is this a hacking attempt?

[stef25]

i have a contact form a website that does not have a captcha, so it gets the usual amount of spam sent through it. i also get empty messages from "root@localhost" – this seems a bit worrying to me.

there's JS validation on the form and when i turn off JS and submit the form, i get an email from "unknown sender" with all the fields listed as having no value (= normal). so this is still a different scenario from the root@locahost emails im getting (these have no body text at all)

does anyone know how these root@localhost messages may be getting through? i dont mind the spam so much as i would suspected hacking attempts.

thanks
stef

[decowski]

It's hard to tell unless we know how the contact form works. Where does the From header's value come from?

[stef25]

i think this is what you're asking?

From: Root User <root@localhost>

we dont store anything in a db (dont even have one on the site) so i guess someone's trying to use the form as a spamming gateway?

[decowski]

From: Root User <root@localhost>

Yes, but I'm asking where it comes from. After all it's your contact form, your script processes it and your script sends the email so you need to know where the value comes from.

[stef25]

usually its something like "From: aiorwxsg <vjcymd@zouaed.com>" which is the "name" and "email" fields in the contact form.

its like they are using the php mailer script without touching the contact form. NOT just bypassing JS validation cause then it shows up as "From: " - blank value

phpmailer also sets the same subject for each mail, which is present in normal submissions, but from these root@localhost ones the subject in gmail shows up as "no subject" ...

[decowski]

phpmailer also sets the same subject for each mail, which is present in normal submissions, but from these root@localhost ones the subject in gmail shows up as "no subject" ...

Well this tells me these emails don't come from the contact form. How do you know they aren't sent to your email address directly?

[stef25]

they are sent to the client and im in bcc. this bcc is only set in the phpmailer script. and in the headers it mentions the path:

X-PHP-Script: www.replaced.co.uk/non_flash/mailer.php for 213.163.XX.XX -> this is the url of the contact form

[Sam Millington]

My other site also facing from hacking problem. Can anyone suggest me.

[gregor171]

I'd suggest you to put php mailer out of the web access directory. One level under the root!
;-)