"know your enemies" The Art of War - Sun Tzu
Anatomy of a contact form Spammer:
Though difficult to comprehend they are typically human,
so no CAPTCHA, reCAPTCHA, maths questions, select an image
or testing of general knowledge trivia is going to hinder them.
The more prolific ones targeting social networking sites use
a third party breaking system using 'mechanical turks' aka
humans for hire or even their own image to text converters.
However they are creatures of habit and something you will
often find them doing is trying to insert TWO different types
of links at once in an effort to save time.
Hands up if you have seen junk like this ... I've added the backslashes \ to make the code more readable.
<a href=http:\\/\\/spamsite.com>wdcfwf2e</a> dfguyf2u [sdsd sxdas](http:\\/\\/spamsite.com)
The important thing to remember though is that NO normal user
ever puts HTML or BBcode in the message field of a website contact
form; plaintext URLs are used instead because that's the 'human' way of speaking.
For example, "hey bro have you seen www.lovelogic.net"; you never say
"hey bro have you seen < a href=http://...". Think about it...
So validate form inputs server-side, check for HTML & BBcode tags, then gently
prod the sender with a polite error message if these are found. If they persist,
then grab the IP so you can ban or redirect it, spike them with an 'evercookie'
just in case they think using a proxy is clever, and make sure they don't want
to come back. Crashing the spammer's browser is always a popular favourite.
Meganerd also makes a good point about using a form token, as this hinders the would-be
spammer injecting a bogus message directly into the mailing script via a URL using GET or POST.
So the more awkward you make it the more the spammers will pass you by for easier pickings.
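As an added example (not code from the post or its author), here is the server-side check described above and the form token Meganerd mentions, in Python: the message field is rejected if it carries HTML tags, BBcode tags or a Markdown-style [text](url) link (the second link type in the junk sample), and the submission is refused if the hidden form token does not match the visitor's session. The server secret, session id and sample messages are constructed for the example.

```python
import hashlib
import hmac
import re

# Hypothetical server-side secret; in practice load it from configuration.
SERVER_SECRET = b"constructed-example-secret"

# Markup a human never types into a contact form: HTML tags, BBcode tags and
# Markdown-style [text](url) links (plain inequalities like "a < b" are not flagged).
HTML_TAG = re.compile(
    r"</?(?:a|img|b|i|u|p|br|em|strong|font|span|div|script|iframe)\b[^<>]*>", re.I)
BBCODE_TAG = re.compile(r"\[/?(?:url|link|img|b|i|u|quote|code|color|size)\b[^\]]*\]", re.I)
MARKDOWN_LINK = re.compile(r"\[[^\]]+\]\([^)\s]+\)")

# Constructed sample inputs, modelled on the post's spam and "human" examples.
SPAM_MESSAGE = "<a href=http://spamsite.com>wdcfwf2e</a> dfguyf2u [sdsd sxdas](http://spamsite.com)"
CLEAN_MESSAGE = "hey bro have you seen www.lovelogic.net"


def issue_form_token(session_id: str) -> str:
    """Token for the hidden form field, bound to the visitor's session."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def token_is_valid(session_id: str, token) -> bool:
    """Constant-time comparison; a missing token fails without raising."""
    return hmac.compare_digest(issue_form_token(session_id), token or "")


def find_markup(message: str) -> list:
    """Return every HTML/BBcode/Markdown-link fragment found (empty if clean)."""
    return (HTML_TAG.findall(message) + BBCODE_TAG.findall(message)
            + MARKDOWN_LINK.findall(message))


def validate_submission(form: dict, session_id: str) -> tuple:
    """Return (accepted, polite message for the sender)."""
    if not token_is_valid(session_id, form.get("token")):
        return False, "Your form session has expired; please reload the page and resend."
    if find_markup(form.get("message", "")):
        return False, "Please send your message as plain text, without HTML or BBcode."
    return True, "Thanks, your message has been sent."


if __name__ == "__main__":
    token = issue_form_token("session-abc")
    print(validate_submission({"token": token, "message": SPAM_MESSAGE}, "session-abc"))
    print(validate_submission({"token": token, "message": CLEAN_MESSAGE}, "session-abc"))
    print(validate_submission({"message": CLEAN_MESSAGE}, "session-abc"))
```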