Knowledge base
Preventing a contact form (formmail.pl or other) from being exploited to send spam
Actions to be carried out
In any case, we also act downstream on our side: carriage returns found in the headers passed to the PHP mail() function are filtered. However, you must:
- protect your mail-sending scripts with a CAPTCHA, or restrict the recipients explicitly (hard-code them in the script rather than taking them from the form).
- when sending an email with the PHP mail() function, validate every argument before using it: values received from a form must be checked before they reach mail().
- strip any carriage return (\r) or line feed (\n) from every field that is supposed to contain an email address (this field is often called $email, $sender or $from):
$EMAIL = str_replace("\n", "", str_replace("\r", "", $EMAIL));
More information
Spammers exploit scripts such as this one when the marked line is missing. Without it, a form field containing "\r\nBcc: ..." is copied straight into the mail headers and the form sends mail to arbitrary addresses:
<?php
$MESSAGE   = $_POST['msg'];
$RECIPIENT = "webmaster@votredomaine.com";   // fixed recipient, not taken from the form
$SUBJECT   = "Contact form";
$EMAIL     = $_POST['email'];                // attacker-controlled value
// Without this line your script is exploitable!!!!
// It removes CR and LF so that $EMAIL cannot inject additional header lines.
$EMAIL = str_replace("\n", "", str_replace("\r", "", $EMAIL));
mail($RECIPIENT, $SUBJECT, $MESSAGE, "From: $EMAIL");
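The following is an added example written for this FAQ, not code from the original page or from the hosting provider: it puts the three recommendations above (fixed recipient, validation before mail(), no CR/LF in address fields) into one hardened version of the contact form and shows, with a constructed attacker payload, what the naive script would have passed to mail(). The function names clean_email() and build_contact_mail(), the From address contact@votredomaine.com and the sample form submissions are this example's own assumptions; the CAPTCHA step is not shown.

```php
<?php
// Added example (not the FAQ's or the provider's code): the contact form, hardened.
// clean_email(), build_contact_mail() and the addresses below are this example's
// own choices. All inputs are constructed; no mail is actually sent here.

// Constructed attacker payload: the form's "email" field carries CR/LF followed
// by an extra header line. In the naive script, "From: $EMAIL" then becomes two
// headers, and the Bcc line turns the contact form into a spam relay.
$injected = "visitor@example.com\r\nBcc: target1@example.net, target2@example.net";

/**
 * Validate a single e-mail address taken from a form.
 * Returns the trimmed address, or null if it contains CR/LF or is not a
 * syntactically valid single address.
 */
function clean_email(string $value): ?string
{
    if (preg_match('/[\r\n]/', $value) === 1) {
        return null;                          // header injection attempt
    }
    $value = trim($value);
    if (filter_var($value, FILTER_VALIDATE_EMAIL) === false) {
        return null;                          // not one valid address
    }
    return $value;
}

/**
 * Build the arguments for mail() from a submitted form.
 * - Recipient and subject are fixed in the script (explicit restriction of
 *   recipients); they are never taken from the form.
 * - The only form value placed in a header is the validated visitor address,
 *   and it goes into Reply-To; From is an address in your own domain.
 * - The message body may contain CR/LF: it is not a header, so that is harmless.
 * Returns [$to, $subject, $message, $headers], or null if the form is rejected.
 */
function build_contact_mail(array $post): ?array
{
    $recipient = 'webmaster@votredomaine.com';
    $subject   = 'Contact form';

    $email = clean_email($post['email'] ?? '');
    if ($email === null) {
        return null;
    }
    $message = (string) ($post['msg'] ?? '');

    $headers = "From: contact@votredomaine.com\r\n"
             . "Reply-To: $email\r\n";

    return [$recipient, $subject, $message, $headers];
}

// Demonstration with two constructed form submissions.
$legit = ['email' => 'visitor@example.com', 'msg' => "Hello,\r\nI have a question."];
$spam  = ['email' => $injected,             'msg' => 'Buy now'];

foreach (['legit' => $legit, 'spam' => $spam] as $label => $form) {
    $args = build_contact_mail($form);
    if ($args === null) {
        echo "$label: rejected, mail() is not called\n";
    } else {
        // In production you would now call: mail(...$args);
        echo "$label: accepted, headers = " . json_encode($args[3]) . "\n";
    }
}
```

Two design choices worth noting: the visitor's address is placed in Reply-To rather than From, so the message is sent from an address in your own domain (which avoids being rejected by the visitor's domain's sender policy), and the rejection happens before mail() is reached, so a failed check never produces a half-sanitised message.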