Mail form and spamming
Don't let spammers take control of your mail forms!
Spammers can use your contact form to send spam to recipients other than the one you specified, and they have bots crawling the web looking for exactly this kind of contact and email form.
Following these two simple steps will prevent your website's contact form from turning into a spam machine.
Step 1
The oldest and most obvious mistake is putting the recipient address in a "to" parameter in your HTML form:
<form>
<input type="hidden" name="to" value="myAddress@example.com" >
<input type="text" name="message" />
<input type="submit">
</form>
This is a big no-no: the hidden value is under the sender's control, so anyone can edit it and have your server mail whomever they like. Decide on the server side who the email may be sent to.
Example of server-side validation of the email recipient:
<form>
<input type="hidden" name="to" value="scott" >
<input type="text" name="message" />
<input type="submit">
</form>
Note that there is no email address in the form, only an alias that means nothing outside your server.
// Parameter names are case-sensitive: the form field is called "to".
String to = request.getParameter("to");
// Compare the constant against the parameter so a missing parameter (null) cannot throw.
if ("scott".equals(to)) {
    to = "scott@example.com";
} else {
    // Unknown alias: do some error handling, and do not send anything.
}
On the server side you check that the to parameter is one of the aliases you allow; if it is not, reject the request instead of sending any mail.
Step 2
This next step is the tricky one.
You must "clean" every input field that is sent from the form. This includes optional fields like telephone, fax, message, subject and from: yes, every input field that you use.
The reason is that any field you copy into a mail header is, by definition, a single line. A line break ("\n" or "\r") inside such a value ends that header early, and whatever follows can be read by the mail software as additional headers, which is exactly how a contact form gets turned into a relay to addresses you never specified. So remove or reject "\n", "\r" and "\t" in every header field, and remove sequences such as "==" and "rfc822" (both turn up in MIME-encoded mail) from the users' input as well; this greatly reduces a spammer's chances of succeeding. A field that is supposed to be an email address, such as from, should additionally be checked to look like one.
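Both steps, put together as one server-side check. This is an added example, not code from the original page: it assumes a small Java 9+ program with no servlet container, the constructed alias table and sample submissions below, and a hypothetical buildMessage helper that assembles the outgoing headers and body as text so the effect of each check is visible. It follows the page's advice of resolving the recipient from an alias and refusing header fields that are not a single clean line; the message body is allowed to keep its line breaks.

```java
import java.util.Map;
import java.util.Optional;
import java.util.regex.Pattern;

public class ContactFormGuard {

    // Step 1: server-side table of allowed recipient aliases. The browser only
    // ever sees the alias ("scott"); the real address never appears in the HTML.
    // Constructed sample data for this example.
    private static final Map<String, String> RECIPIENTS = Map.of(
        "scott", "scott@example.com",
        "sales", "sales@example.com"
    );

    // Step 2: an email header value must be a single line. CR, LF, TAB and the
    // remaining ASCII control characters are never legitimate in a subject or
    // a From address, so their presence means the value is refused outright.
    private static final Pattern CONTROL_CHARS =
        Pattern.compile("[\\r\\n\\t\\x00-\\x1F\\x7F]");

    // Deliberately simple address shape: local part, one @, a dotted domain,
    // no whitespace. Good enough to stop header text posing as an address.
    private static final Pattern SIMPLE_ADDRESS =
        Pattern.compile("^[^\\s@]+@[^\\s@]+\\.[^\\s@]+$");

    /** Maps the submitted alias to a real address; unknown or missing aliases resolve to empty. */
    public static Optional<String> resolveRecipient(String alias) {
        if (alias == null) {
            return Optional.empty();
        }
        return Optional.ofNullable(RECIPIENTS.get(alias));
    }

    /** True only if the value exists, is short enough, and contains no control characters. */
    public static boolean isCleanHeaderValue(String value, int maxLength) {
        return value != null
            && value.length() <= maxLength
            && !CONTROL_CHARS.matcher(value).find();
    }

    /** The sender goes into a header too: strict single-line check plus an address shape check. */
    public static boolean isAcceptableFrom(String from) {
        return isCleanHeaderValue(from, 254) && SIMPLE_ADDRESS.matcher(from).matches();
    }

    /** The body may contain CR/LF (paragraphs are fine there) but no other control characters. */
    public static String cleanBody(String body) {
        if (body == null) {
            return "";
        }
        return body.replaceAll("[\\x00-\\x08\\x0B\\x0C\\x0E-\\x1F\\x7F]", "");
    }

    /**
     * Validates one submission. Returns the outgoing message as header/body text,
     * or empty if any check fails. Nothing is ever partially "repaired" in a header:
     * a bad header field rejects the whole submission.
     */
    public static Optional<String> buildMessage(String toAlias, String from, String subject, String body) {
        Optional<String> to = resolveRecipient(toAlias);
        if (!to.isPresent() || !isAcceptableFrom(from) || !isCleanHeaderValue(subject, 200)) {
            return Optional.empty();
        }
        String message = "To: " + to.get() + "\r\n"
                       + "From: " + from + "\r\n"
                       + "Subject: " + subject + "\r\n"
                       + "\r\n"
                       + cleanBody(body);
        return Optional.of(message);
    }

    public static void main(String[] args) {
        // Constructed sample submissions, not real traffic.
        // 1. A normal submission: alias resolves, headers are single lines, body keeps its newline.
        System.out.println(buildMessage("scott", "alice@example.org",
            "Question about pricing", "Hi,\r\nhow much?").orElse("REJECTED"));
        // 2. The form tries to name a recipient directly: not an alias, so refused.
        System.out.println(buildMessage("someone@example.net", "alice@example.org",
            "hello", "x").orElse("REJECTED"));
        // 3. A subject with a line break would start a new header line, so it is refused.
        System.out.println(buildMessage("scott", "alice@example.org",
            "hello\r\nX-Extra: injected", "x").orElse("REJECTED"));
    }
}
```

The choice to reject rather than strip in the header checks is deliberate: stripping "\r\n" from a value and sending the rest silently hides the attempt, while rejecting the submission gives you something to log and rate-limit. Stripping is acceptable for the body, where a line break is ordinary text.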