How to Guarantee Your Site is Blacklisted for Email
My boss and I were reviewing one of our clients’ sites today. They’re going to be moving to our email integration soon - which is a good thing. I’m guessing their websites are probably already blacklisted… here’s why…
They have a contact form on their website. It’s nice enough, a bunch of fields to send all your personal info to them to sign up for their email initiative. A closer look, though, and it’s really simply a tool they’ve put out for spammers to take advantage of.
<FORM name="form1" action="http://theirsite.com/emailformhandling.asp" method="post">
<INPUT type=hidden value="contact" name="what" />
<INPUT type=hidden value="http://myspamalink.com" name="sitename" />
<INPUT type=hidden value="7" name="site" />
<INPUT type=hidden value="7" name="client_code" />
<INPUT type=hidden value="contact" name="formname" />
<INPUT type=hidden value="anyone@someone.com" name="sendto" />
<INPUT type=hidden value="http://www.somepage.com" name="nextpage" />
Notice the hidden fields where you can input an email address! As a test, I pulled the form, put my email address on it, and put a link in the other hidden field. I clicked submit and a minute later, I had a SPAM email in my inbox!
This is how spammers can continue to send email without worrying about getting blocked. All they need to do is find a form like this on your website and they can script a process that pushes millions of emails through overnight. Who gets blocked? Not the spammer… the company does!
This specific form is on the website of a billion-dollar business, not a small business. And there are thousands of these types of insecure forms everywhere on the net. The irony here is that they did it on an ASP page, a server-side page that could easily have looked up the email addresses on the server and appended them there instead of taking them from the form.
In case you’re wondering, of course we’ve told them!
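The server-side lookup described above, as an added example (not the client's ASP code and not from the original post): a Python sketch of a handler that trusts the hidden sendto field, beside one that resolves the recipient from client_code on the server and applies the same rule to nextpage. The mailbox, the allowlisted host, the function names and the assumption that sitename ends up in a header line are all constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumed server-side settings; addresses and hosts are constructed placeholders.
RECIPIENTS = {"7": "contact@theirsite.example"}   # client_code -> mailbox
ALLOWED_REDIRECT_HOSTS = {"theirsite.example"}
DEFAULT_NEXT = "/thanks"

# Constructed POST body mirroring the hidden fields quoted in the post.
SAMPLE_POST = {"what": "contact", "sitename": "http://myspamalink.com",
               "site": "7", "client_code": "7", "formname": "contact",
               "sendto": "anyone@someone.com",
               "nextpage": "http://www.somepage.com"}


def vulnerable_handler(form):
    """The behaviour the post describes: the browser chooses the recipient."""
    return {"to": form["sendto"], "subject": form.get("sitename", ""),
            "redirect": form.get("nextpage", DEFAULT_NEXT)}


def safe_redirect(target):
    """Keep local paths and allowlisted hosts; anything else gets the default."""
    parts = urlsplit(target)
    if not parts.scheme and not parts.netloc:
        ok = target.startswith("/") and "\\" not in target
    else:
        ok = (parts.scheme in ("http", "https")
              and parts.hostname in ALLOWED_REDIRECT_HOSTS)
    return target if ok else DEFAULT_NEXT


def hardened_handler(form):
    """Recipient comes from a server-side lookup; posted 'sendto' is ignored."""
    code = form.get("client_code", "")
    if code not in RECIPIENTS:
        raise ValueError("unknown client_code")
    subject = form.get("sitename", "")
    # Assumption: sitename lands in a header line, so CR/LF must not pass.
    if "\r" in subject or "\n" in subject:
        raise ValueError("line break in single-line field")
    return {"to": RECIPIENTS[code], "subject": subject,
            "redirect": safe_redirect(form.get("nextpage", DEFAULT_NEXT))}


if __name__ == "__main__":
    print("vulnerable:", vulnerable_handler(SAMPLE_POST))
    print("hardened:  ", hardened_handler(SAMPLE_POST))
```

With the hardened handler the form can only ever mail the mailbox configured for that client, so editing the hidden fields no longer turns the site into a relay.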

Personally, I’m skeptical of anyone who doesn’t have an email address listed on their blog and only a contact form, but it seems that is the only 100% way to do it. I also like image email addresses that people can see but have to type in. Maybe embedded Flash would be another route. Are you a contact form only guy?
“skeptical of anyone who doesn’t have an email address listed”… ouch! If I had my email address out on my blog, even with a JavaScript obfuscator, I would get tens of thousands of spam a day.
Don’t be skeptical - we’re only trying to protect ourselves. The purpose of the contact form IS so that folks can still get in touch with us without leaving us open for spambots.
Doug
But email addresses hidden in JavaScript, images and Flash aren’t safe either. See http://www.cryptologie.com/SpamFull.pdf for a study a few years back. “Some of them resolve ASCII protection and even basic javascript or flash code.”
The best protection is still to stop publishing email addresses, and use a web form instead.
I have yet to see spam show up at my wife’s email that I do JavaScript obfuscation at http://www.rachelsteely.com, but that site’s only been up a month. I would never tell a friend to put their email address out in the wild if they didn’t know what they were doing. I would probably have given up long ago, too, if I didn’t have Google as my anti-spam software.
I found your blog post very interesting, but I don’t understand exactly how this works.
If you fill in this form, how do the spam bots get your email address?
If the site has hidden fields with your email address all the time, then it’s obvious how the spam bots get them.
But when you’re filling it out, don’t you just hit submit, and then the hidden fields go away, right? Does the spam bot have a program set on that page that captures what you type in or what the site puts in the hidden fields while you’re using it?
I don’t understand. Can you please explain this more?
And what can be done? How do you implement a form that spam bots can’t do this to? Is it just a matter of not using hidden fields for email addresses or is it more than that?
Thanks
As a visitor, you’re not in any danger. The issue is for the people who put up this form. A spammer is able to ‘hijack’ the form and send spam out using it. It’s a terrible practice that the company has deployed on their website.
Doug
Thanks