Here is an example, I let a friend parked his rarely used site on my server. He has a "dead" online form on the site which send the user input to a 3rd party address, but he never checked that 3rd party address again.
Some bots attacked that form, and hundreds of thousands emails were sent to the 3rd party mail boxes. And then 3rd party hosting company blacklisted my server's IP.
This brings me to another question, in addition to add protection codes, should I allow sending the content of online forms of the sites hosting on my server to a 3rd party email address not hosting on my server?
We only hosted the sites we develop and we can persuade the clients and in our coding we will only send the form contents to the email address we host (if they want, then they can auto forward the email to 3rd party.)
This way, if a hacker attack happens, at least I can know from my scirpts which was monitoring the qmail queue and take action right away, instead of not knowing what is happening until 3rd party blacklisted me.
