Safe Contact Forms

Posted by admin

Back in the 90's everybody thought it was cool to use a simple mailto: link, with the fancy-schmancy subject pre-populating trick, to open the visitor's email client to send a message to you.

Then unscrupulous netizens decided to put bots out scanning the internet the way search engine bots do, grabbing any email address they can find and sending it back to their database for later spamming.

Once that happened people started using forms for visitors to send messages to you. With that came a market for programmers to build generic form processors for people to use to send this email. The other way to get a form to work was the urban legend of the form action accepting mailto: links... which only worked maybe half the time.

These form processors typically held variables, such as recipients, email type, and such things, in hidden fields of the form. The stupid thing about this is that the email addresses are then still in the page code, so the email address is still being indexed by spambots.

That is what led me to create FormM@iler, just the simple task of really hiding the email address from bots and creating a safe and secure form processor for web hosts and web site developers.

By simply using a form processor you open your web site visitors up to your server's mail functions, which opens up your server to possible exploit. This is something that is not to be taken lightly.

When creating a contact form there are a few things to consider.

  • First, keep the recipient's email address in the processing script, not in hidden fields on the form.
  • Be sure to check any information that goes into the email headers (such as the to and from email addresses and the subject text) for line breaks. A line break in one of these fields typically reveals an exploit attempt: the user is trying to insert bogus headers to exploit your form for spamming. If they can inject CC or BCC headers they could send untold numbers of spams on your account.
  • Use as little scripting as possible to get the job done; the less logic, the fewer ways for some jerk to hack ya. Some people like to program things unnecessarily complex just for the sake of doing it. Don't be that person.
  • If you use a third party script, check its update history, how often patches are released, and what kind of history of exploits it has. Whichever one you choose to use, get on a mailing list to be notified of updates and keep it updated.
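Here is what the first two rules look like in code, as an added example (this is not FormM@iler's code, which the post doesn't show): a small Python form processor that keeps the recipient in the script, rejects any header field containing a line break, and builds the message without sending it. The helper names, the placeholder recipient address and the sample submissions at the bottom are all constructed for the example.

```python
"""Added example: a minimal contact-form processor that follows the rules above.
Not FormM@iler's code; helper names and sample submissions are constructed here."""
import re
from email.message import EmailMessage

# Rule 1: the recipient lives in the script, never in a hidden form field.
RECIPIENT = "webmaster@example.com"  # placeholder address for the example

# Rule 2: anything that could end a header line (CR, LF) or a NUL byte
# means the value must never reach a mail header.
_HEADER_BREAK = re.compile(r"[\r\n\x00]")

# Plain-address check for the visitor's "from" field: one local part, one @,
# a dotted domain, no whitespace. Deliberately simple, per rule 3.
_ADDR = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


class HeaderInjection(ValueError):
    """Raised when a form value looks like a header-injection attempt."""


def clean_header_value(name, value, max_len=200):
    """Return the value if it is safe to put in a mail header, else raise."""
    if not isinstance(value, str):
        raise HeaderInjection(f"{name}: not a string")
    if _HEADER_BREAK.search(value):
        raise HeaderInjection(f"{name}: line break in header value")
    if len(value) > max_len:
        raise HeaderInjection(f"{name}: too long")
    return value.strip()


def build_message(form):
    """Turn a submitted form dict into an EmailMessage addressed to RECIPIENT.

    Only the from address and the subject are placed in headers, and both go
    through clean_header_value first. The body is free text and is set as
    message content, so it never touches the header block.
    """
    sender = clean_header_value("from", form.get("from", ""))
    if not _ADDR.match(sender):
        raise HeaderInjection("from: not a plain email address")
    subject = clean_header_value("subject", form.get("subject", ""))

    msg = EmailMessage()
    msg["To"] = RECIPIENT
    msg["From"] = sender
    msg["Subject"] = subject
    msg.set_content(str(form.get("body", "")))
    return msg


def process(form):
    """Return ('ok', message) or ('rejected', reason). Sending is left to the caller."""
    try:
        return "ok", build_message(form)
    except HeaderInjection as exc:
        return "rejected", str(exc)


if __name__ == "__main__":
    # Constructed sample submissions: one honest, two with injected headers.
    samples = [
        {"from": "alice@example.com", "subject": "hello", "body": "hi there"},
        {"from": "alice@example.com\r\nBcc: victim@example.com", "subject": "x"},
        {"from": "alice@example.com", "subject": "hi\nCc: victim@example.com"},
    ]
    for sample in samples:
        status, result = process(sample)
        print(status, "-", result if status == "rejected" else result["Subject"])
```

Note that the rejection happens before any mail library sees the value; the script just refuses the submission and logs the reason, which is also a handy signal that someone is probing your form.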

Follow these simple rules and you should be able to keep your email addresses safe from spying eyes and spammers wanting to use your resources to send their crap.