My system emails on my linux server have been getting “message undelivered” emails which appear to be sent from the Contact Form 7 widget I have on my website.
The odd thing is, there is no “to:” field in the widget – just “from” and “message”. And yet the “undelivered messages” include random to:addresses.
I have Akismet set up, and I have tested that it works successfully (I get the spam failure message when I test with their test-spam-email address).
Clearly, they are somehow hijacking some sort of PHP mailer (don’t know what Contact Form 7 uses – the built-in wp_mail?). How do I stop it?
I’ve contacted my host but they are unable to help me, other than to say “Disable Contact Form 7”.
Email message below. The bottom bits were bits I added to my contact form in my WordPress installation, which is the only reason I figured out it was coming from my Contact Form 7 widget:
From: Mail Delivery System
To: email@example.com
Subject: Undelivered Mail Returned to Sender
Date: Sun, 16 Jan 2011 02:13:01 -0800 (PST)
Message-Id:

[-- Attachment #1: Notification --]
[-- Type: text/plain, Encoding: 7bit, Size: 0.6K --]

This is the Postfix program at host pants.dreamhost.com.

I'm sorry to have to inform you that your message could not be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to

If you do so, please include this problem report. You can delete your own text from the attached returned message.

The Postfix program

: host e.mx.mail.yahoo.com[22.214.171.124] said: 554 delivery error: dd This user doesn't have a yahoo.com account (firstname.lastname@example.org) [-5] - mta1038.mail.ac4.yahoo.com (in reply to end of DATA command)

[-- Attachment #2: Delivery report --]
[-- Type: message/delivery-status, Encoding: 7bit, Size: 0.5K --]

Reporting-MTA: dns; pants.dreamhost.com
X-Postfix-Queue-ID: DBA1514C005
X-Postfix-Sender: rfc822; email@example.com
Arrival-Date: Sun, 16 Jan 2011 02:12:56 -0800 (PST)

Final-Recipient: rfc822; firstname.lastname@example.org
Action: failed
Status: 5.0.0
Diagnostic-Code: X-Postfix; host e.mx.mail.yahoo.com[126.96.36.199] said: 554 delivery error: dd This user doesn't have a yahoo.com account (email@example.com) [-5] - mta1038.mail.ac4.yahoo.com (in reply to end of DATA command)

[-- Attachment #3: Undelivered Message --]
[-- Type: message/rfc822, Encoding: 8bit, Size: 1.5K --]

From: floppyk2011
To: firstname.lastname@example.org
Subject: [Out In Africa]
Date: Sun, 16 Jan 2011 10:12:57 +0000
Message-ID:
X-Mailer: PHPMailer (phpmailer.sourceforge.net) [version 2.0.4]

Message body:
Система активной рекламы. Заработать в сети. Оплата за чтение писем и клики. Раскрутка сайтов - увеличение посещаемости, низкие цены для рекламодателей! The system of active advertising. Earn online. Payment for reading emails and clicks. Site promotion - increase attendance, lower prices for advertisers! флупик.рф

--
This mail is sent via contact form on Out In Africa (www.oia.co.za), from IP address: 188.8.131.52
It seems Contact Form 7 allows you to specify the recipient via a select dropdown. This means that the recipient e-mail address is stored in the form and sent to the server, which then just reads it. Unless the server then verifies the recipient address was one of the options you specified, this can be a “security hole” to send spam to other e-mail addresses.
It would work like this: the server is prepared to read the recipient select field, in case you specified one. But even if you did not specify one, the spambot can send a recipient field value to the server, tricking it into thinking it came from a real HTML dropdown. This allows it to specify any value it wants there.
It is possible that Contact Form 7 prevents this kind of attack, but you should check this yourself, as I have no further experience with Contact Form 7.
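One way to implement the server-side check the answer describes, as an added example that is not Contact Form 7's own code (the field name, option keys and addresses are assumed):

```php
<?php
// Added example (not Contact Form 7's code): a minimal handler for a contact
// form whose HTML <select name="recipient"> lists departments. The browser
// only ever sends an option key; the server maps that key to an address it
// controls and refuses anything else, so a bot that posts an arbitrary
// "recipient" value cannot turn the form into a relay for other mailboxes.

// Server-side allowlist: option key => real mailbox (hypothetical values).
const RECIPIENTS = [
    'sales'   => 'sales@example.com',
    'support' => 'support@example.com',
];

// Vulnerable pattern the answer warns about: trusting the posted value.
//   $to = $_POST['recipient'];          // sender chooses any address
//   wp_mail($to, $subject, $message);

/** Map a submitted option key to an allowed address, or null if unknown. */
function resolve_recipient(array $allowed, $submitted): ?string
{
    if (!is_string($submitted)) {
        return null;                     // missing field or array value
    }
    // Exact key match only; this also rejects CR/LF that could inject headers.
    return array_key_exists($submitted, $allowed) ? $allowed[$submitted] : null;
}

$to = resolve_recipient(RECIPIENTS, $_POST['recipient'] ?? null);
if ($to === null) {
    http_response_code(400);
    exit('Unknown recipient');           // worth logging: a real dropdown never sends this
}

// Strip line breaks so user text cannot add extra mail headers.
$subject = '[Contact form] ' . substr(preg_replace('/[\r\n]+/', ' ', $_POST['subject'] ?? ''), 0, 100);
$message = (string) ($_POST['message'] ?? '');

// wp_mail() is WordPress's mail API (it wraps PHPMailer, as the bounce shows).
wp_mail($to, $subject, $message);
```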