I Am A Spammer
October 25th, 2006 Ryan Jones
Ok, well not really. I’ve never once intentionally sent a spam email, and none of my websites collect email addresses or even send any mail out… or so I thought.
Years ago (we’re talking 1999 here) I headed over to hotscripts and grabbed a generic form email script. This particular script was written by Dennis of DarkMix.net (which no longer exists, so I assume Dennis ran into the same problem).
The problem was with the following lines of code, which I only recently noticed:
$headers = "From: $Name <$Email> \n";
$headers .= "Reply-To: $Email\n";
$headers .= "X-Mailer: Darkmix Mail Sender\n";
$headers .= "X-Mailer-Version: 1.1";
I’m sure many of you can spot the problem. $Email is dropped straight into the mail headers unfiltered, so anyone can append whatever headers they want simply by entering a creatively crafted email address. Worse, this code didn’t read from $_POST or $_GET either; it relied on register_globals.
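A hardened replacement for that header block, written here as an added example (it is not Dennis’s script or code from the original post). It assumes the form posts Name, Email, Subject and Message fields and that owner@example.com is the site’s own address:

```php
<?php
// Added example, not the DarkMix script. Field names and addresses are assumptions.

// Reject (rather than strip) any value that could start a new header line.
// CR/LF is what turns "an email address" into extra To/Bcc/Subject headers.
function safe_header_value(string $value, int $maxLen = 200): ?string {
    if (preg_match('/[\x00-\x1F\x7F]/', $value)) {   // CR, LF, NUL, other controls
        return null;
    }
    return substr($value, 0, $maxLen);
}

// Validate the sender address; FILTER_VALIDATE_EMAIL refuses whitespace and newlines.
function safe_email(string $value): ?string {
    $email = filter_var($value, FILTER_VALIDATE_EMAIL);
    return $email === false ? null : $email;
}

// Build headers with the user address only in Reply-To. From stays a fixed address
// on your own domain, which also keeps SPF/DKIM checks happy at the receiving side.
function build_headers(string $rawEmail): ?string {
    $email = safe_email($rawEmail);
    if ($email === null) {
        return null;
    }
    $headers  = "From: Website Form <noreply@example.com>\r\n";
    $headers .= "Reply-To: " . $email . "\r\n";
    $headers .= "X-Mailer: PHP/" . phpversion();
    return $headers;
}

// Read inputs explicitly from $_POST instead of relying on register_globals.
$name    = safe_header_value($_POST['Name'] ?? '', 100);
$subject = safe_header_value($_POST['Subject'] ?? '', 100);
$headers = build_headers($_POST['Email'] ?? '');

if ($name === null || $subject === null || $headers === null) {
    http_response_code(400);
    exit('Invalid name, subject or email address.');
}

// The body may contain newlines freely; only header fields need the checks above.
$body = "Message from " . $name . ":\r\n\r\n" . ($_POST['Message'] ?? '');
mail('owner@example.com', $subject, $body, $headers);
```

A value such as a constructed "me@example.com\r\nBcc: someone@example.net" fails safe_email() and the request is refused with a 400, so it never reaches mail(); logging those rejections is a cheap way to spot a form being probed.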
Anyway, I caught this problem well over 6 months ago, and the site it was on isn’t even on the internet anymore. I was just reminded of it while perusing some old legacy code at my company and remembered that I’d forgotten to blog about this. All in all it only sent a few emails before I noticed something was funny. No harm no foul I suppose.
Let this be a lesson to those who release free code on hotscripts, as well as to those who blindly use code found in such repositories.