Ludicrously stupid form spam

dstiles

9:33 am on May 31, 2022 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Since I moved my first domain from Windows/asp to linux/apache I have received incredibly stupid form spam - eg:
RefID: BV_WE008202757D
Sent By: xIuLlMgdYv Agalinaomargareteq6787@gmail.com
Telephone: 4957386724
Town: kznQNGZSu
County: DKpLuETWjcXq
Country: Zpam
Comment: xeGfhADXZTzK
FoundOn: Other - FfbNxROAuiJX


The words before the colon are, of course, my form field headers. The country Zpam is a made-up one I added at the end of my Select (drop-down) lists when I realised the spammer was always choosing the last item in the list. Sent By includes the person's name and email address; the email address was always gmail - well, they're well-known as a spammer-friendly service, right?

This had been going on for several years. I searched online for reasons but although others were receiving the same spam no one could come up with a good reason for it; not a probe, since there were never follow-ups of any kind. Sources appeared to be hacked IPs.

One weird feature: I have never received these on the windows server (still running), and never received any form spam of any other kind on the linux server.

A few weeks ago I looked at the UAs that were involved in sending this spam and discovered that since October 2020 ALL the UAs were:
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36
previously they were:
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36


I decided that the UA was old enough that very few real visitors were actually using that browser any more, so I blocked Chrome/85. Since then I have received no more form spam. Until the spammer reads this and updates the UA, I suppose. :)
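
Added example, not part of the original post and not dstiles's own code: a server-side check that combines the signals described above (the decoy "Zpam" option, the two stale Chrome builds, and the random mixed-case field values). The field names, the thresholds and the choice to require a second signal before acting on the UA alone are assumptions of this sketch.

```python
import re

# Field names and thresholds are assumptions of this example.
DECOY_COUNTRY = "Zpam"  # decoy option appended to the end of the <select>
# The two Chrome builds the post reports seeing on every spam submission.
STALE_UA = re.compile(r"Chrome/(?:77\.0\.3865\.90|85\.0\.4183\.121)\b")
TEXT_FIELDS = ("town", "county", "comment")

def looks_random(value):
    """One letters-only token of 8+ chars with 2+ capitals after the first char."""
    if not re.fullmatch(r"[A-Za-z]{8,}", value) or value.isupper():
        return False
    return sum(ch.isupper() for ch in value[1:]) >= 2

def spam_signals(form, user_agent):
    """Return the names of the signals a submission trips, in a fixed order."""
    signals = []
    if form.get("country") == DECOY_COUNTRY:
        signals.append("decoy-option")
    if STALE_UA.search(user_agent or ""):
        signals.append("stale-ua")
    if sum(looks_random(form.get(f, "")) for f in TEXT_FIELDS) >= 2:
        signals.append("random-text")
    return signals

def should_reject(form, user_agent):
    """Decoy alone rejects; the UA or random text alone needs a second signal."""
    signals = spam_signals(form, user_agent)
    return "decoy-option" in signals or len(signals) >= 2

# Constructed samples: the spam values mirror the submission quoted in the post.
SPAM_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
           "(KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36")
MODERN_UA = SPAM_UA.replace("85.0.4183.121", "120.0.0.0")
SPAM_FORM = {"town": "kznQNGZSu", "county": "DKpLuETWjcXq",
             "country": "Zpam", "comment": "xeGfhADXZTzK"}
LEGIT_FORM = {"town": "Newcastle", "county": "Tyne and Wear",
              "country": "United Kingdom", "comment": "Please call me about a quote."}

if __name__ == "__main__":
    for name, form, ua in (("spam", SPAM_FORM, SPAM_UA), ("legit", LEGIT_FORM, MODERN_UA)):
        print(name, spam_signals(form, ua), should_reject(form, ua))
```

A real visitor still on one of the old Chrome builds trips only the `stale-ua` signal and is let through, which is the difference from a blanket UA block.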

engine

4:23 pm on May 31, 2022 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



Until the spammer reads this and updates the UA


hehe, well, if they haven't checked the UA in all that time, chances are it's a compromised network and the spammer is MIA.

Kendo

5:30 pm on May 31, 2022 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



The UA could be impersonation using a manually set header.

Brett_Tabke

6:14 pm on May 31, 2022 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



It is really hard to say what vulnerability they are probing for, but I've seen quite a bit of junk like that over the years. Most often, they are probing your cgi variable processing to see what gets through. It is where holes in cms systems live.

Also, never discount a screwed up script....

Lexur

2:57 pm on Jun 3, 2022 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Maybe they have some kind of spider posting on as many forms as it can find on the web.

A few months later they'll do a search for those strings, and where they see results they'll send their hordes of manual spammers.

phranque

10:50 pm on Jun 3, 2022 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



i agree with Lexur.
they are posting unique character strings to see if the form submission ends up as UGC that is eventually search-indexed.
then they use or sell the list of urls for forms that "work".

dstiles

7:45 am on Jun 4, 2022 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Ah. That makes sense! Well, in my case a failure. If it looks like spam I don't even send a confirmation copy - nor a copy to the site's owner, just to me.

Kendo

2:49 am on Jun 5, 2022 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I tested some software a few years ago that was recommended for link building. You could write articles and then just point it at the web. It would find websites to post to, solve even the most difficult captcha protection and mix the words in the message automatically for each post so as to appear not to be spam.

By now there surely must be software that seeks out webforms and makes the same moves. I get a lot of spam through a few sites that are protected by captcha and it is laughable... what they are spamming about is complete rubbish/nonsense. Makes me wonder why they bother.

Kendo

6:47 am on Jun 8, 2022 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I have different types of captcha on our web sites, some asking questions that only a human can interpret. But every now and then I get tired of seeing spam still coming through from the contact form on each website. So I opted to use the Google reCaptcha, the one that asks to select particular parts of images, sometimes asking 2-3 times.

But after updating some 30 websites, I find that I am still getting spam via those webforms.

Is it possible that spamming software has become that evolved, or does it mean that someone has been paid $3/hour to post spam while identifying the captcha image parts?

dstiles

7:52 am on Jun 8, 2022 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Apart from the spam mentioned in my OP I get no form spam from my linux/apache site. This has always amazed me because there used to be a fair amount when the sites were windows-based. I think it's probably because I reject a fair number of hits for header reasons.

I abhor reCaptcha. I seldom manage to get past it and unless I really, really need access to the site I run away.