Persistent Formmail Spammer

outland88

7:33 pm on Oct 19, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I’ve had an incredibly persistent pharmacy formmail spammer for the past 4-6 months. Tried dozens of minor tricks and some major tricks to thwart them. They jump to about 20-50 new proxies and comment forums daily. I use NMS Formmail. The latest trick I used was fixing field lengths in some areas. This I don’t like to use because it can hurt legitimate traffic. These people promptly ran right through it as if it didn’t exist. I’ve tested the script and I can find no problems.

This is the only spammer I haven't beaten. Anybody with some good quick tricks? I finally had to shut down the form on another site because it's a pain to wade through the bad to find the legitimate. I'd like to keep one form functioning.

Quadrille

4:10 pm on Oct 20, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Change the field parameters.

Instead of email, use 'tablecloth'; instead of name, use 'widgeon'; instead of date, use 'splendid'.

Beats all robots; if this one persists, then you have a stalker, and worrying about the form is the least of your worries.

outland88

7:45 pm on Oct 20, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Don't see how that would help. The spammers seem to be directly accessing the form URL. I beat off 99% of bots just by changing the script name. But I love to test, so why not.

It's akin to a click army of posters who, once they have the URL of the form, pound it to death. The fact that they have one lone account at AOL Hometown makes me wonder if it is a stalker. The fact is it has earmarks of both a lone poster and multiple ones.

outland88

8:24 pm on Oct 20, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I tell you what's funny. I've used quite a few tricks effectively in the past. My mentioned script was apparently working well, but the spammer came back with 50 shortened URLs in 12 hours to evade the script.

perl_diver

8:26 pm on Oct 20, 2006 (gmt 0)

10+ Year Member



Make it so your formmail script writes a cookie to the user's PC when the form is printed. Now when they submit the form, if the cookie isn't present, have the script exit with an error message. This will also block people from using the form who have cookies turned off, but it might be a good compromise if they are few and far between.

outland88

10:48 pm on Oct 20, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I'm working on a strange variation of Quadrille's post now, Perl Diver. I want to see what degree of automation they are using. Actually I've expensed way too much time on this spammer already.

Quadrille

12:07 am on Oct 21, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Do report back; in my experience, although it 'feels' like a personal attack, it's generally someone targeting many sites of a certain type. My method produced blank forms or nothing at all - I've yet to find a spammer who rewrote a script for one site.

The joy in one case was a huge spike in submissions, as the spammers tried to work out what was happening .... then it tailed off completely.

It'll be no defence if it is one persistent toe rag ... but at least you'll know!

outland88

1:57 am on Oct 21, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I will report back. I've put together a lot of newer tricks this afternoon based upon the comments. I love the challenge but more and more sites are just completely shutting down forms.

fabricator

8:15 am on Oct 21, 2006 (gmt 0)

10+ Year Member



Another trick is to put in fake fields which, if filled out, trigger an IP ban or whatever. I.e. make a 'website' field which is hidden so as to not be viewable in web browsers, but the spam bot will fill it out.

Putting in a captcha is another solution, even a simple one like entering the name of this site.
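perl_diver's cookie check and fabricator's hidden field are both tests that a form-filling script tends to fail while a browser passes. The Python below is an added example, not code from the thread or from NMS FormMail: it issues an HMAC-signed token to set as a cookie when the form is rendered, refuses a submission whose token is missing, forged or stale, and rejects any submission that fills the hidden `website` field. The cookie name `form_token`, the demo secret, the one-hour lifetime and the sample submissions are assumptions constructed for this example.

```python
import hashlib
import hmac
from typing import Dict, Tuple

# Assumption: a real deployment generates a random per-site secret and keeps it
# out of the web root. This constant exists only so the example runs offline.
SECRET = b"constructed-demo-secret"

# The decoy field from fabricator's post: present in the HTML but hidden from
# browsers, so a human leaves it empty and a bot that fills every field does not.
HONEYPOT_FIELD = "website"
COOKIE_NAME = "form_token"
MAX_TOKEN_AGE = 3600  # seconds a rendered form stays submittable


def _mac(timestamp: str, secret: bytes) -> str:
    return hmac.new(secret, timestamp.encode("ascii"), hashlib.sha256).hexdigest()[:32]


def issue_token(now: int, secret: bytes = SECRET) -> str:
    """Value to write into the form_token cookie when the form page is served.

    Format is "<unix time>.<truncated HMAC>"; the HMAC means a client cannot
    mint its own token without the secret.
    """
    ts = str(now)
    return f"{ts}.{_mac(ts, secret)}"


def token_valid(token: str, now: int, max_age: int = MAX_TOKEN_AGE,
                secret: bytes = SECRET) -> bool:
    """True only for a token we issued, within max_age seconds of issue."""
    try:
        ts, mac = token.split(".", 1)
        issued = int(ts)
    except ValueError:
        return False
    if not hmac.compare_digest(mac, _mac(ts, secret)):
        return False
    return 0 <= now - issued <= max_age


def check_submission(fields: Dict[str, str], cookies: Dict[str, str],
                     now: int) -> Tuple[bool, str]:
    """Return (accepted, reason) for a POSTed form.

    The honeypot is tested first because a filled decoy is the stronger signal;
    the token then catches clients that never loaded the form page at all.
    """
    if fields.get(HONEYPOT_FIELD, "").strip():
        return False, "honeypot_filled"
    if not token_valid(cookies.get(COOKIE_NAME, ""), now):
        return False, "missing_or_bad_token"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample traffic: one browser-like submission, two scripted ones.
    served_at = 1_161_000_000
    cookie = {COOKIE_NAME: issue_token(served_at)}
    print(check_submission({"email": "pat@example.com", "website": ""}, cookie, served_at + 90))
    print(check_submission({"email": "pat@example.com", "website": "http://example.net"}, cookie, served_at + 90))
    print(check_submission({"email": "pat@example.com"}, {}, served_at + 90))
```

As perl_diver notes, this also turns away visitors with cookies disabled; and since any client that fetches the form page first receives the cookie, the token stops only scripts that post straight to the processor, while the honeypot catches those that fill in every field they see.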

rocknbil

10:15 am on Oct 22, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



The spammers seem to be directly accessing the form url.

You're close to it - most of the time they visit the form ONCE, to see what processes it. Then from a command line or an automated program, they query the script directly, figuring out which fields are required and, more dangerously, which ones go directly into mail headers. Consider,

curl -d 'email=spammer@example.com&comments=anything' http://www.example.com/yourscript.cgi

This goes directly to the processor. So anything you do to the form is never even seen. Changing the form fields works for about, oh, five minutes for the truly motivated; all they need to do is figure out what you've changed. Just like a brute force password attack, their programs throw dictionaries of possible form field names at a script until they get a result.

Now imagine if I can put a newline in the email field. As you know, this usually winds up in the To: field of a mail header. The newline is not a normal \n, so it usually can't be filtered. The end result is that your to: field now parses out to this:

spammer@example.com
BCC:address1@spam.com,address2@spam.com . . . .

Ad infinitum. 1000 email addresses, and because it's a BCC, you're annoyed with only one email - but are quickly becoming the target of an email blacklist because someone's using your form to spam (usually AOL.)

Log all data input to a form processor. This reveals what they are up to, and using environment variables you capture the offending IPs. Then put those IPs into an .htaccess file in a deny from directive and they're outta there.

More on this topic here [webmasterworld.com].
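rocknbil's two points above, that a line break in the email field becomes an extra header line and that nothing records what a processor actually receives, translate into two defensive routines. The Python below is an added example, not NMS FormMail code: `screen_submission` refuses any header-bound field containing a line terminator (the plain `\n`, plus CR, vertical tab, form feed, NEL and the Unicode line and paragraph separators, since the post notes the injected break is often not a normal newline), and `log_line` emits one JSON record per POST with every field verbatim and the client details from the CGI environment. The header-bound field names `email`, `realname` and `subject` are assumed, and the sample submission and the address 203.0.113.7 are constructed for the demo.

```python
import json
import re
from typing import Dict, Optional

# Every code point a mail header parser might honour as the end of a line.
# Rejecting all of them (rather than only "\n") closes the variant the thread
# describes, where the break "is not a normal \n".
_LINE_BREAK_RE = re.compile("[\r\n\x0b\x0c\x85\u2028\u2029]")

# Conservative single-line mailbox shape. Anything else is refused, not repaired.
_EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}")

# Assumed field names whose values end up in To:/Reply-To:/Subject: headers.
HEADER_FIELDS = ("email", "realname", "subject")


def header_safe(value: str) -> bool:
    """True when the value cannot start a new header line or smuggle a NUL."""
    return _LINE_BREAK_RE.search(value) is None and "\x00" not in value


def validate_email(raw: str) -> Optional[str]:
    """Return the address if it is safe to place in a mail header, else None."""
    if not header_safe(raw) or len(raw) > 254:
        return None
    return raw if _EMAIL_RE.fullmatch(raw) else None


def screen_submission(fields: Dict[str, str]) -> Optional[str]:
    """Return a rejection reason, or None if the fields may reach the mailer."""
    for name in HEADER_FIELDS:
        if name in fields and not header_safe(fields[name]):
            return f"line_break_in_{name}"
    if validate_email(fields.get("email", "")) is None:
        return "bad_email"
    return None


def log_line(fields: Dict[str, str], env: Dict[str, str],
             reason: Optional[str]) -> str:
    """One JSON record per POST, suitable for appending to a file.

    ensure_ascii=True escapes embedded line breaks, so a hostile field cannot
    split the record; REMOTE_ADDR is the CGI variable that carries the client IP.
    """
    record = {
        "remote_addr": env.get("REMOTE_ADDR", "-"),
        "user_agent": env.get("HTTP_USER_AGENT", "-"),
        "referer": env.get("HTTP_REFERER", "-"),
        "decision": ("reject:" + reason) if reason else "accept",
        "fields": fields,
    }
    return json.dumps(record, ensure_ascii=True, sort_keys=True)


if __name__ == "__main__":
    # Constructed samples: a normal visitor, then the BCC-injection shape
    # described in the thread, posted straight to the processor with no referer.
    env = {"REMOTE_ADDR": "203.0.113.7", "HTTP_USER_AGENT": "curl/7.15"}
    for fields in (
        {"email": "pat@example.com", "realname": "Pat", "comments": "hello"},
        {"email": "spammer@example.com\nBCC:a@example.org,b@example.org",
         "comments": "anything"},
    ):
        print(log_line(fields, env, screen_submission(fields)))
```

Reviewing the resulting log for runs of near-identical POSTs from one address is what shows the probing sequence rocknbil describes, and the `remote_addr` values are what would feed a `deny from` list.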

Quadrille

4:40 pm on Oct 22, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



most of the time they visit the form ONCE, to see what processes it. Then from a command line or an automated program, they query the script directly, figuring out which fields are required and more dangerously, which ones go directly into mail headers ... So anything you do to the form is never even seen. Changing the form fields works for about, oh, five minutes for the truly motivated, all they need to do is figure out what you've changed. Just like a brute force password attack, their programs throw dictionaries of possible form field names at a script until they get a result.

Quite; but most of them are doing it on an industrial scale; as you say, they visit once; many will never know they've been excluded, others will see that they have, and either *not* figure it out (not all spammers are bright), or not care; easier to move on than tweak a program for one site.

While it's possible to throw a dictionary at the fields, I've never seen any evidence of this - and as 95%+ of all forms are utterly predictable, I don't see most spammers as seeing a need to be that thorough - like most spammers, if they hit 95%, why sweat on 5%? Easier to add 100,000 new forms, and get 95% of them.

outland88

6:51 pm on Oct 22, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Yes, the problem is it is an industrial strength attack from the pharmacy industry. Ownership is located in India. Well known US hosting companies protect them, arguing that since the mail doesn't directly come from the domains they won't suspend. I argue that since all the URLs in the mail point to the domains they should be suspended. This is the first time I've thought "pink money" was in play. You have to be careful checking the URLs because it triggers more spam. They also have BU's, of BU's, of BU sites in case any hosting company suspends them.

As for setting up a block file, these people shift to a new set of URLs and free proxies daily. I've recorded about 1000 of their IPs and they seldom if ever return to one.

It does seem to be a sophisticated operation. They adapt to any changes to the form extremely quickly (in less than 3-4 hours). It reminds me of a click army if you have ever dealt with one. In this case it is the posting of affiliate links. I pity any legitimate person who runs a good forum, BB, or comment area especially at schools or universities. It would take blocking all out-going links or having a fleet of moderators to stop it. I can just shut down a form without damaging the overall business. It could be wise to do so.

Quadrille

7:13 pm on Oct 22, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Sounds like the operation that ruined a wiki I was working with.

They have no fears of nofollow - they just blindly post, post, and post again.

perl_diver

7:20 pm on Oct 22, 2006 (gmt 0)

10+ Year Member



maybe try one of the captcha modules on CPAN, I've heard this is one easy to get running:

[search.cpan.org...]

outland88

8:19 pm on Oct 22, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Quadrille, what's funny is I've gone down result after result in Google showing they've been suspended from dozens of wikis. Many posts are the same. IP untraceable, or you may be blocking a school or university because the IP is used by many. You have to triple check to make sure they don't float legitimate IPs to block. I give credit to most wikis though. They seem to be some of the few who police comment areas, which is really the root of some of this problem.

Perl Diver as for captcha I've held off of that because from what I've seen they'll willingly fill it out. I could be wrong.

rocknbil

4:45 am on Oct 23, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



and either *not* figure it out (not all spammers are bright)

Au contraire. These guys are incredibly smart, and don't need to tweak anything. To wit,

While it's possible to throw a dictionary at the fields, I've never seen any evidence of this

I worked for an ISP for 5 years, under the most diverse conditions possible and logged millions of attempts at form abuse. Start logging all data input from your forms now. Eventually you will see how their process begins.

It goes undetected because web servers log requests and are cryptic when it comes to submitted form data. Mail servers log mail sent, but nothing inherently logs form input. I have seen 50 or 60 attempts in a row throwing different data at a processor until it finds the fields that get accepted. Then it finds the ones that produce an email result. Then it's "game on."

This all occurs in a span of under a minute to ten minutes at the most. So obviously, the programs are written to do the work for them, they don't need to tweak anything. In fact, they probably never even visit the site - this can all be collected with a bot.

or not care; easier to move on than tweak a program for one site.

I have one "playground-site" I keep alive just for the purpose of watching what they do, spammers are attracted to it like moths to a flame. I have been watching them for years. Early on I did all this form field and script name changing. As I said, it lasted five minutes. They were back in record time. If you think it's easier to just move on, you're not familiar with how motivated these guys are to spam every resource they can.

Enlightenment begins with logging data, I can't say it enough. Once you see the nature of what they're sending you that goes by undetected (because your ISP never complains or you never get a spam-email until it's too late,) you can take appropriate steps to stop it permanently.

Quadrille

11:14 am on Oct 23, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I'm really not disputing any of the possibilities you mention, but the fact remains, on several sites I have successfully stopped form spam dead in its tracks merely by changing form parameters.

So while I totally agree that the efficient spammer you describe probably exists, it is also true that not all spammers are bright (and I know that from seeing them defend themselves, anyway!), and not all spammers would bother to chase that last 5%, so long as their c*** is successful in most cases.

I'm not talking about stopping stalkers and obsessives - that's a different ball game, and we don't yet know if that applies here - I'm talking about the average hit and run spammer. And my experience suggests that they are neither careful, efficient, thorough - or particularly bright. Many just apply the software they bought from other spammers, and use it until it gives them a zero return. Then they buy an updated version. Spammers EXPECT their work to have a diminishing return as defences are developed; not all spammers have the skills or incentive to tweak as they go along.

rocknbil

7:45 pm on Oct 25, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I'm talking about the average hit and run spammer

Believe me if that were all it were, I'd be very happy. :-)

Here's the problem: These people will come and hit a script a few times, then go away. This is to allow you to think they have given up. For the first few months, the obvious ploys work - move the scripts, change the form fields, screen the input data better. Then a few months later BAM they point their bots at you again, X 10. As time goes on more and more IPs start showing up, telling you they're calling in all their buddies.

I don't know if I even believe there is a casual spammer. One or a few hits is a warning: we've sniffed you out, we'll be back. I also doubt stalkers except in isolated cases; it's not a personal vendetta, these people are paid to push crap and are paid on delivery. So the larger a list they can maintain of sites that are vulnerable, the longer they stay in business.

The last bit is mostly speculation, but I've had a lot of long late nights to think on it and have scoured and scoured for ways to slow them down a bit. Or go bother someone else. :-)

Quadrille

11:39 pm on Oct 25, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I'm happy to agree to disagree. I'm sure there's a few obsessive spammers who feel affronted if one site gets away; and I know there's some stalkers out there.

But my experience (direct and indirect) is that the average spammer is much like the average anyone else; making a living. Most couldn't give a cuss if they fail to show on a few out of 10,000 sites; they are harvesting 10,000 more tomorrow.

I also know for a fact that many spammers are thick opportunists, simple hand-to-mouth slimeballs who just click where they are told to and lie when they pretend to be so great.

Don't forget these folk you rate so high don't even know which sites use nofollow :) Well, DUH! ;)

outland88

6:32 pm on Oct 26, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I shut the form down three days ago. It still continues to receive the same level of spam activity as when it started five months ago.

The position of my hosting was that this particular type of spammer is becoming almost impossible to trace or block. They argued many even knew how to break some captchas. The hosting company now concentrated on client apps that weren't vulnerable before release to customers. They never endorsed NMS, but the problem is they weren't endorsing anything in the formmail area. That is understandable.

Based upon talking to some of the actual spammers in July, they proceed exactly like Rocknbil describes. I'm used to what Quadrille describes, and percentage wise that's what I mainly see. The spammers said, and I quote, they intend to flood any site that was vulnerable with millions of posts. They seemed mostly interested in arguing the legality of what they did. It was a screwy set of ethics, but they wanted to convey the message that you can't accuse people of spam if you're allowing people to post to anything.

I also track more than you imagine, Lucknbil, and fed them a test account when they offered to remove me from their database. I did that to judge their intentions because, like with the spam, everything else was untraceable. They promptly bombed that form. I also realized they would destroy any forum, blog, etc. without a second thought. I covered my tracks when dealing with them because I recognized they weren't the usual sloppy spammers.

I walked away from the situation with two things in mind. They actually had automated the process of joining even membership forums. Plus they knew how to thwart even the best efforts to run them out of any site that allowed posting. They also seemed to incorporate a human side as a mop up to the operation.

Remember what is being trafficked is medications (drugs).

To me the form virtually becomes worthless even if I have beaten every spammer before or can beat 99.99% of them. If one can get through posting 25-75 messages daily others will follow with time.

rocknbil

8:44 pm on Oct 26, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



outland I can help. Defeat is not an option. :-) It's our Internet too. You can find my sticky, we can chat.