Earlier today we received a bunch of weird bounced email messages that looked as though they were coming out of our Contact form. It turned out that some spammers had figured out a new way of sending their spam through our server.
The long and the short of it is that we figured out how they were doing it, and we’ve plugged the hole that was allowing them to send emails using our server.
Our apologies to anyone who received spam. We have never, and will never, send out spam. We can’t stand the stuff.
What was the problem? The PHP code that powers our mail script was not checking the submitted form fields for malicious content. The spammers were submitting a contact message in which a field that the script copies into the email headers (typically the sender’s name, address, or subject) contained a line break followed by a Bcc: list of email addresses. The script passed this straight through to the mail server, which treated the injected line as a legitimate Bcc: header and sent the email to everyone on the list. This is email header injection: a single form field never legitimately contains a carriage return or line feed, and the same trick can inject any header (To:, Cc:, Content-Type:), not only Bcc:, so a field that contains one should be rejected outright rather than scanned for particular words.
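As an added example (not the site’s own script), the following PHP shows a contact-form handler that concatenates the visitor’s address into the mail() headers, the injected Bcc: payload described above, and a hardened version that rejects any field containing a line break. The function names, field names and email addresses are assumptions, and the payload is constructed for illustration.

```php
<?php
// Added example, not the site's own contact script. Shows how copying form
// input into mail() headers turns a contact form into a spam relay, and the
// check that closes it. Function and field names, and the addresses, are
// assumptions for illustration.

// VULNERABLE: the visitor's name and address go straight into the
// additional_headers argument of mail(). A CRLF inside $email ends the
// From: header, and whatever follows becomes a new header the attacker chose.
function build_headers_vulnerable(string $name, string $email): string
{
    return "From: $name <$email>\r\n";
}

// Any carriage return or line feed in a single form field is an injection
// attempt; a legitimate name or address never contains one.
function contains_crlf(string $value): bool
{
    return preg_match('/[\r\n]/', $value) === 1;
}

// FIXED: reject (rather than strip) fields containing CR/LF, validate the
// address, and keep visitor data out of From: so mail always leaves from a
// fixed local sender with the visitor only in Reply-To.
function build_headers_safe(string $name, string $email): ?string
{
    if (contains_crlf($name) || contains_crlf($email)) {
        return null;                       // refuse to send anything at all
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;                       // not a single well-formed address
    }
    // Keep the display name to plain characters so it cannot open a new
    // address, comment or route inside the Reply-To header.
    $name = preg_replace('/[^\p{L}\p{N} .-]/u', '', $name);
    return "From: Contact Form <contact@example.com>\r\n"
         . "Reply-To: $name <$email>\r\n";
}

// Constructed payload of the kind described in the post: a normal-looking
// address followed by an injected Bcc: header.
$injected = "visitor@example.org\r\nBcc: target1@example.net, target2@example.net";

// The vulnerable builder hands the mail transport two headers, From: and
// Bcc:, and the message is delivered to every address on the Bcc: line.
echo "Vulnerable headers:\n" . build_headers_vulnerable('Jane', $injected) . "\n";

foreach (['Jane' => $injected, 'Jane Doe' => 'jane@example.org'] as $name => $email) {
    $headers = build_headers_safe($name, $email);
    echo $headers === null
        ? "Rejected submission from $name (header injection or bad address)\n"
        : "Safe headers:\n$headers\n";
}
```

Run it with the php command-line interpreter; it only builds the header strings and never calls mail(), so nothing is sent. Rejecting CR and LF outright is the check that matters: a blocklist of keywords such as "bcc:" is easy to sidestep with Cc:, To:, or a Content-Type: header that replaces the message body with attacker-chosen content, whereas a single form field never legitimately needs a line break.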
This was not a problem we had seen before, and we took immediate action to close the security hole. Once again I’d like to offer my apology to anyone who received one of these messages.