
Topic awaiting preservation: weird website spam (Page 1 of 1)

 
GRUMBLE
Paranoid (IV) Mad Scientist

From: Omicron Persei 8
Insane since: Oct 2000

posted 09-16-2005 15:36

hi,
on one of my client's websites i use a "normal" contact form.
it has two inputs: name and email
one textarea: some text
and one submit button.

once the user fills out all fields and hits submit the form is submitted using POST and on the next page the contents are sent to my client (and myself) using the php->mail function.

this has been working now for years without any problem.

but for a couple of weeks now, exactly every six hours we get four emails with kinda strange content.

  • the first one has the same values in all three form elements, and looks like eight random characters + @ + the domain name.

    example: xhrtj8iuz@mydomain.com
  • the second one has this in its body:

    This is a multi-part message in MIME format.

    --===============1217498244==
    Content-Type: text/plain; charset=\"us-ascii\"
    MIME-Version: 1.0
    Content-Transfer-Encoding: 7bit

    pnkdyoq
    --===============1217498244==--
  • the third one is the strangest of all because it contains nothing, but still the size of the email is about 1800 bytes. this is strange because the form usually does not allow empty content to be sent.
  • the fourth one is a mixture of the first and the second. it has the same values for the three fields but additionally in the content field it has the multi-part thing as in the second version. it looks like this:



    hujrkdeo@mydomain.com
    Content-Type: multipart/mixed; boundary=\"===============1526510514==\"
    MIME-Version: 1.0
    Subject: 9605bb75
    To: hujrkdeo@mydomain.com
    bcc: PeiCanteenMc@aol.com
    From: hujrkdeo@mydomain.com

    This is a multi-part message in MIME format.

    --===============1526510514==
    Content-Type: text/plain; charset=\"us-ascii\"
    MIME-Version: 1.0
    Content-Transfer-Encoding: 7bit

    mgeeid
    --===============1526510514==--




ok, as i said we get these four mails exactly every six hours, each time from a different ip. if i traceroute the ip it points to a random mailserver of companies here in my country.
the guy is obviously trying to send attachments, probably viruses.
any hints on how to stop him?
thanks.



edit: hmmm the ulist tag here seems to add extra lines to the list items.

(Edited by GRUMBLE on 09-16-2005 15:38)

poi
Paranoid (IV) Inmate

From: France
Insane since: Jun 2002

posted 09-16-2005 16:17

Check SecurePHP : Email Injection



(Edited by poi on 09-16-2005 16:17)

GRUMBLE
Paranoid (IV) Mad Scientist

From: Omicron Persei 8
Insane since: Oct 2000

posted 09-16-2005 16:38

thank you poi, that is an interesting article.
indeed i used
"Reply-To: $email"
as the string for my headers, which is very convenient since you can just hit reply in your email client to write back.

I removed it for now, let's see what the next four emails will look like.

I'll probably have to find another solution though, since the Reply-To feature is too nice to drop.



(Edited by GRUMBLE on 09-16-2005 16:39)

poi
Paranoid (IV) Inmate

From: France
Insane since: Jun 2002

posted 09-16-2005 16:46

At the end of the article, they give some simple ideas to detect the attempt to pass a MIME header in the form fields.
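
Added example, not part of the original thread or of the linked article: one way to keep the "Reply-To: $email" header discussed above while rejecting submissions like the four probe mails. The field names (name, email, text), the recipient address and all function names are assumptions.

```php
<?php
// Added example, not code from the thread. Requires PHP 7.1+.
// Field names 'name', 'email', 'text' and the recipient are assumptions.

// CR, LF or NUL inside a header value lets the sender start a new header line.
function has_header_break(string $v): bool
{
    return preg_match('/[\r\n\0]/', $v) === 1;
}

// MIME/recipient header names at the start of a line, as in the probe mails above.
function looks_like_mime_probe(string $v): bool
{
    return preg_match('/^\s*(content-type|mime-version|content-transfer-encoding|bcc)\s*:/mi', $v) === 1;
}

// Returns the pieces for mail(), or null if the submission must be rejected.
function build_contact_mail(array $post): ?array
{
    $name  = (string)($post['name'] ?? '');
    $email = (string)($post['email'] ?? '');
    $text  = (string)($post['text'] ?? '');

    // The only user value that reaches a header: single line, one valid address.
    if (has_header_break($email) || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    // Name and text only go into the body, but probes are still worth dropping.
    if (trim($name) === '' || trim($text) === '' || has_header_break($name)
        || looks_like_mime_probe($name) || looks_like_mime_probe($text)) {
        return null;
    }
    return [
        'to'      => 'client@example.com',  // placeholder recipient
        'subject' => 'Contact form',        // fixed, never user-supplied
        'body'    => "Name: $name\nEmail: $email\n\n$text",
        'headers' => "Reply-To: $email",
    ];
}

// Constructed inputs: a normal submission and one shaped like the fourth mail.
$good = ['name' => 'Jane', 'email' => 'jane@example.org', 'text' => "Hello,\nplease call me."];
$bad  = ['name' => 'x', 'email' => "hujrkdeo@mydomain.com\r\nbcc: someone@example.net", 'text' => 'x'];

var_dump(build_contact_mail($good) !== null, build_contact_mail($bad) === null);

// In the form handler:
// $m = build_contact_mail($_POST);
// if ($m !== null) { mail($m['to'], $m['subject'], $m['body'], $m['headers']); }
```

Any other form value that is later placed in the subject or in the additional headers needs the same single-line check before it is used.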
