Spam from my own contact form?

Today I have been receiving strange spam email from my own contact form at

It looks like there is some sort of bot filling in my form with stuff like and sending it to me. Sometimes there is some text jibberish trying to sell pirated software. Is this something I can fix myself? or is it system wide?

I had this problem for a while too, it seems to be search engine bots just going through your website to update their records.
I’m sure there’s a technical way to stop them from sending emails with your form, but I just put a metatag in the head of the form page :
and that seemed to stop them.

What needs fixing? You haven’t said anything is broken.

Perhaps it would help to clarify things. First of all, it sounds like one of the following two things are happening:

Scenario 1:

  1. A visitor accesses your “Contact” web page.
  2. He types in a fake e-mail address and a message advertising something.
  3. He submits the form, hoping that you read the message and thus see the solicitation, or modifies a bot that does this automatically.

Scenario 2:

  1. An email spammer sees you have a “Contact” web page.
  2. He notes the form fields and URL and writes a bot that submits form data.
  3. The form data attempts to find security vulnerabilities in your script that can be exploited to send spam to other recipients beside yourself.

Regardless of the scenario you should definitely be stripping HTML from the message being submitted. When I get form spam, most of the time it looks like:

<a href="url">url</a> [url]url[/url] which makes it really easy to filter out in the script.

You should probably ask someone to take a look at your script so they can rule out Scenario 2 though.

:cool: [color=#6600CC]Atropos[/color] |

out of curiousity… where can i get a contact form for my site? I want to put one up…

Use the coupon code [color=#CC0000]60DOLLARS[/color] when signing up to Dreamhost for an instant [color=#CC0000]$60 off[/color]!

See for form setup.

Web Hosting Reviews | Shonky’s Blog | Hot Product Directory

You can easily make your own. See these articles on the DreamHost wiki for more details:

Simon Jessey | Keystone Websites
Save $97 on yearly plans with promo code [color=#CC0000]SCJESSEY97[/color]

I also recommend checking for header injection and the like. Chances are someone isn’t wasting their time trying to just e-mail you (though it’s possible).

Check out Gordaen’s Knowledge, the blog, and the MR2 page.

In addition to the good advice you have already received, I would only add that you not just ignore it. I did, once, after allowing a “well known and widely used PHP form-maililng script” that I did not personally inspect (closely enough) remain in a site I was migrating from another host for a client.

I started seeing what you are seeing and said to myself, “I really ought to look into that!” but I didn’t do it right away. After a few flurries of these emails, usually arriving in “bunches” once or twice a day, and then nothing, I figured it wasn’t that big an issue, and kept shoving it on the “back burner”, prefering to spend my time on “paying” work. Big Mistake.

The next thing I know, the spammers/script-kiddie/low-lifes had succeeded in putting together a string that “worked”, and I received an email from DreamHost that my user had been restrcted from sending email due to apparant spam activity and over 200 emails per hour.

It took a rather frenzied dive into my stats and logs to identify the culprit as, at that time, many of my sites were running as the same user. Before I found the problem, exorcised the exploited script, and convinced DH that I was not a spammer (BTW, I think longevity with your hosting provider helps with that! Probably something those who switch hosts at the first sign of trouble should consider). several hours had gone by during which none of the sites running as the affected user were able to send mail. Bad Webmaster. Disgruntled Clients. General Very Bad Thing.

Final note: I have never had the version of formmail.cgi provided by Dreamhost exploited. Use that one, especially if you are not sure how safe the one you are using, or have coded, really is.

Sharing the three lessons I learned from this:

  1. Don’t trust any script you don’t thoroughly know, and understand. If you really can’t, or won’t, inspect the thing yourself and know it is sufficiently “hardened”, trust only those scripts that are vouched for by those who you know can and will. “Popularity” or “common and widespread use on the net” are not an acceptable substitute for this process, and niether is the fact that a script cost you a lot of money from a “professional” or a “script selling website.” In fact, you can argue that the very popularity and wide usage of a script makes it more likely to be exploited because attacking it sucessfully will open so many doors (think IE exploits here).

  2. Never ignore indications of activity that might be “hackish” or “crackish” in nature or intent. Just because it didn’t appear to work for the perpetrator does not mean they won’t keep trying. If they do keep trying, they must believe they will succeed (they know what script you are using, or know the flaw they are trying to exploit), and if that is true, and you don’t do something to prevent it, they probably will succeed.

