Most websites have at least one webform, whether a newsletter sign-up form or a contact-us form.
One of the most common reasons for IPs and domains to become listed on a blocklist is websites with insufficient form security and design decisions that allow the site to be used to send spam-by-proxy.
This should be avoided, as it can negatively affect your IP and domain reputation.
How Do Webforms Get Abused?
Spammers have written automated bots that look for web forms such as newsletter, contact-us or sign-up forms on websites.
They then use these forms to send spam by adding a small spam payload into one of the form’s input fields, hoping that it will be included in any email the form sends.
Instead of filling out their own email address, they’ll fill out the email address of their target.
Suppose you have a newsletter or mailing list. In that case, it is absolutely critical that you ask all sign-ups to confirm that they wish to activate their subscription by clicking on a link within the first message that you send them. Do not send them anything further unless they have done this. This process is also called double opt-in.
Here are some real-world examples we’ve seen in our spam traps:
In this case, the attacker has used an “account name” or “full name” field to enter their spam payload.
The email address was their target’s email address, in this case, one of our traps.
The spammers would then resubmit the form multiple times with different email addresses to send their spam via this website.
By doing so, they negatively affect the IP and domain reputation of the owner of the website.
In this case, the webform was used to send 14,000 messages per hour to our detection network alone.
This went on for several days before it was corrected, which means that at least 750,000 spam emails were sent because of the flaws in this form.
Best Practices on How To Secure Your Webform
- Protect sign-up forms and any form that generates email responses (such as contact-us or newsletter subscriptions) from automated submission by using some form of CAPTCHA.
- Ensure that all sign-ups are validated by an email that requires the user to click a link (i.e. prove that they entered a correct and valid email address and that they have access to that mailbox).
- Validation emails like the above should also have a link that allows a recipient to report abuse (e.g. I never signed up for this, this was sent in error, don’t send me anything further, etc.).
- Form inputs should be checked for URLs or domain names in fields that should never contain them, e.g. first/last/full name. If found, the form submission should be rejected as likely abuse.
- Form inputs should always have a limit on the amount of text that can be entered and submitted.
- Form submissions from a single IP address should be rate-limited, e.g. a single IP should not be able to submit a sign-up form many times in a short period.
- The volume of emails generated from form submissions should be closely monitored as large spikes above normal will indicate abuse.
- NEVER generate emails containing submitted fields to the email address that was supplied in the form (this was common on old contact-us forms and is completely open to abuse).
- If you generate emails from forms, add additional headers (e.g. X-PHP-Script) to the message that identify the path of the form and the IP address that submitted it. This helps you find sources of abuse and helps recipients of any abuse filter it.
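The abuse pattern described above (a URL payload in a name field, the victim’s address in the email field, repeated submissions from one IP) and the best practices listed here can be put together in a single sign-up handler. The following is an added example written for this article, not code from the original page or any particular product. It assumes a single-process web application (in production the rate-limit state and the opt-in secret would live in shared storage or configuration); the secret, sender address, confirmation URLs, the `/newsletter/signup.php` script path and the sample submissions are all constructed placeholders. The `X-PHP-Script` header is the one the article names; `X-Originating-IP` is an existing, widely used header for the submitting IP.

```python
"""Hardening a newsletter sign-up handler against spam-by-proxy (example code)."""
import hashlib
import hmac
import re
import time
from collections import defaultdict, deque
from email.message import EmailMessage
from urllib.parse import urlencode

# Placeholder secret for signing opt-in tokens (assumption: loaded from config in practice).
OPT_IN_SECRET = b"replace-me-with-a-real-secret"

# Fields that should never contain a URL or domain name, and per-field length limits.
NAME_FIELDS = ("first_name", "last_name", "full_name")
MAX_LENGTHS = {"first_name": 64, "last_name": 64, "full_name": 128, "email": 254}

# Matches http(s):// URLs, "www." prefixes and bare domain names such as example.com.
URL_OR_DOMAIN = re.compile(
    r"(https?://|www\.|\b[a-z0-9-]+(\.[a-z0-9-]+)*\.[a-z]{2,}\b)", re.IGNORECASE
)
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def validate_submission(fields: dict) -> list:
    """Return the list of rejection reasons; an empty list means the input is acceptable."""
    reasons = []
    for name, limit in MAX_LENGTHS.items():
        if len(fields.get(name, "")) > limit:
            reasons.append(f"{name} exceeds {limit} characters")
    for name in NAME_FIELDS:
        if URL_OR_DOMAIN.search(fields.get(name, "")):
            reasons.append(f"{name} contains a URL or domain name")
    if not EMAIL_RE.match(fields.get("email", "")):
        reasons.append("email is not a valid address")
    return reasons


class IpRateLimiter:
    """Sliding-window limiter: at most `limit` submissions per `window` seconds per IP."""

    def __init__(self, limit: int = 5, window: int = 3600):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)  # ip -> timestamps of recent submissions

    def allow(self, ip: str, now: float = None) -> bool:
        now = time.time() if now is None else now
        recent = self.hits[ip]
        while recent and recent[0] <= now - self.window:  # drop hits outside the window
            recent.popleft()
        if len(recent) >= self.limit:
            return False
        recent.append(now)  # rejected-for-validation attempts still count against the IP
        return True


def make_opt_in_token(email: str, issued_at: int) -> str:
    """HMAC-signed token binding the confirmation link to the address and issue time."""
    mac = hmac.new(OPT_IN_SECRET, f"{email}|{issued_at}".encode(), hashlib.sha256).hexdigest()
    return f"{issued_at}.{mac}"


def verify_opt_in_token(email: str, token: str, now: int, max_age: int = 86400) -> bool:
    """Accept only an untampered token for this address that is not expired or from the future."""
    try:
        issued_str, mac = token.split(".", 1)
        issued_at = int(issued_str)
    except ValueError:
        return False
    if issued_at > now or now - issued_at > max_age:
        return False
    expected = hmac.new(OPT_IN_SECRET, f"{email}|{issued_at}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)


def build_confirmation(fields: dict, client_ip: str, token: str,
                       script_path: str = "/newsletter/signup.php") -> EmailMessage:
    """Double opt-in mail: fixed wording, no echoed free-text fields, tracing headers."""
    query = urlencode({"email": fields["email"], "token": token})
    msg = EmailMessage()
    msg["From"] = "newsletter@example.invalid"  # constructed sender
    msg["To"] = fields["email"]
    msg["Subject"] = "Please confirm your subscription"
    msg["X-PHP-Script"] = script_path        # which form generated the mail
    msg["X-Originating-IP"] = client_ip      # who submitted it
    msg.set_content(
        "Someone asked to subscribe this address to our newsletter.\n"
        f"Confirm: https://www.example.invalid/confirm?{query}\n"
        f"Not you? Report it: https://www.example.invalid/report?{query}\n"
        "If you do nothing, you will receive no further email from us."
    )
    return msg


def handle_signup(fields: dict, client_ip: str, limiter: IpRateLimiter, now: float = None):
    """Return ('rejected', reasons) or ('confirmation_sent', EmailMessage)."""
    now = time.time() if now is None else now
    if not limiter.allow(client_ip, now):
        return "rejected", ["rate limit exceeded for IP"]
    reasons = validate_submission(fields)
    if reasons:
        return "rejected", reasons
    token = make_opt_in_token(fields["email"], int(now))
    return "confirmation_sent", build_confirmation(fields, client_ip, token)


if __name__ == "__main__":
    limiter = IpRateLimiter(limit=3, window=60)
    # Constructed submissions: one legitimate, one mirroring the payload-in-name abuse pattern.
    legit = {"full_name": "Alice Example", "email": "alice@example.invalid"}
    abuse = {"full_name": "Buy now http://spam.example/deal", "email": "victim@trap.invalid"}
    print(handle_signup(legit, "203.0.113.10", limiter)[0])   # confirmation_sent
    print(handle_signup(abuse, "203.0.113.99", limiter))       # rejected, URL in name field
```

The confirmation message deliberately contains only fixed text plus a signed link, so even a submission that slips past validation cannot turn the mail into a spam carrier, and the report link gives a recipient who never signed up a one-click way to say so.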
Having abusable web forms will not only affect your IP reputation and your hosting provider’s reputation (who will likely disable your account to protect other customers). It will also affect your domain reputation and your general reputation as a whole, affecting the perception of your business and your ability to do business.
Junk sign-ups to your website will poison your user database and fill your mailbox with spam to the point that you might miss an important message or customer sign-up.
Bulk automated form submissions could also affect the webserver’s performance which will have a negative effect on the performance of your website as a whole. Therefore, we recommend following the best practices above to secure your webforms from abusive behavior.
If you want to learn more or have something to add, please feel free to reach out through our contact us form.