Spamming Through Your Forms
Note: This article addresses automated form submission. If your form might be being hijacked (software used to send hundreds or thousands of spam from YOUR server), see Form Hijacking Resources for a list of articles to describe symptoms, to assist understanding, and to obtain SOLUTIONS.
Automated form submission, as addressed in this article,
is software masquerading as your form and submitting
information. Your form handling software is unable to
determine whether it is a person or other software
submitting the form.
Spammers are now using automated form submission software.
They can't get all of their spew into your mailbox the
normal way, so they use the back door. They probably
figure all site owners read email sent from forms on
their own web site.
It's not bad, yet, except for those it is happening to.
It can feel like an invasion of personal space. According
to the inquiries we're receiving, the blight is spreading.
You know your form is being automatically submitted when
you receive, more or less regularly, communication from
your forms that seem spammy.
Spammy stuff can be submitted manually by individuals,
form by form, it is true. But that takes a lot of time
and effort. The spammer would surely cease the manual
thing after realizing the small return.
With automated submission, on the other hand, it matters
less how small the return might be. Once it's going, it
takes very little effort to send spam to every form
handling software URL on the list.
The good news is that there are things you can do to
prevent it. And there are things you can do even if
spammers get your form handling software URLs into
their lists.
Automated Submission Prevention
Using software or a service that prevents automated
submission can be a solution for some site owners.
For others, three prevention methods are described
here. They may be used independently or together.
Software File Rename
If the form handling software you're using is a popular
title, it might be found by robots looking for the
software's usual file name or names. Renaming each
software file (and changing the action attributes of all
forms that use them accordingly) could keep your software
hidden from spammers' searching robots.
The above only keeps file name searching robots from
finding your form submission software. It does nothing
to blind robots searching for the forms themselves.
JavaScript Required
Insert the form using JavaScript every time the web page
loads. I am not aware of any automated submission software
in use today that can read and parse JavaScript.
To do this, the form must be in an external file and written
in JavaScript code. Then the file is retrieved by JavaScript
on the web page where the form is to be inserted.
It's actually not that hard, unless you have a long or
complicated form. The "JavaScript Method..." sections of
the "'Roll Your Own' JavaScript and PHP Syndication" article
at /rollown describe the process.
If you prefer to do it control panel easy, the Master Series
at /scripts has several syndication
software tools that can be used for that purpose.
Encoded Values
The value of the form tag action attribute, or the values
of other attributes, might be encoded to foil the spammer's
robot that slinks around looking for forms.
For example, if the action attribute was
action="http://example.com/script.cgi"
the "t.c" part could be encoded for
action="http://example.com/scrip&#116;&#46;&#99;gi"
to cause the robot to think the script file name is "scrip"
with several parameters. Or, "p:/" could be encoded for
action="htt&#112;&#58;&#47;/example.com/script.cgi"
to possibly cause the robot to think the action value is
a relative URL or just confuse it altogether.
Don't encode HTML tags or tag attributes. Some browsers
misinterpret. But attribute values may be encoded and work
correctly in all browsers I've tested.
/blog/development/Gen_HTML_Entities.html has code for a web page that can be saved on your computer's
hard drive and used whenever you want to encode characters.
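The attribute-value encoding described above, as an added example (not the article's Gen_HTML_Entities page): it encodes a chosen substring of the action value as HTML numeric character references and decodes the result the way a browser would, to confirm the URL survives the trip.

```javascript
// Added example: encode part of an attribute value as &#NN; references,
// as the article suggests for a form's action attribute. Browsers decode
// numeric references inside attribute values, so the action still works.

// Replace every character of `part` inside `value` with a &#NN; reference.
function encodeAttrPart(value, part) {
  const encoded = [...part].map(ch => `&#${ch.codePointAt(0)};`).join('');
  return value.split(part).join(encoded);
}

// Decode decimal and hex numeric references back to text, i.e. what a
// browser does when it reads the attribute; used to check the result.
function decodeNumericRefs(text) {
  return text.replace(/&#(x[0-9a-f]+|\d+);/gi, (_, num) =>
    String.fromCodePoint(num[0].toLowerCase() === 'x'
      ? parseInt(num.slice(1), 16)
      : parseInt(num, 10)));
}

// Build the opening form tag with the encoded action attribute.
function formTag(actionUrl, part) {
  return `<form method="post" action="${encodeAttrPart(actionUrl, part)}">`;
}

// Constructed sample values matching the article's example.
const sampleUrl = 'http://example.com/script.cgi';
console.log(formTag(sampleUrl, 't.c'));
// → <form method="post" action="http://example.com/scrip&#116;&#46;&#99;gi">
console.log(decodeNumericRefs(encodeAttrPart(sampleUrl, 'p:/')) === sampleUrl);
// → true
```

Note that a robot built on a real HTML parser decodes these references exactly as a browser does, so this only hides the form from naive pattern-matching scanners.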
Automated Submission Damage Control
If your form processing software is already on spammers'
lists for their automated submission software, here are
some things you can do.
- Rename the form handling software file (mine.cgi,
  for example). Renaming the file will invalidate the
  URL now on the spammers' lists, causing a 404 error.
  Action attributes of forms using the software will
  need to be changed accordingly.
  This may be a temporary reprieve. Or it could be
  permanent. It depends on how soon, if ever, the spammer
  or the spammer's robot comes to determine the new form
  handling software URL.
- Put the form on a different web page. This action
  would not be enough, by itself, in most cases,
  because the form handling software URL is already
  on the spammers' lists. Thus, it doesn't matter
  where the form is. However, it is an excellent
  action to take in conjunction with renaming the
  software file names.
  When both the software file name and the URL of the web
  page form are changed, a robot can't quickly come back
  to the form and determine the new URL when a 404
  is encountered. It would have to do additional
  spidering to find the form, which it might or
  might not be programmed to do.
- Make an additional installation of your software,
  leaving the original as is (for the moment).
  Change your forms' action attributes to use the
  new installation. Then re-write the original
  installation with these two lines (assuming Perl):
  #!/usr/bin/perl
  print "Location: http://example.com/thanks.html\n\n";
  Replace the http://... URL in the above with the URL
  of your normal "thank you" page. The spammer now
  thinks the automated submission is still good and
  never looks for your new installation. It's a crying
  shame to let the spammer think s/he is getting away
  with something. But then, you're getting away with
  something, too :)
- Change form submission software or service to one
  that has automated submission protection.
When damage control has been accomplished, you may wish to
implement one or more of the steps listed in the "Automated
Submission Prevention" section, above.
Additional Automated Submission Prevention Techniques
It's possible to prevent automated submission, at least
most of the time. When a prevention system is bypassed,
other measures are put in place. All preventive measures
I've considered require programming.
"Type the letters in the image" verification systems are
currently effective. They also require real people to go
through an extra step just to use your form, doing the
dance to prove their existence.
A really good system would be transparent for real people,
yet effectively block automated submission.
In-Form™ from http://webform.flowto.info/ is such a
tool. In-Form uses an effective "secret" method to prevent
automated submission.
The Secret
The web page form is created anew for every site visitor
loading the web page into a browser.
The form is generated and printed to the browser by software
on the server. The form can be inserted into the web page
with SSI, PHP, or JavaScript. (In-Form uses JavaScript.)
The software on the server that generates the form for the
browser also generates a pseudo-random number or string of
characters for a control code. This control code is recorded
in a file on the server and also inserted into a hidden
field of the form.
When the form is submitted, the control code in the hidden
field must exist in the file on the server. Otherwise, the
submission is rejected. Each control code may be used only
once. Control codes automatically expire after a certain
length of time.
Will Bontrager
©Copyright 2006 Bontrager Connection, LLC