  3. Don’t host multiple sites under the same user name. I know it is by far the easiest way to manage things at Dreamhost, but take the extra step and segregate sites by user. This can minimize your exposure if an exploit occurs by only having one “problem user” to deal with and make it much easier to locate the offending script, visitor, bot, etc.
    </gratuitous advice>


Uh oh, I’ve been getting a ton of spam. I’m just going to delete the forms from my pages.

Alec Usticke
DreamHost referral

Weird. I deleted the forms from my web sites, and I’m still getting spam. I guess I’ll email support.

Alec Usticke
DreamHost referral

If you have published your e-mail addresses anywhere - on your own site, or third party sites (such as this discussion forum even) it will be ‘scraped’ by spammer search bots and added to a list for who knows how long. Your site has mailto links and all those addresses will be spammed because of that, not to mention the one you have in your sig here.

Were you using the DreamHost site? If you were, removing the forms won’t help if a spammer can access a cached version, say from Google. He just needs to know what the form fields were set to and he’s still in business.

Really, your own form processing script is the way to go, but one does need to make sure it is configured and designed correctly, which does take some expertise.

:cool: [color=#6600CC]Atropos[/color] |

The spambots are scraping the forms on my sites and posting them somehow to with just a subject header, email, and my recipient name.

Other spammers seem to be using the other fields that I’ve created.

I’m wondering how they’re doing it, and how I can stop them.

I tried putting a required field in the form of a checkbox for non-spammers, but I don’t think that’s going to thwart a spammer who’s bypassing the form entirely and just posting right past it.

[quote]The spambots are scraping the forms on my sites and posting them somehow to with just a subject header, email, and my recipient name.

Other spammers seem to be using the other fields that I’ve created.

I’m wondering how they’re doing it, and how I can stop them. [/quote]
It’s done just like your browser does it - parse the HTML for the form information, then send a request with form data. So in order to stop them, you have get valid users to take an extra step, perhaps going through two pages to submit the form or using captchas.

:cool: [color=#6600CC]Atropos[/color] |

Well, the weird thing is, I changed the username to which the form gets sent to one that forwards to another address entirely (still hosted on Dreamhost, of course), and I was still getting spam at the previous address, apparently from the same spammer.

Then I took the form off the page completely, and still got spammed.

How’s the spammer doing that? Using a cached version of the page?

I’m a bit sickened, as this address that I was using with that form was a totally clean address that never got any spam at all until I started using the DreamHost formmail system.

Had I anticipated that spammers might use it against me, I would have created a series of throwaway addresses and would change the address whenever the spammers found the form.

But as it is now, my beloved address appears to be nearly compromised, and if this spammer figures out that he can put that username he has together with my domain name, the floodgates will be open and that account will be useless.

I’m very sad about it.

So, lesson learned, good people of DreamHost, if you are using the formmail DreamHost provides, don’t use your regular email username in it.

Here’s what I’m going to do from now on…

Create a series of usernames like this (copy & paste comes in handy), followed by a space and then my real email address:
… and so on.

I’ll use the Automator program on my Mac to generate the username part of the list and that which follows.

I’ll copy and paste that list into the bulk editor for forwarded email, and then use the username part of the first address as the username in my form.

When I start getting spammed at that first address, I’ll change the username in the form to the next one on the list, and delete the first one.

The spammers will be sending to a non-existent address. Fudge 'em.

It’s going to be a hassle, but I can’t think of a better solution at the moment.

Yeah, that is a sad circumstance. I think you have figured out that once the adsress makes it “loose” into “the wild”, you can’t really get it back. All the other steps you went through won’t really help as it regards that original address. Once harvested, it is resold over and over on list after list, and will never be the same again. :frowning:

Another approach is to use the NMS-FormMail, and it’s “aliasing” mechanism, to not expose any email address in the form. That will save you all the machinations you are now considering resorting to. Just a suggestion - Good Luck!


Right, the expression “closing the barn door after the horses have fled” comes to mind.

Yet another update… now that it’s possible to instantly create disposable aliases of usernames by adding “+whatever” before the “@” symbol, I’m just going to have my form results sent to such an alias, and as soon as the spambots start hitting it I’ll just quickly bounce that alias in the control panel and change the form recipient to something else.

Hardly an elegant solution, I know, but at least it puts the burden on me and not on people who are trying to legitimately use the form (as few and far between as they may be).