Weird Injections in my Contact Forms

Thursday, May 13th, 2010

On one of my sites I have some standard contact-us forms. These use the PHP mail() function to send the submitted information to a general-purpose email account so that it can be handled correctly. Lately, though, something weird has been happening. On occasion, instead of the mail being sent to the general-purpose account, it is sent to another account, one that is aliased to my user. At first I thought this was just spam that was posting straight to the PHP mail() function, but then I got some legitimate emails on it also. I have no idea how it is happening.

So my question to everyone is twofold. How are these people doing this, and how do I stop it? I am baffled.