Email Tips: Contact Us Forms and Spambots

jamie
HostMySite Sales Rep
A feature that most (if not all) websites have is a standard 'contact us' form, i.e. basically an HTML form that allows for the input of:

FROM ADDRESS:
SUBJECT: (sometimes optional)
BODY:

That information is put into an email to be sent to the appropriate party at the company. The 'TO ADDRESS' field is hardcoded into the form, which is why it's not present in the form itself (after all, you don't know what address in the company you want to send it to).

What many don't realize is that these forms are ripe for abuse. There are two main methods in which they are abused:

1. They are used to generate spam emails to the company.
2. They are used to generate spam emails to the company AND to random internet users.

The first method is simple - a spambot, or an automated script whose sole purpose is to generate spam, simply finds the form and fills it out with spam trash, which generally forces the company recipient to read it since such forms have a good chance of side-stepping the company's internal spam filtering.

The second method is a bit more devious - the form is 'overloaded' and corrupted so it not only emails the intended company recipient but also internet users that are on the spammer's mailing list. The method used here is more complex, so I won't go into it in this post, but regardless of the exact manner it can be disrupted by doing a little more work in creating the form.

A complex method involves the use of CAPTCHA, or image verification. You've likely seen this before when signing up for forums; you have to enter a string of numbers and letters displayed in a strange-looking image. This is a good method to use because it's very robust, and it is designed to prevent automated scripts from interpreting the image. There are a few drawbacks though:

1. Usability: If it's hard for spambots to read, it could be hard for real people to read as well. This creates discomfort among users, and if they don't feel like slugging through they may well choose NOT to send you a message. From a sales/marketing standpoint, this is bad news.
2. Hack-ability: There are a fair number of 'bottled' captcha scripts on the internet that are available as open source, and also some that can be bought. A great many of these have been 'hacked', i.e. spammers have code in place that can actually read them! This means that the captcha you install may discourage some spammers, but others will breeze through it with no problem!

A simpler method of defeating this is something I found on a random captcha site a few days ago. Basically, since spammer scripts fill out all available fields when sending the trash, you can set up a 'honeypot' for them, i.e. an empty field that isn't shown to the average user. So, instead of having these fields:

FROM ADDRESS:
SUBJECT:
BODY:

You instead have:

FROM ADDRESS:
SUBJECT:
BODY:
BODY2:

To prevent users from seeing 'BODY2', simply use CSS (Cascading Style Sheets) to hide the field - you can do so by wrapping the form field in this tag:

<div style="display:none;visibility:hidden;">

This prevents human users from seeing the field. Now, when the form is submitted, run a check to see if the BODY2 field contains any content. If it does, then you know that a real person didn't submit the form and instead it was a spambot, so just discard the information. If the field is left blank then you can safely format the rest of the fields into your email message.

Note that this will only work on 'generic' spam scripts. If a script is tailored specifically for your website, then it will likely be 'trained' to ignore BODY2 and the message will still get sent. Even so, if it stops even half the spammers trying to abuse your forms, it's a good thing.
Last edited by jamie on Wed Jan 14, 2009 7:41 am; edited 1 time in total
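The server-side half of the honeypot check from the post above, as an added Python example (not code from the post or from HostMySite): the field names from_address, subject, body and body2, the recipient address, and the two sample submissions are all assumptions constructed for the demonstration.

```python
from email.message import EmailMessage

# Assumed field names (the post only calls them FROM ADDRESS, SUBJECT,
# BODY and the hidden BODY2); TO_ADDRESS is a placeholder recipient.
HONEYPOT_FIELD = "body2"
TO_ADDRESS = "contact@example.invalid"


def is_spambot_submission(form):
    """True if the CSS-hidden honeypot field arrived with any content.

    A human never sees BODY2, so anything in it means an automated script
    filled in every field it found. Whitespace-only counts as empty.
    """
    return bool(form.get(HONEYPOT_FIELD, "").strip())


def build_contact_email(form):
    """Turn a submission into an EmailMessage, or return None to discard it."""
    if is_spambot_submission(form):
        return None
    msg = EmailMessage()
    msg["From"] = form.get("from_address", "").strip()
    msg["To"] = TO_ADDRESS  # hardcoded on the server, never taken from the form
    msg["Subject"] = form.get("subject", "").strip() or "Contact form message"
    msg.set_content(form.get("body", ""))
    return msg


# Constructed sample submissions (dicts as a web framework would hand them over).
HUMAN_SUBMISSION = {
    "from_address": "visitor@example.invalid",
    "subject": "Question about hosting",
    "body": "Do you offer monthly billing?",
    "body2": "",  # the browser submits the hidden field, but it stays empty
}
BOT_SUBMISSION = {
    "from_address": "bot@example.invalid",
    "subject": "cheap pills",
    "body": "cheap pills",
    "body2": "cheap pills",  # a generic bot fills every field it can find
}

if __name__ == "__main__":
    for name, form in (("human", HUMAN_SUBMISSION), ("bot", BOT_SUBMISSION)):
        msg = build_contact_email(form)
        print(name, "->", "discarded" if msg is None else "sent to " + str(msg["To"]))
```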
jamie
HostMySite Sales Rep
PS: Another article on this topic can be found here:
http://www.geekwisdom.com/dyn/antispam_hidden_form_field
Jason101
Forum Regular
Nice tip in your first post Jamie. I haven't heard of that one yet. But it's definitely worth a try.