30

There is something I don't get. One of my web apps has a small form that allows you to enter your name and email address to "subscribe" to a user list for a site I maintain. The site is very low traffic, and only useful to a very small number of people that live in a very small town. It would be of no interest to anyone else.

Yet, every day, sometimes many times per day, someone (or a bot) is entering fictitious names and probably bogus email addresses into the form.

This form is not even active on my site anymore, it just happens to still exist as an orphaned page on my IIS directory (which tells me that someone is searching for these types of forms via Google, because there is no path to this form if you come in through the default page).

This is not a big hassle for me, I can solve the problem with captcha, but what I don't understand is for what purpose would someone set up a bot to repeatedly fill in forms? I figure there must be a reason, but for the life of me I don't know why.

What am I missing?

masegaloeh
EJB

6 Answers

39

These are bots trying to send you spam, or worse, trying to exploit your contact form to send spam to others.

For example, there are several well-known exploits for the PHP mail() command commonly used by contact forms that can cause the TO address you put in your code to be overwritten by POSTed data, if you aren't careful how you handle the data coming in from your form.

Some ways to prevent this:

  1. Use a captcha. For a low traffic site, even a static captcha (an image that just has the same text in it every time) will work very well.

  2. Check the HTTP referrer to make sure the POST is coming from your contact form. Many bots will spoof this though, so it isn't terribly useful.

  3. Use hidden form fields to try to trick the bots. For example, create a field called phone_number on your form, and hide it with CSS in your stylesheet (display: none). A bot will normally fill in that field (they usually fill in all fields to avoid possible required-field validation errors) but a user would not, since it's hidden. So on POST you check for a value in that field and SILENTLY fail to send the message if there is a value in it. I find that this method alone is highly effective.

chicks
Eric Petroelje
  • If you use a hidden field, I suggest naming it something less common. I've encountered browser toolbars in the wild that attempt to helpfully fill out forms automatically -- even hidden fields! – Eli Jan 04 '13 at 03:25
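The three checks from the answer above (honeypot field, referrer check, and a guard against the header-injection problem behind the PHP mail() exploits) as one server-side validation routine. This is an added example, not code from the answer; the field names, the site URL and the sample submissions are constructed for illustration.

```python
import re
from typing import Dict, Optional

# Name of the honeypot field hidden with CSS (display: none) in the real form.
# The answer uses "phone_number"; Eli's comment suggests something less common
# to avoid browser auto-fill, so keep this configurable. Assumed value.
HONEYPOT_FIELD = "phone_number"
# Assumed URL of the page that hosts the form.
ALLOWED_REFERER_PREFIX = "https://www.example.com/contact"
# A CR or LF inside a value that ends up in a mail header lets a bot append
# its own "Bcc:" or "To:" lines, which is how mail() form abuse works.
HEADER_BREAK = re.compile(r"[\r\n]")
HEADER_FIELDS = ("name", "email", "subject")


def reject_reason(form: Dict[str, str], referer: Optional[str]) -> Optional[str]:
    """Return why a POST should be dropped, or None if it looks legitimate."""
    if form.get(HONEYPOT_FIELD, "").strip():
        return "honeypot filled"
    # Only reject a *wrong* referer: many real browsers send none at all,
    # and the answer notes bots spoof it anyway, so this is a weak signal.
    if referer is not None and not referer.startswith(ALLOWED_REFERER_PREFIX):
        return "bad referer"
    for name in HEADER_FIELDS:
        if HEADER_BREAK.search(form.get(name, "")):
            return f"header injection in {name}"
    return None


def handle_post(form: Dict[str, str], referer: Optional[str]) -> Dict[str, object]:
    """Silently 'succeed' on rejected posts so the bot learns nothing."""
    reason = reject_reason(form, referer)
    return {"status": "ok", "sent": reason is None, "reason": reason}


if __name__ == "__main__":
    # Constructed submissions: one human, one honeypot hit, one injection attempt.
    samples = [
        ({"name": "Ann", "email": "ann@example.com", HONEYPOT_FIELD: ""}, ALLOWED_REFERER_PREFIX),
        ({"name": "Ann", "email": "ann@example.com", HONEYPOT_FIELD: "555-0100"}, None),
        ({"name": "Ann", "email": "ann@example.com\r\nBcc: victim@example.net"}, None),
    ]
    for form, ref in samples:
        print(handle_post(form, ref))
```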
10

These bots are blindly trying every form they find in order to send spam mail. Some of them may have historical data of forms and even if it's not currently listed on search engines, these bots can post data to that URL.

Let's say a web site contains an HTML form for sending a recommendation to a friend, typically "Tell a friend" or "Send greeting card", which is not protected by a CAPTCHA image, for example. A bot could use the form to send thousands of spam emails using your SMTP server.

If the bot is coming from the same IP address, you could block that address on IIS or on your firewall.

splattne
  • A simple fix for this can be changing the names on the forms. Bots crawl using Google, and look for common form and field names like `address` or `recipient`. Change these to something a bit more obscure, and you're less likely to get any spam on them. – Dentrasi Jun 25 '09 at 15:25
  • Less likely, but it can still happen. I've seen forms with obscure names on obscure fora still get hit with spambots. – Ward - Reinstate Monica Jun 25 '09 at 15:39
  • Also, then you defeat auto fill-ins from Lastpass and similar products, which are a great help to users. – PRMan Nov 19 '21 at 16:43
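To act on the answer's last suggestion (block a repeat offender at IIS or the firewall) you first need to find it. This added example, not part of the answer, parses a constructed IIS W3C extended log excerpt and reports client IPs that POSTed to the orphaned form path more than a threshold number of times; the path, addresses and timestamps are made up.

```python
from collections import Counter
from typing import Dict, List

# Constructed IIS W3C log excerpt (not the asker's real log). IIS writes one
# space-separated record per request and replaces spaces inside values with '+'.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2009-06-25 15:01:02 10.0.0.5 GET /default.asp - 80 - 198.51.100.2 Mozilla/5.0 - 200 0 0 15
2009-06-25 15:01:09 10.0.0.5 POST /old/subscribe.asp - 80 - 203.0.113.7 Mozilla/4.0 - 200 0 0 31
2009-06-25 15:01:10 10.0.0.5 POST /old/subscribe.asp - 80 - 203.0.113.7 Mozilla/4.0 - 200 0 0 28
2009-06-25 15:01:11 10.0.0.5 POST /old/subscribe.asp - 80 - 203.0.113.7 Mozilla/4.0 - 200 0 0 30
2009-06-25 15:02:40 10.0.0.5 POST /old/subscribe.asp - 80 - 198.51.100.2 Mozilla/5.0 http://www.example.com/old/subscribe.asp 200 0 0 40
"""


def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Turn W3C extended log lines into dicts keyed by the names in '#Fields:'."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # header may repeat after a log roll
        elif line.startswith("#") or not line.strip():
            continue                           # other directives and blank lines
        else:
            values = line.split()
            if fields and len(values) == len(fields):
                rows.append(dict(zip(fields, values)))
    return rows


def suspicious_posters(text: str, form_path: str, threshold: int) -> Dict[str, int]:
    """Client IPs that POSTed to form_path at least `threshold` times."""
    counts = Counter(
        row["c-ip"]
        for row in parse_w3c(text)
        if row["cs-method"] == "POST" and row["cs-uri-stem"].lower() == form_path.lower()
    )
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    # Candidates for an IIS IP restriction or firewall rule; review before blocking,
    # since a shared NAT address can carry real users too.
    print(suspicious_posters(SAMPLE_LOG, "/old/subscribe.asp", threshold=3))
```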
4

If they can somehow get into your server and implant software on it without you noticing, that's one extra spambot for them.

Being registered is one step closer to being able to take over a server, since you're able to see a bit more of the files on the server.

Plus, if the form isn't protected against XSS and other such tactics, hacking is even easier.

KdgDev
3

They usually try to forge custom HTML/PHP/ASP commands when they hit submit; it's used as a backdoor for trojans etc.

pauska
2

Comment spam is one reason. They attempt to add a lot of links in blog comments, for example, in an attempt to raise their page rank.

Dennis Williamson
  • That makes sense. The search engine crawlers would pick up the links and rate them higher. Although I'm sure (if the crawler is sophisticated) it would rank user comments way lower than a link on the article itself. I don't work with this stuff so I'm not certain - just a guess. – Kellen Stuart Jun 25 '16 at 05:26
-2

Some of them just seem to fill out any form they see with links to porn sites in the hope that somewhere, somehow the links in the form will appear on your site and be picked up by Google.

I've had a lot of luck blocking bots with some custom mod_security rules.

Eli