    The Spanner
    Web security blog

    Made by Gareth Heyes
    Follow me on Twitter: @garethheyes


    Email form spam protection

    By Gareth Heyes (@hackvertor)

    Published 19 years 4 months ago • Last updated March 22, 2025 • ⏱️ 4 min read


    How it works

    First of all you need to understand how the attackers are using your web site against you. They run botnets that crawl the net looking for certain keywords on sites that accept form submissions. This is bad because even if you block a specific IP address, the next request simply comes from another bot. You could report the IP address being used to send spam, but that would only shrink the spammer's botnet (if the report succeeds).

    Poorly written PHP scripts

    Because PHP is widely used across the net, spammers also take advantage of poorly written PHP scripts by injecting email headers before an email is sent through the script. To understand this you need to know how the PHP mail() function works. See the example below:

    
    <?php
    // Every value passed to mail() is fixed in the script; nothing comes from the user.
    $to      = 'homer@simpsons.spring';
    $subject = 'the subject';
    $message = 'hello';
    // Additional headers, one per line, separated by CR LF ("\r\n").
    $headers = 'From: webmaster@powerplant.spring' . "\r\n" .
       'Reply-To: webmaster@powerplant.spring' . "\r\n" .
       'X-Mailer: PHP/' . phpversion();
    
    mail($to, $subject, $message, $headers);
    
    

    The above code sends an email to homer@simpsons.spring with the subject "the subject" and the message "hello", from webmaster@powerplant.spring. Notice the $headers variable, which passes extra email headers to the mail transfer program. The headers sent are From:, Reply-To: and X-Mailer:. "From" tells the email client who the message is from, "Reply-To" lets you set a reply address that differs from the sending address, and "X-Mailer" is ignored by email clients and merely identifies the program that was used to send the email.

    You may also have noticed the \r\n separating the headers. This is a carriage return followed by a line feed, which PHP writes as a new line and which tells the mail program that another header follows. The problem occurs when a form supplies a value that mail() uses as a header, the subject for example:

    
    <?php
    $to      = 'homer@simpsons.spring';
    // Vulnerable: the subject is taken straight from the form, so a value
    // containing \r\n adds further headers of the sender's choosing.
    $subject = $_POST['subject'];
    $message = 'hello';
    $headers = 'From: webmaster@powerplant.spring' . "\r\n" .
       'Reply-To: webmaster@powerplant.spring' . "\r\n" .
       'X-Mailer: PHP/' . phpversion();
    
    mail($to, $subject, $message, $headers);
    
    

    Here the subject is set from $_POST['subject'], which comes from the form field named subject; the field would look something like this:

    
    <input type="text" name="subject" />
    
    

    What a spammer does is take advantage of this form field by supplying an unexpected value, usually in the form of an email header, like:

    
    <!-- \r\n stands for the two bytes CR LF that are actually submitted in the value -->
    <input type="text" name="subject" value="\r\nTo: pooruser@sendspamhere.spam" />
    
    

    Prevention

    The attacker now has full control over which headers your script sends, because the value is passed to mail() unchecked. To secure your scripts you need to make sure that any information supplied by the user contains nothing unexpected. There are many ways to do this, but I shall give you an easy example that provides strong protection against this type of attack.

    
    <?php
    // ereg_replace() was removed in PHP 7.0; preg_replace() accepts the same
    // bracket expression. The class lists a literal space rather than [:space:]:
    // the POSIX class [:space:] also matches \r and \n, so using it would leave
    // the injected line breaks in the subject.
    $subject = preg_replace('/[^[:alnum:] ]/', '', $_POST['subject']);
    
    

    So if you remember the previous example, the subject header could be injected with other headers by supplying \r\n. What the above code does is remove every character that is not an alphanumeric character ([:alnum:]) or a space and replace it with nothing; the leading ^ inside the brackets negates the class. Be careful which class you use for the space: the POSIX class [:space:] also matches \r and \n, which are exactly the characters that must go, so the bracket expression should contain a literal space instead. Note too that this filter removes punctuation and, without the /u modifier, any non-ASCII letters, so a subject like "Réunion!" arrives as "Runion".
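    To show the difference between stripping unwanted characters and refusing the submission, here is an added example of a complete form handler; it is not code from the original post. The function names, the form field names (subject, email, message) and the two sample submissions are assumptions, while the recipient and From address are the ones used above.

```php
<?php
declare(strict_types=1);

// Added example (not from the original post): a contact-form handler that
// refuses header injection instead of relying on a character filter.
// Function names, field names and the sample submissions are assumptions.

// CR, LF and NUL are the only bytes that can terminate one header line and
// start another, so any of them in a header value is an injection attempt.
// preg_match() returns 0 for "no match"; an error (false) also counts as unsafe.
function header_value_is_safe(string $value): bool
{
    return preg_match('/[\r\n\0]/', $value) === 0;
}

// Reply-To is the one header the visitor may influence. FILTER_VALIDATE_EMAIL
// rejects line breaks, spaces and extra addresses, so a valid result cannot
// carry an injected header.
function valid_reply_address(string $value): ?string
{
    $email = filter_var(trim($value), FILTER_VALIDATE_EMAIL);
    return $email === false ? null : $email;
}

// Build the argument list for mail() from the form fields, or return null if
// any field is unsafe. Recipient and From are fixed server-side: the visitor
// never chooses who receives the message.
function build_mail_args(array $post): ?array
{
    $subject = trim((string)($post['subject'] ?? ''));
    $body    = (string)($post['message'] ?? '');
    $reply   = valid_reply_address((string)($post['email'] ?? ''));

    if ($subject === '' || !header_value_is_safe($subject) || $reply === null) {
        return null;
    }
    // The body is not a header, so line breaks are fine there: mail() sends it
    // after the blank line that ends the header block.

    $headers = 'From: webmaster@powerplant.spring' . "\r\n" .
               'Reply-To: ' . $reply . "\r\n" .
               'X-Mailer: PHP/' . phpversion();

    return ['homer@simpsons.spring', $subject, $body, $headers];
}

// Constructed sample submissions: one honest, one carrying an injected Bcc.
$samples = [
    'honest'   => ['subject' => 'Question about billing',
                   'email'   => 'marge@simpsons.spring',
                   'message' => "Hello,\r\nwhere is my invoice?"],
    'injected' => ['subject' => "Hi\r\nBcc: pooruser@sendspamhere.spam",
                   'email'   => 'marge@simpsons.spring',
                   'message' => 'spam'],
];

foreach ($samples as $name => $post) {
    $args = build_mail_args($post);
    if ($args === null) {
        // Log the rejection: bots that find an injectable form probe it
        // repeatedly, so a count of rejections is a useful alert signal.
        error_log("contact form: rejected submission ($name)");
        continue;
    }
    // In production this would be mail(...$args); here only the headers are shown.
    echo "$name: would send with headers:\n" . $args[3] . "\n\n";
}
```

    Run it with the php command-line binary; neither sample actually sends mail. The honest one prints the header block it would hand to mail(), the injected one is logged and dropped. Refusing rather than stripping has two advantages over the filter above: an honest subject keeps its punctuation and accented letters, and every rejected submission is an event you can count or alert on.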

    Other tips

    There are also ways to reduce the number of attacks on your servers by using less obvious names for form fields: instead of calling your field "Contact Email" you could call it "s12", or if your script is called "send_mail.php" you could rename it to "x.php". This makes it much harder for a spammer to identify that you are sending email. Of course, it also makes sites harder to manage, since it is harder to tell which scripts do what.
