The entire langset.php file should be changed to: <?php defined( '_VALID_MOS' ) or die( 'Direct access is prohibited.' ); global $mosConfig_lang; if (file_exists("$comPath/custom/".$mosConfig_lang.".php")) { include("$comPath/custom/".$mosConfig_lang.".php"); } else { require("$comPath/custom/english.php"); } ?> The spam expolit occurs because the original file does not test VALID_MOS. This vulnerability exists in build 1.8.1 and earlier.