Countering form spam bot attacks

Spammers, the dregs of the internet, are now using automated bots to explore form security.

The bot completes the form to test whether it can be used as a spam relay, attempting to inject extra mail headers; if the injection succeeds, the resulting message reaches the bot owner and confirms the form as a relay.

To counter this, the mailto, from and subject fields can be checked server side (as all user input should be).

e.g.

mailto (this field is expected to be empty, so any value means the form was filled in by a bot):

$to = $mailTo;   // $mailTo holds the submitted mailto field
if ($to !== "")
{
    die("Getawoollyoneupyah, spammer!");
}

from and subject fields (reject carriage returns, line feeds and address separators, which are exactly what an injected header needs):

if (preg_match('/[\r\n,;\'"]/', $_POST['Email']) || preg_match('/[\r\n,;\'"]/', $mailSubject))
{
    die("Go away, spammer!");
}

Then, to stop the bot filling in the form at all, a field such as the contact name can be checked, because the bot puts an email address into every field and a name should never contain one.

// eregi() was removed in PHP 7; preg_match() with the /i flag is the case-insensitive equivalent
if (preg_match('/[^-a-z ]/i', $_POST['Name']))   // anything other than letters, spaces and hyphens
{
    echo "Characters in name field are invalid.";
    $_POST['Name'] = "";
}
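Putting the three checks together in one handler, as an added example that is not the original post's code: the recipient is fixed server side, user-supplied values are rejected before they reach mail(), and the field names (mailto, Name, Email, Subject, Message) are assumptions.

```php
<?php
// Added example (not the original post's code): a contact-form handler that runs
// the post's three checks before anything is handed to mail(). The field names
// (mailto, Name, Email, Subject, Message) are assumed.
const CONTACT_RECIPIENT = 'webmaster@example.invalid'; // fixed server side, never taken from the form

// True when a value could start a new header line or smuggle extra addresses.
function hasHeaderInjection(string $value): bool
{
    return preg_match('/[\r\n,;\'"]/', $value) === 1;
}

// Returns null when the submission is clean, otherwise the reason it was rejected.
function validateContactForm(array $post): ?string
{
    // Honeypot: a visitor never sees the "mailto" field, so any value means a bot.
    if (($post['mailto'] ?? '') !== '') {
        return 'honeypot field filled';
    }
    $email   = $post['Email'] ?? '';
    $subject = $post['Subject'] ?? '';
    $name    = $post['Name'] ?? '';

    if (hasHeaderInjection($email) || hasHeaderInjection($subject)) {
        return 'header injection attempt';
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return 'invalid email address';
    }
    // Bots put an email address in every field; "@" and "." never pass this.
    if ($name === '' || preg_match('/[^-a-z ]/i', $name)) {
        return 'invalid characters in name';
    }
    return null;
}

// Constructed submissions: one genuine, one with an extra header injected into the subject.
$clean  = ['mailto' => '', 'Name' => 'Mary Ann', 'Email' => 'mary@example.org',
           'Subject' => 'Hello', 'Message' => 'Hi there'];
$attack = $clean;
$attack['Subject'] = "Hello\r\nBcc: someone@example.net";

foreach (['clean' => $clean, 'attack' => $attack] as $label => $post) {
    $problem = validateContactForm($post);
    echo $label, ': ', $problem ?? 'accepted', PHP_EOL;
    if ($problem === null) {
        $headers = 'From: ' . $post['Name'] . ' <' . $post['Email'] . '>';
        // mail(CONTACT_RECIPIENT, $post['Subject'], $post['Message'], $headers);
    }
}
```

The mail() call is left commented out so the script can be run as a dry test of the validation alone.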

More information about the relevant email injection exploit can be found here:

http://computerbookshelf.com/email_injection/
http://securephp.damonkohler.com/index.php/Email_Injection

A form-testing script, together with an explanation covering ASP scripts, is linked here:

http://www.twologs.com/en/services/test/spamrelay.asp

and a script to ban known spam bots here:

http://www.foto50.com/spammercheck.phps