There are two problems here.
You get your "To" header from $_POST["visitormail"], which is the e-mail address typed by your visitor in the form and processed by your PHP code without any validation.
First, how do you know that it is a valid and existing address? If this address is wrong, no wonder you get that error.
There is a more important and dangerous thing. Your approach (I mean the lack of proper validation and filtering) is way too dangerous.
Attention! A big security flaw is explained here!
I will explain schematically what some people do to find an exploit for their malicious activity.
Imagine you have in your input:
myInnocentEmailAccount@MyPerfectlyLegalDomain.com
[new line]
BCC: [a million addresses to spam]
This is the way to inject a BCC header line. Trivial, isn't it? You would not even see how your host is turned into a zombie sending spam, or something like that.
You can tell that you provide only one input line using a text box (an input element with the type text), so entering new line characters is not possible.
OK, great, your form knows about it, but the HTML "post" method does not know about your form. :-)
Are you getting it?
Of course, this is not possible with manual operation of the form. But programmatically, I would fake your form in a few minutes and implement the hack I explained before. If you use AJAX, I would fake your AJAX as well. I actually did something like that to test my own Web site and some of our company Web sites for security holes. It was easy. Each and every action performed on the client side can be more or less easily faked.
So, you should do a simple thing: inspect all the headers for any deviation from the expected pattern. You should also check the referrer of the post and do some other relevant checks. Internally, report the attempts of any suspected malicious activity.
Investigate such cases. I did that and caught such attempts from time to time. This is an ugly fact of our life.
—SA
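The injection described in the answer above, shown as an added PHP example (this is not code from the original question or answer): a header line built straight from the posted value beside a version that validates the address first. The function names, the From address and the two inputs are constructed for illustration; the malicious input is the CRLF-plus-BCC payload the answer sketches.

```php
<?php
// Added example, not part of the original post. Requires PHP 7.1+ (nullable return types).
declare(strict_types=1);

// Constructed inputs: a legitimate address and an injection attempt that appends
// a Bcc header after a CRLF, exactly as the answer above describes. A browser
// text box cannot produce the CRLF, but a hand-made POST request can.
$legit = 'myInnocentEmailAccount@MyPerfectlyLegalDomain.com';
$malicious = "myInnocentEmailAccount@MyPerfectlyLegalDomain.com\r\n"
           . "Bcc: victim1@example.net, victim2@example.net";

// Vulnerable: the posted value goes into a header line unchanged, so the embedded
// CRLF terminates the Reply-To line and the attacker's Bcc becomes a real header.
function buildHeadersUnsafe(string $visitorMail): string
{
    return "From: webform@example.com\r\nReply-To: $visitorMail\r\n";
}

// Hardened: accept only a single well-formed address.
// Returns the address on success, null on any deviation (so the caller can log it).
function validateVisitorEmail(string $raw): ?string
{
    // Length cap before any other processing (RFC 5321 limits a path to 254 octets).
    if (strlen($raw) > 254) {
        return null;
    }
    // Any control character (CR, LF, NUL, ...) in an address can only mean injection.
    // FILTER_VALIDATE_EMAIL would reject these too, but checking separately lets you
    // report a deliberate attack distinctly from a simple typo.
    if (preg_match('/[\x00-\x1F\x7F]/', $raw)) {
        return null;
    }
    $email = filter_var($raw, FILTER_VALIDATE_EMAIL);
    return $email === false ? null : $email;
}

// Safe header builder: the visitor's address goes into Reply-To only after validation;
// the To address of the actual mail() call should be a fixed, server-side value.
function buildHeadersSafe(string $visitorMail): ?string
{
    $email = validateVisitorEmail($visitorMail);
    if ($email === null) {
        // Report and refuse to send: this is the "investigate such cases" step.
        error_log('visitormail rejected: ' . json_encode($visitorMail));
        return null;
    }
    return "From: webform@example.com\r\nReply-To: $email\r\n";
}

// Demonstration: the unsafe builder emits the injected Bcc line for the malicious
// input; the safe builder rejects it and passes the legitimate address through.
foreach (['legit' => $legit, 'malicious' => $malicious] as $label => $input) {
    echo "[$label] unsafe headers:\n" . buildHeadersUnsafe($input) . "\n";
    $safe = buildHeadersSafe($input);
    echo "[$label] safe headers: " . ($safe === null ? "REJECTED\n" : "\n$safe") . "\n";
}
```

Run it with `php example.php`: the unsafe output for the malicious input contains a separate `Bcc:` line, while the safe builder logs the attempt and returns null. Keep the recipient of the real `mail()` call as a constant on the server rather than anything taken from the request, and do not rely on `mail()` itself to notice the injection; validate before the value ever reaches a header.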