I had a form like that. You put in your email and it sends an email from us@foo.com, to us@foo.com, and to them@whatever.com. We had internal mailing lists for clients, including something like all-clients@foo.com, but they were locked down so only certain people could send to them. Turns out us@foo.com was one of those people, and so someone would spam all of our clients by putting their return address as all-clients@us.com. We just took the form down and posted our email address.
The only real solution is not allowing contact form emails to be customized with free text input.
I guess you could have a manual approval loop for "weird" names (more than 30 characters, has a dot in it, etc.) or other signs of spam. It would still leave some space for spamming though (I can't imagine a rule that stops "Buy More ETH" but doesn't stop any unusual real name).
I don't know, I haven't really probed random contact forms to see if they block this kind of thing.
There's a lot more to do to block this kind of proxy spam entirely, for sure. I was just talking about the particular problem of using the contact form to send to a mailing list.
I'm sure enough organizations have a mailing list called "customers@company" or "clients@company" to make it worth a shot. Colleges probably have "students@school" or "faculty@school" lists.
Might be enough names you can profitably do it by hand.
How did they know the internal mailing list address was all-clients@us.com? Unless I'm missing something, sounds like this would require internal company knowledge.