Oh brother. This morning a spambot of some kind finally got past the rather weak Javascript obfuscation I was using to hide the address of our contact form script, and my Inbox was filled with hundreds of porn/gambling spam emails, sent directly through the script using proxy IP addresses of zombie machines all over the planet. I knew the bots would eventually be able to crack simple Javascript escaping, and it looks like that day has finally arrived.

Of all the spambot attacks, this is the most idiotic and pointless; why send one person a billion emails? It’s just chaos for the sake of chaos, sheer stupid harassment that’s easy to defeat. I just turn the darned thing off.

I’ve also noticed some probes by bots trying to use the script that emails an LGF article. That one has slightly stronger defenses than the contact form, and there hasn’t been any wide scale exploitation of it (that I’m aware of).

But it’s clear I’ll need to strengthen the defenses in both those scripts; I’m going to give the Carnegie Mellon University CAPTCHA service a try.

UPDATE at 3/26/08 1:09:14 pm:

Decided against CAPTCHA because it’s annoying and obtrusive; instead I’m using a token-based method that’s a variation on the method we already use to secure our login form. This should be very difficult for a bot to defeat.