Feedback Form Spam


Major_Grooves
08-21-2006, 12:53 PM
I've got a PHP feedback form on one of my sites. Until today it has been unaffected by spam. However, tonight when I checked my mail I got loads of automated-looking spam through the feedback form.

They were all 'from' various addresses made up using my domain name.

Is this something new? In 3 years of this site I have never had such spam?

Here is the contact form page: http://www.majormagnets.co.uk/contactform.php

KDLA
08-22-2006, 08:11 AM
In all probability, one spider got hold of your address and then provided information to several different addresses. We had the same thing happen a while back with one form on our website. We received hundreds of emails from an online poker site. Eventually, they stopped. I'm guessing that the spam emails were timed or something, and that our address was dropped after a period of time.

Major_Grooves
08-27-2006, 06:42 PM
I've just received about 200 of these damn spam emails today! I don't think I've truly hated the spammers till now. It took me 5-10 min to download all my mail! Luckily the email addresses they 'come from' are obviously not real so I can delete them quickly.

I hope they stop picking on me soon! :mad:

netbuddy
08-27-2006, 07:50 PM
Use some validation to ensure that the mail post is human. The Captcha project is a form submission validation tool, you can google for it... http://www.google.co.uk/search?hl=en&q=Captcha+project&btnG=Google+Search&meta=

If you make a new form, make a new email address to have the mail sent to and park up the current email. After a while, you can go back to using your regular email. I got spammed when I ran a mail server on one of my PCs, as well as many attempts to connect to it to get it to send emails out.

Never reply to the sender of the spam. You will need to do what I suggest and leave your email box until it is full, leave it so that the servers send a response to say your box is full, leave it like that for a few weeks, then empty it. If you grab one of many spam tools, you can empty all your email accounts without having one email land on your computer.

Major_Grooves
08-29-2006, 05:17 PM
It gets worse....

It seems some spammers are using my email address to spam others. Amongst the spam emails I found a couple of genuine emails pleading with me to stop sending them emails! So they have been getting spammed and it seems like it is coming from me!

I am worried about getting blacklisted or something! Surely this is quite common. It is so easy to change the 'from' field. I wonder how many emails are being 'sent' by me.

I will follow your advice for letting my mail box fill up and also ask my host for advice.

KDLA
08-29-2006, 06:31 PM
Another thing you might do is create a specific email account for the form results, separate from your personal one. You could title it something like "Organization's Form Responses" (the real name in there instead of Org.)

Major_Grooves
09-05-2006, 04:08 PM
Well they completely filled up my server space through emails to my feedback address and to my catch-all. I tried to change my email address in the feedback form but I couldn't re-upload it because I was over-quota so I was left without a feedback form for a day!

I got my server to clear it out. I deleted the catch-all. Then I deleted the feedback form user and made a new one. That email address has already received 700 emails tonight just 24h after it was set up. So I guess 'they' have a script waiting for me to change my email address so they can bombard it. I presume it is a script checking my site rather than a human.

Why am I being targeted?!

So I can't use that feedback form script anymore, so has anyone got a suggestion for a free feedback form I could use that won't be hijacked by evil ba$tard spammers?

Major_Grooves
09-05-2006, 04:13 PM
So the captcha would prevent someone spamming the feedback form, but can't the robot also just download the feedback.php file which my contactform.php uses? The feedback.php has the email address in it and this is how I presumed they were getting my email address rather than hitting the feedback form directly.

edit/ okay this is the feedback form (http://www.thesitewizard.com/wizards/feedbackform.shtml) I use and it says to update it if I am getting spam so I will do that and see how I get on with another address!

netbuddy
09-05-2006, 07:58 PM
If the situation is THAT bad, why the hell haven't you simply shut your site down with a simple message saying back soon, closed for lunch or something witty, and read your site code for weaknesses, as it really does sound strange when you state that you have emails from people.... 'pleading to stop spamming them...'

1. a) Are these people from your address book?
b) From your mailing list?
c) Are they receiving emails from your website???

2. Do you use a database and if so, is the host secure? Are you using passwords and login names that are considered 'STRONG', as your database security is as important as your site code and its security.

3. Is your code clean from bugs and from hacking attempts? Insecure code will allow access to your site and possible brute forcing to break in and hijack your site to use and do with as they please. This is often easiest when people choose weak passwords and logins coupled with weak security in the site code.

4. Have you scanned your PC for Malware, Trojans, Hijacks, Spyware, etc.

5. Firewall, do you run one? If not, why not? (Windows firewall does not count! & same for p2p firewalls.) This helps guard against hacks and your system being used to spam people!

tracknut
09-06-2006, 10:13 AM
This is quite common, unfortunately. I've completely stopped using catchall accounts for this reason, and that seems to resolve much of it.

The poor folks that respond to this spam asking you to stop will have their mail bounce back - hopefully that either convinces them you're gone, or that the mail was forged to begin with.

Dave

Major_Grooves
09-06-2006, 02:57 PM
Well it seems to have cleared up. 0 spam emails today! The problem seems to have been some exploit in the feedback form I was using (above); the new version patches this exploit.

I actually emailed the people that had mailed me asking me to stop and I explained what was happening and that the worst thing they could do was reply to the mail as they had just done! I shudder to think about how many people are still being bombarded with emails 'from' me!

bathurst_guy
09-07-2006, 02:14 AM
This happened to me a while ago.

I just did an ereg check on the from email and if it included my domain I did a die("get lost");

netbuddy
09-07-2006, 03:19 PM
This happened to me a while ago.

I just did an ereg check on the from email and if it included my domain I did a die("get lost");

lol...

what about this one...

die("Uploading credit card details and bank acounts.... ;)");

benri
09-13-2006, 08:11 AM
I have an online ASP form that when submitted goes directly into an Access database on my webserver. Recently I also started to get spam submitted (comes in on an average of 1 per day). Does anyone have a solution on how I can prevent this from happening? Any help/advice would be greatly appreciated!

Thank you

KDLA
09-13-2006, 08:16 AM
As mentioned, wait it out. There's not much you can do. The more you interact with the spammer, the more stuff you'll receive.

benri
09-13-2006, 09:03 AM
Thanks KDLA...

poiuy
09-13-2006, 04:23 PM
Just to let you know I too saw about 7-8 spam emails come into my feedback form on the 5th and 7th of September.

Fortunately that was it and it has stopped but I do find it interesting that mine also hit the "feedback" form and no other forms on my site.

I didn't think anything of it until I read this. I just checked and the IP address sending them linked back to Thailand.

Don't have anything to suggest just wanted you to know you weren't the only one.

FireCracker37
09-17-2006, 02:34 PM
I log information on every user who submits something via my feedback form, so if they are using that to spam you, then you should have a log of their IP addy and stuff.

Also, when I made my first successful website I was getting hit with 5-10K of spam every day. I switched on some very advanced filtering on my side, and some validation on the server side, changed the address, and then I started only getting a few hundred from the people who were really tricky, and several of them I was able to turn in to their ISP.

It isn't an easy battle to fight, but it won't last forever.
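
Two server-side measures mentioned in this thread, rejecting a submitted 'from' address on the site's own domain (bathurst_guy) and logging every submission with its IP address (FireCracker37), shown together in PHP 7.1+ as an added example that is not code from any poster. `example.org`, the log path and the `email` field name are assumptions, and `preg_match` is used because `ereg` has since been removed from PHP.

```php
<?php
// Added example. SITE_DOMAIN, LOG_FILE and the 'email' field are assumptions.
const SITE_DOMAIN = 'example.org';                 // placeholder for your own domain
const LOG_FILE    = '/var/log/feedback-form.log';  // hypothetical log location

// Returns null when the sender address is acceptable, else a short reason.
function reject_reason(string $from): ?string
{
    // A value that ends up in a mail header must never contain a line break.
    if (preg_match('/[\r\n]/', $from)) {
        return 'line break in address';
    }
    if (filter_var($from, FILTER_VALIDATE_EMAIL) === false) {
        return 'not a valid address';
    }
    // Compare the domain part exactly (or as a subdomain) rather than by
    // substring, so "user@notexample.org" is not rejected by accident.
    $domain = strtolower(substr(strrchr($from, '@'), 1));
    $suffix = '.' . SITE_DOMAIN;
    if ($domain === SITE_DOMAIN || substr($domain, -strlen($suffix)) === $suffix) {
        return 'sender claims our own domain';
    }
    return null;
}

// Appends one line per submission: UTC time, client IP, address, outcome.
function log_submission(string $ip, string $from, ?string $reason): void
{
    // Replace control characters and quotes so input cannot forge log lines.
    $clean = preg_replace('/[\x00-\x1F\x7F"]/', '?', $from);
    $result = $reason === null ? 'accepted' : "rejected ($reason)";
    error_log(sprintf("%s ip=%s from=\"%s\" result=%s\n",
        gmdate('c'), $ip, $clean, $result), 3, LOG_FILE);
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $raw    = $_POST['email'] ?? '';
    $from   = is_string($raw) ? trim($raw) : '';
    $reason = reject_reason($from);
    log_submission($_SERVER['REMOTE_ADDR'] ?? '-', $from, $reason);
    if ($reason !== null) {
        http_response_code(400);
        die('get lost');
    }
    // The existing mail-sending code runs here with the validated $from.
}
```

The rejected entries in the log give the IP addresses and timing needed for an ISP report, as described above.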

managedlinks
10-22-2006, 06:04 PM
Feedback form spam is easy to defeat.

You have no need to put up with it at all and you don't need to worry about losing customers either.

The same techniques can be used to stop automated signups on websites WITHOUT the need for Turing tests. (That's those often hard to read images with letters and numbers on them.)

Spam bots generally now include OCR readers that defeat many simple Turing tests, and when a spam bot fails they often send the Turing test to a real human for intervention.

If you have a forum you will see countless signups that bypass the simple Turing tests placed on the signup pages.

stop feedback form spam (http://www.managedlinks.com/formspam.php)