Securing your Contact Us page

One of the standard features of any modern website is the contact us form. While it is a convenient way for site visitors to get in touch with you, and better from a privacy point of view than publishing an email address on your site, it also has some security issues.

Contact forms can be attacked if not secured correctly

For example, a user can trick the system by putting mail commands into the form's text boxes, such as CC and BCC fields, effectively allowing the user to bounce emails off the web server's email system. This has a flow-on effect not only for the site owner but also for anyone else who uses the same email system.
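The following is an added example, not code from the original post: a small Python contact-form handler showing the defensive side of the problem described above. A submission can only turn into extra CC/BCC recipients if visitor-supplied text is allowed to start a new header line, so the handler refuses any field containing a line break, insists that the visitor's email is exactly one plain address, and never places visitor data in To, Cc or Bcc at all. The mailbox address, field names and sample submissions are all constructed placeholders.

```python
"""Contact-form handler that refuses mail-header injection (added example)."""
import re
from email.message import EmailMessage

# Any of these characters ends the current header line, so anything after
# them would be read by the mail system as a new header (e.g. a Bcc: line).
_HEADER_BREAK = re.compile(r"[\r\n\x00]")

# Deliberately strict: exactly one address, no display name, no list separators.
_SINGLE_ADDRESS = re.compile(r"^[^\s@<>,;:]+@[^\s@<>,;:]+\.[^\s@<>,;:]+$")

# Constructed placeholder for the site's own mailbox (assumption).
SITE_MAILBOX = "contact@example.com"


class FormRejected(ValueError):
    """Raised when a submitted field cannot safely be placed in a mail header."""


def clean_header_field(field, value, max_len=200):
    """Return the value stripped, or raise if it could inject a header."""
    if not isinstance(value, str):
        raise FormRejected(f"{field}: missing")
    if _HEADER_BREAK.search(value):
        raise FormRejected(f"{field}: line breaks are not allowed")
    value = value.strip()
    if len(value) > max_len:
        raise FormRejected(f"{field}: longer than {max_len} characters")
    return value


def clean_address(field, value):
    """Accept a single plain address; reject lists, names and separators."""
    value = clean_header_field(field, value)
    if not _SINGLE_ADDRESS.match(value):
        raise FormRejected(f"{field}: not a single email address")
    return value


def build_contact_message(form):
    """Turn a submitted form (a dict of strings) into an EmailMessage.

    The visitor never controls To, Cc or Bcc: the message is always addressed
    from and to the site's own mailbox, and the visitor's address appears only
    in Reply-To and in the body.
    """
    name = clean_header_field("name", form.get("name", ""))
    visitor = clean_address("email", form.get("email", ""))
    subject = clean_header_field("subject", form.get("subject", ""))
    body = form.get("message", "")
    if not isinstance(body, str):
        raise FormRejected("message: missing")

    msg = EmailMessage()
    msg["From"] = SITE_MAILBOX
    msg["To"] = SITE_MAILBOX
    msg["Reply-To"] = visitor
    msg["Subject"] = f"[Contact form] {subject}"
    msg.set_content(f"Name: {name}\nEmail: {visitor}\n\n{body}")
    return msg


def recipient_headers(msg):
    """All To/Cc/Bcc values present on a message, for checking the result."""
    return {h: str(msg[h]) for h in ("To", "Cc", "Bcc") if msg[h] is not None}


def submit(form):
    """Return ("sent", recipients) or ("rejected", reason); nothing is sent."""
    try:
        msg = build_contact_message(form)
    except FormRejected as exc:
        return ("rejected", str(exc))
    return ("sent", recipient_headers(msg))


if __name__ == "__main__":
    # Constructed sample submissions: one ordinary, one carrying a line break.
    good = {"name": "Ann Example", "email": "ann@example.org",
            "subject": "Opening hours", "message": "Are you open on Sunday?"}
    broken = {"name": "Ann Example", "email": "ann@example.org",
              "subject": "Hi\r\nBcc: someone@example.net", "message": "x"}
    print(submit(good))
    print(submit(broken))
```

The important design choice is the last one: validation catches the obvious cases, but keeping visitor input out of the recipient headers entirely means that even a validation slip cannot turn the form into a relay. A plugin that instead pastes the visitor's address straight into a `To:` or `Cc:` header is the kind of thing worth checking for when choosing one.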

Public Blacklists

There are many sites that allow you to do a blacklist lookup

To combat this, there are public blacklists around the Internet that an anti-spam system can use to check whether the sending email system is safe. If your email system gets onto one of these lists you may find that your emails start bouncing back to you. So it is important to ensure that your email system is not used for any relay attacks (like the method I described above), which is the quickest way to get onto one of these lists. It is relatively straightforward to get off one of these lists, but only if it doesn't keep happening; quite likely they will refuse if it is a regular occurrence.
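To make the blacklist check concrete, here is an added example (not from the original post) of how a DNS-based blacklist lookup works: the octets of the sending server's IPv4 address are reversed, the list's zone name is appended, and an A record in 127.0.0.0/8 for that name means the address is listed while a missing record (NXDOMAIN) means it is not. The zone `dnsbl.example` and the listing used for the offline demonstration are constructed placeholders; a real check would use the zone of whichever list you have chosen.

```python
"""DNS blacklist (DNSBL) lookup for a mail server's address (added example)."""
import ipaddress
import socket

# Constructed placeholder zone; substitute the zone of the list you use.
DEFAULT_ZONE = "dnsbl.example"

# Constructed listing for the offline demonstration below: only the TEST-NET
# address 192.0.2.1 is "listed", with the commonly used 127.0.0.2 answer.
_EXAMPLE_LISTING = {"1.2.0.192.dnsbl.example": "127.0.0.2"}


def dnsbl_query_name(ip, zone):
    """Reverse the IPv4 octets and append the list's zone.

    A listing for 192.0.2.1 in 'dnsbl.example' is published as an A record
    named 1.2.0.192.dnsbl.example; no such record means the address is clean.
    """
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on bad input
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def check_dnsbl(ip, zone=DEFAULT_ZONE, resolve=socket.gethostbyname):
    """Return the 127.x.x.x answer if the address is listed, otherwise None.

    `resolve` is injectable so the logic can be exercised without network
    access; by default it is a real DNS lookup.
    """
    try:
        answer = resolve(dnsbl_query_name(ip, zone))
    except socket.gaierror:
        return None  # NXDOMAIN: the address is not on the list
    # Lists answer from 127.0.0.0/8; anything else is not a listing.
    if ipaddress.IPv4Address(answer) not in ipaddress.IPv4Network("127.0.0.0/8"):
        return None
    return answer


def example_resolver(name):
    """Stand-in for socket.gethostbyname that never touches the network."""
    try:
        return _EXAMPLE_LISTING[name]
    except KeyError:
        raise socket.gaierror(f"NXDOMAIN: {name}") from None


if __name__ == "__main__":
    for ip in ("192.0.2.1", "198.51.100.7"):
        print(ip, "->", check_dnsbl(ip, resolve=example_resolver))
```

Tools such as the MXToolbox page linked at the end of this post run this kind of query against many lists at once; the value of doing it yourself is that you can schedule it for your own outbound mail server's address and be alerted to a listing before bounces start arriving.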

Relay Attacks

Example of a Captcha

A relay attack is a method of bouncing or rebounding emails off another remote system, so that the emails appear to come from the remote system rather than from their true source. Relaying is a legitimate way of routing email across the Internet (for example through your upstream provider), but it is also a method spammers use to mask the true source of their mass mailouts. If you are planning on sending bulk marketing material, the best method is to use a specialised bulk mail system such as MailChimp.

Thankfully most systems combat this now

If you are using a plugin in WordPress or one of the other popular CMS systems, it usually has some form of spam filtering, whether that is background validation or a Captcha. For those who don't know, a Captcha is generally a randomly generated number that you type in to prove you are a human and not a robot; the number appears in an image that robots cannot read, at least in theory.

Conclusion

In the end, as with everything concerning security, you need to find the balance between usability and security that suits your business model. For instance, a bank is going to have different security requirements from a non-profit sports club.

Links

http://mxtoolbox.com/blacklists.aspx – A tool for checking whether your domain is blacklisted
http://www.captcha.net/ – Some information about Captcha