Webmail Hack Attempt


Last night someone tried to send mail from my contact form. I received several emails with a spoofed address at my domain. I checked the access log and someone had sent it from the contact page. I use a static index.html page with an HTML form using . The $mailto = ‘email@mydomain.com’ ; is in the PHP file (not in the index.html page). They sent out several emails, one with a bcc to someone at aol.com (no surprise there) all with a spoofed email address @mydomain.com.

I have taken down the form but wonder if someone would please fill me in how this person was able to do this. When I try to send from the command line nothing happens and it automatically reloads the contact/index.html page. What can I do to prevent someone from doing this? Obviously, I’m a bit upset since I thought PHP was the way to go with forms these days.



Someone else might be more knowledgeable then myself, but were the mails all sent to the address you have specified in the $mailto = ‘email@mydomain.com’ line?

Usually you can limit the form to one of more recipients to avoid having an open relay, but mail will always go through to those allowed recipients.

You’re not using an old script, (i.e. vulnerable version of Matt’s FormMail script, (but this is perl)) or something are you? http://www.linuxexposed.com/Articles/Hacking/The-FormMail-Hack-Explained-2.html

edit: have you read: http://formmail.dreamhost.com/?

edit2 VV: I don’t know, but will be interested to see if someone does. good luck


Hi hcbb,

No, the emails came to the spoofed email names at my domain.

No, I’m using a PHP file to avoid problems like those found with Matt’s FormMail because I thought PHP was more secure. Hopefully, someone here on the forum can enlighten me as to how this person did this and/or how to prevent this.

Yes, but I was under the impression that PHP forms were more secure.




Having not seen your access logs, and without any further information regarding the nature or content of the emails sent to the spoofed addresses at your domain, I may be way off base here but it seems to my that what you are describing is a lot like the recent rash of virus emails generated from zombie machine that happen to have an email address with your domain as part of it in their address book.

I notice that you said someone tried to send email from the form. Could it be that that attempt is coincidental to your receipt of zombie generated “blanket spam”?

Are you absolutely sure that the emails sent to ramdom addresses at your domain were generated from your form?

Please understand I am not intending to question your expertise in this area. It just sounds sooo much like “blanket” spam.



Hi rlparker,

At exactly the same time as I received the emails (I was working so I knew when the mail had arrived) the log file showed an IP address had appeared on the site, immediately went to the contact page in the contact directory, accessed the form and/or script several times - not sure in what way - following that went to the links page and disappeared. I received no other email from the site except from this person so that coupled with the time it happened, matching the time in the logs, it has to be that person. I do think they sent a virus because when I log into squirrel and look at that email there is an attachment. Any email sent from the site is forwarded to my personal email plus there’s the copy in the squirrel account as well. My host for my personal email (not DH) has virus protection on the server so the attachment was never sent to my personal address. Anyway, I hope that clarifies things. Thanks for your response.

I’m still looking forward to hearing from someone about how a person can do this with a PHP form. Curiousor and curiousor…



That’s a bad assumption. The use of PHP (or any other langauge) does not in itself make for a secure script. The major thing is what the script does with the input that it is given. Creating e-mail messages is one of those things that is very easy to do it the “wrong way” if you haven’t done your research.

The headers of an e-mail message control how the message is processed. So one must be very careful and “scrub” all input from untrusted sources before placing any part of it in a message header. This means removing unsafe characters such as low ASCII as well as altering the input if it would otherwise interfere with the format of a message header.

The problem with the Matt’s Formmail scripts is not that they were written in Perl - but that they were written by someone who did not have the knowledge and experience to do it right the first time… or second time…

:cool: Perl / MySQL / HTML+CSS


Thanks, Atropos7. The feedback script that I’m using is from thesitewizard.com. I am not sure what you mean by scrubbing input and removing unsafe characters. How can I check this in the script I’m using? I am quite new to PHP and any help would be most appreciated.



It’s pretty simple.

Your script is converted data from one format to another. The input looks like this:

name=John Doe&email=nobody@example.com&subject=hello thereThe output is supposed to look like this:

From: "John Doe" <nobody@example.com>^CR^LF Subject: hello there^CR^LFNow guess what happens if someone starts putting quotes, angle brackets, and ^CR and ^LF in their name and email address and subject? Yup, the output is screwed up. And if they do it just right, this screwed up output results in your script sending out messages that you never intended it to send, such as spam.

E-mail messages have a certain format to follow and you need to read its specification carefully as well as read up on known exploits.

Here is a detailed summary of the problems with the old formmail script from Matt’s archive:

:cool: Perl / MySQL / HTML+CSS