form spam

One site I run, The Virtual Bookcase, has webforms that look like they might send e-mail in the background (which is correct, but they just treat user input like probable evil stuff which is to be distrusted until fully verified). Some spammers try to find a way to send e-mail to other addresses using PHP mail() header and MIME injection tricks (page has a good explanation of the problem, and how to fix it). One trick worked in the past, but I closed that, and now I just get all those injection attempts as filled-in forms (with some weird stuff, a multipart MIME mail in one of the fields, with a bcc: to a valid address for the spammer) at webmaster@ including the IP it was tried from and the e-mail address that was supposed to be the drop box (which makes scanning the mail logs for successful attempts easy, one run usually uses the same drop box). The mail body is usually 'random text' which is supposed to pass spam filters. Other input fields are filled with what looks like e-mail addresses (no idea why).
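
An added example (not code from this site) of the two defensive steps the paragraph mentions: refusing line breaks in anything that becomes a mail header, and pulling the bcc: drop box out of rejected submissions so the mail logs can be searched for it. The function names and the sample submissions are constructed for illustration.

```python
import re
from collections import defaultdict

# Header names that have no business appearing at the start of a line in a form field.
HEADER_RE = re.compile(
    r"(?im)^\s*(bcc|cc|to|content-type|mime-version|content-transfer-encoding)\s*:")
BCC_RE = re.compile(r"(?im)^\s*bcc\s*:\s*<?([^\s<>,;]+@[^\s<>,;]+)>?")


def safe_header_value(value):
    """Refuse any value containing CR or LF before it reaches a mail header."""
    if "\r" in value or "\n" in value:
        raise ValueError("line break in header field")
    return value.strip()


def inspect_submission(fields):
    """Return (is_injection, dropboxes) for one submitted form (dict of str)."""
    dropboxes = set()
    injected = False
    for value in fields.values():
        # Decoded input may use CRLF, bare CR or bare LF as the line separator.
        text = value.replace("\r\n", "\n").replace("\r", "\n")
        if "\n" in text and HEADER_RE.search(text):
            injected = True
            dropboxes.update(m.lower() for m in BCC_RE.findall(text))
    return injected, dropboxes


def overview(submissions):
    """Map each drop box to the set of source IPs that tried to use it."""
    seen = defaultdict(set)
    for ip, fields in submissions:
        injected, dropboxes = inspect_submission(fields)
        if injected:
            for box in dropboxes:
                seen[box].add(ip)
    return dict(seen)


# Constructed sample submissions (documentation IPs, example.com addresses).
SAMPLES = [
    ("192.0.2.10", {"email": "a@example.com\r\nContent-Type: multipart/mixed; "
                             "boundary=x\r\nbcc: drop1@example.com\r\n\r\nrandom text",
                    "name": "b@example.com"}),
    ("198.51.100.7", {"email": "c@example.com\nBcc: Drop1@example.com\n", "name": "x"}),
    ("203.0.113.5", {"email": "reader@example.org", "comment": "Nice site.\nThanks!"}),
]
```

The header-name match is a heuristic for multi-line fields such as a comment box; single-line fields that feed a header should simply go through `safe_header_value`.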

Anyway, an overview of IPs and dropboxes seen:

210.146.119.101      magnetic54@SexMagnet.com
213.186.59.138       punk65@PunkAss.com
72.36.221.227        hellothere@ToughGuy.net
217.160.170.145      punk65@PunkAss.com
72.36.221.227        hellothere@ToughGuy.net
134.83.1.225         hellothere@ToughGuy.net
72.36.221.227        andagain@GameBox.net
213.132.156.76       hellothere@ToughGuy.net

Searching for hellothere@ToughGuy.net yields loads of pages with similar attempts. But the dropbox still works, I guess.

The domain names are all registered to the same organisation:

Registrant:
 HotPOP LLC
 PO BOX 508
 Newton, MA 02460
 US

 Domain name: SEXMAGNET.COM

 Administrative Contact:
    Master, Host  hostmaster-92533@alias.HotPOP.com
    PO BOX 508
    Newton, MA 02460
    US
    +1.5187131719

By the looks of the main website, HotPOP LLC seems to offer free POP accounts. So they are not the spammer or the spammer organisation (although they do appear a bit 'shady' to me), but the spammer uses a free mailbox with them.

And a day later, I get another famous one:

201.28.113.205      tlccooperfamlly@aol.com
212.182.119.173     tlccooperfamlly@aol.com
213.225.101.145     tlcc00perfamily@aol.com

Links: Form Post Hijacking with a clear explanation and solutions.

Koos van den Hout (koos@kzdoos.xs4all.nl)