Software, your way.
How To Get Good Custom Software
(Download)
(PDF)
burger menu icon
WillMaster

WillMaster > LibraryManaging Website Forms

FREE! Coding tips, tricks, and treasures.

Possibilities weekly ezine

Get the weekly email website developers read:

 

Your email address

name@example.com
YES! Send Possibilities every week!

How They Spam Your Forms

Oh, no, please save me from another article about spam!

If you'll hang in there a few paragraphs, you'll see this is about how they do it, rather than how to prevent it. Further, this article is specifically focused on form spam, how they spam your contact forms and blog comments and such.

(Links to prevention suggestions are near the end of the article, if you're interested.)

Spamming can be done manually and can be done with software.

There is little manual spam. It takes too long. It requires persistence.

Spamming with software, on the other hand, can proceed automatically while the spammer cheers it up at a local pub.

How Spammers Find Your Forms

A robot meanders around the web, following links, looking for forms. There are a number of ways a robot can identify a form on your web page.

Most likely, it spots a form on a web page by the presence of a <form...> tag. If it is looking for specific form processing software (FormMail, for example), it might also scan the value of the action attribute or look for certain type="hidden" field names.

When it spots a likely form, the robot reports home with its findings.

The information the home database needs depends on how they intend to spam your form.

At a minimum, the home database needs either the URL of the web page containing the form or the URL of the form processing software. The home database may also require the form's field names and types, perhaps also any pre-filled values.

Cookie information can be stored by the home database so it's easier, later on, to pretend to be a real browser at your website.

How They Spam Your Forms

Your form might be spammed by completely bypassing it.

Even if you remove your form from the web page, the spamming may continue unabated. That can happen when the spammers' software knows the URL of your form processing software and can send the form information directly to it. It doesn't need your form anymore.

Depending on its sophistication, spammers' software may insert spammy messages into all form fields, or it may determine what type of information belongs where by the field names or types. An email address might be generated and inserted in name="email" fields, for example, and a spam message inserted into textarea fields.

When the information is ready, the software sends it directly to your form processing software, pretending to be an actual form submission.

The referrer information might be spoofed and real cookie information offered to act like a real browser at your web page. The IP address might be spoofed to bypass any IP blocks you have in place.

All of that can be done without a human ever laying eyes on your website or your form, everything automated with software.

In an effort to combat form spam, some site owners have resorted to generating a unique value every time the form is loaded. An example is the browser's user-agent information. Another example is the current date. If the correct value is not present in the form submission, the form processing software assumes it is spam.

To bypass those checks, some spammers' software now loads the form anew every time to read the current pre-filled field values. Only then does it submit to the form processing software.

To fool spammers' software, some site owners have been using JavaScript to insert form fields.

That will fool some auto-submission software. But not all. I have seen evidence that some such software can indeed parse JavaScript to extract the field information.

Using JavaScript to update the value of a form field seems to still be a workable block, so long as the JavaScript is obfuscated to prevent parsing. I have yet to see evidence that robots compile and run JavaScript (as opposed to just parsing it to extract the values).

But it's only a matter of time. The code to compile and run JavaScript as used in some browsers is freely available. It just takes skill and time to implement.

The use of images or questions that the form user has to recognize or answer has been stopping much automatic submission software. Recently, however, I have come upon information indicating some spammers' software is now finding ways to circumvent even that CAPTCHA.

Thoughts About Why They Spam

I do not presume to know with certainty why they spam. My inclination is to assume they do it for profit.

Spamming costs little beyond the initial investment in software and equipment. Once that investment is made, the cost is about the same to spam 1000 times as it is to spam 1000 gazillion times. (When I mention cost, I refer to the spammers' cost. Related costs saddled on hosting companies and ISPs is generally built into what you pay for website hosting and your Internet connection.)

Therefore, even if there is only one positive response for every batch of a billion spam, it may still be profitable for the spammer.

Form Spam Prevention Articles

One solution is to use Master Form V4. In order to stay on top of things so we can update Master Form V4, should that be needed, we actively monitor spammer software capabilities with special forms containing various vulnerabilities on multiple websites.

Will Bontrager

Was this article helpful to you?
(anonymous form)

Support This Website

Some of our support is from people like you who see the value of all that's offered for FREE at this website.

"Yes, let me contribute."

Amount (USD):

Tap to Choose
Contribution
Method

All information in WillMaster Library articles is presented AS-IS.

We only suggest and recommend what we believe is of value. As remuneration for the time and research involved to provide quality links, we generally use affiliate links when we can. Whenever we link to something not our own, you should assume they are affiliate links or that we benefit in some way.

More "Managing Website Forms" Articles

Strong Form Protection From Bots

Multi-Select Scrolling List Box

Verifying Two Form Fields Have Identical Content

Other Recent Articles from the Library

Keeping Image Location Secret

Easier Reading of JSON Data

Fixed Position Image

Visually Centering Images

Cookie Directory Protection

How Can We Help You? balloons
How Can We Help You?
bullet Custom Programming
bullet Ready-Made Software
bullet Technical Support
bullet Possibilities Newsletter
bullet Website "How-To" Info
bullet Useful Information List

© 1998-2001 William and Mari Bontrager
© 2001-2011 Bontrager Connection, LLC
© 2011-2024 Will Bontrager Software LLC