How You Could Be A Spammer And Not Even Know It

About a month ago, we published an article about spam entitled "How Much Is SPAM Costing You?". In it, we addressed the problems of reduced productivity and increased bandwidth usage. However, we recently saw a related article at Site-Reference.com which addressed some additional problems that spam could cause for your business. One interesting thing on their list was that hackers can make it look like you the spammer!

How Hackers Can Make You Look Like A Spammer

One of the most important problems that the author mentioned was the abuse of ‘contact us’ forms. Contact Us forms are usually placed on a website to enable visitors to send a quick message. However, they can be easily exploited by malicious hackers and used to dispatch hundreds or thousands of illegal spam messages.

This often results in a few bad things for your website. First, this may increase the server load, causing your website to load slowly. Second, it will increase bandwidth usage. So if you have a limited bandwidth hosting plan, be prepared for costly overage fees. Third, your IP address or domain could be blacklisted. This may mean that you will be unable to send email to certain recipients or that your website could be banned from certain search engines.

Clearly, none of these outcomes is desirable.  So if you have an email script, it is important to make sure that it is not vulnerable.

How To Hacker-Proof Your Email Script

To make your script more secure, we suggest the following:

1. Do Not Use Hidden Fields. Make sure that your email is not submitted to the script as a hidden field. Verify that it is indeed hard-coded into the email script.
2. Avoid Using Popular Email Scripts. For a more secure script, it is best that you write your own. But if you are unable to do so, only choose popular scripts that enable complete customization, and that have inbuilt spam-prevention mechanisms.
3. Parse User Input. Unfortunately, all of your website’s visitors are not completely trustworthy. So you need to assume the worst-case-scenario when handling any user-inputted data. This means validating email addresses (ie. verifying that users are submitting real email addresses) and removing any invalid characters. Hackers, for example, could input certain characters which enable them to modify the recipient of an email, thus giving them full control of your script.

For additional precautions that you should take to avoid problems from excessive spam, see the original Site Reference article, 5 Ways To Get Your Website Shut Down By Spammers. Also, take a look at our recent tutorial for details on how to write a hacker-proof PHP email script.