Preventing outbound SPAM

by UnderMine (Friar)
on Jun 01, 2006 at 12:09 UTC ( [id://553026]=perlquestion )

UnderMine has asked for the wisdom of the Perl Monks concerning the following question:

Hi Monks,

I would like your collective wisdom on how best to implement a SPAM filter for outbound SPAM.

Looking at the conventional solutions everything is based on preventing incoming spam and not designed to stop sending it :( It may be that I have missed something blatantly obvious.

I have a website that has a large number of email forms that are used to send requests from the public to clients. Recently we have experienced a number of spammers copying and pasting into the forms.

Putting in a graphical code image would prevent bots using the forms but not stop people from copying and pasting. To make things more complex it is perfectly valid for a person to ask the same question of multiple clients.

My initial thoughts were along the lines of implementing a whitelist and quarantining everything else. However with my hundreds of emails going through the system this will be manually intensive to manage. Now my thoughts have moved to a delayed mailing system that quarantines all mail except whitelisted addresses. If no more mails are received within a period it releases them otherwise it flags it to administrators.

Now back to the real question.

Can any of the CPAN modules such as Mail::SpamAssassin be used to flag potential outbound spam before it becomes an email?

Thanks
UnderMine

Replies are listed 'Best First'.
Re: Preventing outbound SPAM
by davorg (Chancellor) on Jun 01, 2006 at 12:23 UTC

    We had to consider this when writing the nms formmail program. Formmails are the most badly abused CGI programs on the web. Here is what we recommend (and, whenever possible, enforce) in formmail.

    • Only ever allow the form to send email to a fixed set of email addresses. Most spammers will test formmail programs by trying to get an email sent to themselves. If you don't send email to addresses that are input through the form then the spammer won't get his test email back and will probably abandon your site.
    • If you're sending to ad-hoc email addresses, then only send fixed text that is configured in the program and not taken from the form. If a spammer can't change what the email says then your system is of little use to him.
    • If you can't do either of the above, then force people to register (and check their email address is valid) before using your system to send email. That will discourage spammers as (for obvious reasons) they don't like to leave a trail.

    As in so many areas of life, it's just a case of making your system harder to abuse than your neighbours'. If your system gives the spammers any trouble at all then they'll soon move on to a less well-guarded server.

    --
    <http://dave.org.uk>

    "The first rule of Perl club is you do not talk about Perl club."
    -- Chip Salzenberg

      As in so many areas of life, it's just a case of making your system harder to abuse than your neighbours'. If your system gives the spammers any trouble at all then they'll soon move on to a less well-guarded server.

      This is not my experience - my (work) logs show that we often get repeated attempts at the same script from the same IP address, or from different IP addresses but with the same payload (including the same throwaway target email address) over a period of time.

      One particularly persistent guy has returned from the same IP address to the same script with the same payload once a month for at least the 6 months we've been logging enough to tell.

      Note that this is just logging the special case where people explicitly attempt to trick the script by inserting things like "some text\ncc: email@address" into random fields that look as if they might make it into email headers.

      (For what it's worth, we deal with this by logging such abuse, and blocking offending IP addresses for escalating periods of time.)

      Hugo
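
The check and the escalating block described in the reply above, as an added example that is not code from the thread or from any poster's site. The sub names, the in-memory store and the block ladder (1 hour, 1 day, 7 days) are assumptions; a real handler would persist the offender table.

```perl
use strict;
use warnings;

my @BLOCK_SECONDS = (3600, 86_400, 7 * 86_400);   # assumed ladder: 1h, 1d, 7d
my %offender;   # ip => { strikes, until }; in memory for the demo only

# Header-bound fields (name, subject, reply address) must be one line.
# A CR or LF would let the sender append headers such as "cc:".
sub injected_field {
    my ($header_fields) = @_;
    for my $name (sort keys %$header_fields) {
        return $name if $header_fields->{$name} =~ /[\r\n]/;
    }
    return;
}

sub is_blocked {
    my ($ip, $now) = @_;
    my $rec = $offender{$ip} or return 0;
    return $now < $rec->{until} ? 1 : 0;
}

# Each new offence moves the address one step up the ladder.
sub record_abuse {
    my ($ip, $now) = @_;
    my $rec  = $offender{$ip} ||= { strikes => 0, until => 0 };
    my $step = $rec->{strikes} < $#BLOCK_SECONDS ? $rec->{strikes} : $#BLOCK_SECONDS;
    $rec->{strikes}++;
    $rec->{until} = $now + $BLOCK_SECONDS[$step];
    return $BLOCK_SECONDS[$step];
}

sub handle_submission {
    my ($ip, $header_fields, $now) = @_;
    return 'blocked' if is_blocked($ip, $now);
    my $bad = injected_field($header_fields);
    return 'accepted' unless defined $bad;
    my $secs = record_abuse($ip, $now);
    warn sprintf("form abuse from %s in field %s, blocked for %ds\n", $ip, $bad, $secs);
    return 'rejected';
}

# Constructed submissions; 192.0.2.10 is a documentation address.
my %clean = (name => 'Ann', subject => 'Opening hours?');
my %evil  = (name => 'x',   subject => "some text\ncc: email\@address");
my $t = time;
for my $try ([\%clean, 0], [\%evil, 0], [\%clean, 60], [\%evil, 3601], [\%clean, 7300]) {
    print handle_submission('192.0.2.10', $try->[0], $t + $try->[1]), "\n";
}
```

Only fields that reach mail headers are passed in; the message body may legitimately contain line breaks.
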

      Thanks.

      Each form goes to only one email address which is one of the client's members. However there are hundreds of forms, one for each member.

      Unfortunately the client does not believe that you should have to register to ask their members a question. But we are trying to change that.

      UnderMine

        Unfortunately the client does not believe that you should have to register to ask their members a question. But we are trying to change that.

        Your client needs to be introduced to the realities of the situation; registration or spam - pick one :-)

        --
        <http://dave.org.uk>

        "The first rule of Perl club is you do not talk about Perl club."
        -- Chip Salzenberg

Re: Preventing outbound SPAM
by marto (Cardinal) on Jun 01, 2006 at 12:19 UTC
    UnderMine,

    Perhaps I am not understanding your question properly. This script you are using to process the HTML forms and send the mail, did you write it yourself? Is the spam being sent to your clients only, or are the spammers relaying mail to other people via your script? Have you looked at things like NMS Formmail?

    Thanks

    Martin
Re: Preventing outbound SPAM
by stonecolddevin (Parson) on Jun 01, 2006 at 12:15 UTC

    When you say the forms are used to send requests from the public to clients, does that mean that anyone is allowed to send these requests?

    I'm not completely understanding, but if only certain people are supposed to be using these forms, then maybe you should create some sort of members only interface? I'm not completely convinced you should wait until someone actually sends the data to be trying to prevent it.

    meh.
Re: Preventing outbound SPAM
by gellyfish (Monsignor) on Jun 01, 2006 at 12:20 UTC

    Can any of the CPAN modules such as Mail::SpamAssassin be used to flag potential outbound spam before it becomes an email?

    Well not quite before it becomes an e-mail but before it leaves the server, yes. You can use Mail::SpamAssassin's spamd in association with a plugin for your MTA (such as spamass-milter for Sendmail), to process the mail before it is forwarded on its next hop. You can for instance set the threshold such that it will bounce or drop the mails rather than simply flagging them as spam.

    /J\
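
Besides the spamd/milter route, the Mail::SpamAssassin module can be called in-process, so a form handler can score a submission before handing it to the MTA. The following is an added example, not code from the thread; it assumes Mail::SpamAssassin and its default rules are installed, and the sub name, field names and addresses are hypothetical.

```perl
use strict;
use warnings;
use Mail::SpamAssassin;   # assumed to be installed with its default rules

# local_tests_only skips DNS and other network tests so the form stays fast.
my $sa = Mail::SpamAssassin->new({ local_tests_only => 1 });

# Build a minimal message from already-validated form fields and score it.
sub score_form_mail {
    my (%f) = @_;
    # Header values must be single-line; collapse any CR/LF defensively.
    my %h = map { my $v = $f{$_}; $v =~ s/[\r\n]+/ /g; ($_ => $v) } qw(from to subject);
    my $raw = join "\n",
        "From: $h{from}", "To: $h{to}", "Subject: $h{subject}", '', $f{body}, '';

    my $mail   = $sa->parse($raw);
    my $status = $sa->check($mail);
    my %result = (
        is_spam  => $status->is_spam() ? 1 : 0,
        score    => $status->get_score(),
        required => $status->get_required_score(),
        tests    => scalar $status->get_names_of_tests_hit(),
    );
    $status->finish();
    $mail->finish();
    return \%result;
}

# Constructed sample submission; addresses are placeholders.
my $r = score_form_mail(
    from    => 'visitor@example.com',
    to      => 'member@example.org',
    subject => 'Question about opening hours',
    body    => "Hello,\nare you open on Sundays?\n",
);
printf "score %.1f of %.1f required, tests: %s\n",
    $r->{score}, $r->{required}, $r->{tests};
print $r->{is_spam} ? "quarantine for an administrator\n" : "hand to the MTA\n";
```

The default rules are tuned for inbound mail with full Received headers, so the threshold for form-generated messages needs tuning against real submissions.
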

Re: Preventing outbound SPAM
by fizbin (Chaplain) on Jun 16, 2006 at 19:17 UTC

    In addition to everything else being proposed here, you should seriously consider consulting a DNS-based RBL. It's easy to do, especially in a web-backend context where you're guaranteed to be connected to the internet and to have the sender's IP address.

    --
    @/=map{[/./g]}qw/.h_nJ Xapou cets krht ele_ r_ra/; map{y/X_/\n /;print}map{pop@$_}@/for@/
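
A DNSBL lookup of the submitter's IPv4 address, as an added example that is not code from the thread. The zone `dnsbl.example.org` is a placeholder for whichever list the site chooses, the sub names are hypothetical, and the demo uses a constructed stub resolver so it runs offline; without the stub it resolves through the system resolver via `inet_aton`.

```perl
use strict;
use warnings;
use Socket qw(inet_aton inet_ntoa);

my $ZONE = 'dnsbl.example.org';   # placeholder zone, not a real list

# DNSBLs are queried by reversing the octets and appending the zone:
# 192.0.2.99 becomes 99.2.0.192.dnsbl.example.org
sub dnsbl_name {
    my ($ip, $zone) = @_;
    my @octets = $ip =~ /\A(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\z/
        or return;
    return if grep { $_ > 255 } @octets;
    return join '.', reverse(@octets), $zone;
}

# Returns the 127.x.y.z answer when listed, '' when not, undef on bad input.
# A failed or timed-out lookup is treated as "not listed" (fail open).
sub dnsbl_lookup {
    my ($ip, $zone, $resolver) = @_;
    $resolver ||= sub {
        my $packed = inet_aton($_[0]);          # A-record lookup by name
        return $packed ? inet_ntoa($packed) : undef;
    };
    my $name = dnsbl_name($ip, $zone) or return;
    my $answer = $resolver->($name);
    return '' unless defined $answer;
    # Listed entries answer inside 127.0.0.0/8; ignore anything else.
    return $answer =~ /\A127\./ ? $answer : '';
}

# Constructed zone data standing in for the DNS during the demo.
my %fake_zone = ("99.2.0.192.$ZONE" => '127.0.0.2');
my $stub = sub { $fake_zone{ $_[0] } };

for my $ip (qw(192.0.2.99 192.0.2.10)) {
    my $hit = dnsbl_lookup($ip, $ZONE, $stub);
    print "$ip: ", ($hit ? "listed ($hit), quarantine the submission" : 'not listed'), "\n";
}
```

Call `dnsbl_lookup($ip, $ZONE)` without the third argument to query a real zone.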
