So I use PHP and have a contact form on my website.
Once users fill in the form and submit it, it shoots an email to me.
I have been receiving junk input from a bot, I assume, like the one below.
This is the result of print_r($_REQUEST). I removed some parameters for simplicity.
Array
(
[name] => rycpufrwq
[email] => raaszg@fqhzdm.com
[company] => naCuklaLMab
[website] => http://ujpbfhazkpzv.com/
[message] => cBimwx <a href=\"http://pxlahgqmdrhs.com/\">pxlahgqmdrhs</a>, [url=http://sjmbrhkycvbz.com/]sjmbrhkycvbz[/url], [link=http://rddqwgzwvrhv.com/]rddqwgzwvrhv[/link], http://csohvhsvdisc.com/
)
On such a request, I don't write to the DB or anything. I only send an email by calling mail().
Specifically, mail($to,$subject,$body,$headers)
where $headers is:
$headers="From:$email_from\r\nBcc:$email_bcc\r\nReply-To:$name<$email>\r\n";
$name is $_REQUEST['name'] and $email is $_REQUEST['email'], but I strip out all "\r" and "\n" if there are any, because otherwise they could put "\r\nCc:<a list of emails>"
and would be able to send spam emails using my domain.
However, for the input I mentioned above, I don't see a newline in the 'email' field. Hence, I assume it is a different kind of attack. Is there something I should be aware of?
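As an added illustration (not the asker's code), the PHP below shows the two checks a defender would want here: rejecting rather than silently stripping CR/LF in values destined for headers, quoting the display name so a comma or angle bracket cannot start a second address, and a simple heuristic for the link-spam pattern in the print_r output. The field names match the question; the helper function names are my own.

```php
<?php
// Added example, not the asker's code. Assumes the same $_REQUEST fields
// shown in the question: name, email, message.

/**
 * True if a value may be placed in a mail header: no CR, LF or NUL,
 * which are the characters mail header injection relies on.
 */
function isHeaderSafe(string $value): bool
{
    return preg_match('/[\r\n\0]/', $value) !== 1;
}

/**
 * Build the Reply-To header from user input, or return null if the
 * input should be rejected outright instead of being "cleaned".
 */
function buildReplyTo(string $name, string $email): ?string
{
    if (!isHeaderSafe($name) || !isHeaderSafe($email)) {
        return null;   // control characters: treat as an injection attempt
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;   // not a single, well-formed address
    }
    // Quote the display name so commas or angle brackets in $name cannot
    // be parsed as a second recipient address.
    $display = '"' . addcslashes($name, '"\\') . '"';
    return "Reply-To: $display <$email>\r\n";
}

/**
 * Heuristic for the link-spam pattern in the question: several URLs or
 * BBCode/HTML link markup inside the message body.
 */
function looksLikeLinkSpam(string $message): bool
{
    $urls   = preg_match_all('#https?://#i', $message);
    $markup = preg_match_all('#\[(url|link)=|<a\s#i', $message);
    return $urls >= 3 || $markup >= 1;
}

// Constructed sample values taken from the question's print_r output.
$name    = 'rycpufrwq';
$email   = 'raaszg@fqhzdm.com';
$message = 'cBimwx <a href="http://pxlahgqmdrhs.com/">pxlahgqmdrhs</a>, '
         . '[url=http://sjmbrhkycvbz.com/]sjmbrhkycvbz[/url]';

var_dump(buildReplyTo($name, $email));             // well-formed input
var_dump(buildReplyTo("x\r\nCc: a@b.c", $email));  // CR/LF in the name
var_dump(looksLikeLinkSpam($message));             // the bot's message body
```

If either check fails, skip the mail() call and log the request instead, so the form cannot be used as a relay and you keep a record of what the bot is sending.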