Customer bombarded with bogus emails...

I have a simple contact form on a customer's website that I created with CSS Form Builder a few months ago. This weekend, the customer received about 1500 emails that were responses from that form.

The form has CAPTCHA security on it.

I need to know if I did something wrong that allowed some automated email generator thingy to do this.

If someone was able to figure out how to logon to this customer's site and retrieve files, would they be able to bypass the CAPTCHA?

Ugh...

~J

can you verify that captcha validation is catching bad security codes on the form?

if the captcha is catching a bad security code, a site visitor could not disable it.

captcha will not prevent all spam from getting through.

there are some automated tools available that can read the security code on the screen to bypass captcha, it is also possible that human being is doing the job manually.

When you say "can you verify that captcha validation is catching bad security codes on the form?", did you mean to try entering a different code than what Captcha is requesting? I did that, and the form would not submit.

I don't think the form was being submitted manually, because they received those emails in such a short period of time.

Well, dang... I suppose the captcha screens out the majority of junk, but there's just no escaping people with too much time on their hands...

~J

Okay - the form just got hit again... It's just a simple form on a bank's website where customers can opt-in to something.

I only have the captcha image. If I added the security question too, would that help prevent this?

You can also add a honey pot to stop spam

I read about "honey pots" - just wasn't sure how to tell the form not to submit if the bogus field is filled out... is this done somehow with the validation?

you hide the honeypot field with css, so that it isnt visible to a site visitor

when carrying out the email validation, check the field to ensure nothing is entered, if there is, then it cannot have been completed via the form, therefore it is spam

Re your post #4, yes - a security question would help. You could also increase the 'noise' in your captcha image to make it harder for the bots to OCR it.

Having said that, the extreme nature of the attack you are experiencing is not usual. It seems to be targeted. It may be worth asking your hosting provider if any other subscribers to their services are reporting similar events.