The Contact Us form uses the standard XenForo flood check.
Except this flood check doesn't work for guest users, which allows guests to spam the contact us form without respecting any flood check, while users do need to obey the flood check.
A quick look shows this is because XenForo uses the user_id as the primary key in the xf_flood_check table rather than something which would support a userid or an ip for guests.
Except this flood check doesn't work for guest users, which allows guests to spam the contact us form without respecting any flood check, while users do need to obey the flood check.
A quick look shows this is because XenForo uses the user_id as the primary key in the xf_flood_check table rather than something which would support a userid or an ip for guests.