There is something I don't get: one of my web apps has a small form that allows you to enter your name and email address to "subscribe" to a user list for a site I maintain. The site is very low traffic, and only useful to a very small number of people that live in a very small town. It would be of no interest to anyone else.
Yet, every day, sometimes many times per day, someone (or a bot) is entering fictitious names and probably bogus email addresses into the form.
This form is not even active on my site anymore, it just happens to still exist as an orphaned page on my IIS directory (which tells me that someone is searching for these types of forms via Google, because there is no path to this form if you come in through the default page).
This is not a big hassle for me, I can solve the problem with captcha, but what I don't understand is for what purpose would someone set up a bot to repeatedly fill in forms? I figure there must be a reason, but for the life of me I don't know why.
What am I missing?
These are bots trying to send you spam, or worse, trying to exploit your contact form to send spam to others.
For example, there are several well-known exploits for the PHP mail() command commonly used by contact forms that can cause the TO address you put in your code to be overwritten by POSTed data, if you aren't careful how you handle the data coming in from your form. Some ways to prevent this:
Use a captcha. For a low traffic site, even a static captcha (an image that just has the same text in it every time) will work very well.
Check the HTTP referrer to make sure the POST is coming from your contact form. Many bots will spoof this though, so it isn't terribly useful.
Use hidden form fields to try to trick the bots. For example, create a field called phone_number on your form, and hide it with CSS in your stylesheet (display: none). A bot will normally fill in that field (they usually fill in all fields to avoid possible required-field validation errors) but a user would not, since it's hidden. So on POST you check for a value in that field and SILENTLY fail to send the message if there is a value in it. I find that this method alone is highly effective.
These bots are blindly trying every form they find in order to send spam mail. Some of them may have historical data of forms and even if it's not currently listed on search engines, these bots can post data to that URL.
Let's say a web site contains a HTML form for sending a recommendation to a friend, typically "Tell a fried" or "Send greeting card", which is not protected by a CAPTCHA image, for example. A bot could use the form to send thousands of spam emails using your SMTP server.
If the bot is coming from the same IP address, you could block that address on IIS or on your firewall.
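The hidden-field (honeypot) check and the mail() header-overwrite problem described in the answers above, as an added example that is not code from any of the answers. It assumes a form with fields name, email, subject and message plus a CSS-hidden phone_number field, and shows the server-side classification of a submission before anything is handed to a mail function.

```python
import re

# Added example, not from the original answers. Field names (including the
# honeypot field "phone_number") are assumptions for this illustration.
HONEYPOT_FIELD = "phone_number"          # hidden via CSS; humans leave it empty
HEADER_FIELDS = ("name", "email", "subject")

# A CR or LF in a value that is copied into a mail header lets the submitter
# append extra header lines (such as Bcc:), which is how the mail() recipient
# list gets hijacked by POSTed data.
_CRLF = re.compile(r"[\r\n]")
_EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def classify_submission(form: dict) -> str:
    """Return 'drop' (silent discard), 'reject' (show an error) or 'accept'."""
    # Honeypot: any value means something filled in the hidden field.
    if form.get(HONEYPOT_FIELD, "").strip():
        return "drop"
    # Header injection: newlines in fields that end up in mail headers.
    for field in HEADER_FIELDS:
        if _CRLF.search(form.get(field, "")):
            return "reject"
    if not _EMAIL.match(form.get("email", "")):
        return "reject"
    return "accept"


def build_headers(form: dict, to_address: str) -> dict:
    """Build mail headers for an accepted submission.
    The recipient is fixed server-side and never taken from POSTed data."""
    if classify_submission(form) != "accept":
        raise ValueError("submission must be accepted before building headers")
    return {
        "To": to_address,
        "Reply-To": form["email"],
        "Subject": form.get("subject", "Website contact")[:200],
    }


# Constructed sample submissions (not real traffic).
SAMPLES = {
    "human": {"name": "Ann", "email": "ann@example.com", "message": "Hi"},
    "bot_honeypot": {"name": "x", "email": "a@b.example", "phone_number": "555"},
    "bot_injection": {"name": "x", "email": "a@b.example\r\nBcc: victim@example.org"},
}

if __name__ == "__main__":
    for label, form in SAMPLES.items():
        print(label, "->", classify_submission(form))
```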
If they can somehow get into your server and implant software on it without you noticing, that's one extra spambot for them.
Being registered is one step closer to being able to take over a server, since you're able to see a bit more of the files on the server.
Plus, if the form isn't protected against XSS and other such tactics, hacking is even easier.
They usually try to forge custom HTML/PHP/ASP commands when they hit submit; it's used as a backdoor for trojans etc.
Comment spam is one reason. They attempt to add a lot of links in blog comments, for example, in an attempt to raise their page rank.
Some of them just seem to just fill out any form they see with links to porn sites in the hope that somewhere, somehow the links in the form will appear on your site and be picked up by google.
I've had a lot of luck blocking bots with some custom mod_Security rules.