tmallen, posted November 19, 2008:

I have a simple "contact us" form on my website, and I think it may be used to send spam. Email from my mail server (off of a shared host) is now being rejected by Craigslist, and on occasion (maybe once a month) I get a "viagra!" type of bounceback for an undeliverable message. I've always hard-coded the email address in the mail() call, but I wouldn't be surprised if I'm doing something wrong here. What can I do to audit this?

There are a few other contact forms on the same server for two other sites. All of the direct email forms have a hard-coded "to" parameter for mail(), and the two that send an email based on an email form value also write to the database. I checked over the database for these two, and of 120 people who have submitted the form, perhaps ten appear to be junk.

So, what's going on, if anything? How can I know? I get this feeling...that my domain name will be blacklisted or has been already, but I'm pretty careful when I use mail(). Of course, I'm no hacker nor a security expert.

gevans, posted November 19, 2008:

It sounds like it should be safe seeing as all the addresses can be monitored, but try putting a captcha in place; http://www.white-hat-web-design.co.uk/articles/php-captcha.php

tmallen (Author), posted November 19, 2008:

So is it more likely that the mail server on my shared host is being abused by a separate party? I use HostGator, and one would expect that a host of that size would by now have solved this problem for their customers, which is why I'm apprehensive to believe so.

premiso, posted November 19, 2008:

Shared hosts are just bad news. Very insecure (most of them) and one person on that shared host can screw up stuff for the next. So yea my bet is someone is abusing it.

gmcalp, posted November 19, 2008:

I know that my host has had that problem in the past, so, yeah... it could be the reason.

tmallen (Author), posted November 19, 2008:

I tried Linode, and that was a living hell. I'm a web developer, not a server administrator, and while I can set up a nice LAMP stack, I'll be damned if I can pull the same off for DNS, email, FTP, etc. Where's the (affordable) middle ground? Linode is $20-30 a month for a reasonable server, and I pay $13 a month on Hostgator for, most importantly, unlimited bandwidth. This is important because I host a government site there that has several enormous PDFs for download.

limitphp, posted November 19, 2008:

I'm going to be using lunarpages. Has anyone used them before? I have their basic host plan....

gmcalp, posted November 19, 2008:

It seems kinda risky to be using a shared host for government websites, don't you think? I have been with Dreamhost for 4 years now and couldn't be happier (I know a lot of people haven't been). It's only 10.95/mo and they have lots of great features...

Now, to get back on topic, it could be your contact forms, but it's kinda hard to tell if you don't post the code for us to see.

scarhand, posted November 19, 2008:

> It sounds like it should be safe seeing as all the addresses can be monitored, but try putting a captcha in place; http://www.white-hat-web-design.co.uk/articles/php-captcha.php

That captcha script can be foiled by any half-decent spammer.

Use recaptcha - www.recaptcha.com I think is the URL.

tmallen (Author), posted November 20, 2008:

By government sites I mean that they're advertising the sale of government-owned properties (for DC firms) and licensing opportunities. Sort of a gray area, not quite the same as hosting a DOD site; I'd expect the government to provide a secure host in that case.