Hi, I have a lot of contact forms on various websites. I have been tracking this for a few months, and I have been getting quite a lot of spam from my contact forms from this IP, 61.152.169.27, using the email "greet@hotmail.com". Should I just block the IP from the server? I really don't want to have to add code to all my contact forms. Thanks.
rederick, you would just have to put the code to block the IP address in the .htaccess file of all your websites; not much work really.
Better yet, if you have shell access, just block them at the network level:
    route add -host 1.2.3.4 reject
1.2.3.4 being their IP address, of course.
Most likely he is trying to mail() inject, and he could be succeeding and you don't know it. To avoid this I suggest you try a better contact form with a captcha.
I do have some checks for things like "Content-Type" and "BCC:" in my form processing script; if it finds these in the posted form variables, the script dies and does not send the mail. These seem to be working alright to stop the injections. I have not moved to image verification yet. This particular spammer from IP 61.152.169.27 has been submitting contact forms trying to sell chainsaws and stuff in Chinese, so I just used iptables to drop the requests. I don't understand how he could be succeeding without me knowing?
You may not see what he is doing because he injects another header, like someone said above. You have to do strict input checking on the subject field and from field... and maybe others, depending on what your form looks like.
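The strict checking of the subject and from fields suggested above, as an added example that is not part of the original thread: rather than searching for particular strings such as "Content-Type" or "BCC:", it rejects any header-bound value that contains a line break, which is what allows a submission to add a header. The field names, length limits and example.com addresses are assumptions.

```php
<?php
// Added example: strict validation of the fields that end up in mail headers.
// Field names (name, email, subject, message) are assumed, not from the thread.

function header_field(array $post, string $key, int $maxLen): ?string
{
    $value = $post[$key] ?? null;
    if (!is_string($value)) {              // missing, or sent as an array (key[]=...)
        return null;
    }
    $value = trim($value);
    // A CR, LF or NUL inside the value would start a new header line.
    if ($value === '' || strlen($value) > $maxLen || preg_match('/[\r\n\0]/', $value)) {
        return null;
    }
    return $value;
}

function validate_contact_form(array $post): ?array
{
    $name    = header_field($post, 'name', 100);
    $email   = header_field($post, 'email', 254);
    $subject = header_field($post, 'subject', 150);
    $message = is_string($post['message'] ?? null) ? trim($post['message']) : '';

    if ($name === null || $email === null || $subject === null || $message === '') {
        return null;
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    return compact('name', 'email', 'subject', 'message');
}

// Constructed sample submissions: one ordinary, one carrying an extra header line.
$samples = [
    'normal'   => ['name' => 'Ann', 'email' => 'ann@example.com',
                   'subject' => 'Quote request', 'message' => 'Hello'],
    'injected' => ['name' => 'Ann', 'email' => "ann@example.com\r\nCc: other@example.com",
                   'subject' => 'Quote request', 'message' => 'Hello'],
];

foreach ($samples as $label => $post) {
    $form = validate_contact_form($post);
    if ($form === null) {
        echo "$label: rejected\n";         // log the rejection so attempts are visible
        continue;
    }
    // Fixed From and recipient; the visitor's address only ever goes in Reply-To.
    $headers = "From: webform@example.com\r\nReply-To: {$form['email']}";
    // mail('owner@example.com', $form['subject'], $form['message'], $headers);
    echo "$label: accepted\n";
}
```

Logging each rejection with the client address makes injection attempts visible instead of silently dropped.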
Regarding the mail() inject: here you can find useful information on this issue: http://www.anders.com/projects/sysadmin/formPostHijacking/