Got a contact form on your website? It could be turning you into an unwitting spammer.

Those forms work using a form-to-email script (a script is a program), usually in Perl or PHP. They are also often called "form processors." Often one of the first scripts webmasters learn to install, they can be pesky for a novice to configure. A number of things can make them behave oddly, so forms are a big source of helpdesk questions.

Spammers can hijack your form through a number of vulnerabilities, using your email server to send out thousands of spam messages per minute that all look like they came from you. They *did* come from you, which can result in your web hosting account being shut down without warning.

Bad forms allow all of the fields to be filled with fake info, so the real spammer may be invisible. Even if you are not "really" the spammer, you are still the owner of a spam generator.

Don't wait to fix this, thinking the spammers will miss your little site. FormMail exploits are the #3 source of attacks on websites.
Matt's FormMail from ScriptArchive.com is one of the most popular scripts on the Internet. Versions of it are in use on major websites and web servers, and in hosting management packages. In fact, it's so popular that people use "FormMail" to refer to all form-to-mail scripts, the way they call all paper tissues "Kleenex."

But the tech news is just stuffed with security alerts. Last year, "secure" FormMail version 1.92 and an alternate called FormMail-clone were widely installed, making hosts and webmasters feel safe. But not for long.

Professional spammers quickly found new exploits. NO version of Matt's FormMail is now secure (and neither is CGIemail, another popular form script). Many of the form-to-email scripts on HotScripts and other script collections are insecure.

What can you do?

Whether you are replacing an insecure form script or installing one for the first time, make sure you do some research. There's a list of "more secure" scripts below, but always look for the most recent version, since those spammers are a clever bunch.
Here are a few things you can do with any form-to-email script to make it more secure:

If you want a form, but your host does not allow you to install scripts (or if you don't feel you have the skills to deal with this stuff), try running a Google search for "remotely hosted formmail" to find services that will host a form that does not live on your site.
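The hijacking described above, and the hardening any form-to-email script needs, as an added example that is not code from the article or from any of the scripts it names: a small form processor written in Python (the article's scripts are Perl and PHP; the shape is the same) that keeps the recipient on the server, refuses line breaks in fields that end up in mail headers, and checks the reply address. The addresses, field names and size limit are assumptions.

```python
import re
from email.message import EmailMessage

# Server-side settings (assumed for this example, not from the article).
SITE_RECIPIENT = "webmaster@example.com"  # fixed here, never taken from the form
SITE_SENDER = "forms@example.com"         # mail goes out as the site, not the visitor
ALLOWED_FIELDS = {"name", "email", "subject", "message"}
MAX_FIELD_LEN = 1000
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def validate_submission(form):
    """Return the reasons to reject a posted form (empty list means accept):
    the form may not choose the recipient, fields that land in mail headers
    may not contain line breaks, and the reply address must be one address."""
    problems = []
    for key in form:
        if key not in ALLOWED_FIELDS:
            problems.append(f"unexpected field: {key}")
    for key in ("name", "email", "subject"):
        value = form.get(key, "")
        if "\r" in value or "\n" in value:
            problems.append(f"line break in header field: {key}")
        if len(value) > MAX_FIELD_LEN:
            problems.append(f"field too long: {key}")
    if not EMAIL_RE.fullmatch(form.get("email", "")):
        problems.append("reply address is not a single valid address")
    if not form.get("message", "").strip():
        problems.append("empty message")
    return problems

def build_message(form):
    """Build the outgoing mail, or raise ValueError if the form is rejected."""
    problems = validate_submission(form)
    if problems:
        raise ValueError("; ".join(problems))
    msg = EmailMessage()
    msg["To"] = SITE_RECIPIENT              # the server decides who gets mailed
    msg["From"] = SITE_SENDER
    msg["Reply-To"] = form["email"]         # the visitor's address goes here only
    msg["Subject"] = "[contact form] " + form["subject"]
    msg.set_content(f"From: {form['name']} <{form['email']}>\n\n{form['message']}")
    return msg

# Constructed samples: a normal submission, and one that adds a field the form
# never had and puts a line break inside the reply address.
GOOD_FORM = {"name": "Jane Doe", "email": "jane@example.org",
             "subject": "Hosting question", "message": "Do you support PHP?"}
BAD_FORM = {"name": "x", "email": "a@example.org\nextra header line",
            "subject": "hi", "message": "text", "recipient": "c@example.net"}
```

Calling `build_message(BAD_FORM)` raises ValueError listing every problem, so the script can show them on the error page instead of silently mailing.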
Is this your site visitor?

"I hate forms. They never have the right boxes. They often fail. The usual thing is you get an error message so you hit the back button and then you find all your inquiry has been wiped out and you have to start again, often repeating this cycle several times before giving up. Unlike an email, you have no automatic record of what you've written. If you really must ignore this and use a form, include an email as well. Never never never build a business website without a straightforward email address."
--frustrated user Jonathan Webb
More Form Fun

Phorm PHP Form Handler - Hitch your form to a database
Style Web Forms with CSS - CSS makes forms prettier
Building Web Forms in Flash - Movie + script = data movement
Forms, usability, and the W3C DOM - Improving usability of complex forms
About.com Forms Tutorials - Useful info made annoying with ads
Having trouble getting your form script to work? Check the Gryphyn Media FAQ and find help with installing scripts.
Tip: Never use the ugly default "thank you" page. Redirect the user to a custom thank you page with a real message and some choices of places to go from there... like your FAQ, search page, or discussion forum.