Email Contact Form Spamming

Mon, Feb 13, 2006

Server, Web

My company has been experiencing a large amount of email contact form spam recently, which is the second wave of attacks. The first wave was sometime in mid-2005.

What these hackers are doing is simply adding some email headers in the email form, like:

Content-Type: multipart/mixed;
MIME-Version: 1.0
From: random@whateverdomain.com
bcc: spammed@email1.com, spammed@email2.com, spammed@email3.com

They can try to add this in the From field or at the beginning of a message, assuming your contact form has no To or Subject field, since the contact form should probably go only to one place with a fixed subject. With this code, the spammer is trying to inject some email headers so that the server will process them and send out copies of the email to other people.

What is the bad part of this:

  • Since the emails are sent by a machine, many can be sent in a few seconds. Your mailbox can be filled with thousands of emails in just a few minutes.
  • For every email you receive, this can be multiplied by a factor of 2 or higher for the other email addresses that received the same email, depending on how many addresses they placed in the bcc list.
  • The recipients of the email see you as the source of the email. This gives you a bad reputation as a spammer.
  • Slows down the server with a large mail queue.
  • Several people can mark you as spam and have you listed in anti-spam companies' banned IP address lists.

[Images: Email Contact Form; Email Contact Form Spam]

Clearer images can be found on the news page of YDS Web Solution.

Avoiding it can be done by:

  • Do not make the From field of the email the actual email address submitted by the sender. Just use something like mywebsite@mydomain.com and place the submitted email in the content of the message, so email headers cannot be added there.
  • Place a few lines at the beginning of the message content before sending.
  • Do not allow emails to be sent when the words content-type, mime-version and bcc are found.
  • Add some kind of captcha. Try adding a comment to this post to see captcha in action, or read this post: http://blog.actiononline.biz/2006/02/03/avoiding-comment-spam-on-wordpress/
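Here is one way to implement the first three points as a form handler would (an added example, not code from this post; the fixed sender mywebsite@mydomain.com comes from the post, while the destination mailbox and subject are assumed). It only flags header names when they appear at the start of a line followed by a colon, which is a little tighter than the post's plain word match so that a sentence mentioning "bcc" in passing is not rejected.

```python
import re
from email.message import EmailMessage

# Fixed sender, as the post recommends: the submitted address never goes in From.
SITE_FROM = "mywebsite@mydomain.com"   # address used in the post
SITE_TO = "contact@mydomain.com"       # assumed destination mailbox
SITE_SUBJECT = "Website contact form"  # assumed fixed subject

# Header names the post lists (content-type, mime-version, bcc) plus the other
# recipient headers an injected block would need. A match requires the name at
# the start of the value or right after a CR/LF, followed by a colon.
BLOCKED_HEADERS = re.compile(
    r"(?:^|[\r\n])[ \t]*(content-type|mime-version|bcc|cc|to|from)[ \t]*:",
    re.IGNORECASE,
)


def looks_injected(value: str) -> bool:
    """True if the submitted value contains a line that looks like a mail header."""
    return bool(BLOCKED_HEADERS.search(value))


def build_contact_message(name: str, sender_email: str, body: str) -> EmailMessage:
    """Build the outgoing message so that user input never reaches a header.

    Single-line fields are rejected if they contain any CR/LF at all; header-like
    lines anywhere in the input are refused; the submitted address is written
    into the body after a short fixed preamble, as the post suggests.
    """
    for field in (name, sender_email):
        if "\r" in field or "\n" in field:
            raise ValueError("line break in single-line field")
    if any(looks_injected(v) for v in (name, sender_email, body)):
        raise ValueError("header injection attempt detected")

    msg = EmailMessage()
    msg["From"] = SITE_FROM
    msg["To"] = SITE_TO
    msg["Subject"] = SITE_SUBJECT
    msg.set_content(
        "Message submitted via the website contact form.\n"
        "Reply to the address given below, not to the sender of this mail.\n\n"
        f"Name: {name}\nEmail: {sender_email}\n\n{body}"
    )
    return msg
```

Sending is left to the caller (for example smtplib.SMTP.send_message), so the check sits in front of whatever mailer the site already uses.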

Good luck to other people that get attacked.

Related Links:
Preventing Comment Spam on MikeLopez.info

This post was written by:

Benj Arriola - who has written 139 posts on action online.

Started a career as a chemist. Worked in the industry and academe and pursued a master's degree in chemistry. Then one day, here I go, start a computer shop, then web company in 1999, won a few awards and just started a web career working on websites of various companies and making sure the websites work for them.


1 Comment For This Post

  1. Preventing Contact Form Spamming Says:

    Related link - http://www.mikelopez.info/2006/02/13/preventing-contact-form-spamming/
