Unsecured contact form on website built with PHP uses sendmail to send out spam

Symptoms

• Plesk > Tools & Settings > Outgoing Mail Control reports outgoing spam attempts after a hard limit for outgoing messages is set and mail is disabled for the domain example.com
• Log entries similar to the following are visible within /var/log/maillog:

  # cat /var/log/maillog | grep example.com Jan 20 13:16:38 webhost plesk-sendmail[6990]: S6990: from=<randomemail@example.org> to=<info@example.com>,<randomemail@example.org>
  Jan 20 13:16:38 webhost plesk-sendmail[6991]: S6990: add-from: stderr: SKIP
  Jan 20 13:16:38 webhost plesk-sendmail[6991]: S6990: py-limit-out: stderr: INFO:__main__:REJECT message as system user is not allowed to use sendmail
  Jan 20 13:16:38 webhost plesk-sendmail[6991]: S6990: py-limit-out: stderr: DATA REPLY:554:5.7.0 The message could not be sent. You are not allowed to use sendmail utility.
  Jan 20 13:16:38 webhost plesk-sendmail[6991]: S6990: py-limit-out: stderr: REJECT

• The global PHP error logs contain errors similar to the following:

  # egrep -Ri sendmail /var/log/plesk-php*-fpm/error.log
  /var/log/plesk-php80-fpm/error.log:[20-Jan-2023 12:42:15] WARNING: [pool example.com] child 10090 said into stderr: "Mail handler 'limit-out' said: REPLY:554:5.7.0 The message could not be sent. You are not allowed to use sendmail utility."

• /var/www/vhosts/example.com/logs/access_log contains many entries suggesting regular access to the contact form on the website:

  203.0.113.2 - - [20/Jan/2023:13:56:52 -0500] "GET /contact HTTP/1.0" 200 5431 "http://www.example.com/contact" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36"
  203.0.113.2 - - [20/Jan/2023:13:56:52 -0500] "POST /contact/send_mail HTTP/1.0" 200 2787 "http://www.example.com/contact" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36"
  203.0.113.3 - - [20/Jan/2023:13:58:06 -0500] "GET /contact HTTP/1.0" 200 5431 "http://www.example.com/contact" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4400.8 Safari/537.36"
  203.0.113.3 - - [20/Jan/2023:13:58:07 -0500] "POST /contact/send_mail HTTP/1.0" 200 2787 "http://www.example.com/contact" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4400.8 Safari/537.36"

• Once you visit the contact form of the website, it does not seem to use modern security measures (Captchas, for example)
• The page source for the contact form includes lines that are similar to the following:

  <form id="contact-form" class="form" action="http://www.example.com/contact/send_mail" method="POST" role="form">

Cause

Outdated and unsecured contact form on a PHP-based website is abused by an outside party in an attempt to send spam messages via the sendmail service on the server.

Since the messages are initiated via the contact form, the attempts to deliver them begin with an attempt to deliver the message to the mailbox that the contact form is configured to work with.

Resolution

Update the contact form residing on the website script in order to make it secure enough to avoid being abused easily by an outside party.

Alternatively, you may disable the sendmail utility for the domain that is involved by following the steps in this article:

How to disable PHP mail() function for a spamming domain on Plesk for Linux server?