WP Contact Form Spam Attack!

WP Contact Form Spam Attack!

I’ve gotten some unusual emails through the contact form lately, so I’ve disabled it until I can determine whether it’s truly spammer-proof.

There are two things I’m concerned about:

  • Worry # 1: My true contact email gets “harvested” by a web-crawling robot, and is added to a spam list. This is why I’m using WP-ContactForm, which theoretically hides the email address by using PHP to send email on my behalf. However, this leads to…

  • Worry # 2: My contact form being used by spammers to send other people SPAM. This is known as having an “open relay”, which means anyone can send email to anyone through it. That would be very bad.


p>The kind of funny email I’ve been getting looks like an automated probe to see if WP Contact Form can be used as an open relay. Since I haven’t looked closely at the WPCF source code, nor do I really know a lot about the low-level email protocol, I’m not sure. So I’ve submitted a ticket to the confusing WordPress Plugin Repository System (or at least, I think I have, though it doesn’t show up). And I’ve taken down the contact form. Sorry for the inconvenience.


Looks like I’m not alone in this email contact form attack! Based on that discussion, I added the following lines to my version of WP Contact Form, in function wpcf_callback(), just before the $headers = ... assignments:

// Strip r and n from the email address $email = stripslashes($email); $email = preg_replace(“/r/”, “”, $email); $email = preg_replace(“/n/”, “”, $email);

// Remove injected headers $find = array(“/bcc:/i”,”/Content-Type:/i”,”/cc:/i”,”/to:/i”); $email = preg_replace($find, “bogus header removed“, $email); $msg = preg_replace($find, “bogus header removed“, $msg);

The version of WP-Contact I’m using (1.1) appears to use the form input as-is. The code above should fix that. I am not sure that it actually is even necessary, but I feel a bit better about it. I would have to write my own exploit bot to test it.


  1. Christophernicus 18 years ago

    You might try a less elegant but more effective method I’ve been using.  Go to http://shurl.org/advanced, set a link for http://shurl.org/maildavid to refer to mailto:you@yourdomain.com?Subject=Mail from Contact Form

    It will limit your users’ mail options to their own mail clients, but it will block out the spam and you’ll know where the mail is coming from by the subject you specify.

  2. Dave 18 years ago

    Thanks Christophernicus, that’s a cool idea! I just tried it out, and it seems to solve the email harvesting problem, though it doesn’t hide the email address completely, as it appears in the email client’s TO: field. Which again exposes the email address, though it would take a manual action to reveal it. But all it takes is one focused person looking for online prospects to click the URL, add it to their database, and then sell it. Frickin’ Macromedia seems to have done that or lost control of their list at some point when they shared it with their partners…. Can’t trust anyone these days :/

  3. Dave 18 years ago

    Yay, there is a new version of WP-Contact Form! Version 1.3 is Ryan’s update to combat the spam.

  4. JT 18 years ago

    Since the spammers are not filling in the fields that have options, I’ve found a neat way to have fun with them. In my case, the spammers are leaving these fields blank. If the script notices that the field(s) are blank it does send out an email, but only to the BCC address and with a virus. It looks like they can only fill in the fields that have input fields. example –

    The fields they leave blank are like these.
    Selection 1
    Selection 2
    Selection 3

    //////////My Fix That worked/////////////////
    If ($Subjects111 == “”){
    //Send them a nice virus//
    $success = @MAIL(“info@myemailaddress.com”, $subject, $message, “From:”);

  5. Dave 18 years ago

    That doesn’t quite make sense without knowing what these “fields with options” are, but it’s an interesting idea.

  6. JT 18 years ago

    I actually put them in, but this script here automatically edited it. No biggie.

    These hackers can’t fill in fields with drop-down menus. Especially ones that don’t have a default selection. If I put in a drop-down menu and force the user to pick one, the hacker has no use for my script. But, you have to make sure you check that the user selected an option from the drop-down before you allow the script to email it. That can be done easily with an if statement – Similar to the one up top. This also applies for CGI, Perl, ASP, etc… This is the main reason why “Shout-Outs” and “Contact Us” pages are so heavily attacked and not lead generating forms.

  7. John 18 years ago

    I’ve been getting jibberish lately through my contact form – does any of the messages you have received look like this?

    courtesy9575@***.com wrote:
    Subject: lake there are several islands

    childher, in th afthernoon a whirl over th green wathers iv th bay in me goold
    an ivory yacht, at night a few leads

    Website: courtesy9575@***.com

  8. Dave Seah 18 years ago

    John: I sometimes get that kind of crap in my form, but the anti-spam measures I’m using appear to prevent the bulk of them. Bad Behavior, for example, stops bots from even seeing your website.

  9. Chris Nielsen 18 years ago

    I picked up a few useful things and wanted to contribute a little.

    If you are getting hit by form spammers that use a return email address at AOL and they are a repeat offender, what I did was use the mail re-direct option that is part of our hosting control panel to re-direct any email with the spammer’s email address to TOSreports@aol.com. A single email to them doesn’t seem to work, but when you direct all of the spam to them it goes away in a couple of days. I know this because of the 7-8 sites that were getting hit, I only re-directed about 3-4 and noticed the spam stopped on the others.