Why do 'hackers' set up bots to repeatedly fill out web forms?

Solution 1:

These are bots trying to send you spam, or worse, trying to exploit your contact form to send spam to others.

For example, there are several well-known exploits for the PHP mail() command commonly used by contact forms that can cause the TO address you put in your code to be overwritten by POSTed data, if you aren't careful how you handle the data coming in from your form.

Some ways to prevent this:

  1. Use a captcha. For a low traffic site, even a static captcha (an image that just has the same text in it every time) will work very well.

  2. Check the HTTP referrer to make sure the POST is coming from your contact form. Many bots will spoof this though, so it isn't terribly useful.

  3. Use hidden form fields to try to trick the bots. For example, create a field called phone_number on your form, and hide it with CSS in your stylesheet (display: none). A bot will normally fill in that field (they usually fill in all fields to avoid possible required-field validation errors) but a user would not, since it's hidden. So on POST you check for a value in that field and SILENTLY fail to send the message if there is a value in it. I find that this method alone is highly effective.
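
The mail() header problem and the honeypot check from item 3, as an added example that is not code from this answer: a vulnerable PHP contact-form handler next to a hardened one. The `$send` callable stands in for `mail()` so the script runs without a mail server; the `example.com`/`example.net` addresses, the field names and the constructed POST body are assumptions made for the demonstration.

```php
<?php
// Added example, not from the original answer. Contrasts a vulnerable
// contact-form handler with a hardened one. $send stands in for PHP's
// mail() so this runs without an MTA (assumption for the demo).
declare(strict_types=1);

// Vulnerable handler: two classic mistakes.
//  1. extract($_POST) lets a POSTed field named "to" overwrite $to.
//  2. The visitor's address goes straight into the From: header, so a
//     CR/LF inside it appends extra headers such as Bcc:.
function handle_contact_vulnerable(array $post, callable $send): array
{
    $to = 'owner@example.com';              // intended recipient (assumed)
    extract($post);                         // overwrites $to if POST carries one
    $headers = 'From: ' . ($email ?? '') . "\r\n";
    return $send($to, $subject ?? '', $message ?? '', $headers);
}

// Hardened handler: read only the fields we expect, refuse CR/LF in any
// header-bound value, validate the address, and silently drop submissions
// that filled the CSS-hidden honeypot field (phone_number, as in the answer).
function handle_contact_hardened(array $post, callable $send): ?array
{
    if (($post['phone_number'] ?? '') !== '') {
        return null;                        // honeypot tripped: send nothing, show "thanks"
    }
    $to      = 'owner@example.com';
    $email   = (string)($post['email'] ?? '');
    $subject = (string)($post['subject'] ?? '');
    $message = (string)($post['message'] ?? '');

    // Any CR or LF in a header-bound field is a header-injection attempt.
    foreach ([$email, $subject] as $field) {
        if (preg_match('/[\r\n]/', $field) === 1) {
            return null;
        }
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    // Keep From: under our control; put the visitor's address in Reply-To:.
    $headers = "From: contact-form@example.com\r\nReply-To: {$email}\r\n";
    return $send($to, $subject, $message, $headers);
}

// Stand-in for mail(): record the call instead of sending anything.
$record = function (string $to, string $subject, string $message, string $headers): array {
    return compact('to', 'subject', 'message', 'headers');
};

// Constructed malicious POST body: overrides the recipient, injects a Bcc:,
// and (as bots usually do) fills every field, including the hidden one.
$evil = [
    'to'           => 'victim@example.net',
    'email'        => "bot@example.org\r\nBcc: target1@example.net, target2@example.net",
    'subject'      => 'hello',
    'message'      => 'buy now',
    'phone_number' => '555-0100',
];

// Constructed legitimate submission: only the visible fields are filled.
$good = [
    'email'   => 'visitor@example.org',
    'subject' => 'question',
    'message' => 'Is the shop open on Sunday?',
];

var_dump(handle_contact_vulnerable($evil, $record));
// 'to' is now victim@example.net and 'headers' contains the injected Bcc:
var_dump(handle_contact_hardened($evil, $record));
// NULL: honeypot filled (the CR/LF would have been rejected anyway)
var_dump(handle_contact_hardened($good, $record));
// array going to owner@example.com with a clean From:/Reply-To:
```

Returning `null` rather than an error keeps the failure silent, as the answer recommends: the page that calls the handler shows the same thank-you message either way, so the bot gets no signal that the honeypot exists.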

Solution 2:

These bots are blindly trying every form they find in order to send spam mail. Some of them may have historical data of forms and even if it's not currently listed on search engines, these bots can post data to that URL.

Let's say a web site contains an HTML form for sending a recommendation to a friend, typically "Tell a friend" or "Send greeting card", which is not protected by a CAPTCHA image, for example. A bot could use the form to send thousands of spam emails using your SMTP server.

If the bot is coming from the same IP address, you could block that address on IIS or on your firewall.