Caught a Spammer. Now what?

         

Mobi_Mobbi

9:41 am on Apr 17, 2009 (gmt 0)

10+ Year Member



I've got a feedback form on my site which seems to work quite well at preventing spam. My question is: Once you know you have a spammer trying to send you some <ahem> feedback, what do you do with him?

I've read lots of messages on how to catch a spammer, but not much on what to do with him afterwards. I've usually read that he's "tossed." What does that mean specifically? HOW do you toss him?

Right now I'm sending him a 503 Service Unavailable error (after I let the page sleep for a few seconds to slow him down a bit). Any thoughts on this?

Other options I've read about (but haven't implemented) are:

1. Giving him a "message sent" response so he actually thinks his spam worked. My problem with this is that it does nothing to deter him.

2. Telling him you know he's a spammer and his spam has been deleted. Isn't this like showing your hand to everyone in poker? The spammer's just going to change his tactics and keep trying.

3. Sending him a 404 (or error of choice).

4. Blocking the spammer by IP (used with other methods). This may catch some, but the sneaky ones will just use proxies etc.

5. Redirecting him to another website (his own domain?).

Any comments or suggestions?

My form is in PHP, but I'm a bit of a hack (and newbie) and don't know PHP inside and out. I'm slowly learning more each day, but it's a long process. :(

janharders

10:14 am on Apr 17, 2009 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I'd vote for 1 or 4. Either fool him or don't deal with him at all. Most of these tries are bots, they won't be sad if you print out that you caught them.

If you don't want a lot of effort, just put an if-statement around your actual mail-sending:

if ($this_is_spam)
{
    # log or discard
}
else
{
    mail(...);
}

henry0

11:26 am on Apr 17, 2009 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Are you speaking about what I call "soft spam", which consists in trying to advertise for some product/s, or about a spammer that uses your form to send tons of emails?
Anyway in both cases whatever you'll try is only like a band-aid on a wooden leg :)
What's needed is reinforcing your form security.

janharders

12:34 pm on Apr 17, 2009 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



There's a third kind: bots filling forms with random (probably unique) strings. Someone indicated in another thread they'd do a Google search later to check whether their form input will show up on a Google-indexed page on your site. If that happens, they unleash bot-hell on your site.

daveginorge

12:52 pm on Apr 17, 2009 (gmt 0)

10+ Year Member



Have you tried only allowing the form to respond to referrals from your site? If someone arrives at the form not from your own domain, then they are redirected to your index page or you display an error page with a link to your index page.

henry0

12:56 pm on Apr 17, 2009 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Yes, checking referrals works very well!

Mobi_Mobbi

2:18 pm on Apr 17, 2009 (gmt 0)

10+ Year Member



Thanks for the replies.

My "problem" (if you want to call it that) isn't form security. My form is fairly secure -- and I'll adjust it if needed.

I'm just curious as to where do I send the spammer/bot once I discover him/it? Should the form just DIE? Should I redirect to my home page? An error page? Should I let them think they succeeded?

What do you do with YOUR found spammer/bots?

[edited by: Mobi_Mobbi at 2:21 pm (utc) on April 17, 2009]

daveginorge

2:28 pm on Apr 17, 2009 (gmt 0)

10+ Year Member



If it's a bot then it will be wasted effort, however it might be amusing to redirect to some of the trojan horse websites and just hope if it's not a bot he does not have good AV support and gets infected.

I'm sure you will be able to google for those, maybe worth doing that exercise on a Linux box.

YES YES I am bitter and twisted

rocknbil

4:28 pm on Apr 17, 2009 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I would do none of this. First, you are taking this personally (note "him" throughout. Girls hack too you know. :-) ) It's not likely even a person, as mentioned, it's a program pointed at your site because it initially revealed vulnerabilities.

Don't get me wrong, spammers are a personal vendetta of mine. But when you begin to take it personally, you begin to think irrationally.

I log everything. This is different than server logging, which doesn't tell the whole story. Log your raw input, before doing any cleansing.

Pore over the logs frequently. Guess what happens? You learn more about your enemy.

Play their game; collect information silently, don't be a smart a** and try to do something cool or they will call all their spam-buddies on you and maybe even DDOS you, and trust me, that's not something you want to take on.

IP banning works, but it's an endless task with a constantly growing .htaccess. You also run the risk of eliminating legitimate contacts. Personally, see point 1 - it cuts off the amount of intel I can collect on spammers.

So when a spammer gets caught in my trap, what do I do with them?

"Malicious input detected. Action logged, no email was sent."

That is all. Enough for their bots to log that there's no love here and not worth their effort.
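
What the post above describes (log the raw input before any cleansing, then answer with one fixed message), as an added PHP example that is not part of the thread or any poster's code. The function names, the log path and the `$isSpam` flag are assumptions, and the sample submission is constructed.

```php
<?php
// Added example: function names, log location and $isSpam are assumptions.

/**
 * Build one log line from the untouched request data.
 * json_encode() escapes CR/LF and other control characters, so a
 * submission cannot forge extra log entries or break the line format.
 */
function build_spam_log_line(array $post, array $server, int $maxLen = 4096): string
{
    $flags = JSON_INVALID_UTF8_SUBSTITUTE | JSON_UNESCAPED_SLASHES;
    $fields = [];
    foreach ($post as $name => $value) {
        // Raw value, only truncated so one request cannot fill the disk.
        $raw = is_array($value) ? (string) json_encode($value, $flags) : (string) $value;
        $fields[(string) $name] = substr($raw, 0, $maxLen);
    }
    $entry = [
        'time'    => gmdate('c'),
        'ip'      => $server['REMOTE_ADDR'] ?? '',
        'agent'   => substr($server['HTTP_USER_AGENT'] ?? '', 0, 512),
        'referer' => substr($server['HTTP_REFERER'] ?? '', 0, 512),
        'post'    => $fields,
    ];
    // Invalid UTF-8 is common in bot traffic; substitute it instead of failing.
    return json_encode($entry, $flags) . "\n";
}

function handle_feedback(array $post, array $server, bool $isSpam, string $logFile): string
{
    if ($isSpam) {
        // Append under a lock; keep the log file outside the web root.
        file_put_contents($logFile, build_spam_log_line($post, $server), FILE_APPEND | LOCK_EX);
        return 'Malicious input detected. Action logged, no email was sent.';
    }
    // The form's real mail(...) call goes here, using cleansed values only.
    return 'Message sent.';
}

// Constructed sample submission carrying a header-injection style payload.
$samplePost   = ['email' => "a@example.com\r\nBcc: list@example.net", 'msg' => 'buy now'];
$sampleServer = ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_USER_AGENT' => 'constructed-bot/1.0'];
echo handle_feedback($samplePost, $sampleServer, true, sys_get_temp_dir() . '/form_spam.log'), "\n";
```

Each caught submission becomes a single JSON line with the CR/LF of the payload escaped, so the log can be reviewed or grepped without the raw input being able to alter its structure.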

janharders

6:06 pm on Apr 17, 2009 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



>"Malicious input detected. Action logged, no email was
>sent."

>That is all. Enough for their bots to log that there's no
>love here and not worth their effort.

That'd imply their bots actually compare responses. I mean, I'm under the impression that most of these bots don't even target specific languages, just dumping their message into forms. They wouldn't know if the message succeeded or not, unless maybe, the same form was shown as an indicator that something is wrong. Unless you send a http-error, how would they know you didn't send the message?
I've heard rumors that some mail-spammers actually stop trying to bomb you if your server denies taking their emails directly, but from my experience on my systems, that's either not true or at least not true for all of them.
I guess like in every business, there are professionals and beginners. The beginner has a couple of scripts he found or wrote himself, but he won't do sophisticated checks whether it works or not, he plays for quantity. Haven't you all looked at spam (or the requests they send) and thought "wow, I could build a better bot than this on a weekend"? That's why I think there are mostly non-pros in that segment. I'm pretty sure the pros are much harder to discover and thus rarely seen.

rocknbil

6:30 pm on Apr 17, 2009 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



>that'd imply their bots actually compare responses.

Okay, why do people spam?

Because they get paid for it.

If you were paying for spamming, what would you want to see?

Some form of evidence of delivery.

So yes, I'm betting on some form of logging or at least a way to view results of their bots.

janharders

8:42 pm on Apr 17, 2009 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I agree, but on the other hand: I'm a perl guy. Depends on how big the profits are, I wouldn't go to check logs, compare the body of http200-responses to see whether a message was sent. I'd just go for quantity. I'd run my bots, maybe use google to find contact-forms (or whatever I'm after), and just hit 'em with all that I can. I have no clue about profit margins on spam, but 10 form submissions per second should be possible even without any special infrastructure (e.g. my dev-server + my home dsl line). That'd be 10 responses per second. 600 a minute. Unless I was really into statistics, pattern recognition etc pp, I'd have a hard time to automatically identify error messages. And of course, I wouldn't want to check them myself. So either I have sophisticated data mining technology and know-how (if I do: why am I spamming and not cashing in on big corporate contracts?), I probably would try to recognise some standard cms-replies, but I wouldn't worry about the sites that use unique scripts with unique markup and unique messages, which, in my experience, are more common than those that use a standard cms.
You have any clue how much they're making on the different approaches? Maybe I should change sides ;). But seriously, if it's a conversion rate like 1000 requests gets you a dollar, I'd hit it with everything I have, and not worry about messages that didn't get sent. If spammers do think like me, teergrubing might actually be a good idea to slow them down, if you can spare the resources.

rainborick

12:29 am on Apr 18, 2009 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



In my limited experience, the best thing to do is to return a 500 error so that the spammer thinks your form is broken. They tend to go away pretty quickly after that.

rocknbil

2:13 pm on Apr 18, 2009 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



There's only one problem with a 500. One of the "signs" that a script has vulnerabilities is when you attempt to inject or mysql inject if you get a 500, it tells you the form input is not properly handled and may be an "opening" to investigate further.

For example, the general process is input->(usually) error check/filter->send mail-> respond to browser. In a perl script, you can generate a 500 by simply not returning a response to the browser. All a spammer would care about is step 3. So if it 500's, it may be no deterrent.

>You have any clue how much they're making on the different approaches?

Nope. Just based on what I see in the logs, and what seems to work. Generally I see them come in, hit a form 3 or 4 times, come back in a week or two, then never return. New ones come up all the time, with the same pattern.

Generally, what seems to work, make it just difficult enough to make it not worth their effort, there are plenty of slower sheep in the herd. :-)