Contact form spamming

Tuesday, June 14th, 2022 - General

We’re seeing a larger and larger problem with users setting up forms on their websites that have their contents emailed to someone being abused more and more.

The abuse is PROBABLY from bots – or computer systems that just hunt for these forms and submits them. Bots are not human beings sitting at a computer screen filling out these forms. Most of these bots are sending spam, they’re just completing the form and submitting the form. They don’t really care where the message goes. Some forms are more abusable than others in that they may allow the submitter to specify an email address to send the submission to.

All of this adds up to a ton of spam being sent out from our server from these bots or malicious users. When this happens, our servers get blacklisted and then nobody can send out mail from the server.

We’re reaching a point to where we are going to have to do something to curtail this.

What can you do to help?

Insure that you’re forms that are emailing data have some type of anti-bot or anti-spam measures. Captcha is a common anti-bot measure – that’s those squiggly letters and numbers that you must type into a box or clicking on all of the pictures that contain a bus or some item. The understanding here is that a bot won’t be able to make that determination, but a real human being will.

How to deploy captcha on your forms depends on your infrastructure. If you are using WordPress there are various WordPress plugins that can help in adding Captcha or other anti-bot measures into your forms.

Make sure your forms are submitting to a local email address. A local email address would be something like – where is setup as an email account in your web hosting control panel. The opposite of a local email address would be a remote or external email address, i.e. an,,, etc email address. Remote email addresses are not delivered to our server. When you have your form configured to send it’s contents to a remote email address, then when a bot, spammer, or malicious user submits your form with a spam message, then our server sends that message to that remote server. That remote server is eventually going to get tired of receiving spam from our server and will start blocking our server.

Using a local email address on your form won’t alone prevent spamming of the form. But it will prevent that spam from being sent out from our server leading to server blacklistings.

We will eventually have to put measures in place to prevent forms from sending to remote/external email addresses. The level of spamming being done on these forms is just becoming too great and we’re going to have to deploy measures to prevent this.