Don't let the bad guys spam your web forms!
Getting to grips with form spam
Everyone is familiar with regular email spam: The bad guys get hold of your email address and the next thing you know your inbox is filling up with all kinds of junk. Web-form-buddy can help prevent that as it allows you to keep your email address completely excluded from your web pages (unlike many other form scripts where your email address has to be present in a hidden field in the source HTML and where hackers can easily harvest it!).
But web form spam is a slightly different problem. The bad guys might start to take an interest in your web forms for several reasons.
- Because they are probing for vulnerabilities. They hope to hijack your mail server and use it to relay their spam. They hope to be able to do this by exploiting poorly written "home-made" web form scripts (usually PHP scripts). For more on this see our page on spam injection.
- They think they can get links to their spam sites published on your web pages
- They're just bad guys out to cause trouble
"Bad guys out to cause trouble" - actually it's not very likely that your web form will attract that kind of attention. In the early days of the computer virus it was usually some sad geek on an ego trip trying to cause damage, but now it's criminal gangs and serious racketeers that are involved. So too with form spam: the bad guys have taken over from the geeks because they have a serious purpose in mind - to make lots of lovely wads of cash!
Of course, just like regular spam, most form spam is stupid - and you're going to think "who on earth falls for this stuff"? In particular you're going to wonder "just how do these idiots think that by completing my web forms with lots of junk they are ever going to benefit from it or get me to do anything that might help them in any way?". But there is a twisted, commercial logic behind modern-day form spam which runs like this:
- Modern search engines such as Google rely heavily on inbound links to rank web pages in their index
- Many web sites allow their visitors to publish content on their web pages through completion of a web form. The two most common cases are:
  - Comments posted on blogs
  - "Guest book" pages
- So spammers create "bots" (automated web crawlers) to seek out and find pages with forms in the hope that they are of the type mentioned above.
- When they find such a page the "bot" fills out the form and submits it, and typically the content will contain lots of links to spammy web sites.
For the most part, of course, this project seems hopeless. There aren't many bloggers who will allow un-moderated comments to get posted on their site, surely? And those that do are bound to set up some anti-spam filter (such as Akismet)! The same must surely be true of guest books? But of course spammers are not stupid. Far from it. They use highly automated systems with a scatter-gun approach. If they get a result in just one in one hundred thousand attempts, they can be on to a winner. The cost to them is negligible - but of course the aggravation you suffer can be extreme!
And this is the problem - these form spammers will waste your time with their junk form submissions. They don't care very much to distinguish between forms that can post comments on a blog or on a guest book from other kinds of form, such as simple contact forms. Why should they bother?
Weapon 1: Test their patience with powerful form field validation
It's truly amazing how many forms are out there on the web with zero - absolute zilch - field validation! You hit the submit button - the form gets sent! Simple as that. That's meat and drink to these bad guy web bots of course.
With Web-form-buddy it's very easy to add lots of useful field validation to your form. There's no coding to do in the web page or in a script. You just pick out the fields in your form from your control panel, and you're done!
The beauty of field validation is that it does not hinder your genuine, "human" users. In fact it only helps them by prompting them if they have missed something on the form or made a typo. For example if you're asking for a telephone number and your user enters an invalid character, Web-form-buddy can pick up on that. The same goes for all kinds of fields such as email addresses, names, post codes and so on.
But this kind of thing drives all but the most clever "bots" nuts! It's very difficult for a web bot to figure out from the HTML source of your web page what kind of data a field must have to allow a form to be submitted. So this is one great way to eliminate significant amounts of form spam - and help your users to boot!
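As an added illustration (not Web-form-buddy's own code, which is configured from the control panel), here is what server-side field validation for a contact form can look like, including the line-break check that blocks the mail-header "spam injection" mentioned earlier. The field names, the loose format patterns and the link limit are assumptions chosen for the example.

```python
import re

# Per-field rules for a hypothetical contact form (names and patterns are assumptions).
RULES = {
    "name":     re.compile(r"[A-Za-z][A-Za-z .'\-]{0,59}"),
    "email":    re.compile(r"[^@\s]+@[^@\s]+\.[A-Za-z]{2,}"),
    "phone":    re.compile(r"\+?[0-9][0-9 ()\-]{5,19}"),
    "postcode": re.compile(r"[A-Za-z0-9][A-Za-z0-9 \-]{2,9}"),
}
HEADER_FIELDS = {"name", "email"}   # values that end up in mail headers
MAX_LINKS = 2                        # assumed limit for a plain contact form
LINK = re.compile(r"https?://|\[url", re.IGNORECASE)


def validate(form):
    """Return {field: problem}; an empty dict means the submission may be sent."""
    errors = {}
    for field, rule in RULES.items():
        value = form.get(field, "")
        # Check the raw value first: a CR or LF here would let a sender
        # append extra headers (Bcc:, Subject:) to the outgoing mail.
        if field in HEADER_FIELDS and re.search(r"[\r\n]", value):
            errors[field] = "line break not allowed"
        elif not rule.fullmatch(value.strip()):
            errors[field] = "missing or invalid"
    message = form.get("message", "")
    if not message.strip():
        errors["message"] = "missing or invalid"
    elif len(LINK.findall(message)) > MAX_LINKS:
        errors["message"] = "too many links"
    return errors


# Constructed sample submissions.
HUMAN = {"name": "Ann O'Neil", "email": "ann@example.org",
         "phone": "+44 20 7946 0000", "postcode": "SW1A 1AA",
         "message": "Please call me about an order."}
BOT = {"name": "x", "email": "a@example.org\r\nBcc: list@example.net",
       "phone": "call now!!!", "postcode": "",
       "message": "http://a.example http://b.example http://c.example"}

if __name__ == "__main__":
    print(validate(HUMAN))
    print(validate(BOT))
```

The checks run on the server, so a bot that posts straight to the form handler without loading the page is still subject to them.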
Some "bots" though are darn clever. So even this may not be enough. And that means it's time to get serious!
Weapon 2: the data confirmation screen
Just like our first weapon, Web-form-buddy's data confirmation screen feature is worth having in itself - but as an additional bonus it fends off even the cleverest of automated submission robots.
What happens with this option is that Web-form-buddy displays a web page after the form has been completed which allows the sender to review and check their data entry. That's a nice feature and your human users will thank you for it. But if your bad guy's little web bot is over-heating already through having to figure out the field validation maze - this final step will blow its fuse and scramble its brain!
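One way a server can make sure the final send only happens after the review page was actually shown, as an added example rather than a description of how Web-form-buddy implements it: the review page carries a signed token bound to the submitted data, and the confirm step rejects anything without a fresh, matching token. The function names, the key placeholder and the 15-minute window are assumptions.

```python
import hashlib
import hmac
import json
import time

SECRET = b"replace-with-a-random-server-side-key"   # placeholder, never sent to the browser
MAX_AGE = 900   # seconds allowed between review page and confirmation (assumed)


def _sign(payload: bytes) -> str:
    return hmac.new(SECRET, payload, hashlib.sha256).hexdigest()


def issue_review_token(form, now=None):
    """Step 1: called when the review page is rendered; goes in a hidden field."""
    issued = int(time.time() if now is None else now)
    payload = json.dumps({"t": issued, "form": form}, sort_keys=True).encode()
    return f"{issued}.{_sign(payload)}"


def confirm(form, token, now=None):
    """Step 2: accept only data that was shown on a review page recently."""
    now = int(time.time() if now is None else now)
    try:
        issued_text, mac = token.split(".", 1)
        issued = int(issued_text)
    except (AttributeError, ValueError):
        return False                       # missing or malformed token
    if not 0 <= now - issued <= MAX_AGE:
        return False                       # stale (or future-dated) token
    # Recompute over the data being confirmed: any change after review fails.
    payload = json.dumps({"t": issued, "form": form}, sort_keys=True).encode()
    return hmac.compare_digest(mac.encode(), _sign(payload).encode())
```

A token stays valid for the same data until it expires, so making it single-use would need a server-side record of tokens already confirmed.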
But just in case that little spam "bot" is not yet down and out - you've still got an ace up your sleeve with Web-form-buddy....
Weapon 3: Nuke 'em with the big one - CAPTCHA
A CAPTCHA is a simple test that is easy for a human but well nigh impossible for a computer or "bot". You are bound to have run into these in your travels on the Internet (Google uses them when you sign up to their services for example). Typically you are presented with a few odd looking numbers and characters that you enter in a box before your form submission can be completed. The idea is that this is something only a human can do, but is impossible for an automated web crawler.
With Web-form-buddy you have a choice of not just one, but three different types of CAPTCHA test:
Unlike our first two weapons, it's true that CAPTCHA does not help your user. On the contrary it gives them an extra job to do. Having said that, the technique is so common now that most web users accept it. And arguably, although obliged to complete an extra step in the course of the form submission, your web user or customer will come away impressed with the professionalism of your web site!
