Email attacks on websites

I’ve been lucky: in 10 years of web development I’ve only had two sites using phpmailer attacked by a spammer using an email injection attack.

The first site used the “To” address in the email form and substituted their own text.

The second was more devious and attacked through the subject line of the email. I had email verification on the form so they couldn’t use a malformed email address, but I did substitute a hidden form variable into the subject line, and they attacked this.

Here is how they did it (I have changed some of the email addresses to protect the site owners):

Return-path: 23423423
Envelope-to: 234234
Delivery-date: Sat, 27 Aug 20xx 05:19:55 +0100
Received: from 3423423424234
by with esmtp (Exim 4.32)
id 1E8sAd-000C9n-9v
for 234234234; Sat, 27 Aug 20xx 05:19:55 +0100
Received: from 234234234
by 2323423423324)
id 1E8sAT-000OE6-0P
for 234234324; Sat, 27 Aug 20xx 05:19:45 +0100
Received: (qmail 37339 invoked by uid 2527); 27 Aug 20xx 03:21:20 -0000
To: 234234
Subject: A new user has signed up for the
Content-Type: multipart/mixed; boundary="===============0960820620=="
MIME-Version: 1.0 Subject: e6e85f17 To: bcc:
From:   This is a multi-part
message in MIME format.  --===============0960820620== Content-Type:
text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding:
7bit  pkamjstswf --===============0960820620==--  area
Date: Sat, 27 Aug 20xx 04:21:20 +0100
From: 2342342332
X-Priority: 3
X-Mailer: PHPMailer [version 1.72]
MIME-Version: 1.0
Content-Type: multipart/alternative;
Delivered-To: 42342342234234

Note the extended Subject:

For anybody using mail() in PHP, I would suggest that you don’t use form variables which alter the email’s subject line, as this can be a method of attack.

I would suggest that the next version of phpmailer does not allow anyone to set a new line in either the email “To” field or the email subject line. I would suggest that references to $this->Subject are replaced by a method call, $this->getSubject(), which then allows the class to strip out new lines and restrict the length of the subject.
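The getSubject() idea above, as an added example written in Python rather than as PHPMailer's own code: a form value is flattened to one line and length-capped before it reaches a header, and a small check flags submitted values that carry a line break followed by something header-like. The field name, the length limit and the sample injected value are all constructed for this illustration.

```python
"""Added example (Python, not PHPMailer's code): sanitising and detecting
header injection in a form-supplied email subject.

MAX_SUBJECT_LEN, the 'area' field and INJECTED_AREA are assumptions made
for this illustration, not values from the original site."""
import re
from typing import List

# Line terminators are what turn one header into several; NUL can also
# truncate values in C-based mailers, so strip it as well.
_BREAK_RE = re.compile(r"[\r\n\x00]+")
MAX_SUBJECT_LEN = 120  # assumed limit for this illustration

# Constructed sample of a hidden-field value carrying injected headers
# (the address and boundary are placeholders, not real ones).
INJECTED_AREA = (
    "e6e85f17\r\n"
    "Bcc: victim@example.invalid\r\n"
    "Content-Type: multipart/mixed; boundary=\"==B==\"\r\n"
    "\r\n--==B==\r\nContent-Type: text/plain\r\n\r\nconstructed spam body\r\n"
    "--==B==--\r\n area"
)


def get_subject(area: str, max_len: int = MAX_SUBJECT_LEN) -> str:
    """The getSubject() idea from the post: collapse CR/LF/NUL into a single
    space and cap the length, so a form value can never add or replace a
    header, whatever the mailer does afterwards."""
    flat = _BREAK_RE.sub(" ", area)
    return ("A new user has signed up for the " + flat.strip())[:max_len]


def header_block_unsafe(area: str) -> str:
    """Header text as a naive mailer builds it: the raw form value is spliced
    straight into the Subject line (the 'before' of the fix)."""
    return "Subject: A new user has signed up for the " + area + "\r\n"


def header_block_safe(area: str) -> str:
    """The same header text built through get_subject()."""
    return "Subject: " + get_subject(area) + "\r\n"


def header_names(block: str) -> List[str]:
    """Field names in a header block, stopping at the blank line that ends
    the headers. A Bcc or Content-Type where only Subject was expected is
    the signature of an injection."""
    names = []
    for line in block.split("\r\n"):
        if line == "":
            break
        m = re.match(r"([A-Za-z][A-Za-z0-9-]*):", line)
        if m:
            names.append(m.group(1))
    return names


def looks_injected(value: str) -> bool:
    """Detection for a submitted field: a line break followed by text that
    parses as a header name or a MIME boundary marker. Ordinary multi-line
    text (a textarea) is not flagged; for a hidden field, any line break
    at all is worth logging."""
    parts = re.split(r"\r?\n", value)
    for part in parts[1:]:
        if re.match(r"\s*(?:[A-Za-z][A-Za-z0-9-]*:|--\S+)", part):
            return True
    return False


if __name__ == "__main__":
    print("unsafe:", header_names(header_block_unsafe(INJECTED_AREA)))
    print("safe:  ", header_names(header_block_safe(INJECTED_AREA)))
    print("flagged:", looks_injected(INJECTED_AREA), looks_injected("area"))
```

The unsafe block yields Subject, Bcc and Content-Type headers from a single form field, and everything after the injected blank line becomes the message body; the safe block yields only Subject. Whichever mailer sends the message, the same two rules apply to the "To" field: no line breaks, and a bounded length.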

Recruitment emails

Like many IT professionals, I’m on the radar of recruitment companies. I don’t mind, sometimes I get some interesting work through this route. I’m less keen on the recruitment companies who bombard me with emails about roles I’m not really suited for, it shows that they haven’t really done their homework.


A while ago, I got this email. It must be the ultimate catch all email.

Dear Kevin

We are currently searching for a JOB TITLE to work in CITY, COUNTRY for DURATION plus extensions. This is a fantastic contract opportunity for a large multi-national client.

The ideal candidate must have the following skills: SHORT JOB DESCRIPTION.

If you are interested in this position, please respond within 24 hours with a short motivation letter and your CV in Word format so MBA can contact you.

MBA do have a policy to fulfill job requests within 24 hours therefore a quick response is important.

Alternatively, you can call us on the number below.

MBA does apologise when this job does not match your profile. However, if you have any colleagues who may be interested in this contract opportunity; please forward this email to them. If they are successfully placed at our client site, we will award you with £150.00 (180 Euros).

Thank you for your time and we hope to hear from you soon,

It made me feel all warm and fuzzy inside to know that the recruiter had actually read my CV and then sent me a carefully targeted position.


Which is faster? Java or PHP

I’ve written web sites in both PHP (around 50 sites) and Java (around 20 sites) for the last 7 years and I don’t think there’s much difference in terms of speed. It’s not true that one is faster than the other for heavy database use or that one will withstand a lot of site hits. If you write your app correctly and optimize for speed using strategies appropriate to that language then there’s very little difference.

I’ve found my Java apps easier to maintain (because you have to do OOP with Java), whereas the PHP apps tend to gradually disintegrate into a big ball of mud (it’s too easy to hack loads of dodgy code together).

I’ve found Java much harder to run on shared servers (here in the UK most hosting companies will refuse to set up Tomcat because they don’t know how to do it) and I’ve also found that Java apps eat more memory than equivalent PHP apps. For most of my Java sites, I’ve ended up setting up the server myself whereas with all the PHP apps I’ve used off the shelf hosting.

Java is much easier to code because IDEs like Intellij, NetBeans or Eclipse are around 10 times easier than trying to use Dreamweaver or PHP Eclipse. I find that I can write Java a little quicker than PHP, but there’s very little difference and anyway, you don’t have to write as many lines of code in PHP.

I think that it depends on your preferences, your experience, your client’s preferences and budget.

Unless the site is a really small one, I prefer using Java. I’d definitely use Java if there are complex server side things to do (like bulk image processing or running Flash XML servers).