Strange form spam

What does it mean?

         

dstiles

1:50 pm on Apr 17, 2020 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I use a contact form processor I designed myself years ago for IIS and recently adapted for Linux Apache. I use it for half a dozen or so sites recently converted to Linux Apache but still have a few sites using the original IIS version. It seems to work as well now as it always has but seems to attract an entirely different kind of spam. Or is something else going on?

Under IIS I get about the same quantity of form spam as on Apache - at most a couple per day, often none for several days. The IIS spam is in the form of ordinary text, easily picked out from real submissions by the incidence of certain words or phrases. Apache sites' spam comes as variations on the following...
Sent By: FSHTXwVI
Email: jh650545@(g-guess-who)
Telephone: 6662483888
Town: TqPIsAGrmWYvdkpz
County: mbdaUukAEDvNZ
Country: England
Comment: HdwGmxRZTfahbvI
FoundOn: obTaPuQcim

Sequence of pages always seems to be: home, contactform, contactformsubmission, contactform acknowledgment. I don't think it's ever gone straight to the form page (this may indicate it gets the site from an SE as I do not allow SEs access to the contact forms).

A few of the fields are near their text limit sometimes but Comment certainly isn't. Country is real because it's a drop-down with England as the first option.

The above format, with its rubbish content (different each time), has been submitted from almost the first site going online, about a year ago. I've even built a portion of the spam trapping code around the fact. The sites are very low traffic. The UA, at least recently, is the same for each submission, although the IP is always different - probably from a botnet.

It makes no sense. Why would anyone spam forms repeatedly with such useless text? I don't think it can be used as a probe as it's only allowed one go before having to start all over again - which it never does. Any ideas, anyone?
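
A heuristic for the pattern in the sample above, as an added example that is not part of the original post and is not dstiles's own spam-trapping code: flag a submission when several free-text fields each hold a single mixed-case run of letters. The field list, the thresholds (8+ letters, 2+ capitals after the first letter, 3+ matching fields) and the function names are assumptions fitted to the sample.

```php
<?php
declare(strict_types=1);

// Free-text fields to score. Keys follow the labels in the sample; the real
// form input names may differ. Email, Telephone and the Country drop-down are
// skipped because they carry structured or fixed values.
const FREE_TEXT_FIELDS = ['Sent By', 'Town', 'County', 'Comment', 'FoundOn'];

// True when $value is one unbroken run of 8+ ASCII letters that contains
// lowercase letters and at least two capitals after the first character.
function looksLikeRandomToken(string $value): bool
{
    $value = trim($value);
    if (preg_match('/^[A-Za-z]{8,}$/', $value) !== 1) {
        return false; // spaces, digits, punctuation, or too short
    }
    if (preg_match('/[a-z]/', $value) !== 1) {
        return false; // all capitals, e.g. a shouted place name
    }
    // "McDonald" has one capital after the first letter; the junk has several.
    return preg_match_all('/[A-Z]/', substr($value, 1)) >= 2;
}

// Names of the free-text fields whose values look like random tokens.
function junkFields(array $post): array
{
    $hits = [];
    foreach (FREE_TEXT_FIELDS as $field) {
        $value = $post[$field] ?? null;
        if (is_string($value) && looksLikeRandomToken($value)) {
            $hits[] = $field;
        }
    }
    return $hits;
}

// One odd surname should not trip the filter, so require several hits.
function isJunkSubmission(array $post, int $minHits = 3): bool
{
    return count(junkFields($post)) >= $minHits;
}

// Values copied from the sample in the post.
$spam = ['Sent By' => 'FSHTXwVI', 'Town' => 'TqPIsAGrmWYvdkpz', 'County' => 'mbdaUukAEDvNZ',
         'Country' => 'England', 'Comment' => 'HdwGmxRZTfahbvI', 'FoundOn' => 'obTaPuQcim'];
// Constructed legitimate submission for comparison.
$real = ['Sent By' => 'Jane McDonald', 'Town' => 'Harrogate', 'County' => 'North Yorkshire',
         'Country' => 'England', 'Comment' => 'Please send me a brochure.', 'FoundOn' => 'Google'];

var_dump(isJunkSubmission($spam), junkFields($spam), isJunkSubmission($real));
```

Because the bot does not always fill the same number of fields, the decision rests on a count of matching fields rather than on any one field name.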

engine

2:19 pm on Apr 17, 2020 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



It's probably stuck in a loop and is filling in fields it thinks are there. Customised contact forms are tougher for them to figure.

One solution I used was to change the submission form address so that it was a random name and could not be guessed. The only link to it was on the site, which was eventually discovered. I just renamed the location again.

Eventually, I removed the contact forms entirely and problems solved.

dstiles

3:23 pm on Apr 17, 2020 (gmt 0)


I'm not worried about the misuse - as I said, very low. It always goes into the form via the home page and fills in whatever fields it finds (usually the same names but not always the same quantity of fields) with 10-20 characters of random junk. That's the puzzling part. Readable text I could understand.

engine

3:29 pm on Apr 17, 2020 (gmt 0)


> That's the puzzling part. Readable text I could understand.

It may be non-ascii characters.

dstiles

4:01 pm on Apr 17, 2020 (gmt 0)


Hmm. Possibly, but they certainly resolve to ASCII after being filtered by PHP's regex. If it IS non-ASCII I would have expected even more characters, especially in the Comment field.

Also, if one or more fields fails the regex the form is never submitted.

lucy24

5:02 pm on Apr 17, 2020 (gmt 0)


> It may be non-ascii characters.

If so, it’s a non-Roman script using a one-byte encoding. (I spent some time with a Base64 decoder.) And again if so, I wonder what the robot thinks “County” means?

phranque

8:24 pm on Apr 17, 2020 (gmt 0)


perhaps they are searching later for these random strings to see if your UGC shows up in search results.

dstiles

9:45 pm on Apr 17, 2020 (gmt 0)


From an email? Sorry, I can't see that.

phranque

4:10 am on Apr 18, 2020 (gmt 0)


> From an email?

they don't know until they try that your form results in an email rather than posting content on your site.

tangor

5:56 am on Apr 18, 2020 (gmt 0)


Looks like an injection attempt ... but if so, it is poorly done!

RhinoFish

6:18 pm on Apr 21, 2020 (gmt 0)


Yep, injection screening, they need to form fill and pass the checks to get to the submit phase, so they can see appended parameter names (and any client side data) for future injection exploit.

dstiles

1:12 pm on Apr 22, 2020 (gmt 0)


Hmm. I wish them luck with that, then. Thanks for the info, guys.