lucy24 - 10:11 am on Jul 10, 2013 (gmt 0)
What does the request look like when it passes through your server?
:: quick detour here to experiment, with unhelpful discovery that it comes through in my case as POST to the mail-handling page, but the form fields aren't visible to the naked eye as parts of a query string ::
:: further detour to PHP page ::
I've got a series of lines containing
etc. So in that format I'd check for $_REQUEST[anything-not-on-the-approved-list]. Or at least $_REQUEST[specific-bad-things-here].
It would be a ### of a lot easier if it came through as a POST request with everything in plain sight in the query string. Then you could just check the request in htaccess, before even getting near the page, and slam a 403 on anything with an unwanted parameter.
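An allowlist check of the kind described in the post above, as an added example that is not part of the original post. The field names, the function names and the array-value check are assumptions, and the sample requests are constructed.

```php
<?php
// Added example. APPROVED_FIELDS holds hypothetical form field names.
const APPROVED_FIELDS = ['name', 'email', 'subject', 'message'];

/** Names of submitted parameters that are not on the approved list. */
function unexpected_fields(array $params, array $approved): array
{
    return array_values(array_diff(array_keys($params), $approved));
}

/** HTTP status to answer with: 200 to continue, 403 to refuse. */
function guard_request(array $params, array $approved = APPROVED_FIELDS): int
{
    if (unexpected_fields($params, $approved) !== []) {
        return 403; // a parameter that the form never sends
    }
    foreach ($params as $value) {
        if (!is_string($value)) {
            return 403; // array-style input such as email[]=...
        }
    }
    return 200;
}

// Constructed sample requests (parameter name => value).
$samples = [
    'normal form post'   => ['name' => 'Ann', 'email' => 'ann@example.com', 'message' => 'hi'],
    'extra parameter'    => ['name' => 'Ann', 'redirect' => 'http://example.net/'],
    'array in a field'   => ['name' => 'Ann', 'email' => ['a@example.com', 'b@example.com']],
];

foreach ($samples as $label => $params) {
    printf("%-18s => %d  unexpected: [%s]\n",
        $label,
        guard_request($params),
        implode(', ', unexpected_fields($params, APPROVED_FIELDS)));
}

// In the mail-handling page itself, before any other processing:
//   $status = guard_request($_GET + $_POST);
//   if ($status !== 200) { http_response_code($status); exit; }
// $_GET + $_POST is used instead of $_REQUEST because $_REQUEST can also
// contain cookies, depending on the request_order setting.
```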