Is My PHP Mailer being Hijacked or Used For Evil?

Discussion in 'Site & Server Administration' started by Dio, Oct 14, 2005.

  1. #1
    I have this mailer on most of my sites for contact purposes: http://www.cheesy-movies.com/vhs_memories/submit.shtml - It was supplied by thesitewizard.com

    Now, I'm not a forms and php person by any chalk and don't know how it all works together too well. Recently I had a few weird emails from the form - on a daily basis. I figured out it must be some kind of robot - so I worked out how to add an extra dropdown to the form and php mailer and that seems to have cured it on one site - I'd forgotten about it.

    Today I've had several attempts through another site with the same version of the mailer.

    The header comes in like this:
    From: <gtx@cheesy-movies.com>
    Reply-To: ,
    To: , njpm@cheesy-movies.com
    Date: Oct 14, 2005 11:06 AM
    Subject: VHS Memories From Cheesy Movies.Com

    And I get a blank attachment with no comments as per the PHP mailer form text layout for the email. Now I'm confused. If I send a mail normally through the form, the header looks like this:

    From: Dio <myemail@hotmail.com>
    Reply-To: Dio <myemail@hotmail.com>
    To:
    Date: Oct 14, 2005 11:18 AM
    Subject: VHS Memories From Cheesy Movies.Com

    The To address is just mine, but in the first case, there are 2 To email addresses, one of which is right and the other is at my domain. I have no idea what is going on - are they able to intercept the second email address at the domain? Is my mailer being used to propagate spam? All unrouted mail on my domains goes to :blackhole:

    If anyone can shed light on this and what they're trying to achieve, I'd be grateful. I'm guessing it may be some kind of PHP inject as one was sent to: From: " <"> which looks very kooky to me.
     
    Dio, Oct 14, 2005
  2. dpak
    #2
    I didn't actually try breaking it, but the feedback script on thesitewizard.com (I'm assuming it's the same one you're using) looks like you could fairly easily inject email addresses into the header. I'm guessing the php mail function ignores new addresses in the header and doesn't actually send the mail to them, but I could be wrong.

    I'd suggest finding a new feedback script. Spammers are always trying to exploit scripts like that to send out SPAM, so it's better to be safe than sorry.
     
    dpak, Oct 14, 2005
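
The header-injection concern raised in this thread comes down to form fields being copied into mail headers with line breaks intact. The following is an added example, not part of the thread and not the thesitewizard.com script: a form handler check that rejects such input before calling mail(). The field names (name, email, comments), the recipient address and the sample submissions are assumptions made up for illustration.

```php
<?php
// Added example, not the thesitewizard.com script. Field names (name, email,
// comments) and the recipient address are assumptions for illustration.

const MAILTO  = 'webmaster@example.com';   // fixed recipient, never taken from the form
const SUBJECT = 'Feedback form';           // fixed subject, never taken from the form

// A value destined for a mail header must not contain CR, LF or NUL:
// a line break ends the current header and starts a new one.
function is_header_safe(string $value): bool
{
    return preg_match('/[\r\n\0]/', $value) !== 1;
}

// Returns [headers, body] for mail(), or null if the submission is rejected.
function build_message(array $form): ?array
{
    $name     = trim((string)($form['name'] ?? ''));
    $email    = trim((string)($form['email'] ?? ''));
    $comments = (string)($form['comments'] ?? '');

    if (!is_header_safe($name) || !is_header_safe($email)) {
        return null;                        // line break inside a header field
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;                        // not a single valid address
    }
    // Keep only a conservative set of characters in the display name.
    $name = preg_replace('/[^A-Za-z0-9 .\'-]/', '', $name);

    // Visitor data goes in Reply-To only; From stays on our own address.
    $headers = "From: Feedback form <" . MAILTO . ">\r\n"
             . "Reply-To: \"$name\" <$email>";
    return [$headers, $comments];
}

// Constructed sample submissions: the second carries a line break in "email".
$samples = [
    ['name' => 'Dio', 'email' => 'visitor@example.org', 'comments' => 'Hi'],
    ['name' => 'x', 'email' => "a@example.org\r\nBcc: b@example.net", 'comments' => ''],
];
foreach ($samples as $form) {
    $msg = build_message($form);
    echo $msg === null ? "rejected\n" : "accepted:\n{$msg[0]}\n";
    // In the real handler: if ($msg !== null) mail(MAILTO, SUBJECT, $msg[1], $msg[0]);
}
```

Logging rejected submissions with the client address and timestamp gives a record of how often the form is being probed.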