rocknbil - 11:33 am on Jan 28, 2007 (gmt 0)
They are doing this with automated programs that only visit your form to collect the form field names and the post URL. From then on it's a direct command-line request to the form processor. Unless you have specific reasons for allowing any HTML - if it's in the submission, stop the process. Same is true of [forum] [style] [links]. Also bcc and multipart-form/data have no place in form input. Always log any submitted form data. This reveals so much more than your server logs ever will.
There is a post here that brought up a deceptively simple way to nix these attacks. Simply put an EMPTY hidden field in your form. The field is to be submitted blank. If there's data in it - poof. Bots will populate it.
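The checks described in the post above, sketched as a server-side form filter. This is an added example, not code from the post: the honeypot field name `website`, the function name, and the exact patterns (including reading "[forum] [style] [links]" as `[url]`/`[link]` tags) are assumptions.

```python
import logging
import re

log = logging.getLogger("form_guard")

# Hypothetical field name: rendered as an empty hidden input, never filled by a person.
HONEYPOT_FIELD = "website"

# Content the post says has no place in ordinary form input.
REJECT_PATTERNS = [
    ("html", re.compile(r"<\s*/?\s*[a-z!][^>]*>", re.IGNORECASE)),
    ("forum-style link", re.compile(r"\[\s*(url|link)\b[^\]]*\]", re.IGNORECASE)),
    ("mail header", re.compile(r"\bbcc\s*:|multipart/", re.IGNORECASE)),
]


def check_submission(fields):
    """Return (accepted, reason) for a dict of submitted form fields (all strings)."""
    # Log every submission first; %r escapes embedded newlines so a
    # submitted value cannot forge extra log lines.
    log.info("form submission: %r", fields)

    # The honeypot must come back blank. Rejecting a missing field as well
    # is stricter than the post (assumption: browsers always send the
    # empty hidden input, so its absence means the form was not used).
    if fields.get(HONEYPOT_FIELD) != "":
        return False, "honeypot"

    for name, value in fields.items():
        for label, pattern in REJECT_PATTERNS:
            if pattern.search(value):
                return False, f"{label} in {name}"
    return True, "ok"


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    # Constructed sample submissions, not real traffic.
    samples = [
        {"name": "Ann", "message": "Is 3 < 4 a bug?", "website": ""},
        {"name": "bot", "message": "hello", "website": "http://spam.example"},
        {"name": "bot", "message": "[url=http://spam.example]buy[/url]", "website": ""},
    ]
    for sample in samples:
        print(check_submission(sample))
```
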