ISP closes php form because of spam abuse

Posted on 2006-04-03
Last Modified: 2013-12-13
Hi experts, my ISP says that my simple php script that handles a simple contact form is abused by spammers. What may I do to redeem this?

The script resides in a separate file from the form:
<?php
// Handler as posted: relies on register_globals for $name (the explicit
// assignment below is added so it runs without it); the recipient address
// was removed before posting.
$name  = $HTTP_POST_VARS['name'];
$email = $HTTP_POST_VARS['email'];
$mailto = "";
$mailsubj = "Response from $name";
$mailhead = "From: $email\n";   // visitor-supplied value placed straight into a mail header
reset($HTTP_POST_VARS);
$mailbody = "This is a message from $name:\n";
while (list($key, $val) = each($HTTP_POST_VARS)) { $mailbody .= "$key : $val\n"; }
// only the email field is checked for a newline; $name and the other fields are not
if (!eregi("\n", $HTTP_POST_VARS['email'])) { mail($mailto, $mailsubj, $mailbody, $mailhead); }



Question by:Sparkle101
    LVL 40

    Expert Comment

    A quick lesson.


    Here end'th the lesson.

    Personally, I would take a look at

    LVL 9

    Accepted Solution

    If I put a form on my website that posts to yours, your script will send out emails for me.
    All I'd have to do is supply the 'email' variable and put extra header information in it too, like cc or bcc.

    You should detect where your post is coming from and validate all entries, before sending anything out.

    To ensure people use your form and not just submit from somewhere else, you could also set a session variable with a random value when creating the form, including it in a hidden value, and when it's submitted match them up.

    Although most of these can be faked, good validation should be enough to prevent spammers sending out emails via your site.
    LVL 2

    Author Comment

    Yes, I found out this too. I finally ended up with this script that detects cc and bcc and others and sends an error:


    <?php
    // $name, $email and $message arrive from the form via register_globals.
    $error = "";

    // get all the email form data
    $ems = "";

    // stop email server hacks
    $ems .= $name;
    $ems .= $email;
    $ems .= $message;

    if ( stristr( $ems, "content-type" ) || stristr( $ems, "multipart/mixed" ) || stristr( $ems, "boundary" ) || stristr( $ems, "cc:" ) || stristr( $ems, "multi-part message in mime format" ) || stristr( $ems, 'to:' ) || eregi( "(%[a-f0-9])", $ems ) || stristr( $ems, "0x" ) )
        // the last two are in case they try using hex or other non standard characters
        $error .= "<p>Behave!!</p>";

    if ( $error ) {
        echo $error;
        exit; // stop here; without this the message was still sent after printing the error
    }

    $name = stripslashes($name);
    $email = stripslashes($email);
    $subject = stripslashes("Response from my form");
    $text = stripslashes($message);
    mail('', $subject, $text, "From: $name <$email>");
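A handler that applies the accepted solution's advice (a per-form token stored in the session and matched on submit, strict validation of every field instead of the keyword blacklist in the script above), added here as an example; it is not the asker's or an answerer's code, and the field names, placeholder addresses and token scheme are assumptions.

```php
<?php
// Added example, not the asker's or an answerer's code. Field names, the
// placeholder addresses and the token scheme are assumptions.
session_start();
$recipient = 'you@example.com'; // placeholder

// 1. Anti-forgery token. The page that renders the form must have run
//    $_SESSION['form_token'] = bin2hex(random_bytes(16)); and put that value
//    in <input type="hidden" name="token" value="...">.
$token = $_POST['token'] ?? '';
if (empty($_SESSION['form_token']) || !hash_equals($_SESSION['form_token'], $token)) {
    http_response_code(403);
    exit('Form token missing or invalid.');
}
unset($_SESSION['form_token']); // single use

// 2. Validate every field and reject anything that could break out of a
//    header; a newline in $name would otherwise land in the Subject line.
$name    = trim($_POST['name'] ?? '');
$email   = trim($_POST['email'] ?? '');
$message = $_POST['message'] ?? '';
$errors  = [];
if ($name === '' || strlen($name) > 100 || preg_match('/[\r\n]/', $name)) {
    $errors[] = 'Invalid name.';
}
// FILTER_VALIDATE_EMAIL refuses CR, LF and other characters that do not
// belong in an address, so extra "Cc:"/"Bcc:" lines cannot ride along.
if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
    $errors[] = 'Invalid email address.';
}
if ($message === '' || strlen($message) > 5000) {
    $errors[] = 'Message missing or too long.';
}
if ($errors) {
    http_response_code(400);
    exit(implode(' ', $errors));
}

// 3. Only server-controlled values go in From; the visitor's address goes in
//    Reply-To so replies still reach them without letting them set headers.
$headers = "From: Contact form <noreply@example.com>\r\n"
         . "Reply-To: $email\r\n";
$body    = "Message from $name <$email>:\n\n$message";

mail($recipient, 'Response from ' . $name, $body, $headers);
echo 'Thank you, your message has been sent.';
```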
