ADDA Host
Contact Forms / Email Injection

Contact forms are often abused by spammers. Since most webmasters hardcode the recipient's email address into the contact form of their web application, one might think this limits how such a script can be exploited, but this is not the case.

It is possible to inject additional headers through the form fields, causing the message to be sent to other people. There are numerous additional fields that can be specified in the mail headers. For example, 'Cc' (Carbon Copy) sends a copy of the message to the email addresses given as arguments. Another option is 'Bcc' (Blind Carbon Copy), which sends a copy of the message just like 'Cc', except that the recipients' email addresses given as arguments are not shown in the headers seen by the other recipients.

How can you prevent contact forms from being abused?
You should filter user data using regular expressions or string functions.
See http://regexlib.com/default.aspx for regex patterns that you can use.
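As an added example (not code from the original article), here is how that filtering looks in a plain PHP mail() handler: the recipient stays hardcoded, and every user-supplied value that ends up in a header is rejected if it contains the line break an injected Cc or Bcc header would need. The recipient address and form field names are assumptions for illustration.

```php
<?php
// Added example, not from the original article: a contact-form handler that
// blocks mail header injection. Only the validated fields reach mail().

const CONTACT_RECIPIENT = 'webmaster@example.com'; // constructed placeholder
const SITE_SENDER       = 'contact-form@example.com'; // constructed placeholder

/**
 * Return the trimmed field if it is safe to place in a mail header, else null.
 * Injecting a new header (e.g. "Bcc: ...") requires a CR or LF to end the
 * current one, so rejecting both characters stops the attack in any header.
 */
function safe_header_value(string $value, int $maxLen = 200): ?string
{
    if (strlen($value) > $maxLen || preg_match('/[\r\n]/', $value)) {
        return null;
    }
    return trim($value);
}

/** Return the address if it is a single, well-formed email address, else null. */
function safe_email(string $value): ?string
{
    $clean = safe_header_value($value);
    if ($clean === null || filter_var($clean, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    return $clean;
}

$replyTo = safe_email($_POST['email'] ?? '');        // assumed form field name
$subject = safe_header_value($_POST['subject'] ?? ''); // assumed form field name
$body    = $_POST['message'] ?? '';                    // assumed form field name

if ($replyTo === null || $subject === null) {
    http_response_code(400);
    exit('Invalid form input.');
}

// The body may legitimately contain newlines; it is passed separately and is
// never concatenated into the header string.
$headers = 'From: ' . SITE_SENDER . "\r\n"
         . 'Reply-To: ' . $replyTo . "\r\n";

mail(CONTACT_RECIPIENT, $subject, $body, $headers);
```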

You can also use the Zend_Mail component as your mail sender class. It provides protection against this problem by default; no action is required from the programmer. You can view information about this class here: http://framework.zend.com/manual/en/zend.mail.html

For more detailed information regarding email injection, see:
http://www.securephpwiki.com/index.php/Email_Injection


