hacking attempt?

         

george93510

9:49 pm on Oct 12, 2011 (gmt 0)

10+ Year Member



I have a PHP web site for a non-profit organization. On the membership form the person selects a membership type and fills in name, spouse's name, address, and email. On the following page he sees an invoice and a PayPal button for payment. The script that displays the invoice and PayPal button also emails the invoice to me and the person completing the form. 2-3 times every day we get email from someone who has filled out the form with phoney information and who does not complete payment. I logged the values in $_POST to see if they were trying to inject code or email headers, but I don't see that. Below is one of them:


$_POST=Array
(
[address1] => bath69236@example.com
[address2] => bath69236@example.com
[area_code] => 18
[benefactor] => on
[city] => Atlanta
[email] => bath69236@example.com
[family] => on
[individual] => on
[lifetime] => on
[name] => ntaivorodmo
[patron] => on
[phone] => 1-202-328 2516
[spouse] => 18
[state] => Georgia
[submit] => submit
[zip] => 30332
)


Why is someone doing this repeatedly? Is this a hacking attempt? I can't see what they're getting out of it. What am I missing?

[edited by: bill at 4:12 am (utc) on Oct 13, 2011]
[edit reason] Use example.com to protect the guilty/innocent [/edit]

Habtom

6:04 am on Oct 13, 2011 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



  • I suggest you test the steps on different browsers to see if the person is not facing a problem completing the steps.
  • If it is automated, captcha can help reduce a large portion of automated submissions.
  • You have got his email address; email him and ask if he is facing any problems, perhaps also implying that he is being monitored.
  • Also a note: no one would put in detailed contact information if they are attempting to get into your system.

    george93510

    3:18 pm on Oct 13, 2011 (gmt 0)

    10+ Year Member



    I have tested it on Firefox, Chrome and IE, and have not found any problems.

    The same person appears to be submitting the form 2-3 times a day with different contact information. The area code of the phone number is always New York City, but the mailing address is a combination of email address and cities around the country. The spouse is always "18". The email addresses appear to be mostly real, as I have only received a rejection for one of them, but a different one is entered each time. I'm afraid he found some sort of vulnerability that is allowing him to use the form for spam.

    Thanks for the captcha suggestion. I have now added that. It will probably stop the problem, but I'm still wondering if he was exploiting some security issue.

    Habtom

    4:22 pm on Oct 13, 2011 (gmt 0)

    WebmasterWorld Senior Member 10+ Year Member



    Log the person's IP too. Some people just go away if you manage to block their IPs.

    rocknbil

    6:49 pm on Oct 13, 2011 (gmt 0)

    WebmasterWorld Senior Member 10+ Year Member



    I will submit my theory. :-)

    Kudos on the logging, this is the first step to figuring out what they are up to.

    The semi-regularness of it indicates this is most likely a bot. If you keep watching, what it might do is eventually stop (which is a bad sign, below.) Did you notice early on that it was only submitting part of the information, and in subsequent logs, more and more fields are completed?

    If so, this is likely a bot "sniffing" out the form. It will hit it like that for a while, then stop - then the real spam comes in from a different bot (or a different function of the same one.)

    Normally this will escalate to links submitted in the text areas of the emails, but I don't see that you have them. It doesn't matter - this is a bot, not a real person; they just point them at sites and let them run. Many of them spider the web for forms and add them to a database; the spammer doesn't even know what sites it's hitting.

    Generally you can filter them based on that text field input.

    captcha


    Well, there are other ways to do this than to create a barrier for legitimate users, but if it's good enough for you, it's good enough. You can search this site for many more user-friendly approaches.

    One simple approach is the empty hidden field: a bot will put a value in it; if the value is populated, don't process.

    Habtom

    7:43 pm on Oct 13, 2011 (gmt 0)

    WebmasterWorld Senior Member 10+ Year Member



    One simple approach is the empty hidden field: a bot will put a value in it; if the value is populated, don't process.


    That is quite clever :) You could even name it something you would find on most forms (email_address or first_name) ... and they will fall for it.

    londrum

    7:58 pm on Oct 13, 2011 (gmt 0)

    WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



    Another easy way that usually works against returning bots is to check the referrer. The chances are that nobody goes to that page directly; they will always tend to come from another page in your site. So if the referrer isn't from your own site, just reject it straight away.

    That might block the occasional human too, but then you can follow up and do other checks for them, like putting a cookie on their system. Bots are highly unlikely to accept a cookie. So if it's not there, reject it.
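The honeypot field rocknbil and Habtom describe, plus londrum's referrer and cookie checks, combined into one guard the invoice script can run before it emails anything. This is an added example, not code from any poster; it assumes a honeypot field named first_name (not on the real form), a cookie named seen_form, the site host www.example.org, and PHP 7.3 or later for setcookie's options array.

```php
<?php
// Added example (not code from the thread). Three checks suggested above, run
// together before the invoice script sends its emails. Assumed names: honeypot
// field "first_name" (absent from the real form), cookie "seen_form", and the
// site host "www.example.org".
const SITE_HOST   = 'www.example.org';
const HONEYPOT    = 'first_name';   // hide it with CSS so it looks like a normal text field
const COOKIE_NAME = 'seen_form';

// Call on the page that serves the form. A browser sends the cookie back with
// the POST; most form-spam bots never store it. Needs PHP 7.3+ for the options array.
function mark_form_seen(): void
{
    setcookie(COOKIE_NAME, '1', [
        'expires' => time() + 3600, 'path' => '/', 'httponly' => true, 'samesite' => 'Lax',
    ]);
}

// Returns the reasons a submission looks automated; an empty array means accept.
// No single check is reliable (referrers can be blank or forged), so collect them all.
function spam_reasons(array $post, array $server, array $cookie): array
{
    $reasons = [];
    // 1. Honeypot: a human never sees the field, so it must come back empty.
    $hp = $post[HONEYPOT] ?? '';
    if (!is_string($hp) || trim($hp) !== '') {
        $reasons[] = 'honeypot filled';
    }
    // 2. Referrer: the form lives on our site, so the POST should come from it.
    $refHost = parse_url($server['HTTP_REFERER'] ?? '', PHP_URL_HOST);
    if (!is_string($refHost) || strcasecmp($refHost, SITE_HOST) !== 0) {
        $reasons[] = 'referrer missing or off-site';
    }
    // 3. Cookie dropped by mark_form_seen() when the form page was viewed.
    if (($cookie[COOKIE_NAME] ?? '') !== '1') {
        $reasons[] = 'form cookie absent';
    }
    return $reasons;
}

// In the invoice script:
// $why = spam_reasons($_POST, $_SERVER, $_COOKIE);
// if ($why) { error_log('rejected form: ' . implode(', ', $why)); exit; }
```

Logging the reasons rather than silently dropping lets you see which check is doing the work and whether a real member ever trips one.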

    george93510

    8:10 pm on Oct 13, 2011 (gmt 0)

    10+ Year Member



    Thanks for all the great ideas. I'll play around with the hidden value, referrer check and cookie. How reliable is referrer? Is it returned by the browser, in which case it could be faked?

    I agree that captcha is annoying to people and if the other methods work, it would be better.

    Rocknbil - I'm sure you're right about it being a bot. The first one was on September 9 and all fields were filled in.

    lucy24

    9:51 pm on Oct 13, 2011 (gmt 0)

    WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



    The spouse is always "18".

    That's a lovely detail. It suggests that the robot doesn't know "spouse" so it assumes "age".

    Did it really say 30332? That's kinda fun, because in real life it's the ZIP code of Georgia Tech, which indeed is in Atlanta. Maybe you've got a student project in action :)

    george93510

    10:11 pm on Oct 13, 2011 (gmt 0)

    10+ Year Member



    Yes that's the zip code. I went back and looked. Exactly half the zip codes are 30332 and the other half 10001 (New York, New York).

    What are they teaching those students, anyway? ;) Reminds me of my computer teacher in High School (1973, pre-Internet). He knew how to hack the phone system for free long-distance calls.

    londrum

    8:43 am on Oct 14, 2011 (gmt 0)

    WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



    How reliable is referrer? Is it returned by the browser, in which case it could be faked.

    It's not 100% reliable so it's not going to work all the time, but then you can follow up with your other checks. If you combine it with the hidden field and everything else then it should be plenty.

    Another thing you can do is log the "browser string". If you combine stuff like the user_agent and server_protocol into a string, and save it alongside the data, then you can check whether that person has already submitted info.
    That way, even if they change their IP, you still have a means of identifying them.
    And it doesn't matter if some of the HTTP's are blank or faked either, because that info will just be combined into the string.

    But even so, it's not going to be 100% reliable so you should combine it with all the other stuff you're doing. If you keep adding loads of different ways to foil them and use them all together, then each bad guy is bound to fail at one.

    // Combine request headers a bot rarely varies between submissions into one string.
    $keys = array('HTTP_USER_AGENT', 'SERVER_PROTOCOL', 'HTTP_ACCEPT_CHARSET', 'HTTP_ACCEPT_ENCODING', 'HTTP_ACCEPT_LANGUAGE');
    $tmp = '';
    foreach ($keys as $v) {
        // A blank or missing header simply adds nothing; the result is still comparable.
        if (isset($_SERVER[$v])) { $tmp .= $_SERVER[$v]; }
    }
    // Save $browser_sig alongside the submission and compare it on later posts.
    $browser_sig = md5($tmp);
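An added example (not londrum's code) of the second half of the idea: saving $browser_sig next to each submission and refusing a repeat from the same signature within a day, which catches the 2-3 daily posts even though the email address changes every time. It assumes a flat log file at a placeholder path outside the web root and the constant names given in the block.

```php
<?php
// Added example, not the thread's code. Stores the $browser_sig from the snippet
// above with each submission and refuses a repeat from the same signature within
// a day. Assumed log path (placeholder): /var/www/private/form_sigs.log.
const SIG_LOG    = '/var/www/private/form_sigs.log';
const SIG_WINDOW = 86400;   // seconds; one day, matching the 2-3/day pattern
const SIG_LIMIT  = 1;       // submissions allowed per signature inside the window

// Each log line is "<unix time> <signature> <ip>". Returns true when this
// signature has already hit the limit; the current attempt is logged either way.
// The whole file is scanned, which is fine for a handful of submissions a day.
function seen_too_often(string $sig, string $ip, string $log = SIG_LOG): bool
{
    $fh = fopen($log, 'c+');            // create if missing, read from the start
    if ($fh === false || !flock($fh, LOCK_EX)) {
        return false;                   // cannot log: fail open rather than block members
    }
    $now   = time();
    $count = 0;
    while (($line = fgets($fh)) !== false) {
        $parts = explode(' ', trim($line));
        if (count($parts) < 2) {
            continue;                   // skip blank or damaged lines
        }
        if ($parts[1] === $sig && (int)$parts[0] > $now - SIG_WINDOW) {
            $count++;
        }
    }
    fwrite($fh, "$now $sig $ip\n");     // pointer is at EOF after the read loop
    flock($fh, LOCK_UN);
    fclose($fh);
    return $count >= SIG_LIMIT;
}

// In the invoice script, after computing $browser_sig as above:
// if (seen_too_often($browser_sig, $_SERVER['REMOTE_ADDR'] ?? '')) {
//     error_log("repeat signature $browser_sig"); exit;
// }
```

The signature is not unique to a person: two members on the same browser build and language settings share one, so raise SIG_LIMIT above 1 if that is likely for your membership.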