Over the last few weeks my humble email form has been getting a slowly increasing amount of spam emails sent through is - usually with Japanese email addresses for some reason. Now as the web form just gets sent to me and doesn't go near the web site so I just sighed and put it with the rest of my spam.
And that was that. Well until this morning anyway when I woke up to find 48 of the confounded things sent over several hours last night - this time incidentally, all from gmail addresses.
Cursing I started to look at the HTML to see about putting in some horrible "Please confirm you want to send this email" kind of step, and it was then I realised something.
Last November I wrote some new, very convoluted PHP for my email forms when my previous PHP one suffered an email injection hit (i.e. using my email form to spam people).
One of the things it does is that it rot13 encodes the names of the fields in the web form. So I call a field "email" because that's what it is and I want to easily know what it does when I look at the code. However the PHP rot13 encodes it so that when you view the source code to the webpage, it actually says "rznvy". It's a silly, trivial little encoding, easily broken.
Notably all the recent spam emails were sent by the blog email form which - like the rest of the blog - is still using a HTML pre-processor called Hitoplive, so doesn't have that "protection". The result? Spamming robots can go through my HTML and work out exactly what everything does, and then use my own webform to spam me...
Maybe this is the cause of my recent problems - the blog's own webforms are too 'bloomin' obvious to "read". And of course the techniques I use on other webforms aren't foolproof, and doesn't stop people full stop, but the amount of junk emails I get from other webforms is notably smaller than what I get through the blog.
Maybe all this is just coincidence. I'm going to make some subtle changes to the blog's email form and see...