1 mark_c Jan 31, 2009 00:50
3 mark_c Feb 02, 2009 13:52
Thanks.
By "direct access" I mean where a bot is directly calling the routine to send email messages (presumably message_send.php), inserting its spam, and sending. That's opposed to where a user clicks on the message send link within a page on the site. The intent of the .htaccess entry would be to block direct access to message_send.php when it is not called from a link within the site. So that would only allow it to be accessed if it is called up from a link within the site.
I'm seeing a rise in the number of attempts to send email through my blog. Looking through the "Direct B-Hits" tab in the stats section I found one IP address yesterday hitting the "send an email message" screen 12 times in the course of about 2 minutes. Not a huge number of accesses but it's clearly a bot and an organized attempt at an exploit. I expect the Turing test is stopping the actual sending of messages.
The problem with email spam is that you may not even know your site is doing it, since unlike comment spam you don't see it happening unless an email is directed to you. I started looking into this after I received an email from my own blog pitching pharm stuff. And I guess if a site sends enough email spam it risks being blacklisted by SORBS or Spamhaus or whoever.
The antispam keywords also seem to apply to blog emails, so there is also that level of protection. I'm figuring though that the .htaccess approach might block a few more attempts.
Thanks - I'll make that change to .htaccess and see what happens.
Looks like it would.
But I'm kinda confused on what you mean when you say direct attempt to send message, please elaborate.
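Added example, not part of the thread and not the blog software's own code: a small log check for the pattern described above, repeated hits on message_send.php in a short window with no Referer from the site itself. The host name `blog.example`, the `/message_send.php` path, the thresholds and the sample log lines are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Apache "combined" format: ip, timestamp, method, path, status, size, referer, agent
LINE_RE = re.compile(
    r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" \d{3} \S+ "([^"]*)" "[^"]*"')

def _line(ip, sec, referer):
    """Build one constructed log line `sec` seconds after a fixed start time."""
    ts = (datetime(2009, 1, 30, 10, 0, 0) + timedelta(seconds=sec))
    stamp = ts.strftime("%d/%b/%Y:%H:%M:%S +0000")
    return f'{ip} - - [{stamp}] "POST /message_send.php HTTP/1.1" 200 512 "{referer}" "-"'

# Constructed sample data (documentation IP ranges, not real traffic).
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", 10 * i, "-") for i in range(12)]       # 12 hits in ~2 min, no referer
    + [_line("198.51.100.4", 600 * i, "http://blog.example/post/1") for i in range(6)]  # via site links
    + [_line("192.0.2.9", 900 * i, "-") for i in range(3)]       # a few hits, spread out
)

def flag_direct_senders(log_text, site_host="blog.example", target="message_send.php",
                        threshold=5, window=timedelta(minutes=2)):
    """Return {ip: max hits inside `window`} for off-site-referer hits on `target`."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ip, stamp, _method, path, referer = m.groups()
        if not path.split("?", 1)[0].endswith("/" + target):
            continue
        if urlparse(referer).hostname == site_host:
            continue  # request followed a link on the site itself
        hits[ip].append(datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z"))
    flagged = {}
    for ip, times in hits.items():
        times.sort()
        start = best = 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged

if __name__ == "__main__":
    print(flag_direct_senders(SAMPLE_LOG))
```

The Referer header is supplied by the client, so this check, like a Referer-based .htaccess rule, only catches bots that do not bother to set it.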