Spammers have never balked at using Web forms as a way of sending out spam messages–anything to expose their wares. Basically, they will look for a public Web server that allows them to provide feedback or information to a certain company. These Web forms require them to fill up certain fields with information such as names, phone numbers, email addresses, and–wait for it–even spam messages. Even worse, spammers can also send image spam and/or infected files if the Web form contains a field that will allow them to attach such files. If they have finished filling up the form and submitted it to the Web server, recipients of the Web form will now receive the spam.
Strictly speaking, the messages they get are not spam email. What they get are another type of threat/annoyance. Here is a sample Web form:
Figure 1. Web form allowing all sorts of input from site visitors
Here are two sample Web form feedback email that has spam content:
Figure 2. Sample email with spam content sent by the Web form feedback mechanism. Notice the active hyperlinks to spam sites and domains.
Figure 3. Another sample email with spam content
The possible victims here are the employees of the target company, specifically the designated recipients of the Web form feedback. This looks like an automated attack by a bot that scours the Web for possible points of entry. Since the actual sender of email like this is legitimate (the Web form’s feedback mechanism), some anti-spam filters may actually let this email through.
Again, this is a reminder for Web admins to enforce some kind of input sanitization to, at the very least, disallow the use of scripts and HTML tags in Web forms, or to use one of the many secure form-to-email scripts available online. Some require users to decode a CAPTCHA code before being allowed to submit the filled-up form. These proactive measures will save admins both the time and resources needed to sift through these kinds of unsolicited and useless content.