The bogus email addresses on your domain are easy. I’ll point you at a previous article of mine: “I Keep Getting Bounced Emails for Addresses On My Domain That Don’t Exist. How Can I Stop This?”. The bottom line is that simply having a domain will cause this to happen: spammers forge sender addresses on your domain, and the bounces come back to you. The only practical approach I know of is to pay attention only to the email that is actually sent to valid addresses on your domain, and ignore all of the others.
The form submission issue is an interesting one, and it’s something that I actually deal with every day.
Web spam
In a word, the problem here is spam. It’s a form of spam known as web spam. Every contact, comment or information submission form on every website has to deal with it, or will have to deal with it at some point soon. And yes, as a website owner, it’s something you’re going to deal with as well.
Web spammers are looking to do one of two things: use your form to send email spam, or post spammy content on your website.
Any form where you might enter some information and press a submit button typically works by collecting that information and then emailing it to someone. Here at Ask Leo! for example, when you enter your question it’s sent to an email address that records it appropriately, and then inserts it into my question-handling database. It also automatically emails a quick response to let you know that I got your question.
Hacking and abusing web forms for email
Since email is the backbone of so many web forms, spammers try two different things:
- they try to hack the technology so that they can send email messages, i.e. spam, directly, using some unanticipated vulnerability in the form handler on your site
- they try to hack the form itself so that when it sends its message, that message actually goes somewhere else, typically by stuffing extra recipient headers into a field the handler copies into the outgoing mail. The contents of the form are then exactly the things you saw: spammy messages, medication URLs, or who knows what else.
Spammers will probe every web form they find on the internet to see whether it can be abused. Those probes often look like blank messages, or they may even have a few URLs in them.
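To make that second kind of abuse concrete, here is an added example of mine in Python; it is not code from Ask Leo! or from any real form handler. A naive handler copies the submitted name, address and subject straight into the message header block, so a subject that contains a line break followed by `Bcc:` adds recipients the site owner never chose, which is how a contact form ends up sending someone else’s mail. The hardened version rejects any field containing a carriage return or line feed, keeps the From address fixed, quotes the display name through the standard library, and puts user text only in the body. The addresses, the field names and the two sample submissions are constructed for the example.

```python
import re
from email.headerregistry import Address
from email.message import EmailMessage
from email.parser import Parser

OWNER = "owner@example.com"  # assumed destination for the form (example only)


def build_message_vulnerable(sender_name, sender_email, subject, body):
    """Naive form-to-email handler: copies the fields straight into the header block."""
    return (
        f"From: {sender_name} <{sender_email}>\r\n"
        f"To: {OWNER}\r\n"
        f"Subject: {subject}\r\n"
        f"\r\n{body}"
    )


def recipients(raw_message):
    """Every address a mail server would deliver this message to (To, Cc and Bcc)."""
    msg = Parser().parsestr(raw_message)
    addrs = []
    for header in ("To", "Cc", "Bcc"):
        for value in msg.get_all(header, []):
            addrs.extend(a.strip() for a in value.split(",") if a.strip())
    return addrs


class HeaderInjection(ValueError):
    """Raised when a field contains something that would start a new header line."""


_CR_OR_LF = re.compile(r"[\r\n]")
_ADDR = re.compile(r"^[^\s@<>,]+@[^\s@<>,]+\.[^\s@<>,]+$")


def header_field(value, max_len=200):
    """Accept a user-supplied value for a header only if it cannot break out of that header."""
    if _CR_OR_LF.search(value):
        raise HeaderInjection("line break in header field")
    return value.strip()[:max_len]


def build_message_hardened(sender_name, sender_email, subject, body):
    """Same form, but every header comes from validated input or a fixed value."""
    name = header_field(sender_name)
    subj = header_field(subject)
    if not _ADDR.match(sender_email):
        raise HeaderInjection("malformed sender address")
    msg = EmailMessage()
    msg["From"] = Address("Web form", addr_spec="webform@example.com")  # fixed, never user-chosen
    msg["Reply-To"] = Address(name, addr_spec=sender_email)  # display name is quoted for us
    msg["To"] = OWNER
    msg["Subject"] = subj
    msg.set_content(body)  # user text lives only in the body, where "Bcc:" is just text
    return msg.as_string()


def handle_form(fields, builder):
    """Returns ("sent", raw_message) or ("rejected", reason). Nothing is actually emailed."""
    try:
        raw = builder(fields["name"], fields["email"], fields["subject"], fields["body"])
    except HeaderInjection as exc:
        return "rejected", str(exc)
    return "sent", raw


# Constructed sample submissions (not real traffic): one genuine, one spam probe.
GENUINE = {"name": "Maria", "email": "maria@example.org",
           "subject": "Outlook stopped syncing", "body": "Since the last update ..."}
PROBE = {"name": "Bob", "email": "bob@example.org",
         "subject": "Hello\r\nBcc: victim1@example.net, victim2@example.net",
         "body": "Cheap meds at http://pills.example/"}

if __name__ == "__main__":
    status, raw = handle_form(PROBE, build_message_vulnerable)
    print("vulnerable handler:", status, "-> recipients", recipients(raw))
    print("hardened handler:  ", handle_form(PROBE, build_message_hardened))
```

Run against the probe, the vulnerable builder happily reports three recipients, two of them the spammer’s targets; the hardened builder refuses the submission before any message exists. A blank or junk submission that gets this far is the probe the article describes, and rejecting it quietly is the right response.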
Comment spam
The other thing that spammers care about a lot these days is comment forms.
The goal is to place links on your site that go to their sites, either to entice your visitors to go there or, more commonly, to make it seem to Google and other search engines that their site is much more important or authoritative than it really is, because it has all of these links coming to it from all over the internet.
Unfortunately, there’s no real standard for what a comment form looks like. So spammers will treat just about any form as if it were a comment form.
Solutions are limited, but they boil down to these two most common approaches.
- CAPTCHAs. CAPTCHA is an acronym for “Completely Automated Public Turing test to tell Computers and Humans Apart”; the term is trademarked by Carnegie Mellon University. This is why you see those squiggly characters on so many submission forms. Automated tools can’t reliably read them, so the bots used to post spam to web forms can’t get past this step. There are other forms of CAPTCHA too: math equations or picture-matching puzzles, for example.
- Spam filters. If your website uses WordPress, as mine does, then you have something called Akismet available to you. It’s a spam filter for web forms. After a form submission is accepted, but before the email is sent, Akismet judges whether or not its contents are spam. If the submission is judged to be spam, it’s filtered out and the mail is never sent.
So, it all comes back to spam, spammers, and the constant battle of wits and technology.
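The filtering step described above, as an added example that is neither Akismet’s code nor from the original page: a small scorer that runs after the form is accepted and before anything is emailed. It uses the two signals the article mentions, blank probes and link-heavy bodies, and goes a little beyond the text with two signals I am assuming for the example: a hidden honeypot field that people never see but bots fill in, and a client-side timer posted with the form. The sample submissions and the spam-term list are constructed.

```python
import re
from dataclasses import dataclass

URL_RE = re.compile(r"(?:https?://|www\.)\S+", re.IGNORECASE)
# Constructed term list for the example; a real filter uses far more signal than this.
SPAM_TERMS = ("viagra", "cialis", "casino", "payday loan", "seo services")
SPAM_THRESHOLD = 5


@dataclass
class Submission:
    name: str
    body: str
    website: str = ""              # assumed hidden honeypot field: humans never see it, bots fill it
    seconds_on_page: float = 30.0  # assumed client-side timer posted along with the form


def spam_score(sub):
    """Return (score, reasons). Higher means more spam-like; nothing here sends mail."""
    score, reasons = 0, []
    if sub.website.strip():
        score += 10
        reasons.append("honeypot field filled")
    if sub.seconds_on_page < 3:
        score += 5
        reasons.append("submitted faster than a person could type")
    text = sub.body.strip()
    links = URL_RE.findall(text)
    if not text:
        score += 5
        reasons.append("empty body (typical form probe)")
    elif links and len(" ".join(links)) / len(text) > 0.5:
        score += 6
        reasons.append("body is mostly links")
    if len(links) >= 3:
        score += 4
        reasons.append("%d links" % len(links))
    hits = [t for t in SPAM_TERMS if t in text.lower()]
    if hits:
        score += 3 * len(hits)
        reasons.append("spam terms: " + ", ".join(hits))
    return score, reasons


def process_submission(sub, deliver):
    """Form accepted -> filter -> deliver. Spam is quarantined and never emailed."""
    score, reasons = spam_score(sub)
    if score >= SPAM_THRESHOLD:
        return {"action": "quarantined", "score": score, "reasons": reasons}
    deliver(sub)
    return {"action": "delivered", "score": score, "reasons": reasons}


# Constructed sample submissions, not real traffic.
SAMPLES = {
    "question": Submission("Maria", "My mail client stopped syncing after the last update. Any ideas?",
                           seconds_on_page=48.0),
    "probe": Submission("", "", seconds_on_page=0.4),
    "link_spam": Submission("bestpills",
                            "Cheap viagra here http://pills.example/buy and "
                            "http://pills.example/cialis and www.pills.example/casino",
                            website="http://pills.example/", seconds_on_page=1.1),
}


def run_demo():
    """Run every sample through the pipeline; returns ({label: action}, number delivered)."""
    outbox = []
    results = {label: process_submission(sub, outbox.append)["action"]
               for label, sub in SAMPLES.items()}
    return results, len(outbox)


if __name__ == "__main__":
    for label, sub in SAMPLES.items():
        print(label, process_submission(sub, lambda s: None))
```

The important design point is where the filter sits: the submission is already parsed and validated, but the filter runs before the email step, so a quarantined submission costs nothing but a log entry. Keep the quarantine visible to a human, because heuristics like these will occasionally catch a real reader who pastes a few links.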
Regardless of whether it’s email spam or comment spam, it’s spam that’s at the root of what you – and thousands of other webmasters – see every day.
Including me.
As a software writer, I do what I can to prevent automated form submission.
As a heads up, some of the following techniques may suffer from accessibility issues for very old browsers and for readers used by the visually handicapped. For browsers with JavaScript turned off, a noscript tag can be used to inform the person JavaScript is required.
In my experience, using JavaScript to change the form’s action URL from bogus to correct after the form loads prevents much of it. Seems the bots read the source code of the page without parsing the JavaScript. I’m assuming their software then tries to submit the form to the bogus URL.
I’ve recently started using Ajax to insert the form into the page after the page has loaded. So far, it’s been 100% effective. We’ll see in the longer run.
CSS3’s contenteditable tag can be used to accept keystrokes into divs. A click on a pseudo-button can cause the information to be sent to software on the server. This technique eliminates the need for a form and field tags. I believe the latest browsers for iOS and Android now support contenteditable, but older ones won’t, which is why I’m not making much use of this technique – yet.
Will
I used to use the JavaScript form action trick and it works very, VERY well. Had a few false positives from people who had blocked JavaScript, but that was it. Unfortunately spammers are more often resorting to cheap overseas labor to bypass all the techniques used to block automation – because they’re not automated.