Hack Attempt

Spotted an interesting hack attempt on a couple of my sites today.

It seems that someone is testing contact forms to see if they can add to the headers the forms use, so that the form contents are BCC'd to additional addresses. Presumably they then use the forms to relay truckloads of spam to unsuspecting net users.

The forms are all sent from random addresses at the same domain as the form is hosted on. For example, www.sitons.com has been targeted and I have been getting mails from nzk@, hvfdd@ and similar random addresses. The content is just gibberish, but looking at the headers they are trying to BCC the form to some other addresses, primarily jrubin3546@aol.com.

I don’t think that any of the forms that I have seen targeted have been breached, but it would appear to be a fairly easy attack to prevent. Simply stripping line breaks and carriage returns from any form fields used in the headers would appear to be enough. For example (if you use a field called email):

$email = str_replace("\r","",str_replace("\n","",$_POST["email"]));

In case this isn’t enough I have added a log to the targeted forms so that IPs and message details are being stored in a flat text file. This should enable me to see if the forms have been breached and are being used for nefarious purposes.
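As an added example (not the code running on the sites described in this post), the two measures above can be combined: reject any header-bound field that contains a line break instead of silently stripping it, and write the rejected submission to a flat text log. The function names, log path and sample submissions are assumptions made up for illustration.

```php
<?php
// Added example: helper names are hypothetical, sample input is constructed.

// True if a value bound for a mail header contains CR or LF, the
// characters that let a submitted field start a new header line.
function has_header_break(string $value): bool
{
    return preg_match('/[\r\n]/', $value) === 1;
}

// Returns a validated address for use in a header, or null to reject.
function safe_header_email(string $raw): ?string
{
    if (has_header_break($raw)) {
        return null;
    }
    $email = filter_var(trim($raw), FILTER_VALIDATE_EMAIL);
    return $email === false ? null : $email;
}

// Appends one line per rejected submission to a flat text log.
function log_rejected(string $logFile, string $ip, string $field, string $raw): void
{
    // Escape control characters so a multi-line payload stays on one log line.
    $line = sprintf("%s\t%s\t%s\t%s\n", date('c'), $ip, $field, addcslashes($raw, "\0..\37\177"));
    file_put_contents($logFile, $line, FILE_APPEND | LOCK_EX);
}

// Constructed submissions: one ordinary, one carrying an extra header line.
$samples = [
    'visitor@example.com',
    "nzk@example.com\r\nBcc: third-party@example.net",
];
$log = sys_get_temp_dir() . '/contact-form-rejects.log'; // assumed location
foreach ($samples as $raw) {
    $email = safe_header_email($raw);
    if ($email === null) {
        // 0.0.0.0 is a placeholder for command-line runs with no client address.
        log_rejected($log, $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0', 'email', $raw);
        echo "rejected\n";
        continue;
    }
    echo "accepted: $email\n";
}
```

The same `has_header_break` check applies to any other submitted value placed in a header, such as a name or subject, where address validation does not.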
