the bot. I checked my logs more carefully and notice that in december the attacks accelerated esp. now with daily probes. I am so glad I fixed my forms since the inital probes were less frequent. I would be very embarassed now with dozens of daily junk emails sent out from my system if I still had the original unchecked form. I feel sorry for those administering large shared hosts.

Frank from South Africa

Thanks Dan

I traced it at least down to a single domain and terminated the whole domain for now. (anyway one of my own domains and it can stay down for a while until I fixed the problem)

Thanks again

Frank from South Africa

Is it possible to block ANY email address to AOL to leave a linux server?

I am in South Africa none of my clients have AOL addresses.

Might also perhaps be an idea if we all started to block AOL with a message that AOL is a heaven for spammers or such people.

Roman from UA

We're also under constant attempts to exploit the scripts. During 5 days we've got 58 unique IPs trying to bcc This seems to be a widespread intelligent spam system (i changed the url of the script and it was contacted in 2 hours) or some infected systems because the ip range is very broad. The most addresses are assigned by DHCP, so blocking them will not permit legitimate users to use the scripts.

John from UK

Very useful reading here - thanks to all those with good ideas
I have had a number of attacks from several AOL addressess recently (last 3 weeks really).
I now check the User_agent and bin it if less that 15 characters and stripslashes from their input fields from the form..
The meail addresses used are:

Dan from

I agree with John, user-agent blocking is the only thing that will stop them dead at the moment. They'll adapt no doubt but for the time being this blocks them even from scanning your contact pages.

John from UK

I also have added a 'character' picture that needs to be input by the user on any form that has anything to do with mailing anything anywhere. The check field is then verified by a separate script - any mismatch and I record the IP address etc in a database for further investigation as well as presenting a bad script / 403 response page. I have only used 6 characters and letters - but since these (and the earlier) changes I have had no further attacks.

David V from St. Louis, MO, USA

Hello all,

Heh, I've had an interesting morning. I've been getting these odd ads through my music clearance form at the site of my net radio station. I finally this morning decided to track it all down. Eventually I found this page.

I'm using FormMail, but when I look at the message source, I'm not seeing any Bcc: fields at all. Perhaps the version I'm using (or the way I have it configured) disallows this field or already has the \r and \n removal filters in it. I only get them occasionally (perhaps a dozen in the last six months) but this article certainly explains why I've been getting them. They've been probing my form and have been unsuccessful at finding least that's how I'm interpreting what I'm seeing.

David V

JonUK from UK

I noticed this email script header injection attack on one of my sites very recently. I've now put a fix in place to ensure these spam emails aren't sent anymore. In the process, I've modified my script to email me the exact details of an attemped attack. I've then been forwarding these reports to AOL as it's aways been their members performing these attacks. As yet I haven't back from them.

If we continue to email AOL about these issues they will have to act on them at some point? An example of the emails I've sent to AOL follows:

I am contacting you because one of your member?s ? is attempting to hijack an email mailing script on my website and send out unsolicited spam emails. I previously wasn?t aware of this kind of attack and your member ? successfully sent a large number of unsolicited emails in this way. I have since employed a developer to implement extra security to stop these ?email header injection? attacks.

I now receive an email each time someone attempts to abuse my email script. Today (30th Dec 2005), one of your members ? has attempted to send unsolicited spam emails on 15 occasions between 06:05 ? 09:01 GMT. Attached to this email are 15 reports detailing the exact nature of these attempted hacks by your member ?

From reading your Terms of Service, the behaviour of your member ? is in direct violation.

I take this matter very seriously and if there is any more information you wish me to provide on these attacks, please don?t hesitate to contact me.


My Name

I have been sending these emails to "" & "".

O&A from USA

confirming #439


John from UK

If you want to get your own back at the spammer then send them back to their own address (normally a public proxy server). The following 2 lines of php show the way ...

$Remaddr = $_ENV['REMOTE_ADDR'];
header( "Location: http://$Remaddr" );

J from

i took my perl forms off the web a month back, as nothing seemed to work, mails just kept going out. now i put up a small & simple PHP script that uses

"MIME-Version: 1.0
Content-type: text/plain; charset=iso-8859-1\r \n";

am i correct in assuming that plaintext message headers are NOT vulnerable to these attacks? as multipart messaging is not supported, the header just ends and the message begins, so all BCC's and such would just go as a part of the text message?

there's also a checkbox as the first variable to be passed from the form and a textarea after that, does this affect the behaviour?

