Unsalted (That's our clever name for our blog)
September 12: Contact form spam
A client of mine has recently been having problems with spam being sent to them through their site's contact form. This wasn't something I'd come across before, and there didn't seem to be much information about it on Google.
Ryan Duff suggested adapting Wordpress' spam plugins to help combat it on his site. I solved it by simply checking the referrer header on the target page. On my client's site, should a form submission arrive without the correct referrer, there is no indication that the form post hasn't worked; I thought that was probably best, as there is no need to help the spammers further by giving them any hints!
Has anyone else come across this? And how did you solve it?
Update
Thanks to the help of Justin I discovered this article which covers this subject in more depth. Luckily I believe all my scripts are safe as I'm using a third party component to send the email.
Comments
I've had two separate clients experiencing this like crazy for the last two weeks. The attacker is trying to take advantage of lazy field value checking, in that they are trying to slip a carriage return into the email field (which is in the email headers) and thereby can hack the entire email to their whim.
If you look closely at some of those junk emails your client is receiving, you will see a bcc field. Google on that email and you will find lots of info, like:
http://www.google.com/search?q=+jrubin3546%40aol.com
As of yesterday, I modified all my clients' contact forms to remove any carriage return/line-feed characters. I'm still seeing lots of spam, but I'm hoping it will stop soon. This stuff really pisses me off because the idiot that is doing this (or idiots) probably thinks they're doing the world good by showing people their contact forms are vulnerable to attacks.
Justin P.
September 12, 2005 5:47 PM
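The injection Justin describes, shown as an added example (not code from the post or its commenters): the submitted "from" value is constructed here to carry a CR/LF and an extra Bcc: header, and the hardened builder rejects any control character before the address is validated.

```php
<?php
// Added example: how a CR/LF in a submitted e-mail field lands in the mail
// headers, and a check that refuses such values instead of mailing them.

// Constructed attacker input: an address followed by an injected Bcc: header.
$submitted_from = "alice@example.com\r\nBcc: victim1@example.org, victim2@example.org";

// Vulnerable pattern: the field is concatenated straight into the headers,
// so the injected line becomes a second header the mailer will honour.
function build_headers_unsafe(string $from): string
{
    return "From: $from\r\nReply-To: $from\r\n";
}

// Hardened: reject any control character (CR, LF, NUL, ...) outright, then
// require the remainder to be a syntactically valid address.
function clean_address(string $value): ?string
{
    if (preg_match('/[\x00-\x1F\x7F]/', $value)) {
        return null;                         // header injection attempt
    }
    $valid = filter_var($value, FILTER_VALIDATE_EMAIL);
    return $valid === false ? null : $valid;
}

// Returns null when the address is unusable; the caller should report an
// error to the visitor rather than call mail() at all.
function build_headers_safe(string $from): ?string
{
    $from = clean_address($from);
    if ($from === null) {
        return null;
    }
    return "From: $from\r\nReply-To: $from\r\n";
}

echo "Unsafe headers:\n" . build_headers_unsafe($submitted_from) . "\n";
var_dump(build_headers_safe($submitted_from));        // NULL: rejected
var_dump(build_headers_safe("alice@example.com"));    // string: clean From:/Reply-To:
```

Apply the same check to every submitted value that reaches a header, including the subject and any recipient field, since each of them is an equally good place to smuggle a newline.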
Yes, it looks like most contact form spam is being done by injecting newlines on key email fields.
So it may help you and others if you put this PHP code on the script that processes submitted contact forms:
// NB: You should check $_GET if your contact form
// uses the GET method. Also, you should use the
// actual field names in the test below.
if ( ereg("[\n\r]", $_POST['to']
               . $_POST['from']
               . $_POST['subject']) )
{
    sleep(rand(2, 5)); // delay spammers a bit
    header("Location: http://127.0.0.1/"); // send them off to themselves
    print "Mail sent successfully... :-)";
    exit(1);
}
This code will not only protect you from form spam, but it will also delay spammers trying to use this trick. If everyone delays the spammers, they'll have a hard time trying to send out their crap.
p.s.: Adapting the code above for other languages is left as an exercise.
WMECO
November 15, 2005 4:50 AM
I've never really had a problem with spam, though I've always had some form of protection. I think these solutions, especially when combined, work wonders:
1.) Always use regular expressions to validate content. Simple ereg() checks in PHP take an extra 2 minutes to code and save you a bundle of time in the future. Always make sure you don't allow things other than harmless letters, numbers, and punctuation.
2.) Validate the user's email address by sending them an email with a link to a script that will send an email already in a database. All your contact form should do then is generate a random id, and insert it into the database before sending the "from" email address a link with this random id.
3.) For websites that get targeted especially by hackers flooding the script accepting data, this one will have them stumped: When a user visits your contact form, have it submit a unique hash of their IP to a database. When they submit the form, your receiving script should look for this hash in the database. If it isn't found, simply spit out a message saying that you don't appreciate hackers. If it is found, then go ahead with checking the data sent to you.
4.) Using a visual verification is always a good way to deter would-be or wanna-be hackers. While most people think it's impossible for a machine to read these images, they fail to realize there is software out there that can turn my sloppy handwriting into nice neat text. These programs can be run from a batch and given the image sent to the browser to turn into text. Bottom line, an advanced hacker could easily bypass this security.
As with any website, you would need to evaluate your needs for these security measures. Obviously implementing all of these for a personal website visited by 100-200 visitors monthly is a bit overkill.
In response to WMECO, who posted above: The usage of sleep() is not recommended for this purpose. By using such a function you really put yourself at risk of a DDoS attack because each connection is going to last a minimum of 2 seconds. A single user on a 56k modem could open up enough concurrent connections to the server to flood it. Also, by sending a Location header, you redirect the user and your "Mail sent successfully" message is never actually executed or sent to the user for that matter. By perhaps checking for valid characters and notifying the user of an error when one occurs you can keep from pissing off a lot of people.
Corey Ward
February 27, 2006 9:04 PM
I have many enquiry forms that submit to many customers. These form mails are just basic enquiry forms where the visitor can contact the customer directly.
I'm fine about the e-mail address being hidden; the problem I have is that idiots in America and Russia are filling out the forms with websites that are either porn or other rubbish.
How can I stop these idiots from submitting the forms with their rubbish?
Frankie
June 26, 2006 10:07 PM
I'm getting this sort of spam through one of our online forms. Surprisingly it is only on one of our forms; we have another form that has received no spam. With our form we ask for the applicant's country, and all of the spam has been marked as coming from Mexico. I don't know if this piece of intelligence is useful. Started late October 2006.
paul
January 9, 2007 1:51 AM
I just had an issue with a spammer trying to do the same; unfortunately for him the form only sends to one person, and on top of that I added a field checker in the ASP coding instead of using JavaScript. That stopped him for a day or two.
He figured out what I had done, then changed his script to submit the correct forms, so I then implemented a script that encrypts the date, IP address and a random character string, puts it in a session and expires the session in 10 minutes. So if the page isn't loaded each time he comes, it will error.
The next step will be to use the little image checker that everyone else seems to be using. This is so stupid..
Deep
March 17, 2007 10:38 PM
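A variant of the approach Deep describes above (and of Corey Ward's point 3), written as an added example rather than code from either commenter: a time-limited token issued when the form page is rendered and checked when the form is submitted. Instead of a session, the token is an HMAC over (issue time, client IP, random nonce) under a server secret; $SECRET and the IP addresses are placeholders.

```php
<?php
// Added example: a stateless, time-limited form token. A script that posts
// straight to the handler without first loading the form, or that replays
// an old token, fails the check before any other field is looked at.

const TOKEN_TTL = 600;   // ten minutes, as in Deep's comment
$SECRET = 'replace-with-a-long-random-server-secret';   // placeholder

// Called when rendering the form; the result goes into a hidden field.
function issue_token(string $secret, string $client_ip, int $now): string
{
    $nonce = bin2hex(random_bytes(8));
    $body  = "$now|$client_ip|$nonce";
    $mac   = hash_hmac('sha256', $body, $secret);
    return base64_encode("$body|$mac");
}

// Called by the handler. True only if the MAC verifies, the IP matches and
// the token was issued within TOKEN_TTL seconds.
function verify_token(string $token, string $secret, string $client_ip, int $now): bool
{
    $decoded = base64_decode($token, true);
    if ($decoded === false) {
        return false;
    }
    $parts = explode('|', $decoded);
    if (count($parts) !== 4) {
        return false;
    }
    [$issued, $ip, $nonce, $mac] = $parts;
    $expected = hash_hmac('sha256', "$issued|$ip|$nonce", $secret);
    if (!hash_equals($expected, $mac)) {
        return false;                       // forged or tampered token
    }
    if ($ip !== $client_ip) {
        return false;                       // issued to a different client
    }
    $age = $now - (int) $issued;
    return $age >= 0 && $age <= TOKEN_TTL;  // stale tokens are rejected
}

// Demo with constructed addresses and times.
$t = issue_token($SECRET, '203.0.113.5', time());
var_dump(verify_token($t, $SECRET, '203.0.113.5', time()));         // true
var_dump(verify_token($t, $SECRET, '203.0.113.5', time() + 601));   // false: expired
var_dump(verify_token($t, $SECRET, '198.51.100.9', time()));        // false: other IP
```

Binding the token to the IP will reject legitimate visitors whose address changes between page load and submission (mobile networks, proxy pools), so drop the IP from the body if that matters; recording used nonces server-side closes the remaining replay window.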