beavis - 3:12 am on Jan 28, 2007 (gmt 0)
My web form submission process is as follows:

1. User enters data into fields (name, e-mail, phone, alt phone, address, comments, etc.)
2. User presses submit.
3. Data is posted to a commercial form processing script (http://www.mydomain.com/formscript.asp?form=#*$!)
4. Form processing script performs server-side validation of fields.
5. Form processing script saves submitted fields to database.
6. Form processing script calls e-mail component to send form field data to client.
7. Confirmation page is displayed to user.

Recently, I have noticed hundreds of spam entries in my database. The name, e-mail, and phone number fields (required for the form to validate) contain bogus data that validates. The comments section contains a link to an online pharmacy that I traced to the Ukraine. I am not sure of the entry point this spam bot is using. While it could be loading my page, automatically filling in the form, then submitting, after reading WebmasterWorld, I believe the bot is more likely directly calling the script from a remote server. The purpose, of course, is to send spam e-mail for the pharmacy website. But I am a little puzzled on exactly how this is being accomplished.

When I check the name, e-mail, alt phone, address, comment and other fields that have been saved, I do not find the expected long list of e-mail addresses. Likely, there is some way that the bot is passing the script a list of e-mail addresses outside of the fields that are saved in the database. If anyone knows how this is possible, please explain it to me. From my reading, I have learned that the bot could somehow call the script and pass on a huge list of "BCC" e-mail addresses to send the spam message to by utilizing virtually any field. The other, less likely, possibility is that the bot is not sneaking a big list of e-mail addresses into the script, but just hoping to advertise the pharmacy to the form recipient. Because of the way my forms are processed, my end users are not actually receiving these spam submissions. This is the one bit of good news. I could perhaps ignore this whole problem were it not for the annoyance of seeing the bogus data in my otherwise clean database of submissions and also out of fear that e-mail from my domain could be blacklisted.

However, I don't really know whether there is a way to implicate my domain or even my host's mail server in the scheme. As far as battling the spam, I have the option of upgrading to a new version of my form processor that uses CAPTCHA, but I am wary of using this because I fear that the bot may simply learn to call the script at a point past the CAPTCHA verification. Another common solution that I have read about is to hide an input field with CSS and try to entice the bot to fill it in. Then, if the field contains data, the submission is spam. Unfortunately, my form processor doesn't contain this functionality, and since the bot has already figured out how to successfully call the script, I don't think the method would work anyway. What I may try to do is modify the e-mail component to look for requests to send e-mail to multiple users and just terminate if this happens. While this would not rid me of the annoyance of seeing the bogus entries in my form submission database, at least it would defeat the spammer's primary purpose. If anyone knows of threads that discuss how I could configure my e-mail component to snoop for spam attempts and abort if they are found, I would appreciate the links. I am using the CDOSYS component. Also, any other ideas would be appreciated.

Am I thinking clearly here? Any suggestions in this battle?
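The mechanism the post is asking about, as an added example that is not part of the original post and not the ASP/CDOSYS form processor it describes: if a mail component pastes form fields straight into message headers, a field value containing a CR/LF followed by "Bcc:" becomes an extra header line, and the mail server delivers to every address in it, none of which appear in the saved fields. The Python below builds a message the careless way, shows the smuggled recipients, and then applies the two checks the poster is considering: rejecting fields that contain line breaks or address lists before sending, and counting recipients on the finished message and aborting if there is more than one. All addresses, domains and submissions are constructed for the example.

```python
# Added example (not from the post or the commercial form processor it
# describes). Demonstrates e-mail header injection through a form field
# and two checks that stop it. Python stands in for the ASP/CDOSYS code,
# whose real behaviour is unknown and assumed here.
import email
import re
from email import policy

# Constructed sample submissions. The first is what a human would type;
# the second embeds a CRLF so the "name" value spills into a new header.
CLEAN_SUBMISSION = {
    "name": "Jane Doe",
    "email": "jane@example.org",
    "comments": "Please call me back.",
}
INJECTED_SUBMISSION = {
    "name": "Jane Doe\r\nBcc: victim1@example.net, victim2@example.net",
    "email": "jane@example.org",
    "comments": "Cheap pills at http://pharmacy.example/",
}

# Hypothetical recipient of the form, i.e. the "client" in the post.
FORM_RECIPIENT = "client@mydomain.example"


def build_message_naively(fields, recipient=FORM_RECIPIENT):
    """Assemble a raw RFC 5322 message the way a careless processor might:
    every field is concatenated straight into a header or the body."""
    return (
        f"From: {fields['email']}\r\n"
        f"To: {recipient}\r\n"
        f"Subject: Form submission from {fields['name']}\r\n"
        "\r\n"
        f"{fields['comments']}\r\n"
    )


def recipients_of(raw_message):
    """Return every address in To/Cc/Bcc headers as a mail server would
    see them after parsing the raw text (injected headers included)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    addrs = []
    for header in ("To", "Cc", "Bcc"):
        for value in msg.get_all(header, []):
            addrs.extend(a.addr_spec for a in value.addresses)
    return addrs


# Check 1: refuse input that could start a new header line.
HEADER_BREAK = re.compile(r"[\r\n]")
SINGLE_ADDRESS = re.compile(r"[^\s,;<>]+@[^\s,;<>]+\.[^\s,;<>]+")


def field_is_safe_for_header(value, max_len=200):
    """True if the value contains no CR/LF and is not suspiciously long
    (a smuggled address list is long); False otherwise."""
    return not HEADER_BREAK.search(value) and len(value) <= max_len


def screen_submission(fields):
    """Return (ok, reason) before any mail is built."""
    for name in ("name", "email"):
        if not field_is_safe_for_header(fields[name]):
            return False, f"{name} contains a line break or is too long"
    if SINGLE_ADDRESS.fullmatch(fields["email"]) is None:
        return False, "email is not a single address"
    return True, ""


# Check 2: the poster's own idea, applied after the message is built.
def recipient_count_ok(raw_message):
    """True only if the finished message would go to exactly one address."""
    return len(recipients_of(raw_message)) == 1


def send_if_clean(fields):
    """Return (raw_message, reason); raw_message is None when aborted."""
    ok, reason = screen_submission(fields)
    if not ok:
        return None, reason
    raw = build_message_naively(fields)
    if not recipient_count_ok(raw):
        return None, "message would reach more than one recipient"
    return raw, ""
```

Either check alone stops this particular payload; the field-level check is the one to keep, because the recipient count only tells you about the message after the unsafe concatenation has already happened and says nothing about other injectable headers.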