Why are my website forms spammed?

Our web application scanner (WAS) performs tests of website forms which might result in you getting many messages or emails. To avoid this problem, you can either exclude the URL for the form action, exclude the URL with the form, or block Holm Security VMP IP ranges from posting forms.

Exclude pages containing forms or the form action URL

Follow this instruction to exclude one or more URLs:

Or follow this instruction to do more advanced excludes using regular expression (regexp):

Block Holm Security VMP IP range

Our IP ranges are specified here:

Being spammed is a security issue

If our web application scanning spammed you mail server or system, it can be a sign of a vulnerability that needs to be solved. Some sites have no validation at all and some have validation that depends on the client, in other words the browser. Often validation is done using JavaScript in the client. By turning off JavaScript in the browser, the user can easily bypass the validation. A hacker with a simple program/script can take advantage of this by bypassing the validation and make attacks that can make the receiving mail server or software that handles data from the form slow or unavailable.

The safest way to protect your form is to add a CAPTCHA, or to validate the form in the underlying code that is executed on the server side.

Read more about CAPTCHA here (external site):