Subscribe to
the Possibilities Ezine

Subscription Terms of Service
Privacy Policy

RSS feed links

Blog Article Categories

Automation

CGI

Content Protection

CSS

Debugging

HTML

JavaScript

Perl

PHP

Recommendations

Related Sites

Statistics

Web Development

Web Site Maintenance

Misc

Spamming You Through Your Own Forms

By Will Bontrager

Are you getting spammed through your own web page forms?

If not, expect it.

This is what appears to be happening: Spammers' robots are crawling the web looking for forms. When the robot finds a form:

1. It makes a note of the form field names and types.

2. It makes a note of the form action= URL, converting it into an absolute URL if neded.

3. It then sends the information home where a database is updated.

Dedicated software uses the database information to insert the spammer's spew into your form and automatically submit it to you.

Before I present two workable responses to this invasion, let me mention in case you might be tempted to do it, requiring referral information before the form is processed won't work:

1. People who type your web page into their browser or arrive via a bookmark won't have referral information.

2. The newest browsers have security/privacy/anti-logging settings that block referrer information.

3. Some personal firewall software blocks referral information by default.

Blocking those who don't provide referrer information could result in blocking legitimate folks from using your form.

IP address blocking might work temporarily. But if these folks are as sophisticated (which is not very, actually) as those who scan the 'net for forms vulnerable to hijacking, they frequently change IP addresses. The IP addresses these thieves use are likely also used by legitimate surfers.

A Solution

A solution is to use In-Form™

In addition to neutralizing automatic form submission attempts, it is hijack-proof. We put a lot of attention into staying on top of the latest web page form subversion tactics, and to block those tactics in a way that is transparent to the form user.

However, In-Form™ is for relatively simple forms. At this time, it is unable to process multi-page forms, forms requiring datbase updates, and some other complex forms.

An Effective Response

An effective response, for the present, is to require JavaScript in order to use the form.

I'm quite sure their robots are unable to parse JavaScript at this time. However, this has not been proved by testing. Although we do have bait forms, proving by lack of response could be rather hard to set up.

The following will work unless

• their robots can indeed parse JavaScript or
• your form information is already in their database (additional solution for that situation is below).

Step 1 —

Copy and paste this JavaScript somewhere below your form (below the closing </form> tag yet above the closing </body> tag).

<noscript> <!-- Customize this message as appropriate. --> <h3>JavaScript required to use this form.</h3> </noscript> <script type="text/javascript" language="JavaScript"> <!-- Freely obtained from http://www.willmaster.com/ // Between the quotes, put what follows the // action= attribute of your <form... tag: var url = "/cgi-bin/script.cgi"; // Between the quotes, put what follows the // name= attribute of your <form... tag: var formname = "myform"; // No other customizations required. var s = 'document.' + formname + '.action = "' + url + '";'; setTimeout('eval(s)',500); //--></script>

Replace "/cgi-bin/script.cgi" with the value of your <form... tag's action= attribute.

Replace "myform" with the value of your <form... tag's name= attribute. (If your form doesn't have a name, it must be given one. That can be done by putting the name="myform" attribute into your <form... tag.)

Half a second (500 milliseconds) after the JavaScript is loaded into the browser, the form's action= tag will be updated with the specified URL.

Step 2 —

Now, in the <form... tag, replace the value of the action= attribute with "[TURN JAVASCRIPT ON]"

The <form... tag might look something like:

<form
     name="myform"
     action="[TURN JAVASCRIPT ON]">

If a JavaScript-disabled browser is used to submit the form, the "[TURN JAVASCRIPT ON]" message is embedded in the 404 URL.

See the next section if you have already been getting spam through your form or if you start getting it in the future.

If Your Form Information is Already in Their Databases

The only way I know of to counteract the fact that your form information is already in spammers' databases is to change the file name of the form processing program. This will invalidate their data.

Then, also change the above JavaScript accordingly.

In fact, it may be prudent to consider that your form information is already compromised, even if you haven't yet received spam through your form. You might change the file name of your form processing program at the same time you implement the JavaScript.

And that will take care of that.

To link to this article's permanent URL, use the following code:

<a href="/blog/javascript/spamming-with-forms.html"> Stop them spamming you through your own forms. </a>

The more links to real solutions that you provide for your site visitors, the more you will be seen as the person who knows where the real solutions are.

January 4, 2006

Please note: Articles on this website are presented "as is". However -

If you have a question about a CGI script, HTML, CSS, PHP, or JavaScript
Ask one of our Experts and you'll have your answer!
Click here for details.

© 1998-2001 William and Mari Bontrager
© 2001-2008 Bontrager Connection, LLC