
Forms questions.

tonynoriega

4:29 pm on Dec 6, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I'm getting forms sent to my email, from my site, that have bogus information in them...

What I want to do is keep my form from processing requests with email addresses from my domain....

But I can't figure out if I should do it server side or client side...

Both?

And how?

thanks

Robin_reala

5:13 pm on Dec 6, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I'm not entirely sure what you mean, but in situations like this you should always do your processing serverside. The people who are spamming your form are probably not even bothering with the main page - just feeding in the details + address they need to submit to into a bot.

tonynoriega

10:21 pm on Dec 6, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



What I meant was, I'm getting forms sent to my email with:

junkaddress@myexamplecompany.com

and most likely any customers are not coming from my company...

So I want to be able to block any forms that are trying to process with an email address of my company....

thanks

eelixduppy

10:25 pm on Dec 6, 2006 (gmt 0)



What are you using to process the form? (PHP, Perl, etc..)

tonynoriega

10:34 pm on Dec 6, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



classic ASP.

penders

12:18 pm on Dec 7, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Presumably users can enter an email address into your form, and your ASP script is constructing an email, substituting this email address into the FROM field of the email(?)

The problem is that today it may be "junkaddress@myexamplecompany.com", but tomorrow it's "junkaddress@anotherfakecompany.com" and so on...

It could be a robot that is auto-submitting the form, in which case there could be something else you could filter your form submissions on... perhaps the user agent is a bit of a strange one?! Entering identical information in more than one field...?

If it is a robot, then almost certainly any client-side JS is being bypassed.

The quick fix... in your form-to-email ASP script (server-side), at the point you read and validate your form data (before the construction of the email), you simply need to check for the invalid email address/data and halt execution.

Well, that's a very high level approach... any specifics are really down to how your ASP script handles the form I reckon... maybe one for the ASP forum?

rocknbil

9:48 pm on Dec 8, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member


Tony, are these addresses with YOUR domain name, more like

here1@yourdomain.com
here2@yourdomain.com
here3@yourdomain.com

?

If so this is a pretty common ploy. Usually there are other patterns in their submissions that are troublesome too, such as content-type and bcc.

If this is the case, do it directly in your ASP script. Do a pattern match on @yourdomain.com, if it exists, error out. There is no reason for anyone at your domain to submit your own forms, correct?

Also the BCC and content-type are troublesome. Even though your mailer doesn't have a BCC, what they do is insert a newline in one of the mail headers and create **their own** BCC, then insert hundreds of email addresses in there.

content-type is often input as content-type:multipart so they can insert an entire message in the hopes that your script will send out their second part.

Neither of these have any place in any part of a web form, so do a pattern match on them and error out if found.

Lately I've been getting a lot of link spam too, trying to send links as <a href> or [a href], so it's probably a good idea to kill those as well unless you have specific reasons for letting someone submit HTML links.

Also, I've said it before, I'll say it again: LOG all data input from your forms. This is fundamental to putting a stop to form abuse. Form data does not turn up in access logs as you'd expect; just create a log file and write all input data to it (with an IP address), and you will be astounded at what you will find.

tonynoriega

10:43 pm on Dec 8, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Yes, that is what I am receiving....

Now, pardon my ignorance, but how would you actually code to deny any addresses at my own domain? Here is a snippet of my client side validation.
<SCRIPT language="Javascript">
var oErrors = new Array();   // messages collected during one validation pass
var lCount = 0;              // number of messages in oErrors

// Record an error if the value is empty or whitespace only.
function ValidString(sValue, sMessage) {
  if (sValue.replace(/^\s+|\s+$/g, "") == "") oErrors[lCount++] = sMessage;
}

// Record an error unless the value looks like a single address: local@domain.tld
function ValidEmail(sValue, sMessage) {
  if (!/^[^\s@,;]+@[^\s@,;]+\.[^\s@,;]+$/.test(sValue)) oErrors[lCount++] = sMessage;
}

// Show the collected errors; returns true if there were any.
function ShowErrors() {
  if (lCount == 0) return false;
  alert(oErrors.join("\n"));
  return true;
}

function ValidForm() {
  var oForm = document._form;
  oErrors = new Array();
  lCount = 0;
  ValidString(oForm.reqName.value, "Please fill in your Name.");
  ValidString(oForm.city.value, "Please fill in your City.");
  ValidString(oForm.state.value, "Please fill in your State.");
  ValidString(oForm.reqAreaCode.value, "Please fill in your Area Code.");
  ValidString(oForm.reqPhoneNumber.value, "Please fill in your complete Phone Number.");
  ValidEmail(oForm.email.value, "Please fill in a Valid Email Address.");
  return !ShowErrors();   // submit only when no errors were recorded
}
</SCRIPT>

And I've been told twice to log data, and am almost clueless on how to do that... I saw a sample in another post, but should I use an SQL table, or an Access database file?

rocknbil

9:45 pm on Dec 9, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Well Tony, it's a little more elaborate than that - first realize one thing:

Most of these attacks are queries DIRECTLY to your script. They are not done in a browser. So anything you do in Javascript will not help. You need to do this on the server side, directly in your ASP code.

Do you do your own coding or is this a canned script? You will need someone to alter the code so it does a regular expression match on the pattern - that is, "email = '@yoursite.com'" won't work, it needs to be a match pattern that equates to "if the email ends with @yoursite.com".

There are other things you need to do as well - make sure it's ONE email address, not a comma separated list, etc.

Logging is pretty simple, you can store it in a database but the simplest method is to open a plain text file on your server and add all the submitted contents to it. Again, this is something you would do directly on the server.

My ASP is a little rusty so can't give you examples, but with sufficient searching you can find appropriate resources.
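The server-side checks rocknbil describes in his two posts (own-domain address, newline/Bcc/content-type header injection, one address only, HTML links, and logging every submission with an IP), as an added example that is not code from the thread or from any poster. It is written in JavaScript so it runs stand-alone; the same logic belongs in the ASP script before the mail is built. The domain name, the field names and the sample submission are assumed.

```javascript
// Added example, not code from the thread: server-side screening of a contact-form
// submission. The same checks would go in the ASP script before the mail is built.
var OWN_DOMAIN = "myexamplecompany.com";   // assumed: the site's own domain

// A bare CR/LF in a value that lands in a mail header lets the submitter append
// headers of their own (Bcc:, Content-Type: multipart, ...), as the thread describes.
var CR_OR_LF = /[\r\n]/;
// Header names that have no business in any form field, wherever they appear.
var SMUGGLED_HEADER = /\b(bcc|content-type|mime-version)\s*:/i;
var HTML_OR_BB_LINK = /<\s*a\s[^>]*href|\[\s*a\s+href|\[url\b/i;   // link spam
var ONE_ADDRESS = /^[^\s@,;<>]+@[^\s@,;<>]+\.[^\s@,;<>]+$/;        // exactly one address

// fields: name -> submitted value; headerFields: the names copied into mail headers
// (From, Subject). Returns the reasons to reject; an empty list means "ok to mail".
function screenSubmission(fields, headerFields) {
  var reasons = [];
  for (var name in fields) {
    var value = String(fields[name]);
    if (headerFields.indexOf(name) !== -1 && CR_OR_LF.test(value))
      reasons.push(name + ": line break in a header-bound field");
    if (SMUGGLED_HEADER.test(value)) reasons.push(name + ": mail header in form data");
    if (HTML_OR_BB_LINK.test(value)) reasons.push(name + ": HTML/BB link");
  }
  var email = String(fields.email || "").trim();
  if (!ONE_ADDRESS.test(email)) reasons.push("email: not a single address");
  else if (email.toLowerCase().endsWith("@" + OWN_DOMAIN))
    reasons.push("email: address at our own domain");
  return reasons;
}

// One tab-separated log line per submission: time, IP, verdict, then every field
// with CR/LF escaped so a forged newline cannot also forge a second log entry.
function logLine(ip, fields, reasons, when) {
  var parts = [(when || new Date()).toISOString(), ip, reasons.length ? "REJECT" : "ACCEPT"];
  for (var name in fields)
    parts.push(name + "=" + String(fields[name]).replace(/\r/g, "\\r").replace(/\n/g, "\\n"));
  if (reasons.length) parts.push("reasons=" + reasons.join("; "));
  return parts.join("\t");
}

// Constructed sample: the kind of forged submission the thread describes.
var sample = { reqName: "Bob\nBcc: victim@example.net", email: "here1@myexamplecompany.com", city: "x" };
console.log(logLine("203.0.113.5", sample, screenSubmission(sample, ["reqName", "email"])));
```

Fields that legitimately contain line breaks (a message textarea) should be left out of headerFields; the Bcc:/Content-Type: check still applies to them.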

Candid India

4:14 am on Dec 11, 2006 (gmt 0)



In the problem you mention, you must do all the processing at the server side, as client side processing may not be so feasible.