Some Email Form Script Guidelines


This is a response I sent on the WebDesign-L mailing list in response to a question about email form security. I'm reposting it here since, you know, “The Busy”.

Referrer checking is the wrong way to go about this. Referrers can be
trivially faked and will only protect you from the most amateurish of
spammers. Also, referrers aren’t reliably sent with all browser
requests. You won’t be protecting yourself and you will be
frustrating legitimate users.

Some things to do with any form that sends email:

  1. Don’t send commands directly to the MTA (a.k.a. sendmail). You
    aren’t that smart (neither am I). Your scripting/programming
    language of choice should have a layer built on top of this. For
    example, the mail() function in PHP.

  2. VALIDATE any user input that’s going to be sent in a header
    or used as a “To”. Remove all carriage returns (\r), newlines (\n)
    and commas, or a spammer can set their own headers (think
    Bcc: [lots of addresses here]) or add additional addresses (the comma).

  3. LIMIT how much input a user can set. A spammer is only going to
    use your form if they can find a way to insert their message into
    it. Ideally, all a user should enter is their name and address, with
    the URL being sent along as a hidden field. This URL should then be
    validated on the back end, ideally against a list of “allowed” URLs.
    If that’s not feasible, then do some kind of string comparison looking
    for a single URL with the proper domain. A regular expression like this
    is a good start:

    /^[ ^:]+/i

    If you must allow the sender to include a little message along with
    the URL, at minimum strip it of all HTML and domain names.

  4. MONITOR the responses. If your privacy policy allows for it, log
    everything to a database and/or learn how to read your server log.

    Have an alert automatically sent to you if there’s any kind of
    suspicious activity (more than one message a day sent to the same
    address, more than one response a day from the same IP, a large spike
    in responses, etc.). These actions may be legitimate, or may be the
    work of a spammer. Check your logged information and take appropriate
    action if need be.

  5. Consider a challenge/response CAPTCHA

    Keep in mind this is a significant accessibility barrier. CAPTCHAs
    will also significantly reduce the number of responses you get, even
    from people without special access requirements.
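Guidelines 2 and 3 above, as an added worked example (this is not code from the original post, whose only reference implementation is PHP’s mail()). Written in Python, it refuses any header-bound field containing CR, LF or a comma, accepts the hidden URL only when its host is on an allow-list, and strips HTML tags and domain-shaped text from an optional note. The allowed hosts, field names, length limits and the regular expressions are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed policy: the hidden URL field may only point at these hosts.
ALLOWED_HOSTS = {"example.com", "www.example.com"}

# CR/LF end a header line (letting a value append its own "Bcc:" line), and a
# comma adds another recipient inside a To/Cc header.
_HEADER_BREAKERS = re.compile(r"[\r\n,]")
_ONE_ADDRESS = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+$")
_HTML_TAG = re.compile(r"<[^>]*>")
_DOMAIN_LIKE = re.compile(r"\b(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)


class RejectedInput(ValueError):
    """Raised when a field must not be placed in an outgoing mail."""


def header_value(value, max_len=80):
    """Guideline 2: refuse (rather than silently repair) header-breaking input,
    so an injection attempt fails loudly and can be logged."""
    if _HEADER_BREAKERS.search(value):
        raise RejectedInput("field contains CR, LF or comma")
    value = value.strip()
    if not value or len(value) > max_len:
        raise RejectedInput("field empty or over %d characters" % max_len)
    return value


def recipient(value):
    """A 'To' field must be exactly one plain address."""
    value = header_value(value)
    if not _ONE_ADDRESS.match(value):
        raise RejectedInput("not a single plain email address")
    return value


def allowed_url(value):
    """Guideline 3: accept the hidden URL only if its host is on the allow-list."""
    value = header_value(value, max_len=2048)
    parts = urlsplit(value)
    if parts.scheme not in ("http", "https"):
        raise RejectedInput("scheme must be http or https")
    # 'user@host' in the netloc is a classic way to disguise the real host,
    # so reject it outright instead of trusting what hostname parses out.
    if "@" in parts.netloc or parts.hostname not in ALLOWED_HOSTS:
        raise RejectedInput("host not on the allow-list")
    return value


def clean_message(text, max_len=200):
    """Optional note: drop HTML tags and anything shaped like a domain or link."""
    text = _HTML_TAG.sub("", text)
    text = _DOMAIN_LIKE.sub("[removed]", text)
    return " ".join(text.split())[:max_len]


def validate_submission(form):
    """Validate a whole submission; returns (clean_fields, None) or (None, reason)."""
    try:
        clean = {
            "name": header_value(form.get("name", "")),
            "to": recipient(form.get("to", "")),
            "url": allowed_url(form.get("url", "")),
            "message": clean_message(form.get("message", "")),
        }
    except RejectedInput as err:
        return None, str(err)
    return clean, None


if __name__ == "__main__":
    # Constructed submissions: one clean, one carrying a header injection.
    print(validate_submission({"name": "Alice", "to": "bob@example.org",
                               "url": "https://www.example.com/page",
                               "message": "<b>Look</b> at evil.example.net/x please"}))
    print(validate_submission({"name": "Alice\r\nBcc: x@y.example",
                               "to": "bob@example.org",
                               "url": "https://www.example.com/"}))
```

Rejecting instead of stripping is a deliberate choice: a stripped submission still gets mailed, whereas a rejected one gives you a log entry to feed the monitoring described in guideline 4.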
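Guideline 4, as an added example rather than anything from the original post: a small Python monitor that reads form-handler log lines and flags the three conditions the text names (more than one message a day to the same address, more than one response a day from the same IP, and a spike in daily volume). The log format, the sample lines and the thresholds are constructed assumptions; a real deployment would tune the limits to its own traffic.

```python
from collections import Counter, defaultdict

# Constructed sample of what a form handler might log:
# timestamp, client IP and the address the form mailed to.
SAMPLE_LOG = """\
2005-06-28T09:12:03 ip=203.0.113.5 to=ann@example.org
2005-06-28T09:12:41 ip=203.0.113.5 to=bob@example.org
2005-06-28T09:13:07 ip=203.0.113.5 to=carol@example.org
2005-06-28T14:02:55 ip=198.51.100.7 to=dave@example.org
2005-06-29T08:30:00 ip=198.51.100.7 to=dave@example.org
2005-06-29T08:31:12 ip=192.0.2.9 to=erin@example.org
"""


def parse_log(text):
    """Turn 'TIMESTAMP key=value ...' lines into dicts with a 'day' field."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, rest = line.split(" ", 1)
        fields = dict(item.split("=", 1) for item in rest.split())
        fields["day"] = stamp[:10]  # ISO date part; the guideline's window is one day
        events.append(fields)
    return events


def find_alerts(events, per_day_limit=1, daily_total_limit=3):
    """Flag the conditions the guideline lists, per calendar day.

    per_day_limit: how many messages one address or one IP may account for
    in a day before it is reported. daily_total_limit: a day with more
    submissions than this counts as a spike. Both are example thresholds.
    Returns sorted (day, kind, subject, count) tuples.
    """
    by_day = defaultdict(list)
    for ev in events:
        by_day[ev["day"]].append(ev)
    alerts = []
    for day, evs in by_day.items():
        for kind, key in (("repeat-to", "to"), ("repeat-ip", "ip")):
            for subject, count in Counter(ev[key] for ev in evs).items():
                if count > per_day_limit:
                    alerts.append((day, kind, subject, count))
        if len(evs) > daily_total_limit:
            alerts.append((day, "spike", "*", len(evs)))
    return sorted(alerts)


if __name__ == "__main__":
    # Each alert is a candidate for the "send me a notice" step; a human still
    # decides whether it was a spammer or legitimate bursty use.
    for alert in find_alerts(parse_log(SAMPLE_LOG)):
        print("ALERT %s %s %s x%d" % alert)
```

Note that dave@example.org appears on two different days and is not reported: the guideline is phrased per day, so the window here is the calendar date. Widening it is a matter of changing what goes into the `day` field.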

Copyright © Alan Storm 1975 – 2023 All Rights Reserved

Originally Posted: 28th June 2005