Bogus Form Submissions (ASP Form Pages)
jamie
HostMySite Sales Rep
We have been seeing an increasing number of these 'bogus' form submissions with clients of ours that have online email forms, and have developed a way to prevent such submissions. If you are using ASP for your form, simply add the code below to the top of your form's ACTION page:

<%
' Redirect anyone whose Referer is not the real form page
If Request.ServerVariables("HTTP_REFERER") <> "http://yourdomain.xyz/yourForm.html" Then
    Response.Redirect("http://yourdomain.xyz/someErrorpage.html")
End If
%>

Note that in this script:
http://yourdomain.xyz/yourForm.html - this is the page where your actual form is
http://yourdomain.xyz/someErrorpage.html - this is the page you want the user to be redirected to if they try and post information to your form from some location other than your form page.
cpnet
I think you need to be a little careful with a script like this. My understanding is that HTTP_REFERER is optional information, and privacy and firewall software may strip out the HTTP_REFERER info. This will mean that someone legitimately filling out the form on the proper page may appear to be making a bogus submission, so they won't be able to submit the form. If you take advantage of this script, your error page should probably tell legitimate users that if they're getting the error page, they'll need to instruct their privacy/firewall software not to remove 'private' HTTP header information.
bobclingan
Forum Regular
True, for example Norton Personal Firewall strips this information out
cpnet
One other issue is that HTTP_REFERER is set by the web client. If a "hacker" has a tool to automate form submission, it would be trivial for them to set the HTTP_REFERER property to the valid URL for the form.
I think this is why sites wanting to prevent automated form submissions include those randomly changing, auto-generated, distorted .gif's of letters and numbers on their forms. It's a bit of a pain for the user having to type in the text from the .gif, but it avoids issues with spoofed or missing HTTP header info. There must be some ASP controls around that make it easy to add these validation .gif's to forms. I think I read somewhere that support for this was going to be built into ASP.NET 2.0, but I haven't seen anything about that recently.
bobclingan
Forum Regular
You are thinking of CAPTCHA: http://www.captcha.net/
I believe there are several components available for both ASP and CF. --Bob
jamie
HostMySite Sales Rep
Another technique that I thought of after I posted is session-based validation. Basically create a session on either your site or just the part of your site with the form, and on the posting page set a session variable that can be checked on the action page. If the session variable is undefined, then the post didn't come from the form page.
We've had this problem for a month or so.
Kurt@iknowtek.com
For some of the reasons stated above, I'm just using brute force, by checking for field lengths beyond what is allowed on the calling (real) form and looking for email addresses (and the like) where they should not be. This is not the best, but it works. The HTTP_REFERER is included in the email address as an FYI for now. If this does not prove to stop it I'm opting for jamie's suggestion of blocking all w/ incorrect HTTP_REFERER.
Thanks, kes
bobclingan
Forum Regular
Another method I've found: on the form submission that was faked there were impossible entries, such as a radio button that could only return one value ("Y", for example) instead returning some funky email address.
Spam Control
karen_harwood
My biggest problem with these bogus emails is that they are sending out spam to other email addresses by adding a CC field which doesn't exist in the original script. I added 'Mailer.ClearCCs' to my code and I think it's working? As far as getting the bogus emails, I just use a filter that only delivers the real ones.
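The checks the last three posts describe (field lengths and email addresses where they should not be, impossible radio-button values, and the extra CC header injected through a field), combined with jamie's session-variable idea, as one server-side validation routine. This is an added example written in Python rather than classic ASP and is not code from anyone in the thread; the form layout, field names and the two sample submissions are constructed for illustration.

```python
import re

# Constructed (assumed) description of the real form's fields: maximum length,
# whether the field is single-line, whether it must or must not contain an email
# address, and, for the radio button, the only value the form can actually send.
FORM_SPEC = {
    "name":       {"max_len": 60, "single_line": True, "no_email": True},
    "email":      {"max_len": 100, "single_line": True, "must_be_email": True},
    "message":    {"max_len": 2000},
    "newsletter": {"allowed": {"Y"}},
}
EMAIL_RE = re.compile(r"[^\s@<>]+@[^\s@<>]+\.[A-Za-z]{2,}")
# A line break followed by a mail header name is how an extra CC/BCC line gets
# smuggled into the outgoing message through a form field.
HEADER_INJECTION_RE = re.compile(r"[\r\n]\s*(cc|bcc|to|from|content-type)\s*:", re.I)

def validate_submission(fields, session_token, posted_token):
    """Return the reasons a submission looks bogus; an empty list means accept."""
    problems = []
    # Session check: the token was stored when the form page was served, so a
    # POST that never loaded the form page cannot echo it back.
    if not session_token or posted_token != session_token:
        problems.append("session token missing or mismatched")
    for name, value in fields.items():
        spec = FORM_SPEC.get(name)
        if spec is None:  # e.g. a 'cc' field the real form never had
            problems.append(f"unexpected field {name!r}")
            continue
        if "max_len" in spec and len(value) > spec["max_len"]:
            problems.append(f"{name} exceeds {spec['max_len']} characters")
        if spec.get("single_line") and ("\r" in value or "\n" in value):
            problems.append(f"{name} contains a line break")
        if HEADER_INJECTION_RE.search(value):
            problems.append(f"{name} contains an injected mail header")
        if "allowed" in spec and value not in spec["allowed"]:
            problems.append(f"{name} has impossible value {value!r}")
        if spec.get("must_be_email") and not EMAIL_RE.fullmatch(value):
            problems.append(f"{name} is not a single email address")
        if spec.get("no_email") and EMAIL_RE.search(value):
            problems.append(f"{name} contains an email address")
    return problems

# Constructed sample submissions: one genuine, one of the bogus kind the thread describes.
GOOD_SUBMISSION = {"name": "Ann Example", "email": "ann@example.com",
                   "message": "Hello there", "newsletter": "Y"}
BAD_SUBMISSION = {"name": "bob@spam.example",
                  "email": "x@y.example\r\nCc: victim@example.net",
                  "message": "buy now", "newsletter": "spam@example.org",
                  "cc": "more@example.net"}
```

Rejecting a submission that fails any check (rather than sanitising it) is what stops the CC abuse karen_harwood describes, since the mailer never sees the injected header.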
ASP.NET more Secure?
karen_harwood
Is using ASP.NET more secure? Will this stop the problem with bogus emails and people using online email forms to inject spam?
rcorbin
Has anyone tried using the CAPTCHA form validation as a way to prevent automated scripts from posting to your webform?
http://en.wikipedia.org/wiki/Captcha
Might be worth a look. -Ray