Get Rid Of SPAM From Your Forms

by Andy Prevost

Wednesday January 1 2025

One of my clients was targeted by spammers. The business was receiving upwards of 500 emails each day, plus their email address was used to generate a ton of email payloads to huge mailing lists – so much so that their website was threatened with being kicked off the server. That's when they became my client.

My company's task was to solve this mess.

First: disable all email scripts from the site. After inspecting the headers on the emails, it became clear that the email scripts on the server were not responsible for the bulk payloads being sent. We traced the bulk emails to another server known for sending large amounts of spam. We managed to get that shut down.

Disabling the email scripts did stop one type of spam, that is the bots that hijack forms on the website. Typically those are sending marketing junk, porn, and other malicious emails. That was a lot more difficult to deal with. The client needed to collect information from their customers and also needed the forms for file uploads as a core function of their business services. We could not leave the forms shut down without some type of strategy.

The strategy we came up with has now worked for several years and has eliminated nearly 100% of all spam and kept junk out of their inboxes.

We've since used the strategy for several other clients and our own websites.

How does it work? It's actually pretty simple.

First, let's discuss how the traditional process works. There is a form, form processing (validating, mainly) and then form transport. Web forms are straightforward with many designs available. For validation, we used a three-stage process: 1) JavaScript (or jQuery); 2) HTML5 input types; and, 3) PHPMailer-FVE (previously Form Validator / PHPMailer-FE). For email transport, we used PHPMailer-FE or PHPMailer.Pro or a combination of the two.

Forms don't really need PHPMailer.Pro. PHPMailer-FVE is designed to handle the data from forms. The "FVE" is an acronym for: Form Validation and Email. PHPMailer-FVE uses the server's email functionality (SMTP or Sendmail) to transport the form data packaged as an email.

In the past we had also used JavaScript (or jQuery) to send quick emails. So we harnessed the functionality of JavaScript to create an email "envelope" and passed that off to the user's own email client software to handle the email transport. In short: we used the sender's own email software. That's what defeats spammers.

Spammers and hackers work on the basis of anonymity. Since we can't see or trace them, they can deliver the garbage payloads without being traced. Using their own email software defeats that ... and makes them traceable. And, they won't send you their payloads if they are traceable.

It works. We've used that strategy for years now and can safely claim it works.

That being said, we've now added that to PHPMailer-FVE.

That provides choices for email transport: SMTP, Sendmail, and optionally: JavaScript.

That means we can still have forms, form validation, and choices for sending. It's been in production for nearly one year now, and we've recently enhanced PHPMailer-FVE to not only send using JavaScript, but to also redirect to a Thank You page after sending. That means it's impossible to reload the page too (and it gives confirmation that the form was successful in its mission, along with launching the user's email software with all the data filled in).

The strategy for our client was a custom-created JavaScript solution. We did use our original Form Validator as part of this strategy, but the gathering of the form field data was manual, the building of the email body was manual, and we were unable to redirect to a thank you page, relying instead on a JavaScript alert to confirm the email "processing".

It's automated now. We've modified PHPMailer-FVE to handle all the processes from collecting the form data, validating the form data, packaging it as a JavaScript email resource, and sending it through JavaScript to the user's own email software.
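A sketch of the "envelope" step described above, added here as an illustration and not PHPMailer-FVE's own code: it packages already-validated form fields as a `mailto:` URI for the visitor's mail client, encoding every value so form input cannot add extra headers. The function name `buildMailto`, the length limit, the field names and the addresses are assumptions.

```javascript
// Added example: package validated form fields as a mailto: URI for the
// visitor's own mail client. All names and sample data are constructed.
const MAX_URI_LENGTH = 2000; // conservative assumption; clients and browsers differ

function buildMailto(recipient, subject, fields) {
  // The recipient is fixed by the site owner, never taken from form input.
  if (!/^[^\s@,;?&]+@[^\s@,;?&]+\.[^\s@,;?&]+$/.test(recipient)) {
    throw new Error("invalid recipient");
  }
  // Header values must be single-line: collapse CR/LF and other control chars.
  const cleanSubject = String(subject).replace(/[\x00-\x1f\x7f]+/g, " ").trim();

  // Body: one "Label: value" line per field. Labels come from the site's own
  // form definition; values are visitor input and are flattened to one line.
  const lines = Object.entries(fields).map(([label, value]) => {
    const v = String(value).replace(/\r\n?|\n/g, " ").trim();
    return `${label}: ${v}`;
  });
  const body = lines.join("\r\n"); // RFC 6068: line breaks travel as %0D%0A

  // encodeURIComponent turns & = ? into %26 %3D %3F, so a value such as
  // "x&bcc=list@example.net" stays inside the body instead of adding a header.
  const uri = `mailto:${recipient}` +
    `?subject=${encodeURIComponent(cleanSubject)}` +
    `&body=${encodeURIComponent(body)}`;
  if (uri.length > MAX_URI_LENGTH) {
    throw new Error("form data too long for a mailto: URI");
  }
  return uri;
}

// One possible browser-side use (assumption; the path is a placeholder):
//   window.location.href = buildMailto(...);
//   setTimeout(() => window.location.replace("/thank-you.html"), 500);

// Constructed sample input, including two attempted header injections.
const sample = buildMailto(
  "forms@example.com",
  "Quote request\r\nBcc: x@example.net",
  { Name: "Pat Example", Message: "Hello&bcc=list@example.net" }
);
console.log(sample);
```
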

Follow along as we plan on releasing it publicly as an MIT-licensed script: PHPMailer-FVE.

 

 