Anders from RTP

No, weither or not there is a milti-part line in the header is irrelivant. You are still vulnerable to the attack. To kill 100% of successfull exploits you should eliminate every \r and \n in fields used in an email header. Attempt emails will still come through but you won't be sending any spam out.

Alex from united states

Badly with scripts. Not the convenient interface. And so a site interesting and useful. Has come, was surprised with quantity of the information. Has added in the selected works, and I suggest you to exchange references. In advance thanks, write

JT from VA

Shocking to see that the same addresses have been used for months now and that AOL has not taken action. A "honeypot" form that I have set up is catching form abuse attempts which use the same AOL email addresses as identified above:, and Wake up AOL! AOL needs to do it's part to track down the users of these AOL email accounts and shut them down, take them to court, whatever. I've reported to AOL; I hope others have done the same.

Quinti from Sarria / Lugo / Spain

please, please, please...
i can't more...
somebody can tell me what's the problem in this code?
2 files, contact.php and gracias.php

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "">
<html xmlns="" xml:lang="es" >

echo "<script type=\"text/javascript\">\n";
echo "<!--\n";
echo "function validar(form1) {\n";
echo "if ( < 2) {\n";
echo "alert('";
echo "Inserte el nombre";;
echo "')\n";
echo ";\n";
echo "return (false);}\n";
echo "var checkOK = \"ABCDEFGHIJKLMNÑOPQRSTUVWXYZÁÉÍÓÚ\" + \"abcdefghijklmnñopqrstuvwxyzáéíóú \";\n";
echo "var checkStr =;\n";
echo "var allValid = true;\n";
echo "var uword = hex_md5(document.getElementById('uword').value)\n";
echo "for (i = 0; i < checkStr.length; i++) {";
echo "ch = checkStr.charAt(i);\n";
echo "for (j = 0; j < checkOK.length; j++)\n";
echo "if (ch == checkOK.charAt(j))\n";
echo "break;\n";
echo "if (j == checkOK.length) {\n";
echo "allValid = false;\n";
echo "break;";
echo "}}\n";
echo "if (!allValid) {\n";
echo "alert('";
echo "inserte el nombre";
echo "');\n";
echo ";\n";
echo "return (false);}\n";
echo "if (( ('@', 0) == -1)||( < 9) || ('.', 0)== -1 ){\n";
echo "alert('";
echo "inserte el email";
echo "');\n";
echo ";";
echo "return (false);}\n";
echo "if (form1.message.value.length < 7) {\n";
echo "alert('";
echo "inserte el mensaje";
echo "');\n";
echo "form1.message.focus();";
echo "return (false);}\n";

echo "if (uword==cword[anum-1]) {\n";
echo "return true;}\n";
echo "else {\n";
echo "alert('";
echo "inserte el código de la imagen";
echo "');\n";
echo "document.getElementById('uword').focus();\n";
echo "return false;}\n";
echo "return (true);}\n";
echo "-->\n";
echo "</script>\n";
<script type="text/javascript" src="md5.js"></script>
<script type="text/javascript" src="jcap.js"></script>
<form method="post" onsubmit="return validar(this)" id="form1" action="gracias.php">
<input type="hidden" name="token" value="<?=$token?>" />
Nombre:*<input name="name" type="text" value="" />
E-mail:* <input name="email" type="text" value="" />
Asunto: <input name="phone" type="text" value="" />
Mensaje:* <br />
<textarea name="message" cols="30" rows="5"></textarea>
Inserte el código de la imagen siguiente* (para evitar el Spam)</p>

