A New Form of Spam
Email spam is not a new topic for most. Misspelled messages with promises of “Gr3@t M0rtg@ge Ratez” fill up inboxes on a daily basis. With a wide variety of spam protection services available, these nuisances are rarely even seen anymore. Unwilling to be silenced, spammers have taken to a new forum – online contact forms.
Nearly everyone with a website has a contact form. It gives users one more way to reach your business, and the messages arrive tailored with the information you need: name, contact information, comments, questions, etc. The contact form is so common that spammers have written scripts that crawl sites looking for forms. Once a form is found, the script automatically submits it with a bogus name, a bogus email address, and the very messages that spam filters usually block. This time, however, the message arrives from an address that you trust – your own.
Fear not, contact form owner. There are a few ways in which you can once again guard yourself from “FR33 IP0Dz”.
Validation
Unlike chaos theory, spam messages are somewhat predictable. For instance, the form script can check whether the form was submitted from your own site. The origin of the submitted form is called the “referer” (this is how the geeks spell it), and many spam script submissions arrive with an empty referer. The submitted form values themselves can also be checked for patterns such as invalid email addresses and common spam content.
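The three checks described above, as an added example in Python that is not part of the original article: a referer check against the site's own host, an email syntax check, and a scan of the posted text for spam patterns. The host name, the regular expressions and the two sample submissions are assumptions constructed for the example. One caveat the check should respect: the Referer header is chosen by the client, so a spam script can set it to anything, and privacy settings can strip it from genuine visitors, which is why the code reports reasons rather than silently dropping the message.

```python
import re
from urllib.parse import urlsplit

# Assumption (not from the original article): the contact form is served from
# this host, so a legitimate submission's Referer should name it.
SITE_HOST = "www.example.com"

# Conservative syntax check: one local part, one "@", a dotted domain.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")

# Constructed samples of "common spam content"; a real deployment would tune
# these from the messages the form actually receives.
SPAM_PATTERNS = {
    "leetspeak bait word": re.compile(r"\b(m0rtg[a@]ge|fr33|ip0dz?)\b", re.I),
    "bbcode link markup": re.compile(r"\[url=", re.I),
}
MAX_LINKS = 2  # more URLs than this in one message is a strong signal

def referer_matches_site(headers, site_host=SITE_HOST):
    """True only when the Referer header names our own host.
    The header is chosen by the client, so a matching value proves little and
    privacy settings can strip it from real visitors; treat it as one signal."""
    ref = headers.get("Referer", "")
    if not ref:
        return False
    return urlsplit(ref).hostname == site_host

def validate_submission(headers, fields):
    """Return the list of reasons to reject the posted form; [] means accept."""
    reasons = []
    if not referer_matches_site(headers):
        reasons.append("missing or foreign referer")
    if not EMAIL_RE.match(fields.get("email", "").strip()):
        reasons.append("invalid email address")
    body = " ".join(fields.get(k, "") for k in ("name", "comments"))
    for label, pattern in SPAM_PATTERNS.items():
        if pattern.search(body):
            reasons.append("spam content: " + label)
    if len(re.findall(r"https?://", body, re.I)) > MAX_LINKS:
        reasons.append("too many links")
    return reasons

# Constructed sample submissions: one genuine, one from a form-crawling script.
GENUINE = ({"Referer": "http://www.example.com/contact.html"},
           {"name": "Ann", "email": "ann@example.org",
            "comments": "Are you open on Saturdays?"})
BOGUS = ({},  # automated submitters often send no Referer at all
         {"name": "gr8deals", "email": "not-an-address",
          "comments": "Gr3@t M0rtg@ge Ratez! FR33 IP0Dz at http://a.example "
                      "http://b.example http://c.example"})
```

Calling `validate_submission(*GENUINE)` returns an empty list, while `validate_submission(*BOGUS)` returns every reason, so the handler can log why a message was held rather than discarding it blindly.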
CAPTCHA
Although validation can help, spammers are always coming up with bigger and better ways to deliver you useless information. Enter CAPTCHA, which stands for “completely automated public Turing test to tell computers and humans apart”. You may have seen a form that contained an image with squiggly numbers and letters, and you were asked to enter these characters before submitting the form. This is one example of a CAPTCHA. The technique is very effective in fighting form spam, but it can also make your form inaccessible to the visually impaired.
3rd Party Spam Filters
Just as there are services that filter your inbox, there are similar services that check submitted form content to see if it’s legitimate. For instance, a service called Akismet accepts the values posted from your form and runs them through a complex algorithm. If everything checks out, a “thumbs up” is sent back to the form script and the message can be sent. This method of spam prevention is more accessible than CAPTCHA, but it is also more costly, since the service usually requires a subscription fee.
With the techniques mentioned above you can dramatically reduce the unwanted spam messages that come through your contact form, and your business can once again concentrate on following up on legitimate leads.
Let's get the discussion going. Please comment on this article.
An accessible CAPTCHA solution called reCAPTCHA is a new option. This particular CAPTCHA implementation uses our ability to decipher distorted text to digitize books, as humans can usually read text which OCR programs cannot.
After some experimentation with ‘referer’ validation, limiting links, blacklisting, etc., we settled into blocking blog comment spam with Akismet, Bad Behavior, and ReCAPTCHA.
For the price (free), ReCAPTCHA is probably the best CAPTCHA out there. You get to filter out the bots and Carnegie Mellon gets their books digitized—after you read about the concept, you wonder why no one thought of it before. The client interface is pretty darn smart as well. It addresses the accessibility issue by providing an audio challenge.
For the back end, there are plenty of plugins and libraries to suit almost any environment. It was a dirt-simple plugin install on WordPress (example) and almost as easy to add to a PHP mailform.
Oh, and one other thing. If you want to display your email address on a page, you can wrap it in a reCAPTCHA as well (clicking on the ellipses in an email link brings up the ReCAPTCHA challenge).
We haven’t had any problems yet, but this is very good information to know just in case…
Thanks for the ReCAPTCHA idea, Steve and Jonathan. I tried other forms of audio CAPTCHA, but hosting them seems to tax the server.