May 10, 2006 - Spam Through Your Website's Contact Forms

Lately, more than ever, my clients have been reporting strange emails being sent through their websites. These emails are generated automatically by the online forms that are set up to let their clients contact them through a simple web interface. However, spammers set up robots or scripts to seek out online forms and probe them for weaknesses.
Here is an example of what is being received in the middle of the email that is generated:

Content-Type: multipart/alternative; boundary=806eede0ce1f48c47995dca801bbfbd9
MIME-Version: 1.0
Subject: for the
bcc: bajfla1@aol.com

This is a multi-part message in MIME format.

--806eede0ce1f48c47995dca801bbfbd9
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

in ral iles befure th man that made th goods. was that got him into throuble. an
--806eede0ce1f48c47995dca801bbfbd9--

Basically, what they are trying to do is slip in a bit of extra content and add a BCC address so that they can see whether the form actually sends email to them. The address in the above example was bajfla1@aol.com. The spammer then checks this account, and if the form has sent an email to it, he will start using the form to route spam through.
There are many ways to block this type of spam. The first is to have your web developer add a few extra checks on the form input to ensure that the input fits what the form allows (especially checking for extra line feeds). The second is to put a CAPTCHA on the form (please read one of my previous blog entries or see my CAPTCHA example).
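
One way to implement the first check, as an added example that is not code from this blog: every form value destined for a mail header is rejected if it contains a line feed or other control character, while the message body may keep its line breaks. The field names, length limits, addresses and sample submissions are assumptions constructed for illustration.

```python
import re
from email.message import EmailMessage

# CR, LF and other control characters have no place in a one-line header value.
_CTRL = re.compile(r"[\r\n\x00-\x1f\x7f]")
_ADDR = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
_MAX = {"name": 80, "email": 254, "subject": 150}  # assumed limits

class RejectedInput(ValueError):
    """Raised when a form field does not fit what the form allows."""

def check_header_field(field, value):
    """Return value unchanged if it is safe to place in a mail header."""
    if len(value) > _MAX[field]:
        raise RejectedInput(f"{field}: too long")
    if _CTRL.search(value):
        raise RejectedInput(f"{field}: line feed or control character")
    if field == "email" and not _ADDR.fullmatch(value):
        raise RejectedInput("email: not a single address")
    return value

def build_contact_mail(form, site_from, site_to):
    """Build the outgoing mail; the visitor never sets From, To or Bcc."""
    name = check_header_field("name", form["name"])
    sender = check_header_field("email", form["email"])
    subject = check_header_field("subject", form["subject"])
    msg = EmailMessage()
    msg["From"] = site_from          # fixed by the site owner
    msg["To"] = site_to              # fixed by the site owner
    msg["Reply-To"] = sender         # validated single address
    msg["Subject"] = f"[Contact form] {subject}"
    # Body text sits after the header block, so line feeds here add no headers.
    msg.set_content(f"From: {name} <{sender}>\n\n{form['message']}")
    return msg

# Constructed submissions; BAD mimics the extra "bcc:" line shown above.
GOOD = {"name": "Pat", "email": "pat@example.com",
        "subject": "Quote request", "message": "Please call me."}
BAD = dict(GOOD, email="pat@example.com\r\nbcc: probe@example.net")
```

Logging each rejected submission with its source IP gives the site owner a record of the probing robots as well.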
Our blog focuses on Information Technology news and issues as they pertain to the average computer user.
Written by Mark Walther, BSc, Eng. Techn.
Submit ideas for our blog by emailing us at info@tbayit.com