I have a CentOS virtual dedicated server with half a dozen websites, only one of which has had an email form so visitors can send me email. I thought I did what was needed to keep bots from exploiting the form. Among other things, this (PHP) email form would exit if any newlines or carriage returns were found in the POST widget for the From address.
But I recently started to get email like the following, which is a strange mixture of valid ASCII and gibberish:
mailTo: plkQrWAQiNJ
anXfY0 <a href="http://kehxmcnnvkra.com/">kehxmcnnvkra</a>,
cqggnpeutoir,
[link=http://ltrggpuqdlks.com/]ltrggpuqdlks[/link],
http://upjonkwnbyqs.com/
I replaced the form with code that simply displays a JPEG image of my email address, and the gibberish email stopped. So the above seems to be the result of hacker attempts to exploit my form. Did they succeed? Why does the above email-header-like text include gibberish and well-formatted ASCII?
What follows was my meagre attempt at a secure email form:
<?php // ...... (rest of the file elided in the original post)
session_start(); // required before $_SESSION['spam'] can be read

function exitOnSuspicious() {
    $flag = 0;
    if (strlen($_POST['message']) > 1024)
        exit;
    if ($_SESSION['spam'] != 'didUseForm')
        exit;
    // "\n" and "\r" must be double-quoted: single-quoted '\n' is the two
    // characters backslash and n, so the original test never matched a real line break.
    if (strlen($_POST['toName']) > 32 || strstr($_POST['toName'], "\n") || strstr($_POST['toName'], "\r"))
        exit;
    if (strlen($_POST['fromname']) > 32 || strstr($_POST['fromname'], "\n") || strstr($_POST['fromname'], "\r"))
        exit;
    // the following--an @ in the toName--is not what could come from the mkToSelect function,
    // which suggests a hacking attempt.
    // (The original pattern '@' had no regex delimiters, so preg_match_all failed
    // and the check never ran; counting the character directly does what was intended.)
    if (substr_count($_POST['toName'], '@') > 0)
        exit;
    if (strstr($_POST['message'], 'href=') || strstr($_POST['message'], 'url=') || strstr($_POST['message'], 'link='))
        $flag = 1;
    if ($flag == 1)
    {
        header("location: http://nsa.gov");
        exit; // only exit when flagged; the original exit sat outside the braces and ended every request
    }
}
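An added example, not from the original post, showing why a single-quoted '\n' check never sees a real line break and what a stricter check on the From field looks like; the function names and sample values are constructed for illustration.

```php
<?php
// Added example (not the poster's code). Detects the control characters that
// let a form value break out of one mail header into another.
function hasHeaderInjection(string $value): bool {
    // In a PCRE pattern \r, \n and \x00 are interpreted by the regex engine,
    // so single quotes are fine here; in a plain PHP string they would need
    // double quotes to become real control characters.
    if (preg_match('/[\r\n\x00]/', $value) === 1) {
        return true;
    }
    // Also reject URL-encoded line breaks in case the value is decoded later.
    return preg_match('/%0[ad]/i', $value) === 1;
}

// Validates a From field: bounded length, no header control characters,
// and a syntactically valid address (FILTER_VALIDATE_EMAIL rejects CR/LF too).
function validFrom(string $from): bool {
    if (strlen($from) > 64 || hasHeaderInjection($from)) {
        return false;
    }
    return filter_var($from, FILTER_VALIDATE_EMAIL) !== false;
}

// Constructed samples: a legitimate address and one carrying an extra header line.
$good = 'visitor@example.com';
$bad  = "visitor@example.com\r\nBcc: someone@example.net";

// The posted check: single-quoted '\n' is a backslash followed by n, not a newline,
// so it does not find the line break in $bad.
var_dump(strstr($bad, '\n') !== false);
// The stricter check sees the real CR/LF.
var_dump(hasHeaderInjection($bad));
var_dump(validFrom($good));
var_dump(validFrom($bad));
```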