<input type="text" name="uword" id="uword" value="" />
<br />
<script type="text/javascript">cimg()</script> </p>
<input type="submit" value="enviar" />
campos con * son obligatorios.
finnnish code
and the other file, gracias.php gracias.php code: <? @import_request_variables("gpc");//importamos las variables $youremail = "tudirección de email "; //tu mail $subject = "el título del tema "; // por ejemplo, titulo de tu pag - contacto $redirect = "contacto.php";//url a la que se redirijirá cuando se envíe el formulario $secs = "5"; $secret = 'ssshhitsasecret'; // tiempo en segundos que tardará en //redirigirse la página $token = md5(rand(1, 1000).$secret); $_SESSION['token'] = $token; ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" ""> <html xmlns="" xml:lang="es" > <head> </head> <body> <? //a partir de aqui hay una serie de variables que impiden que los spammers usen nuestro formulario como lanzadera de su spam $name = stripslashes($name); $message = stripslashes($message); $headers .= "From: " . $email . "\r\n\r\n"; //This is where the email is sent using your values from above. Be sure to update this if you change any fields in contact.php mail("$youremail", "$subject"," Name: $name Email: $email Phone: $phone Message: $message ",$headers); // Strip \r and \n from the email address $_POST['email'] = preg_replace("\r", "", $_POST['email']); $_POST['email'] = preg_replace("\n", "", $_POST['email']); $_SESSION['token'] = $token; $token = md5(rand(1, 1000).$secret); $secret = 'ssshhitsasecret'; $field = preg_replace( "/[\n\r]+/", " ", $field ); // Remove injected headers $find = array("/bcc\:/i","/Content\-Type\:/i","/cc\:/i","/to\:/i"); $_POST['email'] = preg_replace($find, "", $_POST['email']); $message = preg_replace($find, "", message); $email=str_replace("\r","\n",$email); $name=str_replace("\r","\n",$name); $message=str_replace("\r","\n",$message); $phone=str_replace("\r","\n",$phone); ?> <meta http-equiv="refresh" content="<?=$secs;?>;URL=<?=$redirect;?>"> <p>Gracias, el formulario se ha enviado con éxito, le contestaremos en menos de 24 h. En 5 segundos será redirigido a la página principal.</p> </body> </html> finnish code thank y very very much

Quinti from Sarria / Lugo / Spain


my spam email providen to:

etc etc etc always

and the subject, of the form, · - Contacto" + "hi" or similar,
but, how is posiible?, i think my page is good and secure
look please:

the code is my the code of my last message

this is is as a torture....real.

Steve from Atlanta, GA USA

Insert into gracias.php:

if(eregi("$", $email)) {
echo("$youremail", "Message Killed", "$message", "From: $name <$email>");
exit("Message killed. <a href='contacto.php'>Try again?</a>");

Quinti from Sarria, Lugo, Galicia

here my spam mails type:



Email: them

Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Subject: still


and here, the headers of the message:

O&A from USA

The, and morphs spent the weekend pumping penny stock SGWV.PK.

quinti from Sarria, Lugo, Galicia

"Steve from Atlanta, GA USA
#448 | Sun, Feb 5, 2006 11:27 PM
Insert into gracias.php:

if(eregi("$", $email)) {
echo("$youremail", "Message Killed", "$message", "From: $name <$email>");
exit("Message killed. <a href='contacto.php'>Try again?</a>");

no run...., when i put that function, the code in gracias.php only shows <html></html>....

Stephen Hiraoka from Atlanta, GA USA

Just got a test set from

if(!eregi("^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$", $email)) {
mail("$youremail", "Message Killed", "$message", "From: $name <$email>");
exit("Message killed. <a href='contacto.php'>Try again?</a>");

quinti from Sarria, Lugo, Galicia

Thank u very much, now yes. :) Stephen

Stony from Munich Germany

I just included the following code. maybe it will scare somebody ;)

foreach($_POST as $key => $value){
if(strtolower($key)=="bcc"){//anti spammer :)
foreach($spammer as $spamme){
mail($spamme,"Big Brother is watching you","Do NOT mess with the wrong people!");
$message.=$key.": ".$value."\n";

the to-address where the form sends to is hardcoded and i don't use any headers, so i don't really care about the spammers attention on my site...
was just curious because i was getting some of these hits from, thats how i found this site.

Stephen Hiraoka from Atlanta, GA USA

Confirming hits including Bcc:

One of my site's error reports are showing hijacking attempts at regular intervals (over 200 per 24hrs) on a processing script page I removed months ago.

An important point is that the form is not being hijacked; the script page which processes the form is being hit. The attempts show no referer and no user agent (browser). That means form validation/sanitization on the form page (such as maxlength="" in the <input> tags and scipt-based checks on form input) has no effect unless the form posts to itself, and hijacking must be handled on the form processing script page.

