Are spammers abusing your contact form to send spam through e-mail header injection? Here is code to secure your e-mail form.
The Problem – E-mail injection:
Spammers, usually via bots, try to "inject" extra header lines into your form fields so that your web server is used as a spam relay. One solution is to scan the submitted values of your form fields for malicious content before sending the e-mail.
```php
<?php
// Form check: filters out spamming attempts (e-mail header injection).
$errormsg = '';
$emailstr = '';
$emailstr .= $formfield1;
$emailstr .= $formfield2;   // the original listing appended $formfield1 twice and never checked field 2
$emailstr .= $formfield3;

if ( stristr($emailstr, 'content-type:')
  || stristr($emailstr, 'multipart/mixed')
  || stristr($emailstr, 'boundary="')
  || stristr($emailstr, 'cc:')
  || stristr($emailstr, 'multi-part message in mime format')
  || stristr($emailstr, 'to:')
  || preg_match('/%[a-f0-9]/i', $emailstr)   // eregi() was removed in PHP 7; preg_match() does the same case-insensitive match
  || stristr($emailstr, '0x') ) {            // the last two are in case of hex or non-standard chars
    $errormsg .= " Ups - bad boy ";
}

// The original had strlen($errormsg > 1), which compares first and then measures a boolean,
// so the mail was always sent; the parenthesis belongs around $errormsg only.
if (strlen($errormsg) > 1) {
    // ... do not send ...
} else {
    // ... your normal e-mail handling ...
}
```
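Header injection only works if the attacker gets a line break (raw CR/LF or URL-encoded %0a/%0d) into a value that is copied into a mail header such as From:, Reply-To: or Subject:; a keyword blocklist like the one above catches many bots but also rejects ordinary messages that happen to contain "to:" or "0x". The following is an added example, not code from the original post: it rejects line breaks in every header-bound field, validates the reply address with filter_var(), and keeps the post's MIME keywords as a secondary check on the body. Field names and the sample submissions are constructed for the demonstration.

```php
<?php
// Added example (not from the original post): a stricter header-injection check.
declare(strict_types=1);

/**
 * Returns a list of problems found in the submitted form (empty list = safe to send).
 *
 * @param array<string,string> $headerFields values that end up in mail headers (constructed names)
 * @param string               $body         free-text message body
 * @return string[]
 */
function checkContactForm(array $headerFields, string $body): array
{
    $errors = [];

    foreach ($headerFields as $name => $value) {
        // A raw CR, LF or NUL, or an encoded line break, must never reach a header line.
        if (preg_match('/[\r\n\0]|%0[ad]/i', $value)) {
            $errors[] = "field '$name' contains a line break";
        }
    }

    // The address that becomes Reply-To: must be exactly one well-formed address.
    if (isset($headerFields['email'])
        && filter_var($headerFields['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = "field 'email' is not a valid e-mail address";
    }

    // Secondary check on the body: MIME/header keywords from the original post.
    // 'to:' is left out because it matches ordinary sentences far too often.
    $needles = ['content-type:', 'multipart/mixed', 'boundary="', 'cc:',
                'multi-part message in mime format'];
    foreach ($needles as $needle) {
        if (stripos($body, $needle) !== false) {
            $errors[] = "body contains suspicious keyword '$needle'";
            break;
        }
    }

    return $errors;
}

// Constructed sample submissions.
$legit = [
    'name'    => 'Jane Doe',
    'email'   => 'jane@example.com',
    'subject' => 'Question about your product',
];
$legitBody = 'Hello, I would like to know more. Thanks!';

$spam = [
    'name'    => 'Jane Doe',
    'email'   => "jane@example.com\r\nBcc: someone-else@example.com", // injected header line
    'subject' => 'hi',
];
$spamBody = 'Buy now';

// The legitimate form yields no errors; the injected one fails both the
// line-break check and the address check, so the mail is not sent.
var_dump(checkContactForm($legit, $legitBody));
var_dump(checkContactForm($spam, $spamBody));
```

When the list is empty, pass each validated field to mail() separately rather than concatenating user input into the additional-headers argument; the line-break check is what stops the injection, and the keyword list is only a second line of defence against bots that send whole MIME bodies.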