PHP Form Spam Described

In late 2005, spam operations began to heavily spider sites for exploitable PHP forms. Many forms installed in the late 90's allow for additional headers fields, available through the PHP mail() command the forms use to send email, such as CC and BCC.

Clever spammers found a way to take advantage of this by passing mass email via the form's BCC header field. The result was a major increase in spam and a resultant knee jerk reaction by many large ISP's, like AOL and others. AOL for example reacted to this type of exploit by preventing the receipt of virtually all email sent from PHP forms.

Solutions?
1. Replace your form with one of the latest perl script forms.
2. If you are sending form data to an AOL account, you may with to change your receipt address to an address at your domain name instead.
3. Change the name of your forms to something other than form, formmail, or similar name. This will reduce the likelihood that spam operations will attempt to abuse your forms.

If you are receiving spam complaints due to your online form, please update or replace your form to prevent abuse.

See similar article for recommendations:
Web Form Security - Image Verification