The Problem
Spam has been around since the early days of the Internet. Since the very first unsolicited message, people have been trying everything to stem the tide - with varying degrees of success. It has inundated practically every communications medium invented - from the postal mail to electronic mail. Some say that the very first spam message was sent via telegraph in 1904!
Anyone who has been on the Internet for any length of time is well aware of email spam. Over time, we learn to manage the flood of messages using filters, blacklists and other technologies. As a result, spammers have had to find means of getting around these filters in order to get their messages through.
Target: Your Mail Form
Your mail form is a direct means into your inbox. Most webmasters consider these message to be of the utmost importance, and - as a result - they don't filter these messages as stringently as "regular" email. In fact, many webmasters have a special filter in place to ensure those messages get through.
Spammers are well aware of this fact, and they exploit this in order to get their message through. They know that, if they can get their message in surrounded by legitimate customer messages, the odds are that you will practically be forced to read it.
All these spammers need to do is to create a "robot" that trawls the web looking for contact forms. This is a very trivial task - someone with a semester or two of computer programming can create one in short order. Once they have this "robot" programmed, they can send spam to thousands of web forms in minutes.
The '<textarea>' Tag
Web form spammers only need to search for pages with a '<textarea>' tag to get a good indication that they are on a web form that may send the results to the webmaster. Once they have a list of pages that contain this tag, they examine the rest of the page to determine if it is likely that the page is a contact form. If it is, they have all the information they need to start spamming you.
Using the HTML displayed above, they can then craft an HTTP request that will mimick what would happen if one of your visitors submits the form:
POST /somepage.aspx HTTP/1.1
Host: www.example.com
Connection: close
Content-Type: application/x-www-form-urlencode
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Content-Length: 48
message=Come+visit+my+website+and+buy+some+stuff
Once the spammer sends the above request to your web server, it is totally indistinguishable from a legitimate form submission. All the proper fields are there, and note that the "robot" is even claiming to be a Windows machine running Internet Explorer! Once your server side form handler receives this submission, it will dutifully email you the contents of the message - just as you've asked it to do.
Fortunately, we have an easy way to cut down - if not eliminate - these pesky spam messages.
Read the solution.
