Some spammers have tools that will defeat Captcha verification. Some just use cheap offshore labour. This allows bots to generate high volumes of mail via a website. They will enter the victim's email address and select "send a copy to me". In a default configuration, this is what happens:
- A message gets sent to the victim, with headers that say it is "from" the victim.
- The victim reports the message as spam.
- The spam reporting system flags the IP address that the message came from as having a poor reputation.
- This impacts mail delivery for all users on the same server.
Because the from address is wrong, it is also difficult to establish the source of the spam. Any steps we take to recover the reputation of the IP address require that we certify that we've taken steps to fix the problem. By forcing a valid from address, we are better able to find and fix the source.
A second major benefit of this policy is that it can interfere with the functioning of a hacked site. Hack scripts have to do extra work to determine what the valid outbound email address is, so they are usually sending with bogus from headers. Any message like that from our servers is rejected outright.
- Set up an address for mail from your site. It is common to use something like email@example.com (replace yourdomain.com with your actual domain name). You can configure cPanel to refuse inbound mail to this address.
- Set the "to" address to your address or your customer service address, as desired.
- Set up your site to use the address you set up in the first step as the "from" address.
- Use the submitter's email address as the "Reply-to" address.
- We strongly recommend that you disable any "send me a copy" feature.
- Keep using some form of Captcha.
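
The header layout from the steps above, as an added example (not code from this page or from any particular form plugin). It assumes a Python form handler; `SITE_FROM` and `SITE_TO` are hypothetical placeholder addresses, and the function names are made up for illustration.

```python
from email.message import EmailMessage
from email.utils import parseaddr

# Assumed placeholder addresses: replace with the ones set up for your site.
SITE_FROM = "noreply@yourdomain.example"   # site-owned sender, never the visitor
SITE_TO = "support@yourdomain.example"     # you or your customer service desk


def clean_header(value: str) -> str:
    """Reject CR/LF so form input cannot smuggle in extra headers (Bcc, Cc)."""
    if "\r" in value or "\n" in value:
        raise ValueError("line break in header value")
    return value.strip()


def submitter_address(raw: str) -> str:
    """Return one bare address suitable for Reply-To, or raise ValueError."""
    raw = clean_header(raw)
    _, addr = parseaddr(raw)
    local, _, domain = addr.partition("@")
    # addr != raw catches display names, address lists and parser rejections.
    if addr != raw or not local or "." not in domain or " " in addr:
        raise ValueError("not a single plain email address")
    return addr


def build_contact_message(name: str, email: str, subject: str,
                          body: str) -> EmailMessage:
    """Build the form mail: fixed From and To, visitor only in Reply-To."""
    msg = EmailMessage()
    msg["From"] = SITE_FROM                      # always the valid site address
    msg["To"] = SITE_TO                          # no "send me a copy" recipient
    msg["Reply-To"] = submitter_address(email)   # replies still reach the visitor
    msg["Subject"] = "Contact form: " + clean_header(subject)
    msg.set_content(f"Name: {clean_header(name)}\n\n{body}")
    return msg


if __name__ == "__main__":
    # Constructed sample submission.
    print(build_contact_message("Alice", "alice@example.net",
                                "Question", "Do you ship abroad?"))
```

Because the visitor's address only ever appears in `Reply-To`, a bot that submits a victim's address cannot make the server deliver mail to that victim.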