Defeating Formmail Spam

7th October 2007

Having taken care of the website for PSIGE for some time now, we have begun to notice a rise in the spam generated through the site's formmail system. Although we've taken every precaution to ensure that the script is correctly set up to filter out submissions from other servers, and that the site form denies comments containing forbidden words (e.g. viagra and casino), we have not been able to prevent direct calls to the CGI script from forms that purport to be from the PSIGE site but in fact aren't.

After a long and thorough search of the internet we drew a blank on finding patches for the formmail script that would screen out the forbidden words before sending. Not being specialists in Perl, the language the script is written in, we have taken the bull by the horns and written an entirely new form-handling script in PHP which does everything we need it to. It allows us to use aliases instead of real email addresses on the form itself; it validates the form content, checking for a valid email address and filtering out forbidden words; it prevents "injection" attacks from malicious code submitted through the form fields; and, in short, it works like a dream.
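The checks described above, written out as a minimal PHP handler. This is an added example and not the PSIGE script itself; the alias names, recipient addresses, field names and forbidden-word list are assumptions chosen for illustration.

```php
<?php
// Added example (not the PSIGE script): a small mail-form handler applying
// the checks described in the post. Aliases, addresses and the word list
// are assumptions for illustration.

// Recipient aliases: the HTML form submits "recipient=webmaster", never a
// real address, so the script cannot be used to mail arbitrary targets.
$recipients = ['webmaster'  => 'webmaster@example.com',
               'membership' => 'membership@example.com'];
$forbidden  = ['viagra', 'casino'];

// Strip CR/LF so a field cannot smuggle extra headers (Cc:, Bcc:) into mail().
function clean_header($value) {
    return trim(str_replace(["\r", "\n"], '', (string)$value));
}

// Returns an error message, or null if the submission passes every check.
function validate($post, $recipients, $forbidden) {
    if (!isset($post['recipient'], $recipients[$post['recipient']])) {
        return 'Unknown recipient alias';
    }
    if (filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL) === false) {
        return 'Invalid sender address';
    }
    $text = strtolower(($post['subject'] ?? '') . ' ' . ($post['message'] ?? ''));
    foreach ($forbidden as $word) {
        if (strpos($text, $word) !== false) {
            return 'Message contains a forbidden word';
        }
    }
    return null;
}

// Same-site check: the form must be posted from our own host, not a copy
// hosted elsewhere. The Referer header can be forged, so this is one layer only.
if (!isset($_SERVER['HTTP_REFERER']) ||
    parse_url($_SERVER['HTTP_REFERER'], PHP_URL_HOST) !== $_SERVER['HTTP_HOST']) {
    http_response_code(403); exit('Forbidden');
}

$error = validate($_POST, $recipients, $forbidden);
if ($error !== null) {
    http_response_code(400); exit(htmlspecialchars($error));
}

$to      = $recipients[$_POST['recipient']];
$subject = clean_header($_POST['subject'] ?? 'Website enquiry');
$headers = 'From: ' . clean_header($_POST['email']) . "\r\n";
mail($to, $subject, $_POST['message'], $headers);
echo 'Thank you, your message has been sent.';
```

The alias lookup and the CR/LF stripping together close the two holes the post is concerned with: the script never mails an address it was not configured with, and no form field can append headers to the outgoing message.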

Once we've tidied it up into a library script we will then roll it out through all the sites that we manage where a contact form is used. We hope that this will finally give us the upper hand over the automated spam generators that have started to become the bane of our sites.
