Practical eCommerce

 

PHP Script Abuse

Author: Brian Getting
Publish Date: December 05, 2006
Blog: Developers' Corner
Tags: spam, php, abuse


I figured this would be a fun one to post about, since it threw me for a loop as far as server administration goes. We found ourselves listed today on one of the email spam blacklist sites, probably because of a combination of things. In the process of going through to ensure that our mailing list was clean and checking the mail server, our hosting company told me that there were 16,000 or so emails waiting to go out in our outgoing mail server. That is a lot more than there should be, considering there are only a few of us. The first thing I thought of was script abuse.

As all developers know, the net is not terribly secure because developers aren't always dotting their i's and crossing their t's. I'm as much to blame as anyone else, so I needed to take a look at the PHP scripts that send email from our website and internal web pages. To keep someone from abusing those scripts, such as a robot that discovers that the form sends email, there are a few combinations of things you can try. I personally recommend doing several of these, since we are still occasionally getting hit somewhere on the site.

Firstly, you can broadly stop anyone from simply POSTing to your mail form by having the script check that the request came from your website and not an external one. Narrow it a bit by checking the referring page that the request came from; this denies use of the mail script to anyone making the request from an unauthorized site. You can also do other things, like passing special codes from your HTML forms that the script requires before it will send mail. Again, try a combination of security tricks, because it seems to me that the spammers are VERY fast learners. Plus, it's much simpler than spending a day clearing mail servers and getting off email blacklists.
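Here is how the two checks above can be combined in one PHP mail-form script. This is an added example, not code from the original post or from Practical eCommerce: it shows a form page that issues a random one-time token, and a handler that accepts a request only if it is a POST, the Referer names our own host, and the token matches the one stored in the session. The host name `www.example.com`, the recipient address, the field names and the ten-minute token lifetime are all assumed placeholders; `SITE_HOST`, `issue_form_token()` and `request_is_authorized()` are names chosen for this example. It needs PHP 7 or later for `random_bytes()` and `??`.

```php
<?php
// Added example (not from the original post): a mail-form handler that
// combines a Referer check with a secret per-session token embedded in
// the HTML form, so an off-site robot cannot simply POST to the script.
session_start();

const SITE_HOST = 'www.example.com'; // assumed placeholder for your own host

// Issue a fresh random token for the form page and remember it in the session.
function issue_form_token(): string {
    $token = bin2hex(random_bytes(16));
    $_SESSION['mail_form_token']  = $token;
    $_SESSION['mail_form_issued'] = time();
    return $token;
}

// Decide whether a submission may be mailed. Every check must pass.
function request_is_authorized(string $siteHost): bool {
    // Cheap first filter: the referring page must be on our own site.
    // Referer is trivially forged by a script, so this alone is not enough.
    $referer = $_SERVER['HTTP_REFERER'] ?? '';
    $refHost = parse_url($referer, PHP_URL_HOST);
    if ($refHost === null || $refHost === false
        || strcasecmp($refHost, $siteHost) !== 0) {
        return false;
    }

    // The real control: the hidden token must match the one we issued.
    // hash_equals() avoids leaking the token through timing differences.
    $expected = $_SESSION['mail_form_token'] ?? '';
    $supplied = $_POST['form_token'] ?? '';
    if ($expected === '' || !is_string($supplied)
        || !hash_equals($expected, $supplied)) {
        return false;
    }

    // One-time use with a bounded lifetime (assumed: 10 minutes), so a
    // captured token cannot be replayed to send thousands of messages.
    $issued = $_SESSION['mail_form_issued'] ?? 0;
    unset($_SESSION['mail_form_token'], $_SESSION['mail_form_issued']);
    return (time() - $issued) <= 600;
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    // GET: render the form with the token as a hidden field.
    $token = htmlspecialchars(issue_form_token(), ENT_QUOTES, 'UTF-8');
    echo '<form method="post" action="">'
       . '<input type="hidden" name="form_token" value="' . $token . '">'
       . '<input name="email" type="email"> '
       . '<textarea name="message"></textarea> '
       . '<button type="submit">Send</button></form>';
    exit;
}

// POST: refuse anything that did not come through our own form.
if (!request_is_authorized(SITE_HOST)) {
    // Log refusals; a burst of them is an early sign that a script
    // has found the form.
    error_log('mail form: refused submission from ' . ($_SERVER['REMOTE_ADDR'] ?? '?'));
    http_response_code(403);
    exit('Request refused.');
}

// Validate the fields we place in the message before calling mail().
$from    = filter_var($_POST['email'] ?? '', FILTER_VALIDATE_EMAIL);
$message = trim((string) ($_POST['message'] ?? ''));
if ($from === false || $message === '') {
    http_response_code(400);
    exit('Invalid input.');
}

// Assumed recipient address; replace with your own.
mail('sales@example.com', 'Website contact form', $message, 'Reply-To: ' . $from);
echo 'Thanks, your message has been sent.';
```

Two practical notes. Some browsers and privacy tools strip the Referer header, so a strict Referer check will turn away a few legitimate visitors; treat it as a coarse filter and rely on the token as the check that actually decides. Keeping a count of refusals (the `error_log` line above) gives you a number to watch, which is far easier than discovering the problem when the hosting company reports thousands of queued messages.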
