Form spam
April 08, 2008
Form spam has been around for some time now. Ever since the first person found that they could automate the submission of content on a form and get it displayed immediately, form spam has been an annoying inconvenience. Even before that, a human could simply spam a form by hand. Automation has made it much easier to continue an attack over days, months, or even years, and has made the issue far more noticeable.
Guestbooks and forums have received the brunt of spam data. Inserting links in the hope of raising the link count to a particular website has been one goal. Other times it is plain entertainment, to see whether reverse engineering a form can reward oneself with a gem (also known as hacking).
Viewing the form fields and testing what data can be entered and how the form responds to it is one common method. Does the submitted content get added to a publicly viewable web page? Can you add links and images, formatting, and hidden content?
Captchas have been used to prevent automation. The hope is that humans won't be motivated to enter a captcha for every attack.
Usually the attacks come from a number of IP addresses that are often referred to as spam bots. Online databases keep track of such IPs, and one validation that an IP is a bot can help prevent further attempts from the same IP address. Occasionally, the bots will try a new IP address and the effort of blocking is repeated.
Limiting the number of entries within a time period can help stop an overly active bot, but it can also hinder a legitimate and overly active human posting in a forum.
The attacks are also common on contact forms. Many contact forms have vulnerabilities in how they handle the to and from email addresses. A simple carriage return within a to or from field can cause havoc in the email headers. Once compromised, there is no limit to the number of emails that can be sent through the form.
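The contact-form weakness above, shown as an added example that is not from the original post: the naive header concatenation beside a hardened builder that rejects control characters and validates the address before any header is written. The function names, the address pattern and the sample submissions are constructed for this illustration.

```python
import re
from email.message import EmailMessage

# Constructed sample submissions (not from the post). The second one carries a
# line break inside the "from" field, the defect the post describes.
SUBMISSIONS = [
    {"from": "alice@example.com", "subject": "Hello", "body": "Just saying hi."},
    {"from": "alice@example.com\r\nBcc: someone-else@example.net",
     "subject": "Hello", "body": "Just saying hi."},
]

# Deliberately strict address pattern: one local part, one domain, no
# whitespace and no control characters anywhere.
ADDRESS_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def has_header_injection(value: str) -> bool:
    """True when a form value contains a character that would start a new header line."""
    return any(ch in value for ch in "\r\n\0")


def naive_headers(sub: dict) -> str:
    """The vulnerable pattern: form fields pasted straight into the header block."""
    return f"From: {sub['from']}\r\nSubject: {sub['subject']}\r\n"


def header_line_count(raw: str) -> int:
    """How many header lines a raw header block actually contains."""
    return len([line for line in raw.split("\r\n") if line])


def build_message(sub: dict, to_addr: str) -> EmailMessage:
    """Hardened version: reject control characters, validate the address,
    and let EmailMessage own header construction instead of string pasting."""
    for field in ("from", "subject"):
        if has_header_injection(sub[field]):
            raise ValueError(f"control character in {field!r} field")
    if not ADDRESS_RE.match(sub["from"]):
        raise ValueError("from field is not a single valid address")
    msg = EmailMessage()
    msg["From"] = sub["from"]
    msg["To"] = to_addr
    msg["Subject"] = sub["subject"]
    msg.set_content(sub["body"])
    return msg
```

Counting header lines on the naive output is the quickest way to see the problem: the tainted submission yields three header lines where two were intended, which is also a cheap check to log and alert on.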