Lately, it happens more often that there is abuse of standard contact forms. An example:
A contact consists of the fields:
Name (1 line)
Email address (1 line)
Subject (1 line)
Message (multiline).
The "Subject" field will appear in the subject. An example of a PHP command to send mail from this form may look like this:
mail ("info@mywebsite.com", $subject, $message);
The headers of this email will then look like this:
To: info@mywebsite.com
Subject: $subject
With spam form injection the subject is introduced as follows:
subject=This is the subject \\nbcc: test@test.com
The headers will then look like this:
To: info@mywebsite.com
Subject: This is the subject
bcc: test@test.com
This email is then sent not only to info@mywebsite.com but also to test@test.com and possibly multiple addresses entered.
We would therefore ask everyone to make sure to protect their contact form. A good plan to use this counter is to check the characters \\n and \\r when the field should not consist of more than one line.
Example:
$subject = str_replace ("\\r\\n '','''', $_POST [''subject'']);