Preventing Contact Form Spam

2006-03-21

You surely won't be happy when your web site's contact form gets used as a free mail relay for someone else's financial gain. Here are some ways to prevent contact form spamming and abuse.

In order from least effective to most effective:

Use Obscure Field Names

One thing you might want to do is avoid using "email" in the names of your form fields. It might stop less intelligent bots from identifying your form as a possible target. Don't expect much from this on its own: a bot that reads the page can see the field is an address field no matter what it's called.

Stop Repeated Submissions

Form submissions are not hard to spoof. After all, HTTP is a well-documented standard and form submissions travel as plain text, so any programmer of average skill can write a program that repeatedly sends form data to your server, with whatever fields and values they wish.

This means two things: the submission processing script shouldn't blindly package every received form field into the outgoing email message (accept only the fields you expect and ignore the rest), and it should try to thwart repeated submissions.

One way to do this: start a server-side session and record in it whether the visitor has fetched the contact form normally (via the HTTP GET method). Keep that flag on the server, not in a cookie: the only thing the visitor's cookie should carry is the session identifier, because anything stored in the cookie itself can be read and rewritten by the bot. Accept a POST only from a session that has just done a GET, and when you process the POST clear the flag, so one GET cannot authorise a stream of POSTs. This solution isn't infallible. All a bot needs to do is support cookies and request the form (GET) before it POSTs, which is why it sits near the bottom of this list.
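Here is the GET-then-POST check in code. This is an added example, not code from the original post; it stands in for the web server with a plain function and uses a dict as the session store, and the names SESSION_STORE, handle_request and the "sid" cookie are assumptions chosen for the illustration. The flag lives in the server-side dict; the only thing handed to the visitor is the session id.

```python
"""Server-side "GET before POST" check for a contact form.

Added example, not code from the original post.  The web framework is
replaced by a plain function; SESSION_STORE, handle_request and the
"sid" cookie name are assumptions for illustration.
"""
from __future__ import annotations

import secrets

# Server-side session storage: session id -> per-visitor state.
# A bot can see and replay its session-id cookie, but it cannot read
# or write what is stored here.
SESSION_STORE: dict[str, dict] = {}


def _session_for(cookies: dict) -> tuple[str, dict]:
    """Return (session_id, session_dict), starting a fresh session when
    the visitor has no cookie or presents an id we don't know."""
    sid = cookies.get("sid")
    if sid is None or sid not in SESSION_STORE:
        sid = secrets.token_urlsafe(16)
        SESSION_STORE[sid] = {}
    return sid, SESSION_STORE[sid]


def handle_request(method: str, cookies: dict) -> tuple[int, str]:
    """Handle one request to the contact-form URL.

    Returns (http_status, session_id_to_set_as_cookie).  Rendering the
    form on GET and sending the mail on an accepted POST are left out.
    """
    sid, session = _session_for(cookies)
    if method == "GET":
        # Remember that this visitor just viewed the form normally.
        session["viewed_form"] = True
        return 200, sid
    if method == "POST":
        # pop() both reads and clears the flag: a POST is accepted only
        # if a GET preceded it, and the same GET cannot be reused.
        if not session.pop("viewed_form", False):
            return 403, sid
        return 200, sid
    return 405, sid
```

A bot that simply fires POSTs, with or without a cookie, gets 403 every time; a bot that fetches the form first is indistinguishable from a browser, which is the caveat stated above.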

Prohibit Multiple Recipients

Following good netiquette, it's common to send a copy of the submitted contact form to the submitter. After all, they've probably typed their email address into a form field so the website owner can reply to them. If the script accepts whatever is in that field and mails a copy to it, a spammer can put someone else's address there (or a whole list of them) and your server becomes a relay that delivers his message for him.

Don't allow multiple addresses separated by commas (or semicolons). Validate the field as exactly one address, and reject it outright if it contains a carriage return or line feed, since a line break in that field lets the submitter append header lines of his own, including extra recipients.

Prevent Email Message Injection

SMTP, the protocol mail is handed over with, has the following characteristic: while a message is being transmitted, a line consisting of a single period marks the end of the message data. This means that one can follow a message with a line containing only a period and then a second complete set of SMTP commands and message; the server treats the remainder as if it had been sent separately. Many times this is how spammers get their own emails out through other people's forms.

If your contact form script blindly passes the contents of a submitted textarea to the mail server as the message body, the spammer can put a whole second email into the textarea (headers and all), preceded by a line with a single period. A mail function that writes that text straight to the SMTP connection without escaping the period lets the server see the dot as the end of your message and everything after it as new commands.

Thus, one way to prevent injection is to do what the SMTP standard itself requires of a sending client: prepend an extra period to every line that begins with a period (so a lone "." becomes ".."); the receiving server strips the added period and the line is delivered as ordinary text. A mail library that does this for you is not affected; a script that writes to the connection itself must do it. Or just drop the message altogether if you detect a line consisting of a single period.
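The dot-stuffing rule, and the check behind the "drop the message" option, in Python. This is an added example rather than the post's own code; SPAM_PAYLOAD is a constructed attacker input showing the shape of the injection described above, and the function names are assumptions.

```python
"""Dot-stuffing as the SMTP standard (RFC 5321, section 4.5.2) requires
of a sending client, plus a check that spots a bare "." line in
user-supplied message text.

Added example, not code from the original post.  SPAM_PAYLOAD is a
constructed attacker input; function names are assumptions.
"""
import re

# A line consisting of exactly one period (after newline normalisation)
# is what an SMTP server treats as the end of the message data.
_BARE_DOT_LINE = re.compile(r"(?m)^\.$")

# Constructed attacker input: a "message" that ends the legitimate mail
# early and then continues as SMTP commands carrying a second message.
SPAM_PAYLOAD = (
    "Hello, nice site!\r\n"
    ".\r\n"
    "MAIL FROM:<spammer@example.net>\r\n"
    "RCPT TO:<victim@example.org>\r\n"
    "DATA\r\n"
    "Subject: Cheap pills\r\n"
    "\r\n"
    "Buy now.\r\n"
    ".\r\n"
)


def normalise_newlines(text: str) -> str:
    """Turn CRLF and bare CR into LF so line-based checks are uniform."""
    return text.replace("\r\n", "\n").replace("\r", "\n")


def has_bare_dot_line(text: str) -> bool:
    """True if any line of the text consists of a single period.
    This is the test behind the "drop the message altogether" option."""
    return _BARE_DOT_LINE.search(normalise_newlines(text)) is not None


def dot_stuff(text: str) -> str:
    """Encode a message body for transmission after the SMTP DATA command.

    Every line that begins with a period gets one more period in front
    (not only lines that are a single period); the server removes it
    again.  Output uses CRLF line endings and ends with the genuine
    end-of-data marker, which is then the only bare "." line present.
    """
    lines = normalise_newlines(text).split("\n")
    if lines and lines[-1] == "":
        lines.pop()  # a trailing newline would otherwise add an empty line
    stuffed = ["." + line if line.startswith(".") else line for line in lines]
    return "\r\n".join(stuffed) + "\r\n.\r\n"
```

After dot_stuff, the spammer's "." line and his closing "." both arrive at the server as text, and the MAIL FROM / RCPT TO lines are just more text in the body of your mail. Python's own smtplib applies the same transformation inside its data() method; the risk is in scripts that write to the socket themselves.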

Filter non-Humans

Perhaps the easiest way to keep spamming programs from abusing your form is to add a CAPTCHA to the submission page. It requires the submitter to type in the distorted text shown in an image on the page. Check the answer on the server, never in script on the page, and tie each challenge to the visitor's session so a solved one cannot be replayed.

Exploit Lack of CSS Support

I came across this tip from somewhere else on the web, but I can't remember where. It's not original to me.

Create a special field that is hidden in a normal browser (give it a style of "display: none", preferably through a stylesheet rule rather than an inline style attribute, so the hiding isn't visible in the field's own markup). You should probably name it "email" or something similar to bait the bot, and don't mark it as required, since a human never sees it. If there is data in this field when the form is submitted, you know it wasn't submitted using a standard web browser and was probably submitted by a bot, so you can discard the submission.
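An added example (not code from the original post) that puts the field checks from "Prohibit Multiple Recipients" and this section into one submission validator: it rejects a filled honeypot, insists that the reply address is exactly one address with no separators or line breaks, and copies only known fields towards the mailer instead of packaging everything it receives. The field names, the honeypot name email_confirm and the address pattern are assumptions chosen for the demonstration.

```python
"""Field-level checks for a contact-form POST: honeypot field, a single
reply address, and only expected fields passed on to the mailer.

Added example, not code from the original post.  Field names, the
honeypot name "email_confirm" and the address pattern are assumptions.
"""
from __future__ import annotations

import re

# Fields a real browser submission contains.  Anything else is dropped
# rather than packaged into the outgoing email.
ALLOWED_FIELDS = {"name", "email", "message"}

# The bait field: hidden with CSS in the real form, so a human never
# fills it in.  Named like an address field to tempt the bot.
HONEYPOT_FIELD = "email_confirm"

# Deliberately strict: one local part, one "@", one domain, nothing else.
# Commas, semicolons, spaces, angle brackets and line breaks are all
# outside the character classes, so a second recipient or an extra
# header line cannot ride along in the value.
_SINGLE_ADDRESS = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def is_single_address(value: str) -> bool:
    """True only if value is exactly one plausible mailbox address.
    fullmatch (not match with "$") is used so a trailing newline fails too."""
    return _SINGLE_ADDRESS.fullmatch(value) is not None


def validate_submission(fields: dict) -> tuple[bool, str, dict]:
    """Return (accepted, reason, cleaned_fields).

    cleaned_fields holds only ALLOWED_FIELDS and is what the mailer may
    use; it never contains the honeypot or any unexpected field.
    """
    # 1. Honeypot: the browser hides this field, so any content means a bot.
    if fields.get(HONEYPOT_FIELD, "").strip():
        return False, "honeypot filled", {}

    # 2. Exactly one reply address; any separator or line break fails.
    if not is_single_address(fields.get("email", "")):
        return False, "email must be a single address", {}

    # 3. Required fields present, unknown fields silently dropped.
    cleaned = {k: fields[k] for k in ALLOWED_FIELDS if k in fields}
    if ALLOWED_FIELDS - cleaned.keys():
        return False, "missing field", {}
    return True, "", cleaned
```

Discard silently on a failed honeypot check; an error message only tells the bot author which field gave him away.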

Creative Commons License
This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 United States License.