A New Form of Spam
Email spam is not a new topic for most. Misspelled messages with promises of “Gr3@t M0rtg@ge Ratez” fill up inboxes on a daily basis. With a wide variety of spam protection services available, these nuisances are rarely even seen anymore. Unwilling to be silenced, spammers have taken to a new forum – online contact forms.
Nearly everyone with a Website has a contact form. It allows one more opportunity for a user to contact your business, and the messages are tailored with the information you need: Name, contact information, comments, questions, etc. The contact form is so common that scripts have been developed by spammers to crawl sites and look for forms. Once found, the script will automatically submit them with a bogus name, email address, and the very messages that are usually blocked by spam filters. However, this time the message is coming from an address that you trust – your own.
Fear not, contact form owner. There are a few ways in which you can once again guard yourself from “FR33 IP0Dz”.
-
Validation
Unlike chaos theory, spam messages are a somewhat predictable. For instance, a check can be made in the form script to see whether your site has submitted the form. The origin of the submitted form is called the “referer” (this is how the geeks spell it), and many spam script submissions contain an empty referer. Submitted form values themselves can also be checked for patterns such as invalid email addresses and common spam content.
-
CAPTCHAAlthough validation can help, spammers are always coming up with bigger and better ways to deliver you useless information. Enter CAPTCHA, which stands for “completely automated public turing test to tell computers and humans apart”. You may have seen a form that contained an image with squiggly numbers and letters, and you were asked to enter these characters before submitting the form. This is one example of CAPTCHA. This technique is very effective in fighting form spam, but it can also make your form inaccessible to the visually impaired.
-
3rd Party Spam Filters
Just as there are services that filter your inbox, there are similar services that check submitted form content to see if it’s legitimate. For instance, a service called Akismet accepts the values posted from your form and run them through a complex algorithm. If everything checks out, a “thumbs up” is sent back to the form script and the message can be sent. This method of spam prevention is more accessible than CAPTCHA, but it is also more costly since the service usually requires a subscription fee.
With the techniques I mentioned above you can dramatically reduce the unwanted spam messages that come from your contact form, and once again your business can concentrate on following up on legitimate leads.
Let's get the discussion going. Please comment on this article.
About the Author
Mike Wisian is TradeMark Media's Technology Director. He uses his XHTML, CSS and programming skills to create Web sites and rich Internet applications.
Discuss This Article
4 Responses to “A New Form of Spam”
sign up
Posts by Author
- Andrea Richeson (10)
- Carly Smith Hohl (8)
- Caroling Lee (33)
- Gina Hollis (6)
- Izzi Hassan (3)
- Janis Gonser (19)
- Jean Conover (19)
- Jeff McAllister (8)
- John Rasco (1)
- Jonathan Horak (6)
- Kristine Fernandez (4)
- Kyle Greenan (7)
- Manoj Thomas (14)
- Margeaux Denson (1)
- Matt Williamson (2)
- Mike Wisian (33)
- Nick Weynand (64)
- Robert Banh (2)
- Rudy Pena (2)
- Sarah Bailey (6)
- Sarah Cox (21)
- Steve Garcia (5)
- TradeMark Media (350)
Published by
An accessible CAPTCHA solution called reCAPTCHA is a new option. This particular CAPTCHA implementation uses our ability to decipher distorted text to digitize books, as humans can usually read text which OCR programs cannot.
After some experimentation with ‘referer’ validation, limiting links, blacklisting, etc., we settled into blocking blog comment spam with Akismet, Bad Behavior, and ReCAPTCHA.
For the price (free), ReCAPTCHA is probably the best CAPTCHA out there. You get to filter out the bots and Carnegie Mellon gets their books digitized—after you read about the concept, you wonder why no one thought of it before. The client interface is pretty darn smart as well. It addresses the accessibility issue by providing an audio challenge.
For the back end, there are plenty of plugins and libraries to suit almost any environment. It was a dirt-simple plugin install on WordPress (example) and almost as easy to add to a PHP mailform.
Oh, and one other thing. If you want to display your email address on a page, you can wrap it in a reCAPTCHA as well (clicking on the ellipses in an email link brings up the ReCAPTCHA challenge).
We haven’t had any problems yet, but this is very good information to know just in case…
Thanks for the ReCAPTCHA idea, Steve and Jonathan. I tried other forms of audio CAPTCHA, but hosting them seems to tax the server.