Solving a Form Security Issue

Jeffery Kirk
Uncategorized, Website Tips

You may or may not realize that we develop websites and host them for our clients.  What I’m about to tell you comes from that expertise.

Over the past few months we’ve noticed a security issue that has become a major concern.  If you have your own website, you should be aware that SPAM Bots and Form Bots have been developed that are intended to compromise your site.

What am I talking about?  What are SPAM Bots and Form Bots?  What do they do?

Well, let me define what these bots are.  SPAM Bots and Form Bots are automated computer programs that exploit website vulnerabilities. 

Spambots have been around the longest.  They search for text email addresses within your site.  They are attempting to harvest the data and add those addresses to their catalogs so they can send you more junk! 

Formbots look for forms within your site, often found on Contact Us, Request-a-Quote, or Blog Posting pages of your website.  They typically use automated means to fill in your forms and submit them so that you get junk messages.

Once a spambot has your email address you are likely to get a deluge of spam email sent to every address listed within your website.  Over the past few years spam filters have gotten better at blocking this type of junk.  Formbots on the other hand are starting to become a greater nuisance.

Since formbots are filling out the forms on your website, and the data that comes from those forms is likely to be delivered directly to you without being filtered, the perpetrators have found a way to create a flood of messages that can clog your inbox.  The spam is actually being generated on your own site!

In November 2008 a major SPAM network was shut down.  Yet from January 2009 through June 2009, SPAM volumes have risen over 60%.  Yikes, the junk just continues to grow!  Interestingly, over 75% of SPAM originates from only five major Bot Networks.

So, let’s say you’ve already got your email spam filtering in place (if you don’t, we can help with that too), now what?  How can you stop spam coming from your website?  The answer is actually rather simple.  Make sure every form includes a CAPTCHA code!

A what???  CAPTCHA stands for Completely Automated Public Turing test to tell Computers and Humans Apart. Installing CAPTCHA on your website will:

  • Perform and grade a test that only humans can pass, not automated Form Bots
  • Verify that a submitted form is from a human or disallow submission
  • Remove vulnerabilities to manipulation by automated software
  • Reduce the number of “false-leads” generated by your website
  • Keep your company’s inquiry inbox from being flooded by fake submissions

[Image: sample CAPTCHA code in form]

Take a look to the right.  I’ve posted an example of a CAPTCHA code inserted into a form: 

The goal of this is to ensure that only humans can successfully submit forms.  A formbot can try.  It can fill out the rest of the form.  But when it gets to the code, it will fill this field with junk too.  The junk won’t match the code, so the programming can prevent the form delivery.  Nice!
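The check described above, sketched as server-side Python. This is an added example, not Comstar's code; `CaptchaStore`, `handle_contact_form` and the form field names `captcha_id` and `captcha_code` are assumptions. The expected code stays on the server and each challenge is accepted only once, so a bot cannot read the answer out of the page or resubmit a form that was already solved.

```python
import hmac
import secrets
import time

# All names here are assumed for illustration; none come from the original page.
CODE_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # skips look-alikes such as O/0 and I/1
CODE_TTL_SECONDS = 300


class CaptchaStore:
    """Keeps the expected code on the server, keyed by a random challenge id."""

    def __init__(self):
        self._pending = {}  # challenge_id -> (expected_code, expiry_timestamp)

    def issue(self, now=None):
        """Create a challenge: the code is drawn into an image, the id goes in a hidden field."""
        now = time.time() if now is None else now
        challenge_id = secrets.token_urlsafe(16)
        code = "".join(secrets.choice(CODE_ALPHABET) for _ in range(6))
        self._pending[challenge_id] = (code, now + CODE_TTL_SECONDS)
        return challenge_id, code

    def verify(self, challenge_id, typed_code, now=None):
        """True only for a known, unexpired challenge whose code matches; each id works once."""
        now = time.time() if now is None else now
        entry = self._pending.pop(challenge_id, None)  # pop: no replay, no second guess
        if entry is None:
            return False
        expected, expires_at = entry
        if now > expires_at:
            return False
        typed = (typed_code or "").strip().upper()
        return hmac.compare_digest(typed.encode(), expected.encode())


def handle_contact_form(store, form, deliver):
    """Deliver the message only if the CAPTCHA check passes; otherwise drop it."""
    if not store.verify(form.get("captcha_id", ""), form.get("captcha_code", "")):
        return "rejected"
    deliver(form.get("message", ""))
    return "delivered"
```

A rejected submission should cause the page to issue a fresh challenge, since the old id is discarded on the first attempt whether or not the guess was right.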

At Comstar we recommend that you install CAPTCHA code on all of your online forms.  If you can do it, great.  If you need help, let us know.  Even if we did not create your site we might be able to help fix it.  If we originally developed your site we can retrofit it with CAPTCHA for a low cost.

Click here for Comstar’s contact information.