Did You Get My Form Submission?

You know what would be so great? We could have a form on our site, and we’ll collect people’s information and then we’ll build up our contact lists and leads, because we’ll be sending out important information, specials and discounts through email, and people will come to our site from across the Internet to sign up and we’ll be able to email them regularly and keep in touch and increase our sales and customer interaction!

WON’T THAT BE GREAT?!!! Yes, it would be great IF:

… we didn’t get hundreds of bogus emails from random addresses that don’t exist.

… we didn’t get e-mails that contain characters we don’t recognize — like someone is submitting scripts or trying to hack our forms or something.

… people would fill out the information I really need, like mailing address or phone number.

… people would fill out the information in a useable format.

The Drama of Form Spam

Here’s the rub. Having a form online means you will have abuse. There is just no way to stop all of it from coming in. You can, however, take certain precautions to help diminish the volume of the non-useful and sometimes harmful submissions.

There will always be spammers who pay workers pennies to sit and submit Internet forms all day — it’s all they do. If these people submit the form, there is really nothing you can do to stop them. They don’t care what kind of form it is, and many times, these people don’t even speak the language your form is written in. So even if it is a form that only goes to one person, the spammer will still type in all kinds of random and sometimes repulsive stuff that you have to sift through to get to the “real” submissions.

It’s just the nature of the beast. Understand that if you have a form on your site, there will be people who abuse it.

Now, if you’re getting hundreds at a time, with entries that are very similar (they will be one or two letters off, or using repeating terms but certain blanks will be filled out in different ways), then that means there is most likely an automated spamming / hacking program that is attacking your form to 1) send bogus info to the receiver and 2) find ways to crack the mailing program and possibly use that to send out spam of their own, using your system.

Having a form on your site comes with some basic responsibilities on the part of your web development guru. Here are some things you can use to set up your web forms to cut down on spam submissions and to make your forms more useful.

Web Form Security Options

1. Use Required Fields. Make sure specific fields are required for the form to successfully submit. This is fairly basic and should be a standard addition to every form you have.

2. Validate required fields. This is also fairly basic and should be a standard addition to every form you have. Make sure fields are what they are supposed to be. Don’t accept the literal text “MM/dd/YY” in a field that is supposed to contain numbers, not letters. Make sure email addresses have an @ sign. Limit zip code fields to a certain number of numerical characters only. Make sure no html tags are submitted in fields like “Name” and “Phone.”

3. Strip HTML and scripting tags / commands. Unless your form answers need html for some reason, strip it from the data. This is a good safeguard against hack attacks as well. You can use this in combination with the validation (detailed above) to almost stop the URL spam.

4. Add a CAPTCHA. This is the thing you see at the bottom of forms (pretty regularly now), where you have to type in certain characters to submit the form. If you don’t type in the right characters, submission doesn’t happen. If you use a captcha that is not cracked or easy for hackers to hack, you’ll have a fairly stable form for some time.

5. Include a language or culture specific question. For instance, let’s say you have an English site, and your target audience is American. Include a question that will be an easy question for Americans, but to foreign people, it won’t mean much. Like — Who was the first president of the United States? (the accepted answers would only be “Washington” or “George Washington”) Or What is the major American holiday in November? (answer would have to be “Thanksgiving”). … then once the foreign spammers figure out the answer, and you start getting spam again, then change the question and the validation that goes with the form (so only certain answers are accepted). Sad to say, but because these people are being paid pennies a day, chances are they are not as educated and many would not know English — so they wouldn’t know what to put in the form unless they were instructed to do so.

6. Require e-mail confirmation. Set up your form so when someone submits the form, your system sends an email that would require the person to click on a link in their email to fully submit the information (to confirm their email address). With this option, you wouldn’t even get the email unless their address was confirmed. … Again, though, if a spammer has a real address and actually checks their email and they click on the link, there is no way to stop them. One risk is that you may lose valid contacts this way: the confirmation message gets caught in a spam filter, people don’t check their email, or they overlook the requirement.
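To make options 1, 2, 3, 5 and 6 concrete, here is a server-side sketch added as an example; it is not code from the original post. The field names, the 5-digit zip rule, the `message` field and the demo signing key are assumptions, and the CAPTCHA (option 4) is left out because it depends on whichever service you pick.

```python
import hashlib
import hmac
import html
import re
import time

REQUIRED = ("name", "email", "zip", "challenge")      # assumed field names
TAG_RE = re.compile(r"<[^>]*>")                       # anything shaped like a tag
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")  # shape only, not deliverability
ZIP_RE = re.compile(r"^[0-9]{5}$")                    # assumption: 5-digit US ZIP
ACCEPTED = {"washington", "george washington"}        # change along with the question
SECRET = b"constructed-demo-key"                      # assumption: real key comes from config


def validate(form):
    """Return (cleaned, errors); use cleaned only when errors is empty."""
    cleaned, errors = {}, {}
    for field in REQUIRED:
        value = (form.get(field) or "").strip()
        if not value:
            errors[field] = "required"
        elif TAG_RE.search(value):
            errors[field] = "html not allowed"
        else:
            cleaned[field] = value
    if "email" in cleaned and not EMAIL_RE.match(cleaned["email"]):
        errors["email"] = "invalid"
    if "zip" in cleaned and not ZIP_RE.match(cleaned["zip"]):
        errors["zip"] = "invalid"
    if "challenge" in cleaned and cleaned["challenge"].lower() not in ACCEPTED:
        errors["challenge"] = "wrong answer"
    cleaned["message"] = html.escape(TAG_RE.sub("", form.get("message") or "").strip())
    return cleaned, errors


def make_token(email, now=None, ttl=86400):
    """Signed, expiring value to embed in the confirmation link."""
    expires = int(time.time() if now is None else now) + ttl
    mac = hmac.new(SECRET, f"{email}|{expires}".encode(), hashlib.sha256).hexdigest()
    return f"{expires}.{mac}"


def check_token(email, token, now=None):
    """True only if the token was issued for this address and is unexpired."""
    expires, _, mac = token.partition(".")
    good = hmac.new(SECRET, f"{email}|{expires}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac.encode(), good.encode()):
        return False
    return int(expires) >= (time.time() if now is None else now)  # MAC ok: expires is ours
```

The submission is only stored or forwarded once `validate` returns no errors and the link carrying the token has been clicked. Free-text input has its tags stripped and any remaining markup characters escaped.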

You can use one of these items or a combination of several, or all of them if that’s what floats your boat. It is really just a matter of preference. Keep this in mind, though … As programmers program, hackers hack, and eventually, every security measure is broken. Anytime you provide functionality, you have to realize there is a balance between security and function.

Oh — and Happy New Year! May your 2008 be form-spam free!

Just my 2¢ anyway!

© 2008 Jennifer Poyer


2 Responses to “Did You Get My Form Submission?”

  1. markdykeman Says:

    That reminds me, I really need to set up my contact form….

  2. J. Poyer Says:

    Yeah - I know what you mean. Still have yet to do this on my own site. At least my clients are well taken care of, ay?
