Marketing & SEO Discussion List - LED Digest

 
Building Better Forms and Beating Spammers
Written by Marty R. Milette
January 8, 2007

Techniques to Kill Form Spam

Form spamming is easy. It takes one line of code to fake a "Referrer" header, and any programmer could use Visual Basic or Excel to create a form-spamming application in a few minutes. Keep in mind that spammers are lazy. They look for simple forms with no validation, ones that reply immediately to the address entered on the form, and ones that echo back the text fields collected from the form.

In Russia, they play mean. Last year I had a case where a company was deliberately sending spam through its competitor's own server to try to get it blacklisted and annoy their mutual customers. Once your mail server is blacklisted, you had better look for another place to host it, because it will be almost impossible to get de-listed.

Some techniques I use myself to kill form spam include the following. Keep in mind that I am speaking of forms that are submitted to a form-processing script on a server that you control -- not an automated posting handler such as the one in the FrontPage Server Extensions, which sends emails without any analysis:

1. Apply thorough server-side form validation.

Forget about client-side JavaScript form validation -- spammers post data directly to the server. On the server side, validate email addresses: ensure that only one address is provided (injecting a list of addresses separated by commas is a common trick), that the address is properly formatted, and that it has not been used to submit the form previously. Validate the poster's IP address (not the "Referrer" property): ensure it has not been used before, or restrict how many submissions per day or week are accepted from that IP address. Validate all remaining text fields to ensure the appropriate field lengths have not been exceeded. You may even scan text fields for common spam-related keywords if you wish.

2. Make the form's reply email useless for the spammer.

Never directly echo back any text fields that were sent in the original form submission. Instead, submit the form to a server-side script that examines the post and then prepares different replies for the web owner and the submitter. Send only a 'stripped-down' confirmation reply, such as "Thank you for your inquiry about xyz, we will review your questions and get back to you right away...", rather than including any text that the web form collected. If there is no way to get their spam into the confirmation message, your form is useless to them.
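As an added example (not code from the original post), here is how a server-side form handler in Python could apply techniques 1 and 2 together: the field names, the length limits, the per-IP daily quota and the fixed product menu are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed policy values for this example; the original post names no limits.
MAX_LENGTHS = {"name": 80, "email": 120, "subject": 120, "message": 2000}
MAX_PER_IP_PER_DAY = 5
SECONDS_PER_DAY = 86400
# Exactly one address: commas, semicolons, spaces and CR/LF cannot match, so a
# comma-separated list (the trick the post describes) is rejected outright.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

seen_emails = set()          # addresses that have already submitted the form
ip_log = defaultdict(list)   # client IP -> timestamps of accepted submissions


def validate_submission(fields, client_ip, now):
    """Technique 1, server side. Returns a list of rejection reasons; an empty
    list means the post is accepted and recorded for the email/IP checks."""
    reasons = []
    email = fields.get("email", "")
    if not EMAIL_RE.fullmatch(email):
        reasons.append("email must be exactly one well-formed address")
    elif email.lower() in seen_emails:
        reasons.append("email already used to submit this form")
    for name, limit in MAX_LENGTHS.items():
        value = fields.get(name, "")
        if len(value) > limit:
            reasons.append(f"{name} exceeds {limit} characters")
        # A bare CR/LF in a single-line field is what mail-header injection needs.
        if name != "message" and ("\r" in value or "\n" in value):
            reasons.append(f"{name} contains a line break")
    recent = [t for t in ip_log[client_ip] if now - t < SECONDS_PER_DAY]
    if len(recent) >= MAX_PER_IP_PER_DAY:
        reasons.append("too many submissions from this IP today")
    if not reasons:
        seen_emails.add(email.lower())
        ip_log[client_ip] = recent + [now]
    return reasons


def confirmation_reply(fields):
    """Technique 2: a fixed, stripped-down reply that never echoes free text.
    Only a product name chosen from a fixed menu is reflected (assumed menu)."""
    product = fields.get("product", "")
    if product not in ("widgets", "wigwags"):
        product = "our products"
    return (f"Thank you for your inquiry about {product}, we will review your "
            "questions and get back to you right away.")
```

The reply to the web owner can carry the full submission; only the reply sent back to the poster's address is built this way.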

3. Make it difficult for the spammer to automate the process.

Spammers are lazy. Make it difficult for the spammer to automate the process, but NOT more difficult for legitimate customers. Rather than resorting to CAPTCHAs (which I hate with a passion), just split the form in two: the user enters basic information on the first page, submits that form, and then fills out the second, perhaps more detailed, page. It adds only one click to the process for the user, but makes it almost impossible for the spammer (especially if the second form validates the data from the first form on the server side and uses inter-form session or authentication keys).

An additional advantage of this technique is that the second form can be generated based on the responses from the first -- so if the visitor states on the first form that they are interested in widgets and not wigwags, the second form can ask detailed questions about their widget interests.

Marty R. Milette


Comments (1)

Deb said:

  Spammers have somehow figured a way to put periods, slashes, commas, or any character they like on an email form on which I have set the field validation to not accept . // ' "" > , ( ) = or any other such characters. How are they doing this?
January 19, 2008
