
Preventing hackers sending spam using my domain


I have been notified that hackers are sending spam using the PHP mail() function on my domain. expiry.com administrators tell me: "Your scripts should not be able to send unsolicited emails from third persons. For example, one of the SPAM emails is sent by your feedback form."

Any suggestions how to prevent my scripts from sending spam?

You should check whether the form fields used to input feedback data are well escaped. For example, one can "inject" additional fields (e.g. CC:, BCC:) in your "From:" field. Also, if you are acquiring the email "To:" field from a form, it can easily be used to send SPAM.

It is best to filter all user data you include in your message using regular expressions.
Follow the instructions on the following link and note that all of the fields you include in your mail function are vulnerable.
Email Injection
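As an added example (not code from the original answer or from the hosting provider), here is a minimal feedback-form handler that applies the advice above: the destination address is fixed in the script, user input is never placed in a header unless it has been validated as a single address with no CR/LF characters, and the user's address is carried only in Reply-To. It assumes PHP 8 (for the union return type), form fields named name, email and message, and placeholder addresses on example.com.

```php
<?php
// Added example, not the original poster's code. Assumed form fields:
// name, email, message. Destination and From: addresses are placeholders.
declare(strict_types=1);

const FEEDBACK_TO   = 'feedback@example.com';  // fixed server-side, never from the form
const FEEDBACK_FROM = 'Feedback Form <noreply@example.com>';

/**
 * Reject any value containing CR, LF or a NUL byte. A line break inside a
 * header value is exactly what lets an extra Cc:/Bcc: line be appended.
 */
function isHeaderSafe(string $value): bool
{
    return preg_match('/[\r\n\0]/', $value) !== 1;
}

/**
 * Accept exactly one syntactically valid address, or null.
 * Display-name forms such as "Bob <bob@x>" are rejected by FILTER_VALIDATE_EMAIL.
 */
function validSenderAddress(string $value): ?string
{
    $value = trim($value);
    if (!isHeaderSafe($value) || strlen($value) > 254) {
        return null;
    }
    $filtered = filter_var($value, FILTER_VALIDATE_EMAIL);
    return $filtered === false ? null : $filtered;
}

/**
 * Validate the submitted fields and assemble the mail() arguments.
 * Returns [to, subject, body, headers] on success, or an error string.
 */
function buildFeedbackMail(array $post): array|string
{
    $name    = trim((string)($post['name'] ?? ''));
    $email   = validSenderAddress((string)($post['email'] ?? ''));
    $message = (string)($post['message'] ?? '');

    if ($email === null) {
        return 'Invalid sender address.';
    }
    // The name only goes into the body, but control characters are rejected anyway.
    if ($name === '' || !isHeaderSafe($name) || strlen($name) > 100) {
        return 'Invalid name.';
    }
    if (trim($message) === '' || strlen($message) > 5000) {
        return 'Message missing or too long.';
    }

    // Subject is fixed text. From: stays on our own domain so SPF/DKIM still
    // align; the visitor's (validated) address is only ever a Reply-To.
    $headers = [
        'From: ' . FEEDBACK_FROM,
        'Reply-To: ' . $email,
        'Content-Type: text/plain; charset=UTF-8',
    ];
    $body = "Name: {$name}\nEmail: {$email}\n\n" . $message;

    return [FEEDBACK_TO, 'Website feedback', $body, implode("\r\n", $headers)];
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $result = buildFeedbackMail($_POST);
    if (is_string($result)) {
        http_response_code(400);
        echo htmlspecialchars($result, ENT_QUOTES, 'UTF-8');
    } else {
        [$to, $subject, $body, $headers] = $result;
        mail($to, $subject, $body, $headers);
        echo 'Thanks, your feedback was sent.';
    }
}
```

The important design choice is that no form value is ever used as the To: address or as a raw header line: the only header built from user input is Reply-To, and only after the value has passed both the CR/LF check and filter_var(). A submission such as `victim@example.net%0ABcc:list@example.org` therefore fails validation and is never handed to mail().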

The forms that you can install from Installatron aren't secure enough to keep these dudes out. The only real way that is safe without a lot of custom coding is to remove all forms and simply create hyperlinks that will launch their favorite email program and pre-fill the fields.
Links like mailto:[email protected] work very well.
You can also stuff the subject and the initial content into the URL as well. Copy this HTML into your contact page and remove the x from the xhref to make it work. I added the x to allow you to see the code without it actually working in this example page.
<a xhref="mailto: [email protected] ?subject=replace this subject text with your own&body=this is the body text to pre-stuff the email body area with some statement">
this is the text your site visitors see - replace this text with whatever you want it to say</a>

Some examples of how to do this even better with SPAM blockers are as follows:
