Spamming You Through Your Own Forms
Are you getting spammed through your own web page forms?
If not, expect it.
This is what appears to be happening: Spammers' robots are crawling the web looking for forms. When the robot finds a form:
- It makes a note of the form field names and types.
- It makes a note of the form action= URL, converting it into an absolute URL if needed.
- It then sends the information home where a database is updated.
Dedicated software uses the database information to insert the spammer's spew into your form and automatically submit it to you.
Before I present two workable responses to this invasion, let me mention, in case you are tempted to try it, that requiring referrer information before the form is processed won't work:
- People who type your web page into their browser or arrive via a bookmark won't have referrer information.
- The newest browsers have security/privacy/anti-logging settings that block referrer information.
- Some personal firewall software blocks referrer information by default.
Blocking those who don't provide referrer information could result in blocking legitimate folks from using your form.
IP address blocking might work temporarily. But if these folks are as sophisticated as those who scan the 'net for forms vulnerable to hijacking (which is not very sophisticated, actually), they change IP addresses frequently. The IP addresses these thieves use are likely shared with legitimate surfers as well.
An Effective Response
An effective response, for the present, is to require JavaScript in order to use the form.
The following will work unless
- their robots can indeed parse JavaScript or
- your form information is already in their database (an additional solution for that situation is below).
Step 1
Copy and paste this JavaScript somewhere below your form (below the closing </form> tag yet above the closing </body> tag).
<noscript>
<!-- Customize this message as appropriate. -->
<h3>JavaScript required to use this form.</h3>
</noscript>
<script type="text/javascript" language="JavaScript">
<!-- Freely obtained from https://www.willmaster.com/
// Between the quotes, put what follows the
// action= attribute of your <form... tag:
var url = "/cgi-bin/script.cgi";
// Between the quotes, put what follows the
// id= attribute of your <form... tag:
var formid = "myform";
// No other customizations required.
// Half a second after this script runs, point the form at the real handler.
setTimeout(function () {
    document.getElementById(formid).action = url;
}, 500);
//--></script>
Replace "/cgi-bin/script.cgi" with the value of your <form... tag's action= attribute.
Replace "myform" with the value of your <form... tag's id= attribute. (If your form doesn't have an id, it must be given one. That can be done by putting the id="myform" attribute into your <form... tag.)
Half a second (500 milliseconds) after the JavaScript is loaded into the browser, the form's action= attribute will be updated with the specified URL.
Step 2
Now, in the <form... tag, replace the value of the action= attribute with "[TURN JAVASCRIPT ON]".
The <form... tag might look something like:
<form
id="myform"
action="[TURN JAVASCRIPT ON]">
If a JavaScript-disabled browser is used to submit the form, the browser requests a URL containing "[TURN JAVASCRIPT ON]" and receives a 404, so the message is visible in the URL of the failed request.
See the next section if you have already been getting spam through your form or if you start getting it in the future.
If Your Form Information is Already in Their Databases
The only way I know of to counteract the fact that your form information is already in spammers' databases is to change the file name of the form processing program. This will invalidate their data.
Then update the url value in the JavaScript above to match the new file name.
In fact, it may be prudent to consider that your form information is already compromised, even if you haven't yet received spam through your form. You might change the file name of your form processing program at the same time you implement the JavaScript.
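Once both steps are in place, your web server log tells you how well they are working: submissions still aimed at the old processing program name come from the spammers' harvested database, requests for the "[TURN JAVASCRIPT ON]" placeholder are submissions made without JavaScript, and only posts to the renamed program have passed the JavaScript requirement. The following is an added example, not code from this article or from willmaster.com, that sorts Apache-style log lines into those three buckets; the log lines, the renamed handler path /cgi-bin/contact-7f3a.cgi and the IP addresses are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample log lines (Apache combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /contact.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:59 +0000] "POST /cgi-bin/contact-7f3a.cgi HTTP/1.1" 200 512 "https://example.com/contact.html" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:14:02:11 +0000] "POST /cgi-bin/script.cgi HTTP/1.1" 404 196 "-" "Python-urllib/3.9"
198.51.100.9 - - [10/Oct/2023:14:02:12 +0000] "POST /cgi-bin/script.cgi HTTP/1.1" 404 196 "-" "Python-urllib/3.9"
192.0.2.77 - - [10/Oct/2023:14:10:03 +0000] "POST /%5BTURN%20JAVASCRIPT%20ON%5D HTTP/1.1" 404 196 "https://example.com/contact.html" "Mozilla/5.0"
"""

OLD_HANDLER = "/cgi-bin/script.cgi"        # retired name from the article's example
NEW_HANDLER = "/cgi-bin/contact-7f3a.cgi"  # hypothetical renamed processing program
PLACEHOLDER = "[TURN JAVASCRIPT ON]"       # the article's no-JavaScript action value

# Request line is "METHOD PATH HTTP/x.y"; the path may contain spaces if a
# client sends the placeholder unencoded, so match it non-greedily.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>.+?) HTTP/[\d.]+" (?P<status>\d{3})'
)

def classify(line):
    """Return the bucket a log line falls into, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    if m.group("method") != "POST":
        return "other"
    path = unquote(m.group("path"))
    if path == OLD_HANDLER:
        return "stale_database"   # posting to the retired name: harvested form data
    # The browser resolves the placeholder relative to the page's directory,
    # so compare only the last path segment.
    if path.rsplit("/", 1)[-1] == PLACEHOLDER:
        return "no_javascript"    # form submitted before the action was rewritten
    if path == NEW_HANDLER:
        return "via_javascript"   # passed the JavaScript requirement
    return "other"

def summarize(log_text):
    """Count lines per bucket and tally stale-database posts per source IP."""
    counts, stale_by_ip = Counter(), Counter()
    for line in log_text.splitlines():
        kind = classify(line)
        if kind is None:
            continue
        counts[kind] += 1
        if kind == "stale_database":
            stale_by_ip[LINE_RE.match(line).group("ip")] += 1
    return counts, dict(stale_by_ip)
```

A steady stream in the stale_database bucket after the rename confirms the harvested entry is still being used, while the no_javascript bucket tells you how many visitors hit the placeholder and may need the <noscript> message.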
And that will take care of that.
Will Bontrager