So then, you don't recommend having a form send copy to submitter?
Could have some safeguards such as set up a no index robot file..
Spammers will pay no attention to robots.txt.
I don't know if every form is found and exploited.
They pretty much are.
I would think there would be many other less time consuming ways to send spam then looking for a form, maybe I'm wrong.
Yes. Sorry, you're wrong. Spammers write programs that automatically probe web sites for insecure formmail programs. These probes send emails back to the spammers when an insecure installation is found.
They then use other programs which pretend to be a browser and submit hundreds of forms a minute to send out their spam.
And this is only really useful to the spammer if the form contains text area correct? Not much use from a text field.. I suppose just the text field would be targeted, but then all of these messages that they would send would also have the name of field before their advert...
That's right. They need to find the name of the text field and insert their advert there. But most formmail programs don't check the size of the data submitted for a field so the sheer size of the advert overwhelms any other data in the generated email.
What about setting the program to not allow so many submissions within a time period. There is no way this particular application/setup will have much traffic.
That's one suggestion. I've seen that implemented a few times.
There is no way to authenticate to prevent exploitation for spam purposes? This send copy to submitter is needed.
Of course, this is another way to block abuse. To force your visitor to register before they can send email using your formmail. This is how web mail programs solve the problem. But in most cases where you'd want to use a formmail, putting the extra registration step into the process would stop people from using the form.
Here's a simple experiment you can try. Do you have access to your web server's logs? Try looking in the error log on a server that doesn't have a formmail program installed. I can almost guarantee that you'll see a number of cases where people try to access formmail on the server. This will be the spammers programs probing the server for invunerabilities.
If you don't have access to the server logs thne take a look at this. The formmail.pl on my server simply dumps details of each request into this file, so you can see how frequently I get probed.
Is that clearer?
Dave Cross, Perl Hacker, Trainer and Writer
Get more help at Perl Monks