Why Do Spammers Send Spam?

Recently a client asked, "Can you help me understand what the bot developers gain or hope to gain from their annoying efforts to spamming?". This question was in response to a recent announcement we had made about efforts to help reduce form spam (also known as comment spam).

A little background here, if you do not run a website then you may not be aware that in addition to spam that is sent directly to your email address, there is a growing trend of spam form submissions that arrive in your inbox via form the form submission notifications.

A quick search for 'why do spammers send spam' yields several results that are useful to understand email spam. There is a comprehensive article at How Stuff Works that details the extent of the issue, causes, and steps you can take to stop spam. We also enjoyed Randy Cassingham's discussion about who is sending spam.

As to why people spam website forms, our answer to the client was:

Good question, and I would say that for the most part they are seeking financial gain. Many times the goal is to post comments to websites, these comments appear on the website and therefore the spammer can create links to their sites. These links get clicked and if you get enough clicks you will make sales, or have users do other things like give up personal information in a phishing scam. Unfortunately, the bots simply look for forms to submit, they are not written to differentiate a WordPress comment form from a Joomla contact form for example. So they just submit to any form they find.

In some cases the activity is likely just hobbyists, no real goal other than to be able to successfully send the form spam.

Lastly, some may be hackers trying to gain control of a website. It is possible in some cases to alter the data in the database, or upload files, if the form is not secured against this. Hackers constantly test to find new and undiscovered vulnerabilities that they can exploit.

We found several good discussions about form spam, and why people send it. But most suggestions about fighting form spam seemed a little dated, primarily recommending that you use a CAPTCHA. In our experience, CAPTCHA does not work reliably in many cases, and then too it burdens the real user with having to complete a challenge to submit your forms (think "it may deter legitimate users from submitting my lead forms!"). UPDATED for 2017: Google has made great improvements to their RECAPTCHA product, and we now recommend using it to fight form spam. 

We have had good success using HTTPBL to block form spam as well. To learn more about that approach, read our post BLOCKING FORM AND COMMENT SPAM WITH A HONEYPOT.