
Why Am I Getting Empty Form Submissions from My Website?

Question: Hi Leo. I have an email request form on my website. And every now and then I will get a blank form sent to me or maybe with a few URLs for medications of various sorts in it. I’m also getting returned email and "Out of office" messages. I can see that they’ve been sent from bogus names at my domain. How do I fix this?

The bogus email addresses on your domain are easy. I’ll point you at a previous article of mine: “I Keep Getting Bounced Emails for Addresses On My Domain That Don’t Exist. How Can I Stop This?”. The bottom line is that simply having a domain will cause this to happen. And the only solution that I know of is to only pay attention to the email that is actually sent to valid email addresses on your domain. Ignore all of those others.

The form submission issue is an interesting one, and it’s something that I actually deal with every day.


Web spam

In a word, the problem here is spam. It’s a form of spam known as web spam. Every contact, comment or information submission form on every website has to deal with it, or will deal with it at some point soon. And yes, as a website owner, it’s something you’re going to deal with as well.

Web spammers are looking to do either of two things: try to use your form to send email spam, or to post spammy information on your website.

Any form where you might enter some information and press a submit button typically works by collecting that information and then emailing it to someone. Here at Ask Leo! for example, when you enter your question it's sent to an email address that records it appropriately, and then inserts it into my question-handling database. It also automatically emails a quick response to let you know that I got your question.

Hacking and abusing web forms for email

Since email is the backbone of so many web forms, spammers try to do two different things:

  • they try to hack the technology so that they can directly send email messages, i.e. spam, using some unanticipated vulnerability in the form handler on your site
  • they try to hack the form so that when the form sends its message, that message is actually sent elsewhere and the contents of the form contain the things that you saw: spammy messages, medication URLs, or who knows what else.

Spammers will probe every web form they find on the internet to see whether it can be abused. Those probes often look like blank messages, or they may even have a few URLs in them.
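The usual way a form ends up sending its message "elsewhere" is a line break smuggled into a field that the handler copies into a mail header, and the probes described above are mostly blank or link-only bodies. The following is an added example, not code from this site: a server-side check a form handler could run before it sends any email, with the field names (`name`, `email`, `subject`, `message`) and the URL threshold chosen here as assumptions.

```javascript
// Added example: pre-send screening for a contact-form handler.
// Field names and MAX_URLS are assumptions, not taken from the article.
const URL_RE = /\b(?:https?:\/\/|www\.)\S+/gi;
const HEADER_FIELDS = ['name', 'email', 'subject']; // values copied into mail headers
const MAX_URLS = 2;

// Returns { action: 'send' | 'hold' | 'drop', reasons: [...] }.
function screenSubmission(form) {
  const reasons = [];
  const get = (k) => (typeof form[k] === 'string' ? form[k] : '');

  // 1. A line break in a header-bound field lets the sender append mail
  //    headers (extra recipients, a new subject). Never send these.
  for (const k of HEADER_FIELDS) {
    if (/[\r\n]/.test(get(k))) reasons.push(`line break in header field "${k}"`);
  }
  if (reasons.length) return { action: 'drop', reasons };

  // 2. Blank probes: a message body with nothing but whitespace.
  const message = get('message');
  if (message.trim() === '') return { action: 'drop', reasons: ['empty message'] };

  // 3. The reply address must be one plain address, not a list.
  if (!/^[^\s@<>,;:]+@[^\s@<>,;:]+\.[^\s@<>,;:]+$/.test(get('email').trim())) {
    reasons.push('reply address is not a single plain address');
  }

  // 4. Link-heavy bodies are held for review instead of being mailed.
  const urls = message.match(URL_RE) || [];
  const words = message.replace(URL_RE, ' ').split(/\s+/).filter(Boolean);
  if (urls.length > MAX_URLS) reasons.push(`${urls.length} URLs in message`);
  if (urls.length > 0 && words.length < 3) reasons.push('message is only links');

  return { action: reasons.length ? 'hold' : 'send', reasons };
}

// Constructed sample submissions, not real traffic.
const samples = {
  blank: { name: '', email: '', subject: '', message: '   ' },
  links: { name: 'a', email: 'a@example.com', subject: 'hi',
           message: 'http://pills.example/a http://pills.example/b' },
  inject: { name: 'a', email: 'a@example.com\r\nBcc: list@example.net',
            subject: 'hi', message: 'hello there friend' },
  legit: { name: 'Pat', email: 'pat@example.org', subject: 'Question',
           message: 'My laptop will not boot after the last update. Any ideas?' },
};
for (const [label, form] of Object.entries(samples)) {
  console.log(label, JSON.stringify(screenSubmission(form)));
}
```

Dropped submissions should still be counted in the server log, since a burst of them is the visible sign that the form is being probed.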

Comment spam

The other thing that spammers care about a lot these days is comment forms.

The goal is to place links on your site that go to their sites - in order to either entice your visitors to go there or, more commonly, to make it seem to Google and other search engines that their site is much more important or authoritative than it really is - because it has all of these links coming to it from all over the internet.

Unfortunately, there’s no real standard for what a comment form looks like. So, spammers will treat just about any form as if it were a comment form.

Solutions are limited, but they boil down to these two most common approaches.

  • CAPTCHAs. (CAPTCHA is an acronym for “Completely Automated Public Turing test to tell Computers and Humans Apart.” It’s trademarked by Carnegie Mellon University.) This is why you see those squiggly characters on so many submission forms. Computers can’t figure those out yet, so automated tools that are used to post spam to web forms can’t get past this step. There are other forms of CAPTCHA too; things like math equations or picture matching forms.
  • Spam filters. If your website uses WordPress, as mine does, then you have something called Akismet available to you. It’s a spam filter for web forms. After a web form is accepted, but before the email is sent, Akismet judges whether or not its contents are spam. If the message is determined to be spam, it’s filtered out and the mail is never sent.

So, it all comes back to spam, spammers, and the constant battle of wits and technology.

Regardless of whether it's email spam or comment spam, it's spam that's at the root of what you - and thousands of other webmasters - see every day.

Including me.


2 comments on “Why Am I Getting Empty Form Submissions from My Website?”

  1. As a software writer, I do what I can to prevent automated form submission.

    As a heads up, some of the following techniques may suffer from accessibility issues for very old browsers and for readers used by the visually handicapped. For browsers with JavaScript turned off, a noscript tag can be used to inform the person JavaScript is required.

    In my experience, using JavaScript to change the form’s action URL from bogus to correct after the form loads prevents much of it. Seems the bots read the source code of the page without parsing the JavaScript. I’m assuming their software then tries to submit the form to the bogus URL.

    I’ve recently started using Ajax to insert the form into the page after the page has loaded. So far, it’s been 100% effective. We’ll see in the longer run.

    CSS3’s contenteditable tag can be used to accept keystrokes into divs. A click on a pseudo-button can cause the information to be sent to software on the server. This technique eliminates the need for a form and field tags. I believe the latest browsers for iOS and Android now support contenteditable, but older ones won’t, which is why I’m not making much use of this technique – yet.

    Will

    • I used to use the Javascript Form action trick and it works very, VERY well. Had a few false positives from people who had blocked Javascript, but that was it. Unfortunately spammers are more often resorting to cheap overseas labor to bypass all the techniques used to block automation – because they’re not automated.

