I’ve put my feedback form back on the site, and I’m fairly confident that it’s spam proof now. It checks the HTTP referrer (amusingly, this environment variable has been canonized in misspelled form as HTTP_REFERER) and, more importantly, it disallows certain special characters in the email headers. I think that’s how the spammers got me before. A word to the wise if you have any kind of web form that sends email: don’t allow \ or % in any of the form fields – these can be used as footholds to hack into the email headers.

And now I’ve got spammers using the “comment” feature of my blog to spam me with get rich quick schemes and breast enlargement offers. I’m happy with the size of my breasts, thanks. Fortunately, Movable Type includes some nice banning features that will hopefully be sufficient to stem the tide.

What a pain.