The bogus email addresses on your domain are easy. I’ll point you at a previous article of mine: “I Keep Getting Bounced Emails for Addresses On My Domain That Don’t Exist. How Can I Stop This?”. The bottom line is that simply having a domain will cause this to happen. And the only solution that I know of is to only pay attention to the email that is actually sent to valid email addresses on your domain. Ignore all of those others.
The form submission issue is an interesting one, and it’s something that I actually deal with everyday.
Become a Patron of Ask Leo! and go ad-free!
In a word, the problem here is spam. It’s a form of spam known as web spam. Every contact, comment or information submission form on every website has to deal with it, or will deal with it at some point soon. And yes, as a website owner, it’s something you’re going to deal with as well.
Web spammers are looking to do either of two things: try to use your form to send email spam, or to post spammy information on your website.
Any form where you might enter some information and press a submit button typically works by collecting that information and then emailing it to someone. Here at Ask Leo! for example, when you enter your question it’s sent to an email address that records it appropriately, and then inserts it into my question-handling database. It also automatically emails a quick response to let you know that I got your question.
Hacking and abusing web forms for email
Since email is the backbone of so many web forms, spammers try to do two different things:
- they try to hack the technology so that they can directly send email messages, i.e. spam, using some unanticipated vulnerability in the form handler on your site
- they try to hack the form so that when the form sends its message, that message is actually sent elsewhere and the contents of the form contain the things that you saw: spammy messages, medication URLs, or who knows what else.
Spammers will probe every web form they find on the internet to see whether it can be abused. Those probes often look like blank messages, or they may even have a few URLs in them.
The other thing that spammers care about a lot these days are comment forms.
The goal is to place links on your site that go to their sites – in order to either entice your visitors to go there or, more commonly, to make it seem to Google and other search engines that their site is much more important or authoritative than it really is – because it has all of these links coming to it from all over the internet.
Unfortunately, there’s no real standard for what a comment form looks like. So, spammers will treat just about any form as if it were a comment form.
Solutions are limited, but they boil down to these two most common approaches.
- CAPTCHA is an acronym for “Completely Automated Public Turing test to tell Computers and Humans Apart.” It’s trademarked by Carnegie Mellon University. Technically a CAPTCHA is
CAPTCHAs. This is why you see those squiggly characters on so many submission forms. Computers can’t figure those out yet, so automated tools that are used to post spam to web forms can’t get past this step. There are other forms of CAPTCHA too; things like math equations or picture matching forms.
- Spam filters. If your website uses WordPress, as mine does, then you have something called Akismet available to you. It’s a spam filter for web forms. After a web form is accepted, but before the email is sent, Akismet judges whether or not its contents are spam. If the message is determined to be spam, it’s filtered out and the mail is never sent. So, it all comes back to spam, spammers, and the constant battle of wits and technology.
Regardless of whether it’s email spam or comment spam, it’s spam that’s at the root of what you – and thousands of other webmasters – see every day.
2 comments on “Why Am I Getting Empty Form Submissions from My Website?”
As a software writer, I do what I can to prevent automated form submission.
I’ve recently started using Ajax to insert the form into the page after the page has loaded. So far, it’s been 100% effective. We’ll see in the longer run.
CSS3’s contenteditable tag can be used to accept keystrokes into divs. A click on a pseudo-button can cause the information to be sent to software on the server. This technique eliminates the need for a form and field tags. I believe the latest browsers for iOS and Android now support contenteditable, but older ones won’t, which is why I’m not making much use of this technique – yet.