I am getting emails with the from/to fields correct, but I am wondering why. I have HTML entities turned on, and a preg match which should kill the spam, but doesn't.
Did they just find two emails that matched and are using them and bypassing the form totally?
...and bypassing the form totally?
Once discovered, spammers rarely ever visit the form again. It's posted directly to the form processor.
To help you, we'll have to see the regexp.
Also it might be a good thing to see the nature of your spam. Are you logging it, or only basing this on what you receive via email? I ask for two reasons.
The first is if a form processor doesn't give the spammers what they want, they will go away. So there is obviously something there that is doing something you're unaware of.
The second is what you get in email may or may not be what's being emailed out. I'll give you two pretty common scenarios:
If I can modify the email header via one of the input fields, insert a newline into it, I can create my own BCC header and send out a thousand emails. You get one, AOL gets 1000. You'll never know this is happening unless you log raw input.
If I can inject a multipart email into the body, you will only see the data before the multipart, meaning my multipart can contain a whole second message that sends 1000 emails at a pop. You'll never know this unless you log raw input.
I ask about the nature of your spam because it may be that none of this is happening, it may be as simple as you're allowing emails to pass through with simple link drops. Easy way to plug that one too. And if it doesn't go through . . . you're not worth their time.
The </p> should get shredded because I run everything through HTML entities first.
I don't know of a way to log raw input yet. There is not a raw input log option at my host that I can see. Since my email traffic is so slow, I would like to see it anyway. Should I just create a file for that?
There is no way to enter information into the header in this application. It is hard coded.
My regex is ultra simple.
$badregex="/<a href|blogosword|lesbiyanki|<p>|javascript/";
if (preg_match("$badregex","$commentary" ))
    die ('#AO67FF: Radioactive ruby Gem error. Hazmat alert');
and the processor is $commentary=trim (htmlentities($_POST['commentary']));
Thanks
The </p> should get shredded because I run everything through HTML entities first.
Not if the input is html encoded (I think.) Remember, they will rarely be actually on the form.
I don't know of a way to log raw input yet.
Easy. :-) Create an empty file somewhere off-root, so it can't be accidentally discovered. Set permissions to write by the server user, usually your account name or apache. At the top of your script, define an array instead of a single regexp, this will give you more flexibility. There is no reason for a link of any kind to be in a form, unless it's a link exchange form, and even then, a full link with tags should be disallowed. Once you start logging, you can see what patterns to stop.
$log_file = '/full/server/path/to/spam_log.txt';
$max_log_size = 100000; // so it doesn't get too huge, this is 100K - huge. :-)
$bad_patterns = Array (
    '\[\s*URL.*\]*',
    '\[\s*LINK.*\]*',
    '\%5B\s*URL.*(\%5D)*',
    '\%5B\s*LINK.*(\%5D)*',
    '\[\s*a\s*href.*\]*',
    '\%5B\s*a\s*href.*(\%5D)*',
    '\<\s*a\s*href.*\>*',
    '\%3C\s*a\s*href.*(\%3E)*',
    'viagra'
);
$is_spam_pattern = log_data();
if ($is_spam_pattern > 0) {
    echo "No email was sent, action logged.";
    exit;
}
else { process_form(); } // <--- this is everything "you're doing now."

// Logs every raw POST field, then returns 1 if any field matched a bad pattern, else 0.
function log_data () {
    global $bad_patterns, $log_file, $max_log_size;
    $key=$value=$trap='';
    $spam_in = 0;
    $ip = getenv('REMOTE_ADDR');
    $currDate=date("D, m-d-Y h:i:s A");
    // Start the log over once it reaches $max_log_size, otherwise append.
    $filemode = (filesize($log_file) >= $max_log_size)?"w":"a";
    $input_content = "
DATE/TIME: $currDate IP: $ip
";
    // Look for matches on any of $bad_patterns, set $spam_in to 1 if found.
    foreach ($_POST as $key => $value) {
        $input_content .= "$key: $value\n";
        foreach ($bad_patterns as $v) {
            if (preg_match("/$v/i",$_POST[$key])) {
                $trap .= "SPAM: $value found in $key field.\n";
                $spam_in = 1;
            }
        }
    }
    $input_content .= "
Fields used for spam:
$trap
END $currDate/$ip ENTRY
......................
";
    // PHP 5 only, coded for <= 4 compatibility
    //file_put_contents($log_file,$input_content,FILE_APPEND);
    if (is_writable($log_file)) {
        if (!$file = fopen($log_file,$filemode)) { die("Cannot open $log_file in $filemode mode"); }
        if (fwrite($file, $input_content) === FALSE) { die("Cannot write to $log_file"); }
        fclose($file);
    }
    else { die("Log file is not writable"); }
    return $spam_in;
}
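An added example, not code from any poster in this thread: it covers two points raised above, the newline-in-a-header-field problem and input that arrives already HTML- or URL-encoded, by checking each raw POST value in decoded form before `htmlentities()` is applied. The function names `normalize_input` and `check_submission`, the field names and the sample submissions are assumptions made for illustration.

```php
<?php
// Added example; function names, field names and sample values are constructed.
// Patterns run against normalized input, so '<a href', '%3Ca href' and '&lt;a href' all match.
$bad_patterns = array('<\s*a\s+href', '\[\s*(url|link)\b', 'javascript\s*:');

// Undo URL- and entity-encoding until the value stops changing (bounded to 5 passes).
function normalize_input($value) {
    for ($i = 0; $i < 5; $i++) {
        $decoded = html_entity_decode(rawurldecode($value), ENT_QUOTES, 'UTF-8');
        if ($decoded === $value) { break; }
        $value = $decoded;
    }
    return $value;
}

// Returns the reasons a submission is rejected; an empty array means it passed.
function check_submission(array $post, array $header_fields, array $bad_patterns) {
    $reasons = array();
    foreach ($post as $key => $value) {
        if (!is_string($value)) { $reasons[] = "$key: not a string"; continue; }
        $plain = normalize_input($value);
        // A CR or LF in a value that ends up in a mail header can start a new header line.
        if (in_array($key, $header_fields, true) && preg_match('/[\r\n]/', $plain)) {
            $reasons[] = "$key: line break in header field";
        }
        foreach ($bad_patterns as $p) {
            if (preg_match("/$p/i", $plain)) { $reasons[] = "$key: matches $p"; }
        }
    }
    return $reasons;
}

// Constructed sample submissions standing in for $_POST.
$samples = array(
    'clean'        => array('email' => 'visitor@example.com', 'commentary' => 'Nice site.'),
    'crlf'         => array('email' => "visitor@example.com\r\nBcc: list@example.net", 'commentary' => 'hi'),
    'encoded link' => array('email' => 'visitor@example.com', 'commentary' => '&lt;a href=http://example.org&gt;x'),
);
foreach ($samples as $name => $post) {
    $reasons = check_submission($post, array('email'), $bad_patterns);
    echo $name, ': ', $reasons ? implode('; ', $reasons) : 'ok', "\n";
}
// Escape for display only after the raw check has passed, e.g. trim(htmlentities($value)).
```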