This is a response I sent on the WebDesign-L mailing list in repsonse to a question about email form security. I reposting it here since, you know, “The Busy”.
Referrer checking is the wrong to go about this. Referrer’s can be
trivially faked and will only protect you from the most amateurish of
spammers. Also, referrer’s aren’t reliably sent with all browser
requests. You won’t be protecting yourself and you will be
frustrating legitimate users.
Some things to do with any form that sends email
- Don’t send commands directly to the MTA (aka. sendmail). You
aren’t that smart (neither am I). Your scripting/programming
language of choice should have a layer built on top of this. For
example, the mail() function in PHP
VALIDATE any user input that’s going to be sent in in a header
or used as a “To”. Remove all carriage returns (\r), newlines (\n)
and commas or a spammer can set their own headers (think
Bcc: [lots of addresses here]) or add additional addresses (the comma)
LIMIT how much input a user can set. A spammer is only going to
use your form if they can find a way to insert their message into
it. Ideally, all a user should enter is their name and address, with
the URL being sent along as a hidden field. This URL should then be
validated on the back end, ideally against a list of “allowed” URLs.
If that’s not feasible then some kind of string comparison looking for a
single URL with the proper domain. A regular expression like this is a
If you must allow the sender to include a little message along with
the URL, at minimum strip it of all HTML and domain names.
everything to a database and/or learn how to read your server log
Have an alert automatically sent to you if there’s any kind of
suspicious activity. (more than one message a day sent to the same
address, more than one response a day from the same IP, a large spike
in responses, etc.). These actions may be legitimate, or may be the
work or a spammer. Check your logged information and take appropriate
action if need be.
Consider a challenge/response CAPTCHA
Keep in mind this is a significant accessibility barrier. CAPTCHAs
will also significantly reduce the number of responses you get, even
from people without special access requirements.