Monday, November 28, 2005

The Fine Art of Spamming - Email Form Spam

Even I’m surprised occasionally. Having worked with technology for many years, I’ve seen just about everything – or so I thought. Over the Thanksgiving holiday one of our authors reported spam that he thought came from his domain, which is hosted on our system. Since access to our servers is tightly restricted, I suspected someone was using the Contact page on his site to send spam. Upon investigation I discovered I was correct but also found something new, or at least it was to me.

One of the optional features that an author can activate on a site built with our system is an email form on their Contact page. An email form is one of those fill-in-the-boxes-and-click-to-send forms that you’ve seen on many other sites. We offer this feature in order to hide your address but still allow visitors to contact you by email. Some people don’t like these, but they serve their purpose in hiding email addresses.

What I discovered was that some spammers target email forms – not personally on a type-and-click-to-send basis, but with automated software tools (often called ‘bots’) that roam the net looking for and trying any form they can find. The intent is not so much to spam the person receiving email from the form but rather to exploit any vulnerability that the form may have.

For example, some forms will mail the sender a copy or allow you to enter additional “cc:” or “bcc:” addresses. If your form has these or other vulnerabilities, you become an unwitting ally in spamming other people. Unfortunately, the people receiving the spam will think you sent it and blame you. Not good, because once you get on a ‘sends spam’ list it’s difficult to get off.

Fortunately our development team custom-developed our contact form, and it does not allow sending email to other addresses. However, our author was receiving annoying email when the spam bot was trying to hack his Contact form – and it was trying about once a day with a blast of between 6 and 24 email attempts at a time!
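To show what “does not allow sending email to other addresses” means in practice, here is an added example of a contact-form handler written for this post; it is not the WebforAuthors code and the addresses in it are placeholders. The recipient is fixed on the server and any “to”, “cc” or “bcc” fields a submitter sends are simply ignored, and every header value the submitter does control (name, reply address, subject) is refused if it contains a line break, since a line break inside a header value is how a bot would try to smuggle an extra recipient header into the message.

```python
import re
from email.message import EmailMessage

# Constructed placeholders: the site owner's address is fixed server-side and is
# never read from the submitted form.
SITE_OWNER_ADDRESS = "author@example.com"
FORM_SENDER = "Contact form <noreply@example.com>"

# Header values may not contain CR or LF: a line break inside a value would let
# the submitter start a new header line (for instance an extra Bcc: header).
_LINE_BREAK = re.compile(r"[\r\n]")
# Deliberately simple address check, enough to reject obviously malformed input.
_SIMPLE_ADDRESS = re.compile(r"^[^\s@<>]+@[^\s@<>]+\.[^\s@<>]+$")


class RejectedSubmission(ValueError):
    """Raised when a submission is refused instead of being mailed."""


def _header_value(field_name, value, max_len=200):
    """Validate one submitter-controlled value before it goes into a header."""
    if value is None:
        raise RejectedSubmission(f"missing {field_name}")
    if _LINE_BREAK.search(value):
        raise RejectedSubmission(f"line break in {field_name}")
    value = value.strip()
    if not value or len(value) > max_len:
        raise RejectedSubmission(f"bad length for {field_name}")
    return value


def build_contact_message(form):
    """Turn a submitted form (dict of field -> str) into an EmailMessage.

    The only recipient is the site owner. Keys such as 'to', 'cc' or 'bcc'
    in the form are ignored rather than honoured.
    """
    name = _header_value("name", form.get("name"))
    reply_to = _header_value("email", form.get("email"))
    if not _SIMPLE_ADDRESS.match(reply_to):
        raise RejectedSubmission("invalid reply address")
    subject = _header_value("subject", form.get("subject"), max_len=120)
    body = form.get("message", "")
    if not body.strip():
        raise RejectedSubmission("empty message")

    msg = EmailMessage()
    msg["To"] = SITE_OWNER_ADDRESS          # fixed, never taken from the form
    msg["From"] = FORM_SENDER               # fixed envelope identity
    msg["Reply-To"] = reply_to              # validated above
    msg["Subject"] = f"[Contact] {subject} (from {name})"
    msg.set_content(body)                   # body is content, not a header
    return msg


def recipients_of(msg):
    """Every recipient header the message carries, for checking the result."""
    found = []
    for header in ("To", "Cc", "Bcc"):
        found.extend(a.strip() for a in (msg.get_all(header) or []))
    return found


if __name__ == "__main__":
    # Constructed sample submission: a bot supplying extra recipients in the
    # form and a line break in the subject; both are neutralised.
    sample = {
        "name": "Jane Reader",
        "email": "jane@example.org",
        "subject": "Your book",
        "message": "Loved the last chapter.",
        "cc": "victim@example.net",
    }
    print(recipients_of(build_contact_message(sample)))  # ['author@example.com']
    try:
        build_contact_message(dict(sample, subject="hi\nBcc: victim@example.net"))
    except RejectedSubmission as exc:
        print("refused:", exc)
```

The same check belongs on every value that ends up in a header, including the submitter's name; the message body is passed to set_content, which handles it as content rather than as header text, so line breaks there are harmless.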

So we took a look at different strategies and came up with several ways to thwart the attacks. I won’t go into details here, since this is a matter of security. However, even though we have repelled the attacker, we know they and others will try again. So we are hard at work on a human validation feature. You have probably seen these on other sites, where a graphic with letters and/or numbers is shown that you must enter. Since the graphic is only readable by a human, this prevents automated systems from sending you email through your contact form.

The point I would like to emphasize is that we implement these changes as part of our continued system improvements and feature enhancements. There is no additional charge to our subscribers. We support our authors and when we find problems we work quickly to correct and improve our system.

On a side note, we are nearing the completion of WebforAuthors Release 2 enhancements and I will post a summary when we finish. And we have defined Release 3 and are finalizing the delivery schedule for these new features. 2006 promises to be an exciting year for WebforAuthors and our subscribers!
