Are Your Contact Forms Sending Spam?
We’ve been tracking this for a while and it seems to be getting worse. Contact forms on your website that accept information without doing any checks for malicious data are an easy way for spammers to use your site for their work. If you are receiving email through your forms with addresses like someword@yourdomain.com, a spambot may be probing your domain for valid email addresses. These bots also tend to include an address like the ones below (or similar) as a way to let them know whether your form can be hijacked.
Here’s a list of the addresses we have seen:
This technique is called email header injection. In many programming languages, especially PHP, it is very easy to take the contents of a form submission and email them. If programmers don’t plan ahead, these scripts are easily hijacked by sending extra email header lines in one of the form fields. That extra header information can override your intended To:, From:, and Subject: fields, seizing control of your contact form’s email output.
To determine whether your form is being abused, look at the raw source of one of the bounced emails you are receiving. Search for a line that says Bcc: followed by an email address at AOL or at one of several domain names like ToughGuy.net, PunkAss.com, SexMagnet.com, or GameBox.net. If your email contains such a line, it is the product of one of these spam attempts, and the address after Bcc: will usually be one of the probe addresses the spammers use. This is the spambot’s attempt to send itself an email through your form and so confirm that the form can be exploited.
There are many potential solutions to injection attacks. Validating your form fields to verify that they contain only basic characters, no linefeeds, and no email headers like content-type:, mime-type:, bcc: or subject: is a great start. Some bots submit directly to your script page, bypassing your form entirely, so limiting your script to accept only submissions from your own website (referrer validation) also helps, bearing in mind that the referrer is supplied by the client and can be forged, so it is a nuisance filter rather than a guarantee.
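Both steps above, the field validation and the check of a bounced message's raw source, as an added example that is not code from the original post: it rejects form fields that carry a line break or an email header, and lists the addresses on Bcc: lines in the header block of a bounce. The field names, the header list and the sample data are assumptions made for this example.

```python
import re

# Header names the page warns about, plus other routing headers an injected
# line could set (assumption: this list is ours, not from the original page).
HEADER_NAMES = ("bcc", "cc", "to", "from", "reply-to", "subject",
                "content-type", "mime-type", "mime-version")
_WORDS = "|".join(re.escape(h) for h in HEADER_NAMES)
_HEADER_LINE_RE = re.compile(r"^\s*(" + _WORDS + r")\s*:", re.I | re.M)
_HEADER_ANY_RE = re.compile(r"\b(" + _WORDS + r")\s*:", re.I)
# Fields a typical script copies into To:/From:/Subject: headers (assumption).
HEADER_FIELDS = ("name", "email", "subject")

def has_line_break(value):
    """A raw CR/LF (or %0A/%0D if the value was never decoded) is what lets a field add a header."""
    return re.search(r"[\r\n]|%0[ad]", value, re.I) is not None

def field_problem(name, value):
    """Return why a field must be rejected, or None if it is acceptable."""
    if name in HEADER_FIELDS:
        if has_line_break(value):
            return "line break in header field"
        if _HEADER_ANY_RE.search(value):
            return "email header in header field"
    elif _HEADER_LINE_RE.search(value):
        # The message body may contain line breaks, but never a header line.
        return "email header line in message body"
    return None

def validate_submission(fields):
    """Map each rejected field name to its reason; an empty dict means clean."""
    return {n: r for n, v in fields.items() if (r := field_problem(n, v))}

def injected_bcc_addresses(raw_email):
    """Addresses on Bcc: lines in the header block of a bounced email's raw source."""
    header_block = re.split(r"\r?\n\r?\n", raw_email, maxsplit=1)[0]
    return re.findall(r"^Bcc:\s*(\S+@\S+)", header_block, re.I | re.M)

# Constructed sample submission: the email field smuggles an extra header line.
SAMPLE_FIELDS = {
    "name": "Jane Doe",
    "email": "jane@example.com\nBcc: probe@example.net",
    "subject": "Quote request",
    "message": "Hello,\nplease send me a quote.",
}
# Constructed raw source of the bounced message such a submission would produce.
SAMPLE_BOUNCE = ("From: webform@example.com\r\nTo: sales@example.com\r\n"
                 "Bcc: probe@example.net\r\nSubject: Website contact\r\n\r\n"
                 "Bcc: in-body@example.org is body text, not a header\r\n")
```

Only the fields that end up in mail headers are held to the strict no-line-break rule; the message body is allowed line breaks but not a line that reads as a header.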
Not only is it annoying for you to receive all this bounced mail in your Inbox, but if the bots are successful in spamming other websites or email addresses through your site, you could be held liable. If you are one of the many companies, small business website owners or hobbyists being hit with a deluge of contact form spam, contact us for a free consultation. We can rewrite your form scripts and protect your site.
