WP Contact Form Spam Attack!

I’ve gotten some unusual emails through the contact form lately, so I’ve disabled it until I can determine whether it’s truly spammer-proof.

There are two things I’m concerned about:

  • Worry # 1: My true contact email gets “harvested” by a web-crawling robot, and is added to a spam list. This is why I’m using WP-ContactForm, which theoretically hides the email address by using PHP to send email on my behalf. However, this leads to…

  • Worry # 2: My contact form being used by spammers to send other people SPAM. This is known as having an “open relay”, which means anyone can send email to anyone through it. That would be very bad.

The kind of funny email I’ve been getting looks like an automated probe to see if WP Contact Form can be used as an open relay. Since I haven’t looked closely at the WPCF source code, nor do I really know a lot about the low-level email protocol, I’m not sure. So I’ve submitted a ticket to the confusing WordPress Plugin Repository System (or at least, I think I have, though it doesn’t show up). And I’ve taken down the contact form. Sorry for the inconvenience.

UPDATE:

Looks like I’m not alone in this email contact form attack! Based on that discussion, I added the following lines to my version of WP Contact Form, in function wpcf_callback(), just before the $headers = ... assignments:

```php
// Strip \r and \n from the email address (a CR or LF is what lets a
// submitted value start a new mail header)
$email = stripslashes($email);
$email = preg_replace("/\r/", "", $email);
$email = preg_replace("/\n/", "", $email);

// Remove injected headers
$find = array("/bcc:/i", "/Content-Type:/i", "/cc:/i", "/to:/i");
$email = preg_replace($find, "bogus header removed", $email);
$msg = preg_replace($find, "bogus header removed", $msg);
```

The version of WP-ContactForm I’m using (1.1) appears to use the form input as-is. The code above should fix that. I am not sure that it actually is even necessary, but I feel a bit better about it. I would have to write my own exploit bot to test it.
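To show what the patch above is guarding against and one way to make it stricter, here is an added example. It is not code from WP Contact Form or from this post: the function names (`wpcf_has_header_injection`, `wpcf_scrub_field`, `wpcf_build_headers`), the `$submission` array layout and the two sample submissions are all assumptions made for the demo, and `filter_var()` with `FILTER_VALIDATE_EMAIL` assumes PHP 5.2 or later. Instead of only stripping CR and LF, it treats their presence in a single-line field as a sign of a header-injection probe, drops the submission and logs it, then validates the address before building the headers.

```php
<?php
// Added example, not WP Contact Form's own code. Detect and reject e-mail
// header injection in a contact-form submission rather than silently
// stripping it. Function names and the $submission layout are assumptions.

// True when a single-line form field carries a CR or LF, which is the
// only way a submitted value can start a new mail header (e.g. Bcc:).
function wpcf_has_header_injection($value) {
    return (bool) preg_match('/[\r\n]/', (string) $value);
}

// The post's cleanup applied to one field: drop backslashes, CR and LF,
// then neutralise the header names the post lists.
function wpcf_scrub_field($value) {
    $value = stripslashes($value);
    $value = preg_replace('/[\r\n]/', '', $value);
    $find  = array('/bcc:/i', '/Content-Type:/i', '/cc:/i', '/to:/i');
    return preg_replace($find, 'bogus header removed', $value);
}

// Build the extra headers for mail()/wp_mail(), or return null when the
// submission should be rejected (and a line written to the error log).
function wpcf_build_headers(array $submission) {
    $name  = isset($submission['name'])  ? $submission['name']  : '';
    $email = isset($submission['email']) ? $submission['email'] : '';

    // Reject outright: a legitimate visitor never types a line break
    // into the name or address field, so this is worth logging.
    if (wpcf_has_header_injection($name) || wpcf_has_header_injection($email)) {
        error_log('wpcf: CR/LF in contact form field, submission dropped');
        return null;
    }

    // Only a syntactically valid single address may reach the headers.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        error_log('wpcf: invalid sender address, submission dropped');
        return null;
    }

    // The display name is free text, so scrub it and strip the quote
    // characters that would break the quoted-string form used below.
    $name = str_replace('"', '', wpcf_scrub_field($name));

    return "From: \"$name\" <$email>\r\nReply-To: $email\r\n";
}

// Constructed sample submissions (not real traffic).
$clean = array('name' => 'Jane Reader', 'email' => 'jane@example.com');
$probe = array('name' => 'x', 'email' => "a@example.com\r\nBcc: someone@example.net");

var_dump(wpcf_build_headers($clean)); // string with From: and Reply-To:
var_dump(wpcf_build_headers($probe)); // NULL, the probe is rejected
```

The difference from the patch in the post is the order of operations: validate first and refuse anything containing a line break, and only then sanitise what is left. Stripping alone keeps the form working for a probe, whereas rejecting the submission gives you a log line each time someone tests the form, which is the signal you want when deciding whether the form is actually being targeted.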