I set up a contact form on a client's website that collects info for a newsletter. The form data does not go into a database, it is just emailed to the client and they manually record the data in their own files(by request).

The contact form does auto-send a confirmation email to the new user.

They have received 5 emails from this form in the last couple days with fields filled in "ZOVYzQEhigusRhMytvp" or other random text etc. All information is run through RegExp for email address, phone numbers, etc. So they are taking the time to make sure that input is in the right "format".

Is this how a typical email injection attack looks?

What is your best method for guard against these attacks?

Should I just take off the auto respond confirm email part for safety?

More than likely in is some wienie posting with some super-duper spam machine that he bought with "master resale rights".

I just delete them if I get them. Usually I get a notice that a contact form was submitted and I never see the actual form (different script).

Not sure what

Quote:

Should I just take off the auto respond confirm email part for safety?

this means. If you are auto replying that their message was received, turn it off. If you mean the confirmation that it was sent with no identifying information, it does not matter.

That's kind of what I thought.

Yes, I typed that like an idiot now looking back at it "auto respond confirm email". Ha!

I meant that I had a typical "Thank you for signing up....blah, blah" email that was sent to the user after they submitted the form.

Is the only way you know if they are ever successful(in sending mass amounts of email) when you get cut off or a notice from your host? Or will the contact form come back to you with some "mime" or injection type data?

And, thank you very much - btw!

If the input data is properly sanitized the only person they can send to is the address in the config file or the script (the webmaster).

I have never experienced a problem. I have heard that poorly written scripts can be exploited though I can't tell you how.



As I said in my initial post, the script I use sends me a notice each time the form is used. The meassage is sent seperately from that. If I got a slew of notices and no mail, I would investigate. I doubt I get more than one notice with no meassage a week from multiple sites.

If they are trying some exploit, it must not be working to their satisfaction.