Knowledge base

Spammers easily spot pages containing a contact form (contact or feedback for example) that sends an email. They then look for the presence of a flaw: many contact forms do not check the presence of a carriage return in certain fields, in particular in that of the sender's email address to be completed in the forms.

Actions to be carried out

Whatever happens, we act down the line: we filter the carriage returns located in the headers using the PHP mail() function. However you must:

• protect your mail sending scripts with a CAPTCHA system or by inserting an explicit restriction of recipients.
• when sending an email via the PHP mail() command, make sure that the arguments provided have been confirmed prior to their use. The values received from a form must be checked before they are used by the mail() function.
• replace potential carriage returns in each one of the fields that should normally contain an email address (this field is often called $email, $sender or $from):

$EMAIL = str_replace("\n", "", str_replace("\r", "", $EMAIL));

More information

Spammers exploit scripts such as this:

$MESSAGE = $_POST[msg];
$RECIPIENT = "webmaster@votredomaine.com";
$SUBJECT = "Formulaire de contact";
$EMAIL = $_POST[email];

// Sans cette ligne votre script est exploitable !!!!
$EMAIL = str_replace("\n", "", str_replace("\r", "", $EMAIL));

mail($RECIPIENT, $SUBJECT, $MESSAGE, "From: $EMAIL");