Nobody wants to be spammed, and spam is a growing problem, with 14.5 billion spam emails being sent every single day. In fact, 45% of all sent emails are spam, making it the most annoying form of communication. Spam has been with us since USENET in the early 90s, and even improved spam filters do not completely prevent it (and can sometimes block legitimate emails, causing frustrated users to turn them off).
Because of spam filters, it is cheaper for spammers to infect a machine with malware, send spam from it for a while, then move on once it is blocked: DNS-based blacklists (DNSBLs) will list the IP address of an infected machine after a while. This results in the extra annoyance of your customers receiving spam that appears to be from you. It can also result in your server being blacklisted and your own email being blocked as spam. Sending spam is made even easier by the standard SMTP protocol not requiring any verification of the sender.
Protecting Your Website
How can you prevent your website from becoming a source of spam? Generally, spammers abuse your website by making use of the PHP interpreter's API, specifically the mail() function. This works as follows:
<?php
$to      = 'spamtarget@customedomainname[.]com';
$subject = 'Spam email title';
$message = 'Spam email body';
$headers = 'From: firstname.lastname@example.org' . "\r\n"
         . 'Reply-To: email@example.com' . "\r\n"
         . 'X-Mailer: PHP/' . phpversion();
mail($to, $subject, $message, $headers);
You can see how easy it is to insert this code into a hijacked site. If you use PHPMailer or another mail-sending library, that can also be hijacked, similar to the following:
<?php
// PHPMailer must be loaded first, e.g. via Composer's autoloader
require 'vendor/autoload.php';
use PHPMailer\PHPMailer\PHPMailer;

$mail = new PHPMailer;
// Set who the message is to be sent from
$mail->setFrom('firstname.lastname@example.org', 'First Last');
// Set an alternative reply-to address
$mail->addReplyTo('email@example.com', 'First Last');
// Set who the message is to be sent to
$mail->addAddress('firstname.lastname@example.org', 'John Doe');
// Set the subject line
$mail->Subject = 'PHPMailer mail() test';
// Read an HTML message body from an external file, convert referenced images to embedded,
// convert HTML into a basic plain-text alternative body
$mail->msgHTML(file_get_contents('contents.html'), __DIR__);
// Replace the plain text body with one created manually
$mail->AltBody = 'This is a plain-text message body';
// Attach an image file
$mail->addAttachment('images/phpmailer_mini.png');
$mail->send();
As most websites are PHP based, hackers can write one or two scripts and use them to hijack thousands of sites. So, what can you do about it?
How to Prevent Hackers
1. Disable the mail() function
You can do this in .htaccess by setting php_value disable_functions "mail,..." or in php.ini with disable_functions=mail. Obviously, this won't work if you have a legitimate use for the mail() function, which is sometimes used by contact forms and similar. However, if you do not use mail(), you should disable it. If you are using a custom mailer that does not rely on mail(), disable mail() and check what security features the custom mailer offers. For other kinds of CMS, check the user manual for how to disable the mail function if you are not using it.
2. Run anti-malware software on your website
Proper security monitoring scans your website periodically and checks for hostile code, including malicious PHP mailers. Some monitoring services also handle the cleanup for you, which is worth considering for smaller companies that lack dedicated IT staff. You should choose a service that gives you immediate notification of problems by email and which provides a security seal to help improve user confidence.
3. Run a website firewall
Running a proper website firewall (WAF) blocks malicious and suspicious HTTP requests, meaning that even if hackers have inserted the code they will not be able to activate it. Most WAFs are cloud-based and cost a small subscription fee. (Older WAFs required dedicated software that was often beyond the reach of small businesses, but there is little excuse for going without one now.) Leading anti-malware services also include a WAF subscription, as it makes both your and their lives easier.
4. Learn how to locate a bad script
You can code a WordPress site to log all mail requests sent through it, so you can quickly see which page of your site is sending out the spam. This is particularly useful if you need your website to be able to send emails and thus do not want to disable the mail function. A good website security company negates the need to do this yourself, but if you are having problems it might be worth doing.
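One way to do that logging, as an added example that is not the article's own code: a WordPress must-use plugin hooking the real wp_mail filter and recording who asked for each message and from which file. The plugin file name and log path are assumptions.

```php
<?php
/**
 * Plugin Name: Mail Audit Log (added example, not from the original article)
 * Description: Records every wp_mail() call with recipient, subject, request URL
 *              and the originating file, so the page or script sending spam can be found.
 * Install:     save as wp-content/mu-plugins/mail-audit-log.php (must-use plugins load automatically).
 */

// Log destination (assumption: wp-content is writable; keep the file out of the web root if you can).
define( 'MAIL_AUDIT_LOG', WP_CONTENT_DIR . '/mail-audit.log' );

add_filter( 'wp_mail', 'mail_audit_log_entry', 10, 1 );

/**
 * wp_mail() passes its arguments (to, subject, message, headers, attachments) through
 * this filter before sending. We write one audit line and return them unchanged.
 */
function mail_audit_log_entry( array $args ): array {
    $to      = is_array( $args['to'] ?? '' ) ? implode( ',', $args['to'] ) : (string) ( $args['to'] ?? '' );
    $subject = (string) ( $args['subject'] ?? '' );

    // Walk the call stack to the first frame outside WordPress core and this plugin:
    // that is the theme, plugin or injected file that asked for the mail.
    $origin = 'unknown';
    foreach ( debug_backtrace( DEBUG_BACKTRACE_IGNORE_ARGS ) as $frame ) {
        $file = $frame['file'] ?? '';
        if ( $file === '' || $file === __FILE__ || strpos( $file, ABSPATH . WPINC . '/' ) === 0 ) {
            continue;
        }
        $origin = $file . ':' . ( $frame['line'] ?? '?' );
        break;
    }

    $line = sprintf(
        "%s ip=%s uri=%s origin=%s to=%s subject=%s\n",
        gmdate( 'c' ),
        $_SERVER['REMOTE_ADDR'] ?? 'cli',
        $_SERVER['REQUEST_URI'] ?? ( $_SERVER['argv'][0] ?? '-' ),
        $origin,
        str_replace( [ "\r", "\n" ], ' ', $to ),       // keep one event per line
        str_replace( [ "\r", "\n" ], ' ', $subject )
    );
    error_log( $line, 3, MAIL_AUDIT_LOG );               // type 3 = append to the named file

    return $args;
}
```

The wp_mail filter only sees mail sent through wp_mail(); an injected script that calls PHP's mail() directly bypasses it, so also set mail.log and mail.add_x_header in php.ini, which record the calling script path for every mail() call.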
5. Enable secure connection
Always set up your site so all visitors are coming over HTTPS, and keep your security certificates up to date. Some visitors may not stay on a site that is not served over HTTPS.
6. Check regularly to see if you have been added to the Relay Black Lists
Being listed is a symptom of somebody using your website to send spam, and once you have dealt with it you can apply to have your website delisted. Before doing so you should find and remove any offending scripts, change passwords, and scan your devices for malware. Being on the blacklist can cost you 90% of your web traffic, though, so you should try to get off it as soon as possible. (Being on the RBL will cause a "this site may be compromised" notice to be shown to all of your visitors. Some browsers will not even allow your customers to risk it and click through anyway.)
Like burglars, hackers go for easy targets, so think about the following:
- Make sure that you and your employees use strong passwords (passphrases are best) and change them regularly.
- Keep all software up to date.
- Use robots.txt to keep the admin pages of your site from being indexed by search engines.
- If using WordPress, change the default database prefix to something which does not include the letters 'wp' and is hard to guess. This will disable many hacking scripts on its own. Rename admin and login pages as well, choosing innocuous-sounding names and not telling anyone what they are unless they need to know.
- Store uploaded files outside the root directory - talk to your web host about setting this up.
- Scan all network devices, including phones, for malware regularly.
- Set your forms up so they can't be auto-filled, since many malware scripts abuse this function. However, don't disable right-click: all that does is annoy your legitimate users.
Are You Getting Spoofed?
As a note, if you are sure there are no security problems on your website and people are still saying they are getting spam from you, you are probably being spoofed. Spam that appears to come from your own domain is more likely to be spoofed than the result of a compromised server. Spoofing is actually harder to deal with, in some ways, than an attack. Spoofing is relatively easy and can be done using simple tools. Any mailer that allows manual editing of the From: address allows spoofing, and mail programs differ in how well they can detect it. One way to know if one of your addresses is being spoofed is if you start getting failed bounces of messages you didn't send. If you can, publish DMARC records. This makes it a lot harder for people to spoof you. Other than that, there is not much you can do other than educate your customers, if possible, on how to detect spoofed messages.
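As an added example (not part of the original article), this PHP snippet shows what a DMARC record contains and checks whether a domain publishes one; the sample record, domain and report address are constructed.

```php
<?php
// Added example: publish and verify a DMARC record. A DMARC record is a TXT record at
// _dmarc.<yourdomain>. Constructed sample (the domain and report address are placeholders):
//
//   _dmarc.example.com.  IN TXT  "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=s"
//
// p=          what receivers do with mail that fails SPF/DKIM alignment: none, quarantine or reject
// rua=        where aggregate reports about who is sending as your domain are delivered
// adkim/aspf  strict (s) alignment: the From: domain must match the DKIM/SPF domain exactly

/** Split a DMARC TXT record into tag => value pairs; returns [] if it is not a DMARC record. */
function parse_dmarc( string $txt ): array {
    $tags = [];
    foreach ( explode( ';', $txt ) as $pair ) {
        if ( strpos( $pair, '=' ) === false ) {
            continue;
        }
        [ $k, $v ] = array_map( 'trim', explode( '=', $pair, 2 ) );
        $tags[ strtolower( $k ) ] = $v;
    }
    return ( ( $tags['v'] ?? '' ) === 'DMARC1' ) ? $tags : [];
}

/** Look up the live record for a domain (needs DNS; returns '' if none is published). */
function fetch_dmarc( string $domain ): string {
    foreach ( dns_get_record( "_dmarc.$domain", DNS_TXT ) ?: [] as $rr ) {
        if ( stripos( $rr['txt'] ?? '', 'v=DMARC1' ) === 0 ) {
            return $rr['txt'];
        }
    }
    return '';
}

/** Verdict a site owner can act on. */
function dmarc_verdict( string $txt ): string {
    $tags = parse_dmarc( $txt );
    if ( ! $tags ) {
        return 'No DMARC record: receivers have no policy for mail that fails SPF/DKIM for your domain.';
    }
    $p = $tags['p'] ?? 'none';
    if ( $p === 'none' ) {
        return 'DMARC p=none only monitors; move to quarantine or reject once your real senders pass SPF/DKIM.';
    }
    $reports = isset( $tags['rua'] ) ? 'aggregate reports go to ' . $tags['rua'] : 'no rua= tag, so you will not see who is spoofing you';
    return "DMARC p=$p; $reports.";
}

// Constructed sample so the check runs offline; swap in fetch_dmarc( 'yourdomain.example' ) for a live check.
$sample = 'v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=s';
echo dmarc_verdict( $sample ), PHP_EOL;
```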
Protect Yourself and Your Website
The best thing you can do to avoid being a source of spam, though, is to monitor your website for malware insertion and practice good cyber hygiene in general. Try not to be the easy target that spammers go after - protect yourself and your customers by keeping your website secure and if you do have a spam problem, deal with it as quickly as you can.