
This page documents the ATTACK_DETECTION_SPECIALS configuration setting in FormMail.

Type Of Setting

ATTACK_DETECTION_SPECIALS is a LEAVE setting, which means...

LEAVE : you can change this setting if you really need to and know what you're doing, but we recommend that you leave this setting unchanged.


Enables the "email address in a special field attack" detection.


Set ATTACK_DETECTION_SPECIALS to false if you don't want FormMail's attack detection to check for the "email address in a special field" attack.

This attack detection logic checks certain special fields for the presence of an email address. The special fields that are checked would never have an email address in them, so the presence of an email address indicates an attack on your FormMail.

The special fields that are checked are:

  • derive_fields
  • required
  • mail_options
  • good_url
  • bad_url
  • good_template
  • bad_template
  • subject (from FormMail version 8.00)

The list of fields checked is specified in the settings ATTACK_DETECTION_SPECIALS_ONLY_EMAIL and ATTACK_DETECTION_SPECIALS_ANY_EMAIL.

ATTACK_DETECTION_SPECIALS_ONLY_EMAIL lists the fields to check for containing only an email address. This means the whole field must comprise just an email address in order to be detected as an attack.

ATTACK_DETECTION_SPECIALS_ANY_EMAIL lists the fields to check for containing an email address anywhere in the field. This means if any part of the field contains an email address, it's detected as an attack.

If your "subject" field can validly contain an email address, you will need to remove "subject" from the list of fields specified in ATTACK_DETECTION_SPECIALS_ANY_EMAIL.

The special fields "derive_fields" and "mail_options" can validly contain an email address within them. However, they are listed in ATTACK_DETECTION_SPECIALS_ONLY_EMAIL, so the logic looks only at the whole field value, not at a part of it. It is never valid for these fields to contain only an email address.

It's also possible that you might use an email address as a parameter to your "good_url", "good_template", "bad_url", or "bad_template" fields, so they are also listed in ATTACK_DETECTION_SPECIALS_ONLY_EMAIL instead of ATTACK_DETECTION_SPECIALS_ANY_EMAIL.
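
The difference between the two lists, as an added PHP sketch (not FormMail's own code). The function name, the simplified email pattern, the sample submission and the list contents used here are assumptions for illustration, not FormMail's shipped defaults.

```php
<?php
// Added illustration; not FormMail's source. The email pattern is a
// deliberately simple assumption, not the pattern FormMail uses.
const EMAIL_PATTERN = '[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+';

/**
 * Return the names of submitted special fields that would be flagged.
 * $onlyEmail: fields flagged only when the whole value is an email address.
 * $anyEmail:  fields flagged when an email address appears anywhere.
 */
function find_special_field_attacks(array $fields, array $onlyEmail, array $anyEmail): array
{
    $flagged = [];
    foreach ($fields as $name => $value) {
        if (!is_string($value)) {
            continue; // array-valued form fields are skipped in this sketch
        }
        $value = trim($value);
        if (in_array($name, $onlyEmail, true)) {
            // Anchored match: the entire value must be one address.
            if (preg_match('/^' . EMAIL_PATTERN . '$/D', $value) === 1) {
                $flagged[] = $name;
            }
        } elseif (in_array($name, $anyEmail, true)) {
            // Unanchored match: an address anywhere in the value.
            if (preg_match('/' . EMAIL_PATTERN . '/', $value) === 1) {
                $flagged[] = $name;
            }
        }
    }
    return $flagged;
}

// Illustrative lists built from the fields this page names (assumption).
$onlyEmail = ['derive_fields', 'required', 'mail_options',
              'good_url', 'bad_url', 'good_template', 'bad_template'];
$anyEmail  = ['subject'];

// Constructed sample submission.
$submission = [
    'required' => 'someone@example.com',          // whole value is an address
    'good_url' => 'https://www.example.com/thanks.php?to=user@example.com',
    'subject'  => 'Enquiry for someone@example.com', // address inside the text
    'email'    => 'visitor@example.org',          // not a special field
];

print_r(find_special_field_attacks($submission, $onlyEmail, $anyEmail));
```

Moving "subject" out of the second list, as described above for forms whose subject can validly contain an address, stops that field from being flagged.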

Note that Tectite FormMail has always been invulnerable to this type of attack - your server is safe with Tectite FormMail.

The purpose of the ATTACK_DETECTION_SPECIALS setting is to allow you to ignore these attacks (no errors or alerts will be sent to you) and to send the user/attacker to an explanatory page.

Default Value

From version 9 onwards:


$ATTACK_DETECTION_SPECIALS_ONLY_EMAIL = array("derive_fields","required",


Before version 9:


$ATTACK_DETECTION_SPECIALS_ONLY_EMAIL = array("derive_fields","required",



See Also