Another important point is that the bot used to hijack the scripts cannot determine whether the script is there, and will continue attempts to hijack even if the script page has been renamed, removed or moved. So an immediate but temporary fix for hijacking is to simply moveor rename the script page, making sure to delete the page being hijacked from the server.

The method of attack from and other aliases accessing the script directly is header injection which has predictable elements such as the text "MIME-Version:", "Content-Type", and, in these common cases, "Bcc:".

Counter the attacks with methods such as this PHP code ($userName, $userEmail and $userMessage must be changed to the names of your form input tags):

// Test for known injection strings.
$arBadStr = array("Content-Type:", "MIME-Version:", "Content-Transfer-Encoding:", "bcc:", "cc:");
foreach($_POST as $tName => $tVal){
foreach($arBadStr as $tStr){
if(eregi($tStr, $tVal)){
$fSub = "Failed: Header Injection.";
reportError($fSub); }}}

// Passed test, send mail.
mail( "", "Message Subject", $userMessage, "From: $userName <$userEmail>");

// Report error function called when test detects hijacking. Mails report to webmaster and kills process.
function reportError($fSub) {
while(list($name, $value) = each($_POST)) {
$eBody .= "$name : $value \n\r"; }
mail( "", $fSub, $eBody, "From: Webmaster <>");
exit(header("Location:")); }

Phil from London

New sighting:

quinti from Sarria, Lugo, Galicia


all members of here, can download my contact form for free, without link to me, all what you want do, cause here i find my solution. thanks to all, specially to anders to do this important board

anyway, if somebody see bugs or mistakes, tell me please. :)) ji

this is for/from all you

really, i dont know is perfect correct, but with this, i only recive one atack, from "SpamMonitor", no 100 from diverses maisl, type: hi@domainserver, lahasj@domainserver

repat, all member of here, can download for free without any link
is for u regards

Phil from London

New sighting:

O&A from USA

Confirming #458. Additional sightings: and

Vg-Greece from greece - athens

the problem is massive !!
i followed the codes you people wrote and i managed to stop email forwarding but
the bot (or people) still sends email form , just to me from the form. Is there any one that knows any particular code for not sending at all the mail. I think that a "total solution" will be if somone discover exactly the same programm that they are using for spamming so we will be able to know the limitations of it.

sorry fo my bad english

Noetic from Wakefield, UK

I reported, and last week and haven't had a single attempt since Friday. Can't quite believe it yet...

Stefan from united states

Site informative and useful, has liked it, shall come back very often.

Anton Aleksandrov from Riga, Latvia

Hello everyone!
I would like to share simple and elegant script, that can be used to terminate spammers' attempts to send mail through your mail forms. This is server-wide solution. For us it helped to stop spam on all our servers and that's why I would like to share it will everyone. You can get it here: You comments are very welcome.

Anton Aleksandrov.

Jonathan Nichols from Anderson, IN, USA

A website that I maintain ( has recently been "captured" by this exploit. Luckily, my co-worker found this website and we at least had a foothold on what to do. One solution we came up with was to have the page with the form on it create another page with a random filename to post to. This is all in ASP by the way, sorry. After it does the post the page redirects to a "success" page and then deletes the random page. Leaving nothing for the exploiting program to actually latch onto. The random page is generated by a function in ASP that will just generate a random 5 character string then i just create a file with that string and the extension.asp and use the filesystem object to write all the lines to send the mail. This method is still being test so don't hold me to it if it fails, but it seems slightly failproof in my cocksure young mind. Hopefully this helps.


O&A from USA

Re: #464 ... the exploit is caused by not running sanity checks on the data passed to the form. If a form can be posted to, however obsecure it may be, without ensuring the data didn't get loaded with \n, \r, or misc other header data, then it will likely remain exploitable.

