If I understand right you think it's only coming from your mail sender page script so you only need to add some code to the top of that page to prevent the script from executing if the referral didn't come from your own contact page.

Something like this at the top of your mail sender page might help take care of the problem:

<?php

$origin="https://www.example.com/contact.php";
$referral=$_SERVER["HTTP_REFERER"];
$refervalid=0;

if($referral==$origin) $refervalid=1;

if(!$refervalid){
echo 'Your Message Was NOT Sent You Bad Bad Bot. Also, For Validation Purposes This Form Requires A Valid HTTP Referrer And Referrer Headers Enabled. There Was An Invalid Referrer Or You Are Using A Browser Plugin That Disables It Please Enable It, Use Your Browser Back Button, And Resubmit Your Request.';
exit;
}

?>

I wouldn't use that just on it's own but that seems to be all you are asking. I would also parse the user input to cleanse it but I think you are saying you already have that in place.

Hi, thanks for your replay.
This is what I was thinking before posting, to look for http_referer.
I also thought about adding a hiding input in contact.php and check if it exists.
What do you think?

I've just tried adding a hiding form input and check for it in sender page.
Just after a few minutes I received another of that contact mails.
How is it possible for those people to surpass

if(!isset($_POST['pass']) || $_POST['pass'] != 'yes') exit;

?

I'll try now with referer option.
Thank you

The referrer is often spoofed with these spambots, so it's not reliable. A good captcha system helps quite a bit. You can also simply check the user-submitted content for "href=" or "url=", which is almost always spam unless your users are likely to be sending you HTML mark-up examples.

Hello,
There are two scripts: contact.php and mailsender.php where the form sends the post data.
In contact.php I have some restrictions (prototype) like Name only accepts alpha data.
In my example you can see that Last Names are numeric.
I guess those bots get the name of the action form from contact.php and "work" on mailsender.php directly.
I also have a simple captcha (put the correct sum number...)

What about passing and checking a SESSION var?

My previous contact form used Mailcode V1.7 from myphpscript.net
I never received those mails from these bots but I guess they were attempting to find holes.
Looking inside mailer.php from Mailcode I don't see the script checking for a valid recipient domain but email address structure.
The main difference I see is that there is a SESSION security code (from captcha) that is compared with a POST security code.

Nah you don't need a captcha, this looks to me like typical link-dropping spam. the concepts here [webmasterworld.com] will reduce it to almost nothing.

More here [webmasterworld.com] if you want to extend it to log your form input in an intelligible format - which you should, so you can see what they are up to. :-)

Thanks rocknbil for this data.
Have you heard about ZB Block from [spambotsecurity.com...] ?

Simple, block all emails with a URL in the body as most spams contain a URL.

Also, do some simple JS code to verify people are actually typing at the keyboard.

One of the simpliest methods of avoiding contact page spam?

1) Rename your contact page to something obscure. Don't use 'contact.php' or 'contactus.php'.

2) Add the 'noindex' meta to your contact page header. You don't want spammers finding your contact page in the SERPS.

This will drastically cut down on automated spam attempts.

Yes, that is what rocknbill links do.
Thank you

Actually . . . they don't (rely on obscure file names,) not really. What it does starts from the most basic concepts: know thy enemy. It begins with the second link, logging input from your forms to see what they are up to.

You have to keep in mind that most of these are automated. All they need to do is find "contact" or "contact us" on your page. This will lead them to your form, whatever it's named. You can arbitrarily change the file name, they will still find you.

Once they do that, they only need to find the form action. Then they need never visit your page. The automated bot is them pointed at it, set it and forget it. The bot assesses what fields are used, which are required, through several automated queries to the form processor (I have seen this in action, see logging, above.) Once it does that, it's ready to start hammering your scripts.

They are sneaky, too - they will hit you for a week or so, then go away, letting you think whatever action you took to stop them worked. Then at some random interval they will return again.

Part 2 of know thy enemy: if you use a legible logging routine for your forms, certain patterns will start to form. Nearly all of these attacks will come in the forms I mentioned in those links.

Some other ploys that may or may not provide some form of relief:

Empty hidden field: Put a hidden field with an empty value in it. Bots will populate all fields, if this field has a value, stop the script.

SIMPLE challenge/response: Easier than dreaded CAPTCHA, ask "what is three plus five?" and set your script to accept EITHER a case-insensitive eight or 8. Change it as often as you need. I've only had to do this in CMS's that won't allow me to filter input.

Dynamic field generation: Have your script dynamically generate the field names. This will also provide only a temporary relief, bots are fairly wise to it.

Many of these may work permanently, many of them provide only sporadic or temporary relief, but it all comes back to Selena Sol's timeless quote:

Every user input is a potential hack. Every user input is a potential hack. Every user input is a potential hack.

The first job is to accept only the input you want, and throw everything else away. Then you can apply filters to see if someone's up to no good. This works. :-)

@ Rocknbill - I don't think you grasp what I wrote.

Many hackers use Google SERPs to find targets for their automated hack attempts. I won't name the software here, but it uses Google serps to populate its database for URL's to attack.

By restricting search engines from indexing your contact page and secondly making sure that your contact page is named something else helps decrease attacks.

You can't be hacked if you are not found in the first place.

However, once someone specifically targets your contact page, then having other measures in place is definitely necessary.

This will lead them to your form, whatever it's named. You can arbitrarily change the file name, they will still find you.

Forms hidden in obfuscated javascript which are decoded and written directly into the HTML are completely safe from automated abuse, until a human stumbles along to hand-code it.

Great tactic to thwart automation except it's a big accessibility problem.

SIMPLE challenge/response: Easier than dreaded CAPTCHA, ask "what is three plus five?" and set your script to accept EITHER a case-insensitive eight or 8. Change it as often as you need. I've only had to do this in CMS's that won't allow me to filter input.

Yep, use something similar myself and what incrediBILL says is very true, but I don't always hide the whole form. (See Below)

Once they do that, they only need to find the form action.

I really like action="javascript:void(0);" and attaching a click function dynamically on the load of a js file sometimes. ;)