ID #314

My website forms are spamming me with '' or Form Email Injection Attack

Applies to: Grid System

Why is this happening:

This behavior is indicative of an attack by scripted 'robots' submitting your forms to discover vulnerabilities they can exploit to send out spam email. It works by assuming that a field (like "From:" or "Subject:") is passed unchecked to the mail system. The script is able to insert a BCC list and spam message into these unchecked fields.

More details on this crack outlined by the sites found below:
Email Injection

What can I do:

There are two problems caused by this attack.
A - The form submissions themselves. (Which e-mail you gibberish internally)
B - The hijacking of your form to send out spam emails.

The only 100% sure way to stop a robot script from submitting your form is to use CAPTCHA verification or something similar. This usually amounts to user recognition of a graphic that humans can discern easily but computers have great problems with.

Read more about the CAPTCHA project here:

A few scripts that may be easily implemented in your own system may be found below:

To secure your forms against this type of hijack you need to strip all carriage returns and linefeeds out of email fields before submitting them to the mail subsystem. The implementation will depend on what language you are using. Examples in PHP and PERL are listed below:


(for each field used in an email.)
$field = preg_replace( "/[\n\r]+/", " ", $field );


(for each field used in an email.)
$field =~ s/[\n\r]+/ /g;

Last update: 2010-10-05 15:54
Author: FAQ Admin
Revision: 1.3

Digg it! Share on Facebook Print this record Send FAQ to a friend Show this as PDF file
Please rate this FAQ:

Average rating: 5 (2 Votes)

completely useless 1 2 3 4 5 most valuable

You can comment this FAQ

Comment of Anonymous:
Instead of forms use this simple anti-spam javascript code (you can remove or change the subject= part of course):

function noSpam(user,domain) {
locationstring = "mailto:" + user + "@" + domain + "?subject=Website
window.location = locationstring;

Here is the mailto: hyperlink code:

Email Fred
Added at: 2006-07-28 21:32

Comment of Anonymous:
Another option that is easy to implement and easier on users than standard CAPCHA is

Added at: 2007-11-19 06:54