Reducing the Risk Of Providing Site Recommend Forms
Without certain protections in place, "recommend this site"
forms are more open to misuse than contact forms and most
other types of forms. That's because the form sends a message
typed by the visitor to an email address the visitor also
supplies: whoever fills it in chooses both the words and the
destination. An inadequately protected one invites abuse by
the unscrupulous. But that's another article.
One would think site recommend forms are hijacked more
often than other types of forms. But that's not the case,
at least not as of this writing.
I know why.
Spammers, or their servants, have robots traveling the web
looking for forms vulnerable to a certain hijacking method.
(Form Hijacking Resources has more info.)
The current crop of such robots, while effective at finding
forms with a hijacking vulnerability, is not smart enough
to tell what the forms it targets are for.
On willmaster.com and several other domains, alert systems
cause visiting robots of this type to reveal their methods.
And I receive emails from people who have had forms hijacked,
some of whom provide excellent documentation. The statement
that the current crop of robots doesn't differentiate the
purpose of forms is according to my knowledge as of this
writing.
The reason "recommend this site" forms aren't specifically
targeted is that a robot finds vulnerable forms of any kind
automatically, whereas picking out recommend forms in
particular still has to be done by hand and costs the
spammer personal time.
That will change.
As more hosting accounts are reprimanded or shut down, the
number of vulnerable forms will decrease. When the demand
for hijackable forms exceeds their availability, spammers
will have the incentive to build robots specifically for
finding site recommend forms.
But that doesn't mean you have to remain vulnerable.
Master Recommend V3 (free) and
Master Recommend Pro V4 ($49)
both have security code built in to address these points:
- The form hijacking methods currently used on other forms.
- Automatic submission of recommend forms.
- Malicious use of the forms.
If you're currently using either of the above programs,
verify the version date is June 2004 or later. If earlier
than June 2004, pick up and install the latest version for
better protection. Upgrades are free.
Here is how the protections in Master Recommend Pro V4 work
(unless otherwise noted, Master Recommend V3 has somewhat
similar protections):
Protection from Current Hijacking Methods
The very effective code that protects webmasters who use
Master Form V4 and other
Master Series CGI software titles is also implemented in
both Master Recommend software titles.
In essence, it refuses to place any carriage return or
linefeed in an email header line. A line break ends the
header line it lands in, so a hijacker who can get one into
the From, To, or Subject field can follow it with header
lines of his own (extra recipients, a Bcc, a different
subject) or, after a blank line, with a body of his own.
That is the hook used to control the content and
destination of the email.
Protection from Automatic Form Submission
When the site recommend form is loaded into a visitor's
browser, a code is generated with JavaScript and a cookie
is set with unique information.
The information is tracked in the cookie as well as in a
hidden form field. Validation consists of matching cookie
with hidden field, in addition to other treatments to
ensure the information was originally generated by
Master Recommend Pro V4.
The form with that unique information may be submitted only
once. To use the form again, the form must be reloaded in
order to generate another set of unique information.
Browsers without both JavaScript and cookies available cannot
use the form.
No challenge-response system is required. The entire
protection system is transparent to most legitimate users.
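The validation just described, as an added example rather than Master Recommend's own code: the same value is issued into a cookie and a hidden field, a submission is accepted only when the two match, and each value is spent once. The page does not say what the "other treatments" are that prove the value came from the script; this example assumes a server-side HMAC over the value with a key the browser never sees, and it assumes the value is issued by the server when the form is served rather than by JavaScript in the page. The demo key and time values are constructed.

```python
import hashlib
import hmac
import secrets
import time

# Constructed demo key. In a deployment this is a long random value kept on
# the server and never sent to the browser.
SERVER_SECRET = b"demo-only-secret-change-me"
TOKEN_TTL_SECONDS = 30 * 60


def issue_token(now=None, secret=SERVER_SECRET):
    """Build the value that goes into both the cookie and the hidden field.

    Layout: nonce.issued.signature. The signature lets the server confirm
    later that it issued this exact nonce and timestamp, so a client cannot
    mint its own token.
    """
    issued = int(time.time()) if now is None else int(now)
    nonce = secrets.token_hex(16)
    sig = hmac.new(secret, f"{nonce}.{issued}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{issued}.{sig}"


class SubmissionGuard:
    """Validates one submission: cookie and hidden field must match, the token
    must be server-issued and fresh, and each token may be spent only once."""

    def __init__(self, secret=SERVER_SECRET, ttl=TOKEN_TTL_SECONDS):
        self._secret = secret
        self._ttl = ttl
        self._spent = set()  # nonces already used; persist this in a deployment

    def check(self, cookie_token, hidden_token, now=None):
        """Return (accepted, reason)."""
        now = int(time.time()) if now is None else int(now)
        if not cookie_token or not hidden_token:
            return False, "token missing (no cookie or no hidden field)"
        # Compare as bytes so non-ASCII junk posted by a robot cannot make
        # compare_digest raise instead of returning False.
        if not hmac.compare_digest(cookie_token.encode(), hidden_token.encode()):
            return False, "cookie and hidden field differ"
        parts = hidden_token.split(".")
        if len(parts) != 3 or not parts[1].isdigit():
            return False, "malformed token"
        nonce, issued, sig = parts
        expected = hmac.new(self._secret, f"{nonce}.{issued}".encode(),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig.encode(), expected.encode()):
            return False, "token was not issued by this server"
        if now - int(issued) > self._ttl:
            return False, "token expired; reload the form"
        if nonce in self._spent:
            return False, "token already used; reload the form"
        self._spent.add(nonce)
        return True, "ok"


if __name__ == "__main__":
    guard = SubmissionGuard()
    token = issue_token()
    print(guard.check(token, token))          # (True, 'ok')
    print(guard.check(token, token))          # second use is refused
    print(guard.check(token, issue_token()))  # cookie and field differ
```

What this stops is the robot that posts to the form URL blind, without first loading the page and without keeping cookies between the load and the post. A client that does both will pass the match, so the single-use rule and the expiry are what limit the damage; neither is a substitute for the header-line check above, which must run on every submission regardless.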
Protection from Malicious Use Of Forms
Protection is multi-pronged. Each prong works best when it
is set up ahead of time, before the form is abused.
- The Master Recommend Pro V4 control panel has a form
  where the webmaster can type banned words and phrases.
  (Master Recommend V3 has no control panel, but does
  have a list of banned words and phrases built in.)
- The Master Recommend Pro V4 control panel can be used
  to ban certain email addresses.
  (Master Recommend V3 does not have this feature.)
- The form may be submitted only from an authorized
  domain.
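The three prongs as one screening function, added here as an example and not taken from Master Recommend. The banned-phrase and banned-address lists stand in for what the control panel would hold and are constructed; the "authorized domain" test is assumed to be a check of the Referer header, which the page does not spell out. The address list supports an "@domain" entry to ban a whole domain, which goes slightly beyond the page's "certain email addresses".

```python
import re
from urllib.parse import urlsplit

# Constructed configuration standing in for the control-panel lists.
BANNED_PHRASES = ["free money", "click here now", "cheap meds"]
BANNED_ADDRESSES = {"spammer@example.net", "@blocked.example"}  # "@host" bans a domain
AUTHORIZED_HOSTS = {"www.example.com", "example.com"}

_SPACES = re.compile(r"\s+")


def normalise(text):
    """Lower-case and collapse whitespace so 'Free   MONEY' matches 'free money'."""
    return _SPACES.sub(" ", text).strip().lower()


def banned_phrase_in(text, banned=BANNED_PHRASES):
    """Return the first banned phrase found in text, else None."""
    haystack = normalise(text)
    for phrase in banned:
        if normalise(phrase) in haystack:
            return phrase
    return None


def address_banned(addr, banned=BANNED_ADDRESSES):
    """True if the address, or its whole domain, is on the banned list."""
    addr = addr.strip().lower()
    if addr in banned:
        return True
    domain = addr.rpartition("@")[2]
    return f"@{domain}" in banned


def referer_authorized(referer, authorized=AUTHORIZED_HOSTS):
    """Exact host match only. A suffix test such as endswith('example.com')
    would let 'www.example.com.evil.test' through."""
    if not referer:
        return False
    host = urlsplit(referer).hostname
    return host is not None and host.lower() in authorized


def screen(form, referer):
    """form holds the 'from', 'to' and 'note' fields. Returns a list of
    rejection reasons; an empty list means the submission passed."""
    reasons = []
    if not referer_authorized(referer):
        reasons.append("form not submitted from an authorized domain")
    for field in ("from", "to"):
        if address_banned(form.get(field, "")):
            reasons.append(f"{field}: address is banned")
    hit = banned_phrase_in(form.get("note", ""))
    if hit:
        reasons.append(f"note: contains banned phrase '{hit}'")
    return reasons


if __name__ == "__main__":
    sample = {"from": "visitor@example.org", "to": "friend@example.com",
              "note": "Thought you'd like this site."}
    print(screen(sample, "http://www.example.com/recommend.html"))  # []
    print(screen(dict(sample, note="FREE   money inside"),
                 "http://www.example.com/recommend.html"))
```

Two cautions on the domain check. The Referer header is written by the client, so it stops undirected robots and nothing more determined; and some browsers and proxies strip it, so rejecting an absent Referer outright, as this function does, will turn away a few legitimate visitors. Whether that trade is worth it is the webmaster's call.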
The likelihood of automated submission or malicious use
of site recommend forms can be reduced by omitting the
opportunity to write a personal note to the friend with
the recommendation.
But that's not very professional. It's like telling
visitors it's okay to recommend the web site but they
have to do it with someone else's words.
Would you recommend a web site with that restriction?
While site recommend forms may not be specifically targeted
by form vulnerability hunting robots at this time, that
does not make any form less susceptible.
Why take a chance? Software with protection is available.
Word-of-mouth advertising does not have to be dangerous.
Will Bontrager
©2005 Bontrager Connection, LLC