
PHP mail form is being abused

Submitted by: @import:stackexchange-codereview

Problem

I'm nowhere near a PHP expert, but I have dabbled a bit. I can make things work just fine, but I am terrible at figuring out what is wrong. I was informed by our server admin that we have a mail script that is being abused, and I am unsure of how to remedy the issue.

I am looking for help to see how someone is using this form to send out spam mail. The issue is that we got a bounce-back email sent from an address that doesn't exist to a Hotmail address using this form. As far as I know, this form ONLY sends email to the $recipient, which is neither this non-existent email nor this Hotmail address. I am trying to figure out a way to secure this form so that individuals cannot abuse it and send mail to others through it.


// error message in here, removed for SE as unrelated to problem


This is the message my server admin sent me:

-----Original Message-----
From: MAILER-DAEMON@ss2.site-hosts.com
[mailto:MAILER-DAEMON@ss2.site-hosts.com]
Sent: Monday, August 04, 2014 2:47 PM
To: anonymous@ssasi.site-hosts.com
Subject: failure notice

Hi. This is the qmail-send program at ss2.site-hosts.com.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

:
65.55.37.104 does not like recipient.
Remote host said: 550 Requested action not taken: mailbox unavailable Giving up on 65.55.37.104.

--- Below this line is a copy of the message.

Return-Path:
Received: (qmail 6348 invoked by uid 2523); 4 Aug 2014 14:47:01 -0500
X-Qmail-Scanner-Diagnostics: from
199.192.201.219.rdns.continuumdatacenters.com by ss2.site-hosts.com (envelope-from , uid 2020) with qmail-scanner-2.10st
(clamdscan: 0.98.4/19261. mhr: 1.0. spamassassin: 3.3.2. perlscan:
2.10st.
Clear:RC:1(199.192.201.219):.
Processed in 0.024127 secs); 04 Aug 2014 19:47:01 -0000
Received: from 199.192.201.219.rdns.continuumdatacenters.com (HELO
ssasi.site-hosts.com) (199.192.201.219)
by ss2.site-hosts.com with ESMTPA; 4

Solution

Your script is vulnerable to a header-splitting attack. Due to the poor design of PHP's mail() function, it is actually quite easy to introduce that kind of security hole.

In summary, if…

  • any part of the mail headers consists of user-supplied input,
  • and you didn't make any effort to prohibit newlines or escape that input,

then you will have a program that can send mail to any recipient of the attacker's choice.

Validation problems

As @EmanuelePaolini points out, you do make an attempt to validate $_POST['email']:

$email = check_input($_POST['email'],"Email address is required.");
# …

if (!preg_match("/([\w\-]+\@[\w\-]+.[\w\-]+)/",$email))
{
    show_error("E-mail address is not valid.");
}


However, the regular expression is not anchored with ^ and $ at each end. Therefore, the code confirms that $_POST['email'] contains an e-mail address, but it fails to enforce that it contains nothing but a single e-mail address.

On the other hand, the regular expression is also too strict: it rejects many valid characters that can legally appear in an e-mail address. Read RFC 5322 Sec 3.4 for the specification, or this summary of the older RFC 822 standard.
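The following PHP script is an added example, not code from the question or the answer. It places the question's unanchored regex beside a stricter check, builds a header string the way the vulnerable form is assumed to (user input concatenated into From: and Reply-To:, which is an assumption about the form, not its exact code), and runs a constructed header-injection payload through both. Nothing is sent; the point is to see which check lets a CRLF-smuggled Bcc: header through. All addresses in the payload are made up.

```php
<?php
// Added example (not from the original question or answer): demonstrates why
// the unanchored regex accepts a header-injection payload and how a strict
// check rejects it. build_headers() returns the string that would be passed
// as the fourth argument of mail(); no mail is actually sent here.

declare(strict_types=1);

// The question's original check, verbatim: unanchored, and the '.' before the
// TLD is unescaped, so it matches any character. Anything containing an
// address-like substring passes, including text with embedded newlines.
function validate_loose(string $email): bool
{
    return (bool) preg_match('/([\w\-]+\@[\w\-]+.[\w\-]+)/', $email);
}

// Hardened check: exactly one address and nothing else. FILTER_VALIDATE_EMAIL
// already refuses CR, LF and other whitespace, so no extra header line can
// ride along; the explicit CR/LF test is belt and braces and documents intent.
function validate_strict(string $email): bool
{
    if (preg_match('/[\r\n]/', $email) === 1) {
        return false;
    }
    return filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}

// Assumed shape of the form's header construction (not the original's code):
// user input goes straight into two header fields.
function build_headers(string $email): string
{
    return "From: $email\r\n" . "Reply-To: $email\r\n";
}

// What the form should do: validate first, then hand mail() a header string
// that can only ever contain the single address that passed validation.
function send_contact(string $recipient, string $subject, string $message, string $email): bool
{
    if (!validate_strict($email)) {
        return false;
    }
    return mail($recipient, $subject, $message, build_headers($email));
}

// Constructed attacker payload: a plausible address, then CRLF, then a Bcc:
// header. mail() passes the fourth argument to the MTA line by line, so the
// injected line becomes a real header and the spam goes to the Bcc targets.
$payload = "visitor@example.com\r\nBcc: target@hotmail.example, other@example.net";

echo "loose check accepts payload:  ", var_export(validate_loose($payload), true), PHP_EOL;
echo "strict check accepts payload: ", var_export(validate_strict($payload), true), PHP_EOL;
echo "headers the vulnerable form would send:", PHP_EOL, build_headers($payload);
```

The loose regex matches the leading `visitor@example.com` and ignores everything after it, so the payload passes and the injected `Bcc:` line reaches the MTA as a header. Anchoring the regex with `^` and `$` would also stop this particular payload, but `filter_var()` with `FILTER_VALIDATE_EMAIL` is both stricter about newlines and more permissive about characters RFC 5322 actually allows, which addresses the "too strict" complaint in the answer at the same time. The same rule applies to any other user-controlled value that lands in a header, the subject included.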


Context

StackExchange Code Review Q#59130, answer score: 27
