Contact Form and Plugin Form Spam Exploits
It seems there is an overzealous spammer (or spammers) out there and a lot of webmasters are going through a lot of grief as a result.
A few weeks ago, I started to receive weird messages in my website contact form. The email address the sender used was an address on my domain that didn’t exist and the body was filled with what appeared to be gibberish.
----------[START SPAM ATTEMPT]----------
Submitted on Saturday September 10, 2005 at 11:24am
===========
Name: nrqxvkqcu@telidesign.com
Content-Type: multipart/mixed; boundary="===============0511923761=="
MIME-Version: 1.0
Subject: 7d2259cf
To: nrqxvkqcu@telidesign.com
bcc: jrubin3546@aol.com
From: nrqxvkqcu@telidesign.com
This is a multi-part message in MIME format.
--===============0511923761==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
wykbig
--===============0511923761==--
Email: nrqxvkqcu@telidesign.com
Re: nrqxvkqcu@telidesign.com
Message: nrqxvkqcu@telidesign.com
----------[END SPAM ATTEMPT]----------
Closer inspection showed the message wasn't gibberish at all. Because their own servers and IP addresses are being blacklisted at breakneck speed, the spammers are trying to hide their identity and whereabouts by relaying mail through the form scripts of innocent webmasters. The trick, usually called e-mail header injection, works because mail headers are separated by line breaks: if a script copies a form field such as the sender's name or address straight into a header, a field value that contains a line break followed by "bcc: ..." becomes a new header in its own right, and the mail server honours it.
The flag was seeing "Content-Type: multipart/mixed;" and the huge red flag was seeing "bcc: jrubin3546@aol.com": the spammer was rewriting the headers in order to blind carbon copy the message to his throwaway drop box.
Once a message is delivered to that drop box, he has confirmed another exploitable script for his list and can use it to send out his mass mailings, while the innocent webmaster and host are left to catch all the blame and sort through the blacklisting red tape.
This spammer is not only trying to exploit contact form scripts, but also guestbooks, forums and even blog comment forms. And it is not limited to one programming language: CGI, PHP and even ASP forms are being exploited.
A quick search for the e-mail drop box will show that quite a few people have already fallen prey to this header-injection attempt.
The best solution I have come across so far is simply to refuse any carriage return or newline character (\r or \n, either one on its own is enough) and the phrase "Content-Type:" in every web-form field that ends up in a mail header: name, e-mail address, subject, reply-to. In 99% of situations there is no valid reason for a visitor to use them in a contact form. The one field where line breaks are legitimate is the message body, and it is written after the blank line that ends the headers, so newlines there cannot add headers.
An ounce of prevention is worth a pound of cure. If you are using a script on your site, especially for contact form purposes, it’s a good idea to check for any security updates or patches. If you wrote the script or understand the scripting language, you should take the initiative to update the script yourself.
As an added update to this is that the spammer is also attempting to exploit email subscription forms as well. I only found this out when I decided to clean out the unconfirmed subscribers from my newsletter/email notification lists and found I had hundreds of crack attempts to weed through.
If you are using the WordPress email notification plugin, it's a good idea to add a failsafe that checks for a valid e-mail address, or at least makes sure no line breaks or the other characters mentioned above are being inserted.
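As an added, present-day illustration of the hole described above and of the fix suggested for both the contact form and the subscription form (this is not code from this post or from the plugin): the Python below builds a contact-form e-mail the way a naive 2005-era form script did, feeds it the exact field the spammer submitted (reconstructed from the message shown above), and shows the injected bcc turning into a real header. It then shows the hardened builder, which refuses line breaks and "Content-Type:" in every header-bound field, leaves the message body alone, and checks that the sender's address is actually shaped like one. The addresses webmaster@example.com, visitor@example.com and jane@example.com are assumptions for the demonstration.

```python
import re
from email import message_from_string

# Constructed sample input: the spammer's payload from the post, reassembled as
# the single "Name" field it arrived in. The value contains a blank line so
# that everything before it lands in the header section of the outgoing mail.
INJECTED_NAME = (
    "nrqxvkqcu@telidesign.com\n"
    'Content-Type: multipart/mixed; boundary="===============0511923761=="\n'
    "MIME-Version: 1.0\n"
    "Subject: 7d2259cf\n"
    "To: nrqxvkqcu@telidesign.com\n"
    "bcc: jrubin3546@aol.com\n"
    "From: nrqxvkqcu@telidesign.com\n"
    "\n"
    "This is a multi-part message in MIME format.\n"
    "--===============0511923761==\n"
    'Content-Type: text/plain; charset="us-ascii"\n'
    "MIME-Version: 1.0\n"
    "Content-Transfer-Encoding: 7bit\n"
    "\n"
    "wykbig\n"
    "--===============0511923761==--\n"
)


def build_mail_naive(to_addr, name, sender, message):
    """The 2005-era pattern: form fields pasted straight into the header block.
    A CR or LF inside any field starts a new header line of the attacker's choosing."""
    headers = (
        f"To: {to_addr}\r\n"
        f"From: {name} <{sender}>\r\n"
        "Subject: Website contact form\r\n"
    )
    return headers + "\r\n" + message


def bcc_recipients(raw_mail):
    """Return the Bcc recipients a mail server would honour in this raw message."""
    return message_from_string(raw_mail).get_all("bcc", [])


# A header value must be a single line; that is the rule that closes the hole.
# Refusing "Content-Type:" as well is the extra tripwire the post recommends.
HEADER_INJECTION = re.compile(r"[\r\n]|content-type\s*:", re.IGNORECASE)

# Deliberately strict address syntax for a signup or contact form: one @, no
# whitespace or brackets, a dotted domain. Turning away a rare exotic address
# is a better trade than accepting a crafted one.
ADDRESS_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")


def is_header_safe(value):
    """True if the value can be placed in a mail header without adding lines."""
    return HEADER_INJECTION.search(value) is None


def is_plausible_address(addr):
    """True if addr is a single-line, conventionally shaped e-mail address."""
    return is_header_safe(addr) and ADDRESS_RE.fullmatch(addr) is not None


def build_mail_safe(to_addr, name, sender, message):
    """Same message as build_mail_naive, but every header-bound field is checked
    first. The message body is exempt: it is written after the blank line that
    ends the headers, so line breaks there cannot add headers."""
    for field, value in (("name", name), ("sender", sender)):
        if not is_header_safe(value):
            raise ValueError(f"header injection attempt in form field {field!r}")
    if not is_plausible_address(sender):
        raise ValueError("sender is not a plausible e-mail address")
    headers = (
        f"To: {to_addr}\r\n"
        f"From: {name} <{sender}>\r\n"
        "Subject: Website contact form\r\n"
    )
    return headers + "\r\n" + message


def rejected(name, sender, message="hello", to_addr="webmaster@example.com"):
    """True if the hardened builder refuses this submission (recipient is assumed)."""
    try:
        build_mail_safe(to_addr, name, sender, message)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Assumed addresses: the site owner and an ordinary visitor.
    raw = build_mail_naive("webmaster@example.com", INJECTED_NAME,
                           "visitor@example.com", "hello")
    print("naive script would Bcc:", bcc_recipients(raw))
    print("hardened script rejects the payload:", rejected(INJECTED_NAME, "visitor@example.com"))
    print("ordinary submission rejected:", rejected("Jane Doe", "jane@example.com"))
```

The naive builder turns the spammer's "Name" field into eight headers, and the parser reports jrubin3546@aol.com as a Bcc recipient, which is exactly what a real mail server would deliver to. The hardened builder stops at the first line break in a header-bound field, while a multi-line message body still goes through untouched.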
September 15th, 2005 at 1:16 pm
[…] [ It seems Dreamhost didn’t like the code in the example, if you want to see an example of the email message as it was delivered to me or wish to see the update, please see this blog entry ] […]
March 15th, 2006 at 5:29 pm
There is also the joe job form of comment spam. Though around since '96, it isn't used much since there isn't any economic advantage to the spammer. Usually used as revenge by a comment spammer with too much time on their hands.
Basically one comments in someone else's name in a way that doesn't set off spam triggers but links back to the person you're trying to get revenge on. See Virtual Handshake for an example involving Scott Allen.
March 15th, 2006 at 6:14 pm
Oh gosh Robert,
Just finished reading Scott’s post and that is insane…can’t believe what some people will stoop to.
I hope he can get it straightened out quickly enough.
January 14th, 2007 at 1:55 pm
This exploit still exists today in the WordPress email notification plug-in (which hasn’t been updated since 2005). I sent a message to Brian Groce alerting him to the issue.
I also posted a patch at http://www.nerdylorrin.net/wiki/Wiki.jsp?page=WordPress using an email address validation function from Dave Child (ilovejackdaniels.com).