Why do ‘hackers’ set up bots that repeatedly fill out web forms?

These are bots trying to send you spam, or worse, trying to exploit your contact form to send spam to others.

For example, PHP’s mail() function, which many contact forms use, takes its recipient, subject and additional headers as raw strings. If you drop user-supplied values (the visitor’s e-mail address, the subject line) into those strings without removing carriage returns and line feeds, a bot can inject extra header lines such as Cc: or Bcc: and turn your form into a relay that sends its spam to arbitrary recipients. The same thing happens, even more directly, if the TO address itself is read from a POSTed field instead of being fixed in your code.

Some ways to prevent this:

  1. Use a captcha. For a low traffic site, even a static captcha (an image that just has the same text in it every time) will work very well against untargeted bots. It does not stop anyone who looks at your site once and hard-codes the answer, so treat it as a filter, not a guarantee.

  2. Check the HTTP Referer header (the misspelling is the standard’s) to make sure the POST is coming from your contact form. Many bots spoof it, and some browsers, extensions and proxies strip it, so it isn’t terribly useful on its own; at most, reject a Referer that names a foreign host rather than one that is missing.

  3. Use a hidden form field (a “honeypot”) to trick the bots. For example, add a field called phone_number to your form and hide it with CSS in your stylesheet (display: none on the input or its wrapper), not with type="hidden", which bots know to skip. A bot will normally fill in that field (they usually fill in every field to avoid possible required-field validation errors), but a user will not, since it is invisible. On POST, check for a value in that field and SILENTLY fail to send the message if there is one: show the same thank-you page you show real visitors, so the bot gets no signal that it was caught. Give the input autocomplete="off" and tabindex="-1" so browser autofill and keyboard navigation do not put a value in it by accident; screen readers skip display: none content, so users of assistive technology are not affected. I find that this method alone is highly effective.
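
As an added example (not code from the original post), here is a minimal PHP contact-form handler that puts the three checks together and also closes the mail() header-injection hole described above. The field names, the destination address, the sender domain and the static captcha text are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original post. A minimal contact-form handler
// applying the three checks above plus a header-injection guard for mail().
// Field names, destination address, sender domain and captcha text are assumed.

const CONTACT_TO     = 'webmaster@example.com'; // fixed in code, never read from POST
const STATIC_CAPTCHA = 'orange';                // text baked into the static captcha image
const HONEYPOT_FIELD = 'phone_number';          // hidden with CSS, so humans never see it

// Form markup with the honeypot: a normal-looking text input hidden by CSS
// (not type="hidden", which bots know to leave alone). autocomplete="off" and
// tabindex="-1" keep browser autofill and keyboard users out of it.
function contact_form_html(): string
{
    return <<<'HTML'
<style>.pn-wrap { display: none; }</style>
<form method="post" action="/contact.php">
  <input type="text" name="name" required>
  <input type="email" name="email" required>
  <input type="text" name="subject" required>
  <div class="pn-wrap"><label>Phone <input type="text" name="phone_number" autocomplete="off" tabindex="-1"></label></div>
  <textarea name="message" required></textarea>
  <img src="/captcha.png" alt=""> <input type="text" name="captcha" required>
  <button type="submit">Send</button>
</form>
HTML;
}

// Values that end up in a mail header must not contain CR, LF or NUL: mail()
// hands additional headers straight to the MTA, so "a@example.com\r\nBcc: x@example.org"
// would add a recipient. Returns null when the value is unsafe.
function header_safe(string $value): ?string
{
    return preg_match('/[\r\n\0]/', $value) === 1 ? null : trim($value);
}

// Classify a submission. 'honeypot' must be answered exactly like 'ok' (same
// thank-you page, no e-mail sent) so the bot gets no signal that it was caught.
function classify_submission(array $post, array $server): string
{
    // 3. Honeypot: bots fill every field; a human cannot see this one.
    if (trim((string) ($post[HONEYPOT_FIELD] ?? '')) !== '') {
        return 'honeypot';
    }
    // 1. Static captcha: same answer every time; enough to stop untargeted bots.
    if (strcasecmp(trim((string) ($post['captcha'] ?? '')), STATIC_CAPTCHA) !== 0) {
        return 'captcha';
    }
    // 2. Referer: weak signal. Reject only a Referer naming a foreign host;
    //    an absent header is tolerated because some browsers and proxies strip it.
    $referer = (string) ($server['HTTP_REFERER'] ?? '');
    $ownHost = strtolower((string) strtok((string) ($server['HTTP_HOST'] ?? ''), ':'));
    $refHost = strtolower((string) parse_url($referer, PHP_URL_HOST));
    if ($referer !== '' && $refHost !== $ownHost) {
        return 'referer';
    }
    // Header-injection guard for the fields that become Reply-To: and Subject:.
    $email   = header_safe((string) ($post['email'] ?? ''));
    $subject = header_safe((string) ($post['subject'] ?? ''));
    if ($email === null || $subject === null || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return 'invalid';
    }
    return 'ok';
}

// Send the message. The vulnerable pattern this replaces, for contrast:
//   mail($_POST['to'], $_POST['subject'], $_POST['message'], "From: {$_POST['email']}");
function send_contact_mail(array $post): bool
{
    $email   = header_safe((string) ($post['email'] ?? ''));
    $subject = header_safe((string) ($post['subject'] ?? ''));
    if ($email === null || $subject === null) {
        return false;
    }
    // From: stays on a domain you control (SPF/DKIM); the visitor goes in Reply-To:.
    $headers = "From: contact-form@example.com\r\nReply-To: {$email}\r\nX-Mailer: PHP/" . PHP_VERSION;
    // The body is not a header, so line breaks in it are harmless.
    $body = wordwrap((string) ($post['message'] ?? ''), 70, "\r\n", true);
    return mail(CONTACT_TO, $subject, $body, $headers);
}

// Request handling; skipped under the CLI so the functions can be unit-tested.
if (PHP_SAPI !== 'cli' && ($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $verdict = classify_submission($_POST, $_SERVER);
    if ($verdict === 'ok') {
        send_contact_mail($_POST);
    }
    // Silent fail: 'honeypot' gets the same page as 'ok'.
    echo in_array($verdict, ['ok', 'honeypot'], true)
        ? 'Thanks, your message has been sent.'
        : 'Please check the form and try again.';
}
```

The order of the checks is deliberate: the honeypot and captcha tests are cheap and catch most bots before any e-mail validation runs, and the Referer test only rejects a header that names a different host, since many legitimate visitors send none at all. Keeping the recipient in a constant and refusing any header value that contains CR or LF is what actually prevents the relay abuse; the three bot checks only cut down the noise.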