Noetic from Wakefield, UK

After almost a week without a single attempt, we're now getting (unsuccessful, of course) hits from the following E-Mail addresses:,
and most frequently:

Jonathan Nichols from Anderson, IN, USA

Re: #465. The logs on my site show that all data was passed directly to the post page that actually processes and sends the email, in my case it was suppmail.asp. Not to a form. Therefore by randomly generating a page titled 9FED7.asp or some other combination of characters that the form will post to then redirect from the posting page to a "success" page that then deletes the posting page there's not need to strip users of their ability to format an email the way that they want. In addition to this it also keeps there from beging a permanent static file that the program can just keep posting too. Make sense? No need to test incoming data or anything, because, as I said, in my experience the form doesn't matter. It's the page that's being posted to that matters. Maybe I'm wrong. Maybe it does matter. I did think of a problem last night whereby a user goes to the email page and a page is generated for posting to, but the user closes out or goes to another page then that randomly generated page is left behind. I am working on a way to keep this from happening, unfortunately, it looks like it might come down to having a program run that cleans up the files. If anyone has suggestions I'm open to them. Or feel free to pass me an email thchipmunk at gmail dot com.

Noetic from Wakefield, UK

Re # 467: Yes it goes directly to the page that processes the script, so your solution should work.

Although I don't know whether the random page creation etc. isn't more work than just catching and logging the attempts! Especially since personally, I prefer to know what's been going on with my sites, so I prefer logging the information when the attack is stopped.

Alex from Canada

Some new sightings for today:

Ted from NJ

Got these on March 7 as well:

That's 2 days after I put a form on my site for the first time. Impressive huh?

Lkw from Netherlands

They bothered me with 200 attempts this night:

Could someone bomb aol?
It isn't a coincidence aol is in charge again and again, right?

Alex from Canada

A brand spankin new probe address:

If nobody actually cares about keeping track of these (and/or using them to filter outbound), please let me know and i'll stop posting em :)

Alex from Canada


O&A from USA

Keep posting. People googling the probes for specific names are likely finding a lot of useful information here, as are others.

Noetic from Wakefield, UK

Got ONE attempt from all last week... Must be doing something right, though to my shame I must admit I actually feel strangely satisfied when I trap such attempts so I'm getting a bit bored ;)

Christian from Germany

I do receive nearly every day spam attempts, too, from:

AOL home of unwanted CD-ROMs and home of spammers... Nice company...

Alex from Canada

a new, non-AOL sighting:

Noetic from Wakefield, UK

First non-AOL ones for me as well...

Noetic from Wakefield, UK

Little word of warning, these attempts are getting more sophisticated - I have had numerous attempts from that followed a different pattern to the hacks, creating spoof email addresses from the domain they attack and then injecting the header text and spoof mail text into all available fields (so the only way to catch them out that I've found to work 100% is to eliminate all mail that contains 'CC:' or 'BCC:' (since our mail form does NOT use these and there is no reason for them to be in the mail headers or body other than a hack attempt).

Noetic from Wakefield, UK

The following are all addresses, which I have now reported to

O&A from USA

A few others:

cp47 from belgium

new spam tests at our servers at 21/04/2006
with 2 adresses already listed here:
and 2 new (I think)

O&A from USA

Spammer now encoding messages in base64. If you get one of these, you can google 'base64 decoding' and find a site to decode the messages.

Additional sightings ( the first one mentioned in #466 ):

Gary from Vancouver, BC, Canada

regarding form-spam ...

I'm a webmaster and I manage several websites that are currently plagued by form-spam. These days, we're getting a lot of URL's being inserted repeatedly into our input fields.

I'm not a server-side programmer, but it would be extremely helpful to me if someone could program a form-mail script that has an array of "disallowed strings" (in my case, anything containing "http" or "www"); php could not only refuse the form contents, but could keep a list of offending IP numbers and block future attempts to spam. Seems to me that this would not be hard for programmers to do. Example of "disallowed" text strings in array might be "viagara", "cialis", "casino", "adultxxx", stuff like that.

Or maybe just apply some hacks to some popular form-mail scripts, like Matt's form-mail written in Perl.

Gavin Vincent from Falmouth, Cornwall, UK

Thanks for the info, this happened to me recently, the final score was about 1000 undelivered mail messages in about 12 hours! I stripped out \r\n as you suggested and also refuse to send mail with "Content-type:" in the subject field, and it works a treat. I put a link to your article from my blog. Thanks for the help.

O&A from USA

Latest abuse:

FiLiUsEvAe from Netherlands

Watching the thread, my site has been "visited" as well. I can't give you more information than the things already posted here. If you do a google search on one of the bcc email accounts you'll see quite some results of sites it has been hitting.

One extra email account it is using I have to add.

