Spam Evolved I


Spam from websites used to be the province of harvested email addresses, but spammers are always evolving and the humble “contact us” form that used to protect against spam is now a gateway for it.

Background:
Whenever you put an email address on a web page, it is visible to your prospects and customers. Having a contact email address is important and provides the easiest way for people to get in touch with you. It’s a de facto standard of communication on the web. However, along came the search engines, automatically indexing websites. And then along came their bastard cousins, the spam bots, which specifically searched for email addresses on a web page, and very soon you were on their hit list and receiving volumes of unwanted email.

People then started hiding their email addresses and putting a contact form on the website. This meant that people had to fill in their information in a form and hit SUBMIT. A script on the server then packaged the message up and sent it to your email address which was hidden from the spam bots. And so your spam volumes went down.

For those who wanted to keep an email address on the website, a number of other “cloaking” techniques have evolved to hide the email address from spam bots while still letting people use it just as a normal “click here to email us” link would work. We use a familiar JavaScript technique ourselves where possible.

However, the spammers did not sit idly by, waiting for the accidental discovery of an email address (they also pick a domain name and add random names on the front of it and then send emails out – it’s the equivalent of telemarketing companies dialing a random phone number to see if it connects, and then adding 1 to dial the next number, and so on; many misses but a few hits that might make the sale). Spammers began using the same technique as programmers to auto-complete online forms through their own scripts. So, they couple the spam bot’s search (now looking for web forms) with another script that analyses the form to learn what the fields are called, and then plug the results into their spamming script, which auto-completes the form with their spam and auto-submits it to you.

So now the humble contact form (and, for that matter, potentially any form on your website) is a potential gateway waiting for spammers to find and abuse it. And it’s only a matter of time.

How to deal with this problem:
There are five main ways to deal with this problem – it’s like a game of cat and mouse:

  1. Rename your script
  2. Introduce a barrier at the source
  3. Use a server-based spam checker
  4. Use a spam checker on your PC/Mac
  5. Remove the form

Rename your script:
This is the “quick fix” and easiest thing to do. Just rename your contact form source file (making sure you update your links to it) and the spam tide should cease – this is because the auto-submission spam program is looking for the old name and won’t find it. However, it’s just a matter of time before the spam bots that are looking for new web forms find your new page and it starts all over again.

Barriers at the source:
There are a number of scripts out there that you can plug in to any web form (such as Bad Behaviour, written in PHP) which allow you to block auto-submission spam bots at the source. These programs work by identifying patterns of behaviour in how the form is submitted and are very effective at blocking auto-submission tools. You might get the odd submission slip through the net but the volume of spam will almost cease. (Ed’s note: The Bad Behaviour page has a lot of whitespace at the top at the moment for some reason – just scroll down until you reach the content). These tools were written initially to protect programs such as WordPress and phpBB against spam submissions, as forums and blogs are heavily targeted.
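To make the idea of a “barrier at the source” concrete, here is an added example (not Bad Behaviour’s own code, and not from the original article) that scores a single form submission on how it was submitted rather than on what it says. The header names, the hidden “honeypot” field, the timing threshold and the site URL are all assumptions chosen for illustration; the honeypot works precisely because the auto-completion scripts described above fill in every field they find.

```python
"""Simplified 'barrier at the source' check for a contact form.

Illustrative example only; the signals below are a constructed subset
of the kind of behavioural checks an anti-automation plug-in performs.
"""
import time

# Constructed thresholds and names (assumptions, not from any project).
FORM_LOAD_MIN_SECONDS = 3        # humans need a few seconds to type
HONEYPOT_FIELD = "website_url"   # hidden via CSS; humans leave it empty
REQUIRED_HEADERS = ("User-Agent", "Accept")
SITE_PREFIX = "https://example.com/"   # placeholder for your own site


def check_submission(headers, fields, loaded_at, now=None):
    """Return the list of automation signals found in one submission.

    headers   -- dict of HTTP request headers (assumed already
                 normalised to the canonical capitalised form)
    fields    -- dict of POSTed form fields
    loaded_at -- epoch seconds at which the form page was served,
                 e.g. stored in the session or in a signed hidden field
    An empty list means nothing looked automated.
    """
    now = time.time() if now is None else now
    reasons = []
    # Scripts that replay a harvested form often send a bare request.
    for h in REQUIRED_HEADERS:
        if h not in headers:
            reasons.append(f"missing header {h}")
    # Auto-completion fills every field it discovers, including ours.
    if fields.get(HONEYPOT_FIELD):
        reasons.append("honeypot field filled")
    # A bot posts immediately; a person has to read and type first.
    if now - loaded_at < FORM_LOAD_MIN_SECONDS:
        reasons.append("submitted too fast after page load")
    # Bots that never fetched the page carry no Referer from our site.
    if not headers.get("Referer", "").startswith(SITE_PREFIX):
        reasons.append("referer not from this site")
    return reasons


def should_block(reasons, threshold=2):
    """Block only when several signals agree. A single signal (e.g. a
    Referer stripped by a privacy setting) would otherwise reject real
    visitors, which is the 'odd one slipping through' trade-off."""
    return len(reasons) >= threshold
```

Feed it the request headers, the POST data and the page-load timestamp from your form handler; submissions that `should_block` flags can be quarantined instead of forwarded to your inbox.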

Server-based spam checking:
Your ISP or hosting company might offer a spam checker as part of their package, or as an add-on. This then filters all email on the mail server before you even see it, and anything suspected of being spam can be quarantined or automatically deleted. You might need to check their “spam box” on the server occasionally just in case a real email that you want gets caught, but this is usually a good option for most people.

Use a spam checker on your PC/Mac:
Most of the latest email programs (Outlook 2003, Entourage, etc) are now building in spam/junk filters by default. These are very effective at blocking and deleting all the crap that comes through – although you still have to put up with the download of all that junk to your machine. For those people without the latest email programs, there are numerous options available, ranging from dedicated spam blockers through to suites of tools such as McAfee and Norton. Just do a search on the web for a range of options.

Remove the contact form:
Not always an option depending on how you want to manage communication from your website, but you could switch back to just having an email address on the web page (suitably cloaked from spammers of course). Sometimes the simplest way can be the most effective – technology isn’t always the solution!

But I still keep getting spam!!
Inevitably, your email address will end up on a spammer’s list and spam will come. It’s a fact of life on the Internet (over 60% of corporate emails are believed to be spam and this number is set to rise in 2006). The precautions listed above help stem the tide and reduce the number of ways through which you will receive spam – and personally I’d recommend a hybrid approach using a mixture of the methods – but you should at the very least use a spam checker on your local machine or figure out how the “filters/rules” system works in your email program. You can then quickly set up your own personal patterns which your email program picks up and auto-deletes – here is a quick primer article on rules for Outlook. This might be a cheaper alternative to buying a package, but you need to keep it up-to-date yourself.

Supplemental piece on “Barriers at the source”.
