How does simpleContact deal with spam?
This is a question I’m asked on a regular basis, so in lieu of a dedicated FAQs page I’ll answer it here. I do not use CAPTCHA filters (as a designer I find them ugly), but I’ll describe the security and anti-spam measures I have in place:
Recipient addresses in database
It’s not unusual for a developer to add the recipient email address(es) to an HTML form as hidden fields. It is a simple matter for a spambot to uncover these addresses. I do not do that – your email addresses are safely stored in the MySQL database.
This also prevents spammers exploiting your website to send emails through your server by overriding the recipients on your contact form.
Server-side validation
Instead of client-side validation that can be bypassed easily by turning off JavaScript in your browser, simpleContact has server-side validation. Form submissions are checked for the following:
- Required fields are completed
- Email addresses are valid
- Character limits are not exceeded
The last point is important. A field’s “maxlength” attribute can be deactivated by tools such as the Firefox web developer toolbar (a legitimate tool that I use myself).
One thing you notice about spammers though is that they tend to submit a lot of text – mostly nonsense. The character limits on fields are enforced in the server-side validation, where they can’t be bypassed. A spambot is likely to fail here.
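The three server-side checks above (required fields, valid email addresses, character limits), plus a rejection of any field the form never defined, as an added Python example. This is not simpleContact's own code; the field names and limits in FIELD_RULES are constructed for illustration, and the email pattern is a deliberately simple one.

```python
import re

# Constructed field rules for this example; simpleContact's real fields and limits are not on the page.
FIELD_RULES = {
    "name":    {"required": True,  "maxlength": 60},
    "email":   {"required": True,  "maxlength": 100, "email": True},
    "subject": {"required": False, "maxlength": 120},
    "message": {"required": True,  "maxlength": 2000},
}

# Minimal address shape: a local part, one '@', and a domain containing a dot.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def validate_submission(fields: dict) -> list:
    """Return a list of error strings; an empty list means the submission passes.

    Every rule is enforced here, on the server, so disabling JavaScript or
    stripping a field's maxlength attribute in the browser changes nothing.
    """
    errors = []
    for name, rule in FIELD_RULES.items():
        value = (fields.get(name) or "").strip()
        if rule["required"] and not value:
            errors.append(f"{name}: required")
            continue
        if len(value) > rule["maxlength"]:
            errors.append(f"{name}: exceeds {rule['maxlength']} characters")
        if rule.get("email") and value and not EMAIL_RE.match(value):
            errors.append(f"{name}: not a valid email address")
    # Fields the form never defined (for instance an extra recipient field) are
    # reported rather than silently accepted, so the server decides who gets mail.
    for extra in sorted(fields.keys() - FIELD_RULES.keys()):
        errors.append(f"{extra}: unexpected field")
    return errors


if __name__ == "__main__":
    # Constructed sample submissions: one genuine, one of the oversized kind the text describes.
    print(validate_submission({"name": "Ada", "email": "ada@example.com", "message": "Hello"}))
    print(validate_submission({"name": "", "email": "not-an-address",
                               "message": "x" * 2001, "to": "someone@example.com"}))
```

The length check runs against the text actually received, so a bot pasting thousands of characters fails regardless of what the HTML form advertised.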
Escapes submissions to prevent SQL injection attacks
This is more of a database security measure than an anti-spam thing. If submitted data is not processed for certain characters (e.g. " ) then a hacker could post SQL code through a form to either damage the database or expose data. Wikipedia has a more thorough description of SQL injection attacks.
Suffice it to say, my app is protected from this.
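To make the point concrete, here is an added Python example (not simpleContact's code) contrasting a query built by string concatenation with a parameterised one. It uses an in-memory SQLite table in place of the MySQL database described above, and a constructed message containing an apostrophe: the concatenated version breaks as soon as that character arrives, while the parameterised version stores it intact because the driver never treats submitted text as SQL.

```python
import sqlite3

# Constructed sample input: ordinary text that happens to contain a quote character.
TRICKY_MESSAGE = "Can you call O'Brien tomorrow?"


def open_db() -> sqlite3.Connection:
    """In-memory SQLite stands in for the MySQL database (an assumption for this example)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE submissions (id INTEGER PRIMARY KEY, name TEXT, email TEXT, message TEXT)"
    )
    return conn


def insert_unsafe(conn: sqlite3.Connection, name: str, email: str, message: str) -> None:
    """The fragile form: submitted text is pasted straight into the statement.
    A quote in the input changes the structure of the SQL itself."""
    sql = (
        "INSERT INTO submissions (name, email, message) "
        f"VALUES ('{name}', '{email}', '{message}')"
    )
    conn.execute(sql)


def insert_safe(conn: sqlite3.Connection, name: str, email: str, message: str) -> None:
    """The hardened form: placeholders in the SQL, values passed separately.
    Quote characters are stored as data, never interpreted as syntax."""
    conn.execute(
        "INSERT INTO submissions (name, email, message) VALUES (?, ?, ?)",
        (name, email, message),
    )


def stored_messages(conn: sqlite3.Connection) -> list:
    return [row[0] for row in conn.execute("SELECT message FROM submissions ORDER BY id")]


def demo() -> tuple:
    """Return (messages stored, whether the concatenated insert failed)."""
    conn = open_db()
    insert_safe(conn, "Pat", "pat@example.com", TRICKY_MESSAGE)
    try:
        insert_unsafe(conn, "Pat", "pat@example.com", TRICKY_MESSAGE)
        broke = False
    except sqlite3.Error:
        # The statement became malformed at the apostrophe; the database rejects it.
        broke = True
    return stored_messages(conn), broke


if __name__ == "__main__":
    print(demo())
```

Escaping, as the heading describes, neutralises the special characters before they reach the query; placeholders achieve the same separation of data from code and are what most database drivers now recommend.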
Your password is stored as a salted hash
Simply put, this means that even if your database was compromised, a hacker would not be able to retrieve usable passwords because they are stored as salted hashes (rather than as plain text).
At the end of the day, no one – not even Google – can honestly claim to have built a 100% spam-proof system. Since last May my WordPress comments form has had about 2,000 spam submissions (thankfully most of which were blocked by Akismet).
What I can tell you is that over that same period I have received one spam email through simpleContact. My clients have reported none at all.
I find that a tolerable amount.