Gary from vancouve bc canada

As far as "guestbook spam" goes, I did arrive at a solution. Had to pay $100 to two PHP scipters, but I've got a workable PHP form-mail processor that can be programmed to reject input based on "banned words" and create a blacklist of offending IP numbers and ban them permanently.

It's not a totally "perfect" solution, but as "perfect" as the internet gets! I haven't had a single spam form-return since I installed the script!

cp47 from Belgium

recently, we have been receiving chinese messages in our forms by, I think, another spammer

it has addresses like:

sometimes there are urls in the chinese message, most of those urls seem to be chinese company websites, like:

the way the spammer works is the same: submitting to a web-form (so the protection we use is the same), but because I think it's another spammer(s), I would like to know if other people also suffer from this problem and/or know more about it

If you want more addresses from this/these spammers, just ask, I 've got lots of more of them

cp47 from Belgium

new addresses:

Alex from Canada

some new ones:

Alex from Canada

O&A from USA

Spam from these guys were formatted differently from the AOL spammer and targetted non-AOL adresses, hawking diplomas:

cp47 from Belgium

it has been quiet for a while, but recently there has been some activity; beside the chinese spammers who are also trying to exploit our forms from time to time to spamvertise,
the attacker to whom this page is 'dedicated to' has been doing some overwork this weekend,
using these 2 new and 1 already known email adresses:

Russell Robinson from Melbourne, Vic, Australia

Matt's and other FormMails were written by enthusiastic amateurs at a time when spam really didn't exist (or certainly wasn't sophisticated).

Dean from Australia (see above) has already mentioned my FormMail script.

I just wanted to point out that if you design a script *from the beginning* to avoid security problems, then you won't have any (or many)!

Even as a 27 year veteran programmer and software designer, I stil make plenty of mistakes. So, it's no wonder that there are a lot of poorly written, security flawed scripts out there written by enthusiastic amateurs.

Everyone is welcome to use Tectite FormMail - I've provided it free to every webmaster.

Also, AFAIK, it's the only one under constant improvement.

We don't provide free support, but the Configuration Wizard makes getting started really easy.

Russell Robinson
Author of Tectite FormMail

Tony Isse from TWebMan

I have had to put several layers of protection in my perl scripts, including a timer that won't allow the same IP to post within a certain time. Unfortunately there are now extra installation steps but they have been effective so far. Too much to list, see at

Finally I just made a no-mail form. It doesn't send mail so it can't be hijacked. It still replaces headers with nothing, then dumps the 'message' into a db field. A cron script runs, checks the db (timestamp field) and THAT script (outside of web space) sends an email to the website owner of any new messages. The page the owner visits, in a secured directory, allows for replying or deleting messages.

mcgdog mcgdogm from newport, NC

can someone give me a idea how i can build a no mail form ? whats the safest way of running a business online ?

Anders from RTP

You might be interested in trying out which is a free hosted service that gives you an Image Verification system similar to the one on this page. It's nice because it doesn't require any server-side code.

Oleg from Russian

Even without hijacking, contact form spam is irritating. One of the simplest solutions is to install Advanced Textual Confirmation:

Advanced Textual Confirmation is an universal antispam for forums, blogs, contact forms, and others. It is a smart textual CAPTCHA, which challenges site visitors only once, and then disappears. To install, no database required, no graphical libraries required, just insert one line into your script.

O&A from USA

Someone said the formmail spammer(s) mentioned on this site pleaded guilty to securities fraud recently. no joke.

Xiara from Belgium

I think I have found a solution that does not need a captcha. I described it on my blog

Anders from RTP

Xiara: Yeah, I already did that. Spam bots will eventually figure that out because they can execute JavaScript these days.

Rene from Camarillo/CA/USA

I use formmail.php and I've been getting some weird forms for the past 2 months. To fight the spammers I limited the email field to 50 characters and this seems to have done the trick. Is this solution too simplistic? I'm not a programmer so I don't know.

Leave a Comment

Location: (city / state / country)
Email: (not published / no spam)

No HTML is allowed. Cookies must be enabled to post. Your comment will appear on this page after a moderator OKs it. Offensive content will not be published.

Click the puppy to submit your comment.

To create links in comments:
[link:] becomes
[link:|] becomes
Notice there is no rel="nofollow" in these hrefs. Links in comments will carry page rank from this site so only link to things worthy of people's attention.