Contact Forms

Contact forms prevent spamming software from collecting your email address. However, if they are not built right, they can expose your email address anyway. And if the script behind the contact form has a security flaw, hackers can exploit it and use your website to send out spam. This is a very serious and, unfortunately, common problem. If your website is hacked to send out spam, in a matter of minutes your domain will be blacklisted and you will have trouble sending legit emails.

First, let’s talk about the basics. The HTML code of the contact form should not expose any email address. In Figure 1, you can see the code of a contact form on a website that has this problem. Notice, where we put the red arrows, how the destination email addresses are present in the HTML form. This means that when the user selects a “contact department”, the form is the one doing the conversion between “departments” and email addresses. This should not be done: as explained, the email addresses are publicly exposed this way.

Email addresses exposed on a contact formFigure 1: Email addresses exposed on a contact form

Instead, the email address should not be exposed in the HTML code, and the script where the data is sent should be able to decode this request and send the message to the appropriate email address. In other words, the conversion between an alias (“department”) and an email address must be done behind the scenes, away from privy eyes.

Of course, you should not use an alias that is just the first part of the email address or use an obvious email address, as these are too easy to guess by spamming software. For example, if you have a contact option (“department”) called “research,” do not create an email called [email protected]; this is too obvious and easy to guess.

The addition of verification code on contact forms, also known as CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart), is a must. You probably have seen this a lot, as either an image with random letters and numbers that you must repeat or a challenge question such as “what is the result of 1 + 1 – 2?” This should be done to prevent the use of spamming programs that try to send out spam in an automated way using your contact form. Even if your contact form does not have a security flaw that allows spammers to use your contact form to send out spam to other people, you will get a lot of spam on your email address coming from your contact form.

Use of a CAPTCHA codeFigure 2: Use of a CAPTCHA code

Gabriel Torres is a Brazilian best-selling ICT expert, with 24 books published. He started his online career in 1996, when he launched Clube do Hardware, which is one of the oldest and largest websites about technology in Brazil. He created Hardware Secrets in 1999 to expand his knowledge outside his home country.