The different forms on your site serve specific purposes. They let visitors get in contact with support services easily. Their submissions can be many things: a request, a demand, a comment, an appreciation and so on. Most commonly, forms give customers a fast and simple way to send feedback, place orders, vote, take a test or create a subscription. On the most successful web stores, information submitted by clients via web forms is delivered directly to the company email. However, many forums and conferences devoted to CMS support discuss the problem of spam attacks that abuse the site's forms for other purposes.
To be frank, forms are a section of the site that is very exposed to spam. A simple scenario illustrates this. On your Magento store, visitors can add products to a wishlist for editing and sharing. You add specific items to the list and are given some fields to complete. In these fields you enter sharing information, such as an email address and a message, and then submit the form. Typically, a spammer uses a script that takes the victims' emails from its database and puts them into the email-address field, while the message field is filled with spam text. In a very short time, all the victims receive spam letters.
We are often confronted with this problem and are constantly seeking a permanent solution to avoid spam attacks. In this article, we look at why spam exists, its detrimental effects, and the steps that can be taken to fight it.
Who makes it and why?
The truth is simply that spam is cheap and easy to create, easy to send in bulk, and has a high chance of being delivered to the target. The most unpleasant part is that it targets your potential or existing clients. We always have to protect our clients from it. Unfortunately, spamming will continue as long as someone benefits from it, and there will always be a business willing to accept the drop in reputation caused by spam emails because such advertising is so cheap. The spammer's goal is to reduce cost, and the forms found on sites are perfect for this.
It reaches your client using resources you have already provided: your domain, your IP, your letter layout. The only thing the spammer needs is a simple script, and they are ready to attack your store. The reason spammers work through other people's stores is that it is so cheap.
If you value your customers, you will not disturb them with spam emails. Because of this you have a good reputation, and your letters reach their recipients instead of being dropped into the spam folder. Also, as a company you probably use one of the Simple Mail Transfer Protocol (SMTP) services, which gives your emails excellent deliverability. Deliverability is the crucial reason for using someone else's form: the attacker gets these resources for free, including the reputation of your site and IP with the MBP (Mail Box Provider). Spam sent from your domain, using your IP, with valid SPF, DKIM and even a strict DMARC policy passes all of these checks, so in this scenario those records are far from helpful to you.
How does it affect your business?
The truth is that nothing is gained from spam sent through your site's forms. After such an attack you receive only damage and nothing more. This includes the working hours of your employees, site administrator and email marketer, who have no choice but to cope with the consequences of the problem.
Spam attacks originating from your store lead to a poor reputation, and your clients lose their trust. Your potential clients are affected too, because they get a wrong impression and are scared away from the site. All of this leads to a reduction in profits. Take note that the bigger the business, the greater the effects of a spam attack.
How does the script work?
In simple terms, the primary purpose of the spam script is to use the UGC (User Generated Content) fields to create its content. Text of this nature can be added to any field, such as the title, the subject and the body of the letter. So to send spam from your site, the spammer needs only a database of email addresses, a script, your subscription/registration form, and the spam content.
There are different types of spam delivered through various forms. Essential examples are listed below.
Spam through autoresponse
The feedback form, the request to the support service, and forms for proposals and requests are known to generate an automatic interim response to the user. Setting up spam through the auto-response is quite complex, but such spam is more effective. You will usually find messages such as "Thanks for your inquiry. We will respond to you as soon as possible. Generally, request processing takes a few days. If you do not hear from us by the next day, please give us a call at 555-555-555, as your message did not reach us." Spam content is often added to such letters or replaces them. The trick is that if the person never sent any request, then the auto-response itself is the spam.
Subscription Bomb Attack
The spammer registers a particular mailbox on thousands of services. These services begin to send confirmation and welcome letters to the user. As a result, the victim's mailbox fills with a large number of unread messages while new letters keep arriving. In this scenario the letters are not actually spam: they contain no spam message, but using the attacked mailbox becomes very difficult. This type of attack can be directed at the mailboxes of businesses and companies with various services, and may be an attempt to damage a competitor or hurt the business.
Change of personal data
Such attacks usually play out according to the following scenario. The spammer logs in from any bot device. From the profile settings, the spammer changes the email and inserts spam content into the personal data. Then an automated or manual email notifies the user about the data change, and this email often includes the spam text.
Forms such as "recommend our service to a friend" and "enter the text of the invitation" are vulnerable. The UGC from your site flies over to users who do not expect any tricks.
What should you do?
This may be the most important chapter of the article. At present there is no single solution to spam attacks through forms. The forms on a site remain the Achilles' heel of many businesses, but there are specific techniques that minimize the risk of such attacks.
CAPTCHA comes in different forms: simple or complex, with pictures, text or figures, with or without input. The sad thing, however, is that CAPTCHA can easily be bypassed. You should install it, but do not expect it to be a magical solution for your site. If your business is the target, the spammer will gladly invest more time and resources in better code for a successful attack. However, if your business is not the target, spammers will move on to a neighbor without CAPTCHA, since attacking such a business requires less effort. That is why CAPTCHA works in some cases.
In recent spam incidents, such methods have not proven reliable: they are unstable and can be bypassed by the attacker. The key point is that the effectiveness of this method depends on the technical implementation. One example of a validation method is a regexp that searches for the presence of a URL in a UGC field.
Here is another example of validation in Magento: if the spammer's script does not use the actual "Contact us" form on your page to fill in the spam text, but only sends requests to the form's URL on your website, then validation implemented through the "form_key" parameter blocks the attempt.
Hidden fields of this kind are visible to the script but not to the user. Unfortunately, this means the obstacle can be bypassed by a correctly written script.
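As an added, framework-agnostic example (not the article's or Magento's own code), the check below combines the three validation ideas above: the form_key issued when the form page is rendered, a URL regexp over the UGC fields, and a hidden field that a human never fills in. The session store, the field names and the sample submissions are assumptions constructed for the example.

```python
import hmac
import re
import secrets

# Regexp that flags a URL inside a user-supplied (UGC) field.
URL_RE = re.compile(r"(https?://|www\.)\S+", re.IGNORECASE)

# Name of the hidden field (constructed for this example); rendered with
# display:none, so a real visitor leaves it empty.
HIDDEN_FIELD = "website"


def issue_form_key(session):
    """Called when the form page is rendered: store a random key in the session."""
    key = secrets.token_urlsafe(16)
    session["form_key"] = key
    return key


def validate_submission(session, post, ugc_fields=("subject", "message")):
    """Return the list of rejection reasons; an empty list means accept."""
    reasons = []
    # 1. form_key: a script that only POSTs to the form URL never rendered the
    #    form, so it has no key matching the one stored in the session.
    expected = session.get("form_key")
    supplied = post.get("form_key", "")
    if not expected or not hmac.compare_digest(expected, supplied):
        reasons.append("missing or invalid form_key")
    # 2. hidden field: scripts that fill every field they see trip this.
    if post.get(HIDDEN_FIELD, ""):
        reasons.append("hidden field filled")
    # 3. URL regexp over the UGC fields.
    for field in ugc_fields:
        if URL_RE.search(post.get(field, "")):
            reasons.append("url in field " + field)
    return reasons


def demo_legit():
    """Constructed legitimate submission: rendered form, no URL, hidden field empty."""
    session = {}
    key = issue_form_key(session)
    post = {"form_key": key, "email": "alice@example.com", "subject": "Order status",
            "message": "Has my order shipped yet?", HIDDEN_FIELD: ""}
    return validate_submission(session, post)


def demo_spam():
    """Constructed scripted submission: guessed key, URL in message, hidden field set."""
    session = {}
    issue_form_key(session)
    post = {"form_key": "guessed", "email": "victim@example.com", "subject": "Cheap watches",
            "message": "Buy now at http://spam.example/x", HIDDEN_FIELD: "http://spam.example"}
    return validate_submission(session, post)
```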
It is a reliable and effective way to prevent spam attacks. However, because it is labor-intensive, it is not suitable for small businesses.
Double Opt In
The most effective and simplest way is not to use UGC from unconfirmed mailboxes (those that have not passed Double Opt In) in your letters. Use it neither in greetings nor when quoting in auto-responses.
This method complements any other method. You have to know about the problem to solve it. Keeping track of the schedule of registrations and of the use of other forms gives you an effective tool to detect problems, and it also provides excellent product metrics. However, this method is not effective against slow spam, that is, when the suspicious activity is only a small fraction of the genuine traffic.
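As an added example of the monitoring described here (not part of the article and not Magento code), the sliding-window count below flags a burst of form submissions and, run over constructed timestamps, also shows the caveat: slow spam at one submission every 30 minutes never reaches the threshold. The 5-minute window and the threshold of 10 are assumptions.

```python
from datetime import datetime, timedelta


def detect_bursts(times, window=timedelta(minutes=5), threshold=10):
    """Sliding-window count over submission timestamps.

    Returns a list of (timestamp, count) for every submission at which the
    number of submissions in the trailing window reaches the threshold.
    """
    times = sorted(times)
    alerts = []
    start = 0  # index of the oldest submission still inside the window
    for i, t in enumerate(times):
        while times[start] < t - window:
            start += 1
        count = i - start + 1
        if count >= threshold:
            alerts.append((t, count))
    return alerts


def constructed_traffic():
    """Constructed registration timestamps for one day (not real log data)."""
    base = datetime(2024, 1, 1)
    # Genuine traffic: one registration every 10 minutes.
    legit = [base + timedelta(minutes=10 * k) for k in range(144)]
    # Scripted burst: 30 registrations within two minutes at 12:00.
    burst = [base + timedelta(hours=12, seconds=4 * k) for k in range(30)]
    # Slow spam: one registration every 30 minutes, hidden among genuine traffic.
    slow = [base + timedelta(minutes=30 * k + 7) for k in range(48)]
    return legit, burst, slow


def alerts_for_burst():
    """The burst is caught: counts climb from the threshold up to 31 in the window."""
    legit, burst, _ = constructed_traffic()
    return detect_bursts(legit + burst)


def alerts_for_slow():
    """The caveat from the text: slow spam stays under the threshold, so no alert."""
    legit, _, slow = constructed_traffic()
    return detect_bursts(legit + slow)
```

Rate monitoring therefore catches the bulk script but not the spammer who stays within a small fraction of genuine traffic, which is why the text pairs it with the other methods.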
The issue of spam through forms is greater now than ever before. Various businesses and trading operations suffer as a result and are searching for practical solutions to the problem. Make sure you set up simple methods to protect your business so that you do not become an unwitting participant in spam mailings.
If you have any questions, please write a comment below the article or contact our support team.