What is Form Hijacking?

Form Hijacking is the exploitation of vulnerable web forms to send unauthorized email. It is used predominantly to send spam, and it uses the server on which the form is hosted to deliver that spam. This effectively makes the domain and server that process the form the spam source, allowing the real spam originator to remain anonymous. This can have serious consequences for the hijacked domain, including blacklisting of the domain.

Why are Forms Hijacked?

How is a Form Hijacked?

When you submit a form, the form input is handled by a script that processes the form data. This processing often involves sending the form input data to an email address. The location of the script that processes the form is given as the action value of the form tag. For example: <form action="http://www.mydomain.com/process.php" method="post">. In this example the form processing script would be http://www.mydomain.com/process.php.

Automated robot scripts crawl the internet looking for web forms, following web page links from site to site. When they identify a web form, they test the form processing script to see if it is vulnerable to hijacking. The hijacking robot script attempts to send the form processing script a character combination that will corrupt the headers of the form delivery email. This is known as email injection. These headers are basically the email delivery instructions. They can include To:, From:, Subject:, BCC: and a range of other information applied in delivering the email. If the headers can be corrupted, it is possible to set these values and the body of the email. This enables a hijacker to send an email with any subject, with any message, including any attachment, to any email address (usually as a BCC), and it is sent by the hijacked server.

This test probing often results in a form delivery email where most of the form field data is set to a random email address for the domain hosting the form, i.e. xhkjh@mydomain.com. Generally, multiple tests will be undertaken on a processing script, with each test looking for a vulnerability in a different form field. The form field being tested will include not only the random email address; this will be followed by a line break and then the injected email headers. The injected email headers may include a monitoring email address, usually as a BCC (Blind Carbon Copy). This is an email address monitored by the form hijacker. If the form is vulnerable to hijacking, an email will be sent to this address, and the hijacker then knows that this form processing script can be compromised and can send spam emails via the hijacked form.

If you view the source of an email you will be able to see the full headers. The headers of a hijack test email may include headers that have been injected via a form field, similar to:

pcftt@mydomain.com
Content-Type: multipart/mixed; boundary="===============1992989315=="
MIME-Version: 1.0
Subject: 4e6f1449
To: pcftt@mydomain.com
Bcc: test@hijacker.com
From: pcftt@mydomain.com

This is a multi-part message in MIME format.

--===============1992989315==
Content-Type: text/plain; charset=ISO-8859-1
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

Body message in hijacked form
--===============1992989315==--
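
The probe described above can be recognised before any email is built. The following PHP is an added example, not code from the original page or from any Form1 product; the function names, the field names and the two sample submissions are assumptions constructed for illustration.

```php
<?php
// Added example: function names, field names and sample data are constructed.
// A value that is placed in a mail header must be a single line.
function has_line_break(string $value): bool
{
    return preg_match('/[\r\n]/', $value) === 1;
}

// Header names from the hijack test email; one of them at the start of a
// line inside a form field marks the submission as an injection attempt.
function has_header_line(string $value): bool
{
    $names = 'bcc|cc|to|from|subject|content-type|mime-version';
    return preg_match('/^[ \t]*(' . $names . ')[ \t]*:/mi', $value) === 1;
}

// Returns a list of problems; an empty list means the form may be mailed.
function check_submission(array $fields, array $headerFields): array
{
    $problems = [];
    foreach ($fields as $name => $value) {
        if (!is_string($value)) {
            $problems[] = "$name: not a string";
            continue;
        }
        if (in_array($name, $headerFields, true) && has_line_break($value)) {
            $problems[] = "$name: line break in a header field";
        }
        if (has_header_line($value)) {
            $problems[] = "$name: contains mail header lines";
        }
    }
    $email = $fields['email'] ?? '';
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $problems[] = 'email: not a valid address';
    }
    return $problems;
}

// Constructed submissions: the probe described above, then a normal one.
$probe = [
    'name'    => 'pcftt@mydomain.com',
    'email'   => "pcftt@mydomain.com\r\nBcc: test@hijacker.com\r\nSubject: 4e6f1449",
    'message' => 'pcftt@mydomain.com',
];
$clean = ['name' => 'Ann', 'email' => 'ann@example.com', 'message' => "Hi,\nplease call me."];

print_r(check_submission($probe, ['name', 'email']));
print_r(check_submission($clean, ['name', 'email']));
```

The line break check on header-bound fields is the control that stops the injection; the header-name match is a heuristic for logging probes and can also flag an ordinary message whose line happens to begin with a word such as "Subject:".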

How do I prevent Form Hijacking?

There is a range of preventative measures available. The most important is:

Other methods to increase form security include:

You can also use the Human Intelligence Identification Script (Hii) as an additional method in preventing Form Hijacking. Human Intelligence Identification prevents form submissions by automated robots:

As spammers are continually searching for new methods to deliver spam, no method should be considered an all-time guaranteed solution. However, knowledge is power, and applying a combination of methods provides a strong level of protection.

Consider the form processing script used for your forms. Most commercially available scripts minimize form hijacking vulnerability, include a range of functional options that can be applied to further increase form security, and undergo continual development to enhance their functionality and security.

If you run a form processing script on your server, make sure it minimizes form hijacking vulnerabilities. All Form1 based scripts, including Form1 Builder Software, Form1 Builder GoldMine and Form1 Builder MYSQL, include a range of form hijacking preventative measures.

IX Web Hosting
If you do not currently have a hosting company that supports php we use and recommend IX Web Hosting. IX Web Hosting provide a range of reliable and economical hosting packages (from $3.95 / month), all with php support.

One Last Point...

Form hijacking, spam, email address harvesting and associated activities occur predominantly because they generate revenue. So to stop form hijacking and spam...

