Classic Spam: mailback abuse

One of the features that many folks like to put on their websites is the feedback (or "mailback") form. Simple CGI programs (often Perl scripts) power most such features, which collect messages from website visitors and mail then back to the website proprietor. One of the more popular of these programs is Matt Wright's "Formmail," but there are lots of others out there.

Indeed, for purposes of avoiding spam, the use of a feedback form by a website operator is an excellent idea which I discuss elsewhere. Unfortunately, however, these programs are sometimes vulnerable to being hijacked by spammers, who can use them to bypass the usual hassle of finding open relay hosts. A further advantage for the spammer is that, unlike "regular" e-mails, mailback submissions usually can't be traced back to the submitters in any way (unless the operator of the script has saved the IP address of the user who initiated the mailing).

Here's a typical example of mailback abuse (minus the original mail header):

Below is the result of your feedback form. It was submitted by
( on Tuesday, January 22, 2002 at 03:06:26

: Hello! Want to see LIVE GIRLS on Webcams?! For FREE?! Well then Click HERE! [ ] This site is 100% FREE! Come to our site! [ ] It's FREE so why not?! Have a nice day :-)

This is not SPAM E-mail. Remember, you requested this. I take no responsibility for the content of this E-mail or if you have received this in Error. Someone signed you up for the mailing list. If you would like to be removed, E-mail and you will be removed. 222379029


Although a spammer could very well set up his own mailback script and then proceed to exploit it, I suspect that these scripts most often belong to innocent victims who haven't secured them properly. If you get one of these, you should trace down its origin and inform the administrators responsible for the address that there is a problem with one of their users' feedback form scripts. You may also, of course, report any and all e-mail addresses and website URLs you find in the text.

This particular spam is more amusing than most because it expends more text to explain that it isn't spam than it does to deliver the actual spam message. I also like how the unidentified "I" takes no responsibility for the content of the message that he or she sent. I'm gonna have to try that argument next time I get a speeding ticket ("Your honor, I take no responsibility for driving my car 85mph in a school zone...").

(c) 2003-2006, Richard C. Conner ( )

08843 hits since March 28 2009

Updated: Sat, 06 